Complete feature compatibility for nono running on WSL2. Default counts are for the Microsoft kernel (6.6, Landlock V3). See the summary for rolling kernel (V6) numbers.
Legend: Full = identical to native Linux | Blocked (default) = fails secure, requires profile opt-in | Unavailable = not functional on WSL2
Subcommands
| Feature | Status | Notes |
|---|---|---|
| nono run (supervised mode) | Full | Fork + Landlock + exec works |
| nono shell (interactive shell) | Full | Same as run with $SHELL |
| nono wrap (direct mode) | Full | No fork, no supervisor |
| nono why | Full | Policy queries are pure logic |
| nono setup | Full | Reports WSL2 feature matrix |
| nono rollback (list/show/restore/verify/cleanup) | Full | Pure userspace |
| nono audit (list/show) | Full | Pure userspace |
| nono trust (init/sign/verify/list) | Full | keygen/sign-policy require gnome-keyring (distro dependency, not WSL2-specific) |
| nono ps | Full | Session listing, pure userspace |
| nono stop | Full | Signal-based session stop |
| nono attach | Full | PTY attach, basic supervised mode |
| nono detach | Full | PTY detach |
| nono logs | Full | Session event logs, pure userspace |
| nono inspect | Full | Session state, pure userspace |
| nono prune | Full | Session cleanup, pure userspace |
| nono profile (init/list/show/diff/validate/groups/schema/guide) | Full | Pure logic |
Filesystem Permissions
| Feature | Status | Notes |
|---|---|---|
| --allow (read+write directory) | Full | Landlock V1+ |
| --read (read-only directory) | Full | Landlock V1+ |
| --write (write-only directory) | Full | Landlock V1+ |
| --allow-file (read+write single file) | Full | Landlock V1+ |
| --read-file (read-only single file) | Full | Landlock V1+ |
| --write-file (write-only single file) | Full | Landlock V1+ |
| --allow-cwd | Full | |
| --workdir | Full | Variable expansion only |
| --bypass-protection | Full | Renamed in #594; legacy alias accepted until v1.0.0 |
| --skip-dir | Full | |
| File rename across directories | Full | Landlock V2 (Refer) |
| File truncation control | Full | Landlock V3 (Truncate) |
| Device ioctl filtering | Unavailable | Needs Landlock V5 (kernel 6.10+) |
| Path canonicalization / symlink resolution | Full | |
| Sensitive path blocking (46 paths) | Full | Policy-driven |
Network
| Feature | Status | Notes |
|---|---|---|
| --block-net (block all outbound) | Full | seccomp RET_ERRNO, kernel-enforced |
| Default (allow all network) | Full | No restriction applied |
| --listen-port (child binds TCP port) | Unavailable | Needs Landlock V4 |
| --open-port (bidirectional localhost TCP) | Unavailable | Needs Landlock V4 |
| Per-port TCP filtering | Unavailable | Needs Landlock V4 (kernel 6.7+) |
Credential Proxy
| Feature | Status | Notes |
|---|---|---|
| --credential SERVICE (reverse proxy injection) | Blocked (default) | Fails secure unless profile sets wsl2_proxy_policy: "insecure_proxy" |
| --env-credential (env var injection) | Full | No proxy needed |
| --env-credential-map | Full | No proxy needed |
| --network-profile (host allowlist via proxy) | Blocked (default) | Requires wsl2_proxy_policy: "insecure_proxy" opt-in; no port lockdown |
| --allow-domain (domain allowlist) | Blocked (default) | Same as above |
| --allow-endpoint (L7 method+path filtering) | Blocked (default) | Filtering works at proxy level; child can bypass proxy |
| --upstream-proxy (chain through external proxy) | Blocked (default) | Same as above |
| --upstream-bypass | Blocked (default) | Same as above |
| --proxy-port (fixed proxy port) | Blocked (default) | Same as above |
| Phantom token authentication | Full | Session token in env vars |
| Credential zeroization in memory | Full | Rust Zeroizing<String> |
| SSRF protection (cloud metadata blocking) | Full | Applied at proxy level |
Why blocked by default: On native Linux (even pre-V4), proxy-only mode is kernel-enforced via seccomp user notification. On WSL2, seccomp notify returns EBUSY, so the child could bypass the proxy. nono refuses to run in this mode by default. Profiles can opt in to degraded execution with wsl2_proxy_policy: "insecure_proxy" in the security config. When Landlock V4 arrives (kernel 6.7+), enforcement activates automatically and the policy setting becomes irrelevant.
Execution & Supervision
| Feature | Status | Notes |
|---|---|---|
| Supervised mode (fork + sandbox child) | Full | Basic supervision works |
| Direct mode (sandbox + exec) | Full | |
| Signal forwarding (SIGTERM, etc.) | Full | Parent forwards to child |
| Exit code preservation | Full | |
| Diagnostic footer on failure | Full | |
| --capability-elevation (interactive prompts) | Unavailable | seccomp notify returns EBUSY |
| PTY relay for approval UI | Unavailable | Depends on capability elevation |
| Runtime capability expansion | Unavailable | Depends on seccomp notify |
| --dry-run | Full | No execution, pure logic |
| --no-diagnostics | Full | |
| Threading context management | Full | |
| PR_SET_DUMPABLE(0) on parent | Full | |
| --allow-gpu | Full | WSL2 uses /dev/dxg (DirectX passthrough) instead of /dev/dri / /dev/nvidia*. CUDA and ollama inference verified. |
Rollback & Snapshots
| Feature | Status | Notes |
|---|---|---|
| --rollback (enable snapshots) | Full | Pure userspace (content-addressable store) |
| --no-rollback | Full | |
| --no-rollback-prompt | Full | |
| --rollback-exclude | Full | |
| --rollback-include | Full | |
| --rollback-all | Full | |
| --rollback-dest | Full | |
| Merkle tree integrity verification | Full | SHA-256 |
| Incremental snapshots | Full | |
| Interactive restore prompts | Full | |
| Gitignore-aware exclusion | Full | |
Audit Trail
| Feature | Status | Notes |
|---|---|---|
| Session recording | Full | JSON per session |
| --no-audit | Full | |
| Audit list/show/filter | Full | |
| Date/path/command filtering | Full | |
| JSON output | Full | |
Command Blocking
| Feature | Status | Notes |
|---|---|---|
| Default dangerous command blocklist (46 commands) | Deprecated | Startup-only check, not child-process enforced |
| --allow-command | Deprecated | Startup-only compatibility behavior |
| --block-command | Deprecated | Startup-only compatibility behavior |
Trust & Signing
| Feature | Status | Notes |
|---|---|---|
| trust init | Full | Creates trust-policy.json |
| trust sign (with key) | Full | Requires gnome-keyring (distro dependency, not WSL2-specific) |
| trust sign --keyless (Sigstore) | Full | Fulcio + Rekor, no local keystore |
| trust sign-policy | Full | Requires gnome-keyring (distro dependency) |
| trust verify | Full | Bundle verification is pure crypto |
| trust list | Full | |
| trust keygen | Full | Requires gnome-keyring (distro dependency) |
| trust export-key | Full | Requires gnome-keyring (distro dependency) |
| Write-protection for signed files | Full | Landlock deny rules |
| Trust interception in supervised mode | Full | Uses Unix socket IPC, not seccomp |
Note: Key-based trust operations (keygen, sign, sign-policy, export-key) require a D-Bus secret service (gnome-keyring or keepassxc). This is a Linux distro dependency, not a WSL2 limitation — the same requirement applies on any headless Linux. Install with: sudo apt install gnome-keyring dbus-x11
Profile System
| Feature | Status | Notes |
|---|---|---|
| Agent profiles (claude-code, codex, etc.) | Full | |
| Custom user profiles | Full | |
| Profile inheritance (extends) | Full | |
| Variable expansion ($WORKDIR, $HOME, $TMPDIR) | Full | |
| Policy group resolution | Full | |
| signal_mode | Unavailable | Needs Landlock V6 (Scoping) |
| process_info_mode | Unavailable | Needs Landlock V6 (Scoping) |
| ipc_mode | Unavailable | Needs Landlock V6 (Scoping) |
| capability_elevation (in profile) | Unavailable | seccomp notify EBUSY |
| interactive mode | Unavailable | Depends on capability elevation |
| Workdir access levels (none/read/readwrite) | Full | |
Hooks
| Feature | Status | Notes |
|---|---|---|
| Hook installation (Claude Code) | Full | Shell script installation |
| Hook script embedding | Full | |
| Settings.json registration | Full | |
| Listening port detection | Full | |
Output & UX
| Feature | Status | Notes |
|---|---|---|
| --silent | Full | |
| --theme | Full | |
| --log-file | Full | |
| --verbose | Full | |
| --json (on applicable commands) | Full | |
| Colored output | Full | |
| Update notifications | Full | |
Environment & Configuration
| Feature | Status | Notes |
|---|---|---|
| Environment sanitization | Full | |
| NONO_* env var support | Full | |
| User config (~/.config/nono/) | Full | |
| Embedded policy (policy.json) | Full | |
Summary
| Category | Full | Degraded | Unavailable |
|---|---|---|---|
| Subcommands (18) | 18 | 0 | 0 |
| Filesystem (15) | 14 | 0 | 1 |
| Network (5) | 2 | 0 | 3 |
| Credential Proxy (10) | 4 | 0 | 6 |
| Execution (13) | 10 | 0 | 3 |
| Rollback (10) | 10 | 0 | 0 |
| Audit (5) | 5 | 0 | 0 |
| Command Blocking (3) | 3 | 0 | 0 |
| Trust (10) | 10 | 0 | 0 |
| Profiles (11) | 6 | 0 | 5 |
| Hooks (3) | 3 | 0 | 0 |
| Learn Mode (5) | 5 | 0 | 0 |
| Output (6) | 6 | 0 | 0 |
| Environment (4) | 4 | 0 | 0 |
| Total (118) | 100 (85%) | 0 (0%) | 18 (15%) |
Root causes of all WSL2-specific limitations
| Root Cause | Features Affected | Fix |
|---|---|---|
| Landlock V4 missing (kernel 6.6 < 6.7) | Per-port network (3) | Rolling kernel or wait for Microsoft kernel upgrade |
| Landlock V6 missing (kernel 6.6 < 6.12) | signal_mode, process_info_mode, ipc_mode (3) | Rolling kernel or wait for Microsoft kernel upgrade |
| Landlock V5 missing (kernel 6.6 < 6.10) | Device ioctl filtering (1) | Rolling kernel or wait for Microsoft kernel upgrade |
| seccomp notify EBUSY | capability_elevation, interactive mode, PTY relay, runtime expansion (4) | microsoft/WSL#9548 — WSL2 userspace issue, persists regardless of kernel version |
| Proxy port enforcement (pre-V4) | Credential proxy features (6 blocked by default) | Rolling kernel (V4+ enables native enforcement) or wsl2_proxy_policy: "insecure_proxy" opt-in |
With rolling kernel (6.19+, Landlock V6): All Landlock-dependent limitations are resolved — 113/118 features (96%) fully available. Only 5 features remain unavailable, all due to seccomp notify EBUSY (--capability-elevation and dependent features). See WSL2 Support for install instructions.
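To check which side of these Landlock thresholds a given WSL2 kernel falls on, the ABI version can be read directly from the kernel. The following is an added example, not nono's own code: the helper names (`landlock_abi`, `missing_gates`, `GATES`) are hypothetical, and the ABI-to-feature mapping is copied from the root-cause table above. It does not probe the seccomp notify EBUSY condition, which is independent of the Landlock version.

```c
/* Added example, not nono source: probe the Landlock ABI and list the
 * feature groups this page gates on it. Helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444 /* value on x86_64 and arm64 */
#endif
#define LL_VERSION_FLAG (1U << 0) /* LANDLOCK_CREATE_RULESET_VERSION */

struct gate { int min_abi; const char *kernel; const char *features; };

/* ABI and kernel requirements copied from the root-cause table above. */
static const struct gate GATES[] = {
    {4, "6.7",  "--listen-port, --open-port, per-port TCP, proxy port enforcement"},
    {5, "6.10", "device ioctl filtering"},
    {6, "6.12", "signal_mode, process_info_mode, ipc_mode"},
};
#define NGATES (sizeof GATES / sizeof GATES[0])

/* Returns the Landlock ABI version (>= 1), or -errno when Landlock is
 * not built in (ENOSYS) or disabled at boot (EOPNOTSUPP). */
int landlock_abi(void) {
    long v = syscall(SYS_landlock_create_ruleset, NULL, (size_t)0,
                     LL_VERSION_FLAG);
    return v < 0 ? -errno : (int)v;
}

/* Number of feature groups the given ABI cannot enforce. */
int missing_gates(int abi) {
    int n = 0;
    for (size_t i = 0; i < NGATES; i++)
        if (abi < GATES[i].min_abi) n++;
    return n;
}

int main(void) {
    int abi = landlock_abi();
    if (abi < 0) printf("Landlock unavailable: %s\n", strerror(-abi));
    else printf("Landlock ABI V%d\n", abi);
    for (size_t i = 0; i < NGATES; i++)
        if (abi < GATES[i].min_abi)
            printf("needs V%d (kernel %s+): %s\n", GATES[i].min_abi,
                   GATES[i].kernel, GATES[i].features);
    return missing_gates(abi) ? 1 : 0;
}
```

On the default Microsoft kernel described on this page (Landlock V3) the program lists all three groups and exits non-zero.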
Distro dependencies (not WSL2-specific)
| Dependency | Features Affected | Fix |
|---|---|---|
| gnome-keyring or keepassxc | trust keygen/sign/sign-policy/export-key | sudo apt install gnome-keyring dbus-x11 |