Go SDK

Runtime Safety for Go AI Agents

Enforce kernel-level isolation, network filtering, and atomic rollbacks from Go with nono-go.

go get github.com/always-further/nono-go
pkg.go.dev

Secure execution model

The Go SDK provides CGo bindings to nono's core Rust library. When you call nono.Apply(caps), the SDK applies kernel-level Landlock rules (Linux) or Seatbelt profiles (macOS) to the current process. The sandbox is irrevocable — it cannot be loosened after application. Static libraries for macOS (arm64, amd64) and Linux (amd64, arm64) are bundled in the repository.

This means your Go AI agent and every subprocess it spawns operate within the defined capability set. Filesystem access is constrained at the kernel level, not by application-level checks that can be bypassed. Use NewQueryContext to dry-run permission checks and SandboxState to serialize capability sets to JSON.

Filesystem Isolation

Define per-path access modes (read, write, read-write) with fine-grained control. Only explicitly allowed paths are accessible — everything else is denied by default at the kernel level.

Static Binary Support

Compiles to a single static binary with CGo bindings to nono's Rust core. No runtime dependencies beyond the kernel. Works with standard Go build tooling and cross-compilation.

main.go
package main


import (
	"log"
	"github.com/always-further/nono-go"
)


func main() {
	caps := nono.New()
	defer caps.Close()


	if err := caps.AllowPath("/home/user/data", nono.AccessRead); err != nil {
		log.Fatal(err)
	}
	if err := caps.AllowPath("/tmp", nono.AccessReadWrite); err != nil {
		log.Fatal(err)
	}
	if err := caps.SetNetworkMode(nono.NetworkBlocked); err != nil {
		log.Fatal(err)
	}


	// Irreversible — applies to this process and all children.
	if err := nono.Apply(caps); err != nil {
		log.Fatal(err)
	}
}
query.go
package main


import (
	"fmt"
	"log"
	"github.com/always-further/nono-go"
)


func main() {
	caps := nono.New()
	if err := caps.AllowPath("/home/user/data", nono.AccessRead); err != nil {
		log.Fatal(err)
	}
	if err := caps.SetNetworkMode(nono.NetworkAllowAll); err != nil {
		log.Fatal(err)
	}


	qc, err := nono.NewQueryContext(caps)
	if err != nil {
		log.Fatal(err)
	}
	defer qc.Close()


	result, err := qc.QueryPath("/home/user/data/file.txt", nono.AccessRead)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(result.Status) // nono.QueryAllowed
}

SDK Capabilities

CapabilitySet

Created via nono.New(). AllowPath(), AllowFile(), and SetNetworkMode() define access rules. Irrevocable after Apply().

QueryContext

Created via NewQueryContext(caps). QueryPath() and QueryNetwork() dry-run permission checks. The capability set is cloned internally.

SandboxState

StateFromCaps() and StateFromJSON() serialize and deserialize capability sets. ToJSON() exports, ToCaps() restores.

Related

OS Sandbox

How kernel isolation works under the hood

API Reference

Full SDK documentation

Getting Started Guide

End-to-end walkthrough

Ship safer agents today

Read the DocsView on GitHub