AI coding agents run as your user. They have the same access you do: SSH keys, cloud credentials, source code across every project on your machine. This guide walks through setting up nono to enforce kernel-level boundaries around agent execution.
Install nono
On macOS:
brew install nono
From source (requires Rust toolchain):
cargo build --release
Verify the installation:
nono --version
Choose or create a profile
A profile defines the filesystem, network, and command access rules for a sandbox. The fastest way to get a hardened, signed profile for a specific agent is to install a pack from the nono registry.
Search the registry for a pack:
nono search claude
Install a pack. This pulls the signed pack and registers its profile — for example, always-further/claude provides the claude-code profile:
nono pull always-further/claude
Add --init to also copy the pack's project instructions into the current directory:
nono pull always-further/claude --init
List installed packs and the profiles available on your system:
nono list --installed
nono profile list
nono profile list shows both registry-managed packs and the built-in profiles (default, python-dev, node-dev, rust-dev, and more). The claude-code profile allows access to the current working directory and common development tools while blocking sensitive directories and unrestricted network access.
To use a profile:
nono run --profile claude-code -- claude
To create a custom profile, generate a skeleton that extends an existing one:
nono profile init my-agent --extends claude-code
Edit the generated JSON to add or remove allowed paths, network domains, and commands, then validate it. See the profile reference for the full schema.
nono profile validate my-agent
Start with a restrictive profile and expand as needed. It is easier to add permissions than to audit what an overly permissive agent accessed.
Run your agent
The basic invocation wraps your agent command with nono:
nono run --allow ~/projects/myapp -- claude
This creates a sandbox that:
- Allows read/write access to ~/projects/myapp and its subdirectories
- Blocks access to all other filesystem paths (including ~/.ssh, ~/.aws, ~/.config)
- Blocks all outbound network connections by default
- Records every operation in the audit trail
- Captures a filesystem snapshot before the agent starts (when run with --rollback)
To allow network access to specific hosts:
nono run \
  --allow ~/projects/myapp \
  --allow-domain registry.npmjs.org \
  --allow-domain api.github.com \
  -- claude
Never use --trust-override in production. This flag bypasses instruction file verification and should only be used during initial setup.
Review the audit log
After the session ends, list recent sandboxed sessions:
nono audit list
Then show what a given session did, using its ID:
nono audit show <id>
This shows every file read, file write, network connection attempt, and command execution. Violations (denied operations) are highlighted.
For a machine-readable format:
nono audit show <id> --json
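An added example (not part of the nono documentation or code base): a post-session triage of the JSON audit output that surfaces denied access to credential directories, denied connections to hosts outside the allowlist, and any allowed access to a sensitive path, which would mean the profile is too broad. The field names `operation`, `target` and `decision`, the `~`-relative paths, and the sample events are assumptions constructed for illustration; the page does not show the real schema, so map them to the actual keys first.

```python
import json
from pathlib import PurePosixPath

# ASSUMPTION: the keys "operation", "target", "decision" are hypothetical; the page
# does not show the schema of `nono audit show <id> --json`. Adjust before use.
SENSITIVE_DIRS = ("~/.ssh", "~/.aws", "~/.config")          # blocked paths named on the page
ALLOWED_DOMAINS = {"registry.npmjs.org", "api.github.com"}  # from the page's --allow-domain example

# Constructed sample events, not real nono output.
SAMPLE_AUDIT = json.dumps([
    {"operation": "file_read", "target": "~/projects/myapp/src/main.rs", "decision": "allowed"},
    {"operation": "file_read", "target": "~/.ssh/id_ed25519", "decision": "denied"},
    {"operation": "file_read", "target": "~/.sshfoo/notes.txt", "decision": "denied"},
    {"operation": "network_connect", "target": "api.github.com:443", "decision": "allowed"},
    {"operation": "network_connect", "target": "example.invalid:443", "decision": "denied"},
    {"operation": "file_write", "target": "~/.aws/credentials", "decision": "allowed"},
])

def under(path, directory):
    """True if path is the directory or inside it (component-wise, not a string prefix)."""
    p, d = PurePosixPath(path).parts, PurePosixPath(directory).parts
    return p[:len(d)] == d

def triage(audit_json):
    """Group audit events into the findings a reviewer should check after a session."""
    findings = {"denied_sensitive": [], "denied_network": [], "allowed_sensitive": []}
    for ev in json.loads(audit_json):
        op, target, decision = ev["operation"], ev["target"], ev["decision"]
        if op.startswith("file_"):
            sensitive = any(under(target, d) for d in SENSITIVE_DIRS)
            if sensitive and decision == "denied":
                findings["denied_sensitive"].append(target)
            elif sensitive:
                # Allowed access to a credential directory: the profile is too permissive.
                findings["allowed_sensitive"].append(target)
        elif op == "network_connect" and decision == "denied":
            host = target.rsplit(":", 1)[0]  # strip the port
            if host not in ALLOWED_DOMAINS:
                findings["denied_network"].append(host)
    return findings

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_AUDIT).items():
        print(kind, items)
```
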
Undo if needed
If you ran the agent with --rollback and it made unwanted changes, restore the session. First list rollback sessions:
nono rollback list
Then restore every file to its pre-session state using the SHA-256 content-addressed snapshot:
nono rollback restore <id>
You can also review the diff before restoring:
nono rollback show <id> --diff
Runtime supervision
For workflows that require dynamic permission expansion, enable the runtime supervisor:
nono run --profile claude-code --capability-elevation -- claude
When the agent tries to access a resource outside its sandbox, nono prompts you in the terminal. You can approve, deny, or approve-always for the session duration. All supervisor decisions are recorded in the audit trail.
Next steps
- Read the Linux/MacOS Sandbox page to understand how kernel isolation works
- Read the Audit Trail page for details on cryptographic verification
- Explore the Python SDK or TypeScript SDK for programmatic sandbox control
- Check the full documentation for the complete CLI reference