AI coding agents run as your user. They have the same access you do: SSH keys, cloud credentials, source code across every project on your machine. This guide walks through setting up nono to enforce kernel-level boundaries around agent execution.
Install nono
On macOS:
brew tap always-further/nono && brew install nono
From source (requires Rust toolchain):
cargo build --release
Verify the installation:
nono --version
Choose or create a profile
nono ships with built-in profiles for common AI coding agents. List them:
nono profiles list
Each profile is a JSON file defining filesystem, network, and command access rules. The built-in claude-code profile allows access to the current working directory and common development tools while blocking sensitive directories and unrestricted network access.
To use a built-in profile:
nono run --profile claude-code -- claude
To create a custom profile, export a built-in one and modify it:
nono profiles export claude-code > my-profile.json
Edit my-profile.json to add or remove allowed paths, network hosts, and commands. See the profile reference for the full schema.
Start with a restrictive profile and expand as needed. It is easier to add permissions than to audit what an overly permissive agent accessed.
Run your agent
The basic invocation wraps your agent command with nono:
nono run --allow ~/projects/myapp -- claude
This creates a sandbox that:
- Allows read/write access to ~/projects/myapp and its subdirectories
- Blocks access to all other filesystem paths (including ~/.ssh, ~/.aws, ~/.config)
- Blocks all outbound network connections by default
- Records every operation in the audit trail
- Captures a filesystem snapshot before the agent starts
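A pre-flight check for the directory handed to --allow, as an added example that is not part of nono or of this guide's original text. It assumes an allowed directory grants its whole subtree, as described above; the helper names resolve_dir, check_allow_path and sandboxed_claude are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of nono. Assumes --allow grants the whole subtree.

# Directories the guide lists as blocked; checked relative to the home directory.
SENSITIVE_DIRS=".ssh .aws .config"

# Print the symlink-resolved absolute path of an existing directory.
resolve_dir() (
  CDPATH= cd -- "$1" 2>/dev/null && pwd -P
)

# check_allow_path DIR HOME
# Succeeds only if DIR neither contains nor lies inside a sensitive directory.
check_allow_path() (
  candidate=$(resolve_dir "$1") || { echo "not a directory: $1" >&2; exit 1; }
  home=$(resolve_dir "$2") || { echo "bad home directory: $2" >&2; exit 1; }
  prefix=${candidate%/}            # "/" becomes "" so the pattern below is "/*"
  for name in $SENSITIVE_DIRS; do
    sens=$(resolve_dir "$home/$name") || continue   # absent: nothing to expose
    case "$sens/" in
      "$prefix"/*) echo "refusing $1: it contains $sens" >&2; exit 1 ;;
    esac
    case "$candidate/" in
      "$sens"/*) echo "refusing $1: it is inside $sens" >&2; exit 1 ;;
    esac
  done
  exit 0
)

# Hypothetical wrapper: run the agent only when the grant passes the check.
sandboxed_claude() {
  check_allow_path "$1" "$HOME" && nono run --allow "$1" -- claude
}
```

Because paths are resolved before comparison, a project directory that is a symlink into ~/.ssh is refused just like ~ itself.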
To allow network access to specific hosts:
nono run \
  --allow ~/projects/myapp \
  --proxy-allow registry.npmjs.org \
  --proxy-allow api.github.com \
  -- claude
Never use --trust-unsigned in production. This flag bypasses instruction file verification and should only be used during initial setup.
Review the audit log
After the session ends, review what the agent did:
nono audit --session latest
This shows every file read, file write, network connection attempt, and command execution. Violations (denied operations) are highlighted.
For a machine-readable format:
nono audit --session latest --format json
Undo if needed
If the agent made unwanted changes, undo the entire session:
nono undo latest
This restores every file to its pre-session state using the SHA-256 content-addressed snapshot. You can also review the diff before undoing:
nono diff latest
Runtime supervision
For workflows that require dynamic permission expansion, enable the runtime supervisor:
nono run --profile claude-code --supervisor terminal -- claude
When the agent tries to access a resource outside its sandbox, nono prompts you in the terminal. You can approve, deny, or approve-always for the session duration. All supervisor decisions are recorded in the audit trail.
Next steps
- Read the Linux Sandbox page to understand how kernel isolation works
- Read the Audit Trail page for details on cryptographic verification
- Explore the Python SDK or TypeScript SDK for programmatic sandbox control
- Check the full documentation for the complete CLI reference