Python SDK

Runtime Safety for Python AI Agents

Enforce kernel-level isolation, network filtering, and atomic rollbacks from Python with nono-py.

pip install nono-py

Secure execution model

The Python SDK provides a thin wrapper around nono's core Rust library via PyO3 bindings. When you call nono.apply(caps), the SDK applies kernel-level Landlock rules (Linux) or Seatbelt profiles (macOS) to the current process. The sandbox is irrevocable — it cannot be loosened after application.

This means your Python AI agent and every subprocess it spawns operate within the defined capability set. Filesystem access is constrained at the kernel level, not by application-level checks that can be bypassed. Use QueryContext to dry-run permission checks and SandboxState to serialize capability sets.

Filesystem Isolation

Define per-path access modes (read, write, read-write) with fine-grained control. Only explicitly allowed paths are accessible — everything else is denied by default at the kernel level.

Network Blocking

Block all outbound network connections at the kernel level with block_network(). The block is enforced by Landlock (Linux) or Seatbelt (macOS) and applies to all child processes.

sandbox.py

import nono_py as nono

# Define capabilities
caps = nono.CapabilitySet()
caps.allow_path("/project", nono.AccessMode.READ_WRITE)
caps.allow_file("/home/user/.gitconfig", nono.AccessMode.READ)
caps.block_network()  # deny all outbound connections

# Apply sandbox (irrevocable)
nono.apply(caps)

# Your agent code runs here, fully sandboxed
# (`agent` is a placeholder for your own agent object)
agent.run()

query.py

import nono_py as nono

# Check platform support
info = nono.support_info()
print(info.platform, info.details)

# Build capabilities and dry-run check
caps = nono.CapabilitySet()
caps.allow_path("/project", nono.AccessMode.READ_WRITE)
ctx = nono.QueryContext(caps)
result = ctx.query_path("/etc/passwd", nono.AccessMode.READ)
print(result.status)  # "denied"
print(result.reason)  # explains why
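
Because apply() cannot be undone, the dry-run check is most useful as a gate that runs before it. The following is an added example, not code from nono-py or its documentation: a pre-flight audit that checks a policy against paths that must stay denied and paths the agent needs. The names audit, preflight and standin_query, the "r"/"rw" mode strings and the "allowed" status value are assumptions; the stand-in models deny-by-default matching only so the example runs without nono-py installed.

```python
import posixpath

# Constructed expectations for the sandbox.py policy above. Modes are "r"/"rw"
# here; with nono-py you would pass nono.AccessMode values instead.
MUST_DENY = [
    ("/etc/passwd", "r"),
    ("/home/user/.ssh/id_ed25519", "r"),
    ("/home/user/.gitconfig", "rw"),  # granted read-only, so writes must fail
]
MUST_ALLOW = [
    ("/project/src/main.py", "rw"),
    ("/home/user/.gitconfig", "r"),
]

def audit(query, must_deny=MUST_DENY, must_allow=MUST_ALLOW):
    """Return violations. query(path, mode) -> status string; only "denied"
    (the value shown on this page) is interpreted."""
    found = []
    for path, mode in must_deny:
        if query(path, mode) != "denied":
            found.append(f"exposed: {path} ({mode})")
    for path, mode in must_allow:
        if query(path, mode) == "denied":
            found.append(f"blocked: {path} ({mode})")
    return found

def preflight(query):
    """Fail closed: raise before the irrevocable apply() if the policy is off."""
    problems = audit(query)
    if problems:
        raise PermissionError("; ".join(problems))

def standin_query(grants):
    """Constructed stand-in for QueryContext, not nono's implementation.
    grants: (path, modes, is_dir); deny by default, directory grants cover
    descendants, file grants match exactly."""
    def query(path, mode):
        path = posixpath.normpath(path)
        for root, modes, is_dir in grants:
            inside = path == root or (is_dir and path.startswith(root.rstrip("/") + "/"))
            if inside and set(mode) <= set(modes):
                return "allowed"  # assumed value; audit() only tests for "denied"
        return "denied"
    return query

# With nono-py, using the calls shown on this page, the query would be:
#   ctx = nono.QueryContext(caps)
#   query = lambda p, m: ctx.query_path(p, m).status
GOOD = [("/project", "rw", True), ("/home/user/.gitconfig", "r", False)]
TOO_BROAD = [("/home/user", "rw", True)]  # exposes ~/.ssh, omits /project
```

Call preflight(query) immediately before nono.apply(caps) so an over-broad or incomplete policy stops the process instead of being locked in.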

SDK Capabilities

CapabilitySet

Builder pattern for defining filesystem access, network blocking, and command rules. Irrevocable after apply().

QueryContext

Dry-run permission checks against a capability set. Test whether a path or network access would be allowed before applying.

SandboxState

Serialize and deserialize capability sets to JSON. Persist sandbox configurations or transfer them between processes.

Ship safer agents today