Runtime Supervisor

Dynamic Permission Expansion

Approve, deny, or inject credentials at runtime. On Linux, seccomp-notify intercepts system calls and enables transparent file descriptor passing so agents access new resources without retry logic.

Beyond static sandboxes

A static sandbox defines permissions upfront: the agent can access these files, these network hosts, these commands. But real-world agent workflows are dynamic. An agent might discover it needs to read a configuration file in a sibling project, or access a new API endpoint it was not originally granted.

The runtime supervisor sits between the agent and the kernel sandbox, intercepting requests that would otherwise be denied. It presents the request to the human operator (via terminal prompt, webhook, or API) and, if approved, dynamically expands the sandbox scope for that session. The expansion is session-scoped and does not persist after the agent exits.

seccomp-notify on Linux

On Linux, nono uses seccomp-notify to intercept system calls that would violate the sandbox. The supervisor receives the intercepted syscall, prompts for approval, and if granted, passes the file descriptor directly to the agent process. The agent does not need retry logic — the syscall completes transparently.
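The mechanism in that paragraph, as an added C example written for this page rather than taken from nono: a child process installs a seccomp filter that routes openat(2) to user space, hands the listener to its parent over SCM_RIGHTS, and then calls openat() once with no retry loop. The parent acts as the supervisor: it reads the requested path out of the child, confirms the notification is still live (the TOCTOU check a real supervisor must make before trusting what it read), applies a fixed "this one file, read-only" policy, opens the file itself and injects the descriptor with SECCOMP_IOCTL_NOTIF_ADDFD, so the child's openat() returns a working fd. Assumed and constructed for the example: Linux 5.9 or later with UAPI headers that define the ADDFD ioctl, the temporary file path and its "ok" contents, the exit codes, and the DEMO_UNSUPPORTED result used when the kernel or container lacks the feature.

```c
/* Added example, not nono's code: a minimal seccomp user-notification supervisor.
 * Child traps openat(2) to user space; parent checks the path against a fixed policy,
 * opens the file itself and injects the fd with SECCOMP_IOCTL_NOTIF_ADDFD (Linux 5.9+). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SECCOMP_IOCTL_NOTIF_ADDFD   /* UAPI headers older than Linux 5.9 */
struct seccomp_notif_addfd { __u64 id; __u32 flags; __u32 srcfd; __u32 newfd; __u32 newfd_flags; };
#define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOW(3, struct seccomp_notif_addfd)
#endif
#define DEMO_UNSUPPORTED 1  /* constructed result: this kernel/container lacks the mechanism */

/* SCM_RIGHTS helpers: the child hands its listener fd to the supervisor. */
static int send_fd(int sock, int fd) {
    char byte = 0; struct iovec iov = { &byte, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
static int recv_fd(int sock) {
    char byte = 0; struct iovec iov = { &byte, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;  /* EOF: the child exited without sending */
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}

/* Sandboxed side: every openat(2) is routed to the supervisor; no retry logic here. */
static void sandboxed_child(int sock, const char *path) {
    struct sock_filter filt[] = {   /* a production filter also checks seccomp_data.arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filt / sizeof filt[0], .filter = filt };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
    int listener = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (listener < 0 || send_fd(sock, listener) != 0) _exit(2);   /* exit 2 = unsupported here */
    close(listener);                                /* only the supervisor holds it from now on */
    int fd = syscall(__NR_openat, AT_FDCWD, path, O_RDONLY);  /* blocks until the supervisor answers */
    char buf[4] = {0};
    _exit(fd >= 0 && read(fd, buf, 3) == 3 && strcmp(buf, "ok\n") == 0 ? 0 : 4);
}

/* Supervisor side: handle one notification. Policy here: exactly `allowed`, read-only. */
static int supervise_one(int listener, const char *allowed) {
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0};   /* RECV needs zeroed memory */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) return -1;
    resp.id = req.id;
    char mem[32], path[256] = {0};                  /* pathname = openat's second argument */
    snprintf(mem, sizeof mem, "/proc/%u/mem", req.pid);
    int memfd = open(mem, O_RDONLY);
    ssize_t n = memfd < 0 ? -1 : pread(memfd, path, sizeof path - 1, req.data.args[1]);
    if (memfd >= 0) close(memfd);
    /* TOCTOU guard: the request must still be alive after we inspected its memory. */
    int valid = n > 0 && ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) == 0, fd = -1;
    if (valid && strcmp(path, allowed) == 0 && (req.data.args[2] & O_ACCMODE) == O_RDONLY)
        fd = open(allowed, O_RDONLY);               /* approved: open on the child's behalf */
    if (fd < 0) {                                   /* denied or uninspectable: child sees EACCES */
        resp.error = -EACCES; ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
        return n <= 0 ? DEMO_UNSUPPORTED : -1;      /* n <= 0: ptrace rules blocked /proc/pid/mem */
    }
    struct seccomp_notif_addfd addfd = { .id = req.id, .srcfd = fd, .newfd_flags = O_CLOEXEC };
    int newfd = ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &addfd);
    close(fd);                                      /* the child now owns its own copy */
    if (newfd < 0) {                                /* ADDFD missing (pre-5.9 kernel) */
        resp.error = -ENOSYS; ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp); return DEMO_UNSUPPORTED;
    }
    resp.val = newfd;                               /* the child's openat() returns this number */
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) == 0 ? 0 : -1;
}

/* 0: child read the file through an injected fd; DEMO_UNSUPPORTED; -1: genuine failure. */
int supervised_open_demo(void) {
    char path[] = "/tmp/supervisor-demo-XXXXXX";   /* constructed sample file */
    int tmp = mkstemp(path), sv[2], status = 0, rc = -1;
    if (tmp < 0 || write(tmp, "ok\n", 3) != 3 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    close(tmp); pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); sandboxed_child(sv[1], path); }
    close(sv[1]);
    int listener = recv_fd(sv[0]);
    if (listener >= 0) { rc = supervise_one(listener, path); close(listener); }
    waitpid(pid, &status, 0); close(sv[0]); unlink(path);
    int code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    if (listener < 0) return code == 2 ? DEMO_UNSUPPORTED : -1;
    return rc == 0 && code != 0 ? -1 : rc;
}
int main(void) { int rc = supervised_open_demo(); puts(rc == 0 ? "fd injected" : rc > 0 ? "unsupported here" : "failed"); return rc < 0; }
```

Build with `cc -Wall demo.c -o demo && ./demo`. Two points carry over to any real supervisor: closing the listener on the supervisor side fails every pending intercepted call with ENOSYS, which is why the child drops its own copy, and the path must be read from the child's memory and then re-validated with SECCOMP_IOCTL_NOTIF_ID_VALID, because the child could otherwise race the check. Reading /proc/pid/mem is subject to ptrace access rules (Yama ptrace_scope), so the demo reports "unsupported here" rather than a false denial when that inspection is blocked.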

Credential Injection

Secrets are loaded from the system keystore (macOS Keychain, Linux Secret Service) and injected via a reverse proxy (--proxy-credential) or as environment variables (--env-credential). The reverse proxy approach ensures the agent never sees raw API tokens.

Terminal:

# Enable supervised mode with capability expansion
$ nono run --supervised --allow ~/projects/myapp -- claude

# Combine with credential injection via reverse proxy
$ nono run --supervised \
    --allow ~/projects/myapp \
    --proxy-credential openai \
    --proxy-credential anthropic \
    -- claude

# Or inject credentials as environment variables
$ nono run --supervised \
    --allow ~/projects/myapp \
    --env-credential openai_api_key,anthropic_api_key \
    -- claude

Terminal:

# Agent requests access to a new file
# nono intercepts via seccomp-notify on openat/openat2
[nono] Agent requests: FILE_WRITE ~/projects/other/config.yaml
Approve? [y/N/always] y
[nono] Expanding sandbox to include:
  ~/projects/other/config.yaml (write)
  Session-scoped. Will not persist after session ends.
# seccomp-notify passes the file descriptor directly
# via SCM_RIGHTS - no retry logic needed in the agent.

Supervisor Capabilities

File Expansion

Dynamically grant access to new files and directories. Pattern-based rules constrain what the supervisor can approve.

Network Expansion

Approve connections to new hosts at runtime. Denied by default, approved per-session with optional domain pattern matching.

Command Approval

Approve execution of commands not in the original allow-list. Session-scoped approval with full audit trail logging.
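The policy side of the three capabilities above, as an added C example written for this page (not nono's own code): a static allow-list standing in for --allow, a set of glob patterns that bound what a human approval is permitted to widen the sandbox to, session-scoped grants that live only in the in-memory session, and one audit line per decision. Targets are encoded as constructed "kind:value" strings (file:, net:, cmd:), so the same classify/decide logic serves file, network and command expansion; the glob semantics come from POSIX fnmatch(3) with '*' allowed to span '/', and the sample paths, hostnames and verdict names are all constructed for the example.

```c
/* Added example, not nono's code: the policy model behind runtime expansion.
 * Operator approval can only widen the sandbox within `approvable`; grants are
 * session-scoped and every decision is logged. Assumes POSIX fnmatch(3). */
#define _GNU_SOURCE
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32
enum verdict { ALLOW_STATIC, ALLOW_SESSION, ASK_OPERATOR, DENY_BY_OPERATOR, DENY_OUT_OF_SCOPE };
static const char *const verdict_name[] = {
    "allow(static)", "allow(session)", "ask", "deny(operator)", "deny(out-of-scope)" };

struct session {
    const char *static_allow[8];      /* granted up front, e.g. --allow ~/projects/myapp */
    const char *approvable[8];        /* the most a human approval may widen to */
    char grants[MAX_ENTRIES][256];    /* session-scoped expansions, never persisted */
    char audit[MAX_ENTRIES][320];     /* audit trail, one line per decision */
    int ngrants, naudit;
};

/* '*' spans '/' (flags = 0), so "file:/home/dev/projects/*" covers whole subtrees. */
static int match_any(const char *const *pats, const char *target) {
    for (int i = 0; pats[i]; i++)
        if (fnmatch(pats[i], target, 0) == 0) return 1;
    return 0;
}

/* Classify without prompting; ASK_OPERATOR means a prompt is warranted. */
enum verdict classify(const struct session *s, const char *target) {
    if (match_any(s->static_allow, target)) return ALLOW_STATIC;
    for (int i = 0; i < s->ngrants; i++)
        if (strcmp(s->grants[i], target) == 0) return ALLOW_SESSION;   /* no re-prompt */
    return match_any(s->approvable, target) ? ASK_OPERATOR : DENY_OUT_OF_SCOPE;
}

/* Apply the operator's answer. A "yes" for a target outside `approvable` is still
 * refused: the patterns bound the supervisor, not only the agent. */
enum verdict decide(struct session *s, const char *target, int operator_said_yes) {
    enum verdict v = classify(s, target);
    if (v == ASK_OPERATOR) {
        if (operator_said_yes && s->ngrants < MAX_ENTRIES) {
            snprintf(s->grants[s->ngrants++], sizeof s->grants[0], "%s", target);
            v = ALLOW_SESSION;
        } else v = DENY_BY_OPERATOR;
    }
    if (s->naudit < MAX_ENTRIES)
        snprintf(s->audit[s->naudit++], sizeof s->audit[0], "%s -> %s", target, verdict_name[v]);
    return v;
}

/* Constructed scenario mirroring the prompt transcript on the page. Fills
 * demo_session and returns the five verdicts concatenated as decimal digits. */
struct session demo_session;
int demo_scenario(void) {
    static const struct session start = {
        .static_allow = { "file:/home/dev/projects/myapp/*", NULL },
        .approvable   = { "file:/home/dev/projects/*", "net:*.example.com:443", NULL },
    };
    demo_session = start;
    const struct { const char *target; int yes; } reqs[] = {
        { "file:/home/dev/projects/myapp/src/main.rs", 0 },  /* static allow: no prompt */
        { "file:/home/dev/projects/other/config.yaml", 1 },  /* approved: session grant */
        { "file:/home/dev/projects/other/config.yaml", 0 },  /* cached grant: no re-prompt */
        { "net:api.example.com:443", 0 },                    /* operator declined */
        { "file:/home/dev/.config/secrets.toml", 1 },        /* "yes" but out of scope: refused */
    };
    int code = 0;
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        code = code * 10 + decide(&demo_session, reqs[i].target, reqs[i].yes);
    return code;   /* 1134 for the requests above (leading 0 for the static hit) */
}

int main(void) {
    int code = demo_scenario();
    for (int i = 0; i < demo_session.naudit; i++) puts(demo_session.audit[i]);
    printf("grants active this session: %d (verdict code %d)\n", demo_session.ngrants, code);
    return 0;
}
```

The design choice worth noticing is that `approvable` is checked in classify() before the operator is ever asked: a request the rules would never permit is denied outright rather than presented as a prompt, so a hurried "y" cannot widen the sandbox beyond what the pattern set allows. Grants live only in the `session` struct, which is what makes them session-scoped; persisting them would turn a one-off approval into a standing permission.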

Get started with nono

Runtime safety infrastructure that works on macOS, Linux, and in CI.