From the creator of
Sigstore
The standard for secure software attestation, used by PyPI, npm, brew, and Maven Central
Note
In the lead-up to a 1.0 release, APIs are stabilizing. API changes may still occur where necessary, but will be kept to a minimum.
nono is a capability-based, policy-governed runtime for AI agents.
It gives a process narrowly scoped access to the host resources it actually needs: specific paths, network destinations, sockets, environment variables, credentials, and operations. Policies are explicit, composable, auditable, and enforced by kernel primitives.
nono fits the space between "run the agent directly on my machine with full access to keys and files" and "seal it inside a separate guest OS." Agents work inside real development environments, with host resources modeled as explicit capabilities.
A profile states what the agent may touch, and nono applies it. The core library is policy-free: it applies only the capabilities a caller provides. The CLI, profiles, and registry packages carry the policy - and all inbuilt policy can be extended or overridden, since policy is fully composable.
For organizations, that means policy can be reviewed, versioned, distributed, and reused. A team can ship a standard profile for a class of agents, collect supervised audit records, preserve rollback evidence, and keep sensitive credentials in a trusted proxy path instead of injecting them directly into the agent process.
Platform support: macOS, Linux, and WSL2.
Install:
brew install nonoOther options in the Installation Guide.
nono pull agent packages from the registry for all popular agents — Claude Code, Codex, Pi, Hermes, OpenCode, OpenClaw, and more — or build your own and securely share plugins, SKILLS, and hooks with the community or your team.
nono run --profile always-further/claude -- claudeThe core is a Rust library that can be embedded into any application. Policy-free - it applies only what clients explicitly request.
use nono::{CapabilitySet, Sandbox};
let mut caps = CapabilitySet::new();
caps.allow_read("/data/models")?;
caps.allow_write("/tmp/workspace")?;
Sandbox::apply(&caps)?; // Irreversible -- kernel-enforced from here onAlso available as Python , TypeScript, Go bindings.
| Feature | Description |
|---|---|
| Kernel sandbox | Landlock (Linux) + Seatbelt (macOS). Irreversible, inherited by child processes. |
| Credential injection | Proxy mode keeps API keys outside the sandbox entirely. Supports keystore, 1Password, Apple Passwords. |
| Attestation | Sigstore-based signing and verification of instruction files (SKILLS.md, CLAUDE.md, etc.). |
| Network filtering | Allowlist-based host and endpoint filtering via local proxy. Cloud metadata endpoints hard-denied. |
| Snapshots | Content-addressable rollback with SHA-256 dedup and Merkle tree integrity. |
| Policy profiles | Pre-built profiles for popular agents and use cases. Custom profile builder for your own needs. |
| Audit logs | Default event audit for supervised runs, optional append-only integrity hashing, and optional rollback-backed filesystem evidence. |
| Cross-platform | Support for macOS, Linux, and WSL2. Native Windows support in planning. |
| Multiplexing | Run multiple agents in parallel with separate sandboxes. Attach/detach to long-running agents. |
| Runs anywhere | Local CLI, CI pipelines, Containers / Kubernetes, cloud VMs, microVMs. |
See the full documentation for details and configuration.
We encourage using AI tools to contribute. However, you must understand and carefully review any AI-generated code before submitting. Security is paramount. If you don't understand how a change works, ask in Discord first.
If you discover a security vulnerability, please do not open a public issue. Follow the process in our Security Policy.
Apache-2.0