-
(macos) Emit specific-op seatbelt rules for keychain DB allows
-
(sandbox) Allow Unix domain socket connections in restricted network modes
-
(learn) Print profile JSON as fallback when save fails
- Add github to credential route configuration
-
Upgrade rustls-webpki to 0.103.12 to fix RUSTSEC-2026-0098 and RUSTSEC-2026-0099
- Apply rustfmt
-
(claude-code) Enable token refresh via .claude.json symlink
-
(profiles) Prevent infinite recursion in profile extends check
-
(sandbox) Support claude-code profile extensions and simplify config
- (claude-code) Pre-create claude config lock directory
- (proxy-tls) Remove rustls-pemfile and use pki_types for pem parsing
- (proxy) Downgrade CONNECT-to-route-upstream log from warn to debug
-
Add ?decode=go-keyring query param for keyring:// URIs
-
Add keyring:// URI scheme for custom-service credential lookup
-
Chore: lint
-
Chore: revert to json! obj syntax
-
Chore: split predicate out again for provider specific claims
-
Refactor: expose build config URI extension
-
(pty) Improve session gone error detection when connecting
-
(cli) Increase detached session startup timeout and order
-
(trust) Support GitLab ID tokens for signing
-
Strip proxy artifacts and fix upstream connection handling
-
Revert doc string
-
Drop example workflow in comment
-
Mention GitLab tokens in doc comment
-
Use append to merge signer fields
-
Use build signer URI extension for trust
-
(gpu) Grant NVIDIA procfs paths required for CUDA init under --allow-gpu
-
(gpu) Add nvidia-uvm-tools to GPU device allowlist
-
(proxy) Add missing proxy field in regression tests
-
(network-policy) Activate anthropic credential in claude-code profile
-
(proxy) Set ANTHROPIC_API_KEY phantom token for anthropic credential
-
(sandbox) Use relative path for ~/.claude.json symlink
-
(sandbox) Redirect ~/.claude.json to ~/.claude/ via symlink on all unix platforms
-
(deps) Bump rustls from 0.23.37 to 0.23.38
-
(deps) Bump similar from 2.7.0 to 3.1.0
-
(deps) Bump rand from 0.10.0 to 0.10.1
-
(deps) Bump always-further/agent-sign from 0.0.8 to 0.0.11
-
(deps) Bump peter-evans/repository-dispatch from 3.0.0 to 4.0.1
-
(deps) Bump docker/build-push-action from 7.0.0 to 7.1.0
-
(deps) Bump softprops/action-gh-release from 2.6.1 to 3.0.0
-
(deps) Bump actions/upload-artifact from 7.0.0 to 7.0.1
- (macos) Auto-enable claude launch services, refine keychain access
- (policy) Improve seatbelt path regex escaping
-
(gpu) Add unit + integration coverage for NVIDIA procfs grants
-
(gpu) Extract is_nvidia_compute_device predicate and add unit tests
-
(proxy) Add regression test for issue #624 phantom token bug
- Fix rustfmt formatting in sandbox_prepare.rs
-
Address review feedback on downstream bump workflows
-
(fmt) Sort imports alphabetically in command_runtime.rs
-
(shell) Initialize proxy runtime when credentials are configured
-
(cli) Decouple audit trail from rollback
-
(proxy) Guard macOS keychain hint with platform check
-
(proxy) Warn when keychain credential is not found
-
(landlock) Widen /proc/self Landlock rule to /proc for grandchild access
-
(seccomp) Resolve /proc/self correctly for grandchild processes
-
(cli) Adjust ps command output column widths
-
(cli) Align status and attach columns in ps output
-
(test) Add --allow-cwd to GPU integration tests
-
(cli) Compile dummy GPU function for non-macOS tests
-
(pty-proxy) Exit early if client socket cannot be set nonblocking
-
(pty) Correctly handle blocking state for attach streams
-
(sandbox) Prevent interactive CWD prompt in detached mode
-
Tighten GPU IOKit surface to AGXDeviceUserClient only
-
(test) Handle non-default TMPDIR in linux nested home grant test
-
(policy) Remove broad ~/.local allow from openclaw profile on Linux
-
Remove nono-registry from downstream dispatch
-
Add release automation for downstream SDK repos
-
(readme) Add early alpha warning and remove separator
-
(readme) Overhaul content and visuals
-
(cli) Clarify --allow-gpu flag behavior and profile interaction
-
(macos) Make parent-of-protected-root relaxation opt-in via profile
-
(gpu) Add WSL2 GPU support via /dev/dxg passthrough
-
(gpu) Add Linux GPU access and improve macOS support
-
(profile) Introduce separate profile preparation for preflight
-
(cli) Introduce pre-flight CWD prompt for detached launches
- Remove test results file
- (seccomp) Skip read_tgid for direct child and use Cow for cap_check_path
-
(cli-validation) Propagate protected parent flag to cli validation
-
(command-blocking) Improve deprecation warning messages
-
(command-blocking) Deprecate startup-only command blocking
-
(macos) Address Gemini review feedback
-
(macos) Align GPU IOKit tests with tightened surface from #635
-
(gpu) Skip DRM tests if no render node permissions
- Deprecate startup-only command blocking surfaces in v0.33.0, add compatibility warnings, and document the child-process bypass.
- Add upstream mTLS client certificate support
-
Tighten GPU IOKit rules
-
Remove allow_gpu from default profiles
-
Address review feedback for --allow-gpu
-
Add docs for --allow-gpu flag and improve test coverage
-
(macos) Deny keychain Mach IPC services on modern macOS
-
(macos) Allow atomic-write temp files for writable capabilities
-
Add --allow-gpu flag for GPU access on Apple Silicon Macs
-
(trust) Add file:// backend for trust signing keys
-
(cli) Handle profile allow_file entries resolving to directories
-
(macos) Improve path resolution for non-existent files
-
(reverse-proxy) Authenticate requests on non-credentialed routes
-
(test) Guard EnvVarGuard::remove against unmanaged keys
-
(test) Prevent TMPDIR pollution by not auto-deleting temp dirs used as TMPDIR
-
(test) Add clippy disallowed_methods lint and migrate remaining unguarded env var tests
-
(test) Unify env var locks to eliminate flaky test failures
-
(policy) Avoid false deny for Nix store symlink targets on Linux
-
Allow filesystem.read entries to be files
-
(proxy) Address review feedback — normalize prefix in CredentialStore
-
(proxy) Handle route prefixes with leading slashes
-
(deps) Bump getrandom from 0.4.1 to 0.4.2
-
(deps) Bump tokio from 1.49.0 to 1.51.0
-
(deps) Bump sha2 from 0.10.9 to 0.11.0
-
(deps) Bump docker/login-action from 4.0.0 to 4.1.0
- (theme) Update theme colors
-
(macos) Expand keychain DB exception to include metadata DB
-
(macos) Allow future file grants and update policies
-
(nix) Improve NixOS compatibility for /nix/store paths
-
(wsl2) ABI-aware tests and rolling kernel documentation
-
(trust) Add files field for attesting arbitrary-location paths
- (scripts) Add script to manage Claude authentication state
- (nono-proxy/route) Cache upstream host:port for faster lookups
-
(proxy) Separate route configuration from credential configuration
-
(policy) Consolidate resolved deny target skipping logic
-
(macos) Allow DNS resolution via mDNSResponder in proxy and blocked modes (#588)
-
(profile) Add missing $TMPDIR and state dir to opencode profile
-
IPv6 normalization logic
-
(proxy) Disable NO_PROXY bypass on macOS (#580)
-
(policy) Grant ~/.cache/claude readwrite in claude-code profile
-
(proxy) Don't factor seatbelt for port lockdown
-
(pty_proxy) Improve write retry test reliability with deadline-based polling
-
(pty_proxy) Remove timeout from test recv to prevent race condition
-
(test) Resolve race condition and cache key uniqueness
- (deps) Sort wait-timeout in Cargo.lock and fix credentials resolution
-
(cli) Add --detached and --name flag documentation
-
Document supervised session lifecycle and runtime workflows
-
(cli) Add manifest support and improve sandbox preparation
-
(rollback) Add configurable rollback destination support
-
(pty,session,supervisor) Enhance PTY attach/detach and socket utilities
-
(pty_proxy) Improve logging and error handling for attach/detach
-
(exec_strategy) Replace startup timeout thread with interactive prompt
-
(diagnostic) Add macOS sandbox violation logging and startup timeouts
-
(rollback) Condition audit state creation on rollback request flags
-
(pty_proxy) Disable keyboard enhancement modes on terminal restore
-
(pty_proxy) Improve enhanced key detection and multi-key sequences
-
(pty_proxy) Support enhanced CSI u key sequences in detach detection
-
(runtime) Harden supervised child dumpability and fd passing
-
(runtime) Land supervised sessions and diagnostics stack
- (output) Consolidate leading break logic in print_terminal_block
-
(proxy) Add tls_ca field to file:// credential test fixtures
-
(proxy) Simplify tls_ca to tilde expansion and doc clarification
-
(proxy) Expand and validate tls_ca paths at credential resolution
-
(policy) Expand git config paths in credentials group
-
(credential,proxy) Add missing tls_ca and tls_connector fields
-
(proxy) Add custom CA certificate support for upstream TLS (closes #545)
-
(policy) Skip system temp grants when HOME is nested under TMPDIR
-
(policy) Split homebrew group into platform-specific variants
-
(proxy) Wrap CA file read in Zeroizing and improve error messages
-
(proxy) Reuse policy::expand_path for tls_ca expansion
-
(capability_ext) Extract locked test helpers for env isolation
-
(test) Extract environment variable guard into reusable utility
-
(cli) Remove proptest regression file for manifest roundtrip
-
(profile,query) Isolate environment variables and fix symlink test
- Fix rustfmt in tls_ca path expansion closure
-
(test) Use real temp directories for env_nono_allow_comma_separated
-
(proxy) Strip port suffix from allow_domain entries in proxy host filter
-
Tighten manifest round-trip fidelity and wire proxy from --config
-
(test) Use portable paths in manifest round-trip test
-
Harden --config flag conflicts and error handling
-
(macos) Align Seatbelt signal isolation with Linux Landlock behaviour
-
Gate deny-overlap test to Linux only
-
Harden deny-overlap validation, reject unknown profile fields, narrow user_tools scope
-
(deps) Bump tracing-subscriber from 0.3.22 to 0.3.23
-
(deps) Bump ureq from 3.2.0 to 3.3.0
-
Replace mention of --supervised with --capability-elevation in README
-
Address review feedback on wsl2 cross-references
-
Add WSL2 cross-references to feature docs and fix discoverability
-
Move endpoint filtering from credential injection to networking page
-
(keystore) Update module docs for file:// scheme and add redaction
-
(policy) Check credentials Option with is_some_and instead of field access
-
(proxy) Block CONNECT to credential upstreams and smart NO_PROXY
-
(sandbox) Add allow_domain ports to Landlock ConnectTcp rules
-
(profile) Allow child to override inherited credentials to empty
-
(schema) Allow additionalProperties for forward-compatible evolution
-
(cli) Add nono policy show --format manifest for profile-to-manifest compilation
-
(cli) Wire up --config manifest path in prepare_sandbox
-
(cli) Add conflicts_with to --config flag
-
(manifest) Add typify codegen, manifest module, and CapabilitySet conversion
-
(schema) Add capability manifest JSON Schema
-
(proxy) Auto-detect credential format from inject_header
-
(keystore) Preserve significant whitespace in secret files
-
(profile) Accept file:// credential keys in custom_credentials
-
(keystore) Wire file:// into credential dispatch and CLI mappings
-
(keystore) Add load_from_file() for file:// credential source
-
(keystore) Add file:// URI validation for local file credentials
-
(policy) Split linux system groups for granular host compatibility
-
Add $XDG_RUNTIME_DIR to variable expansion
-
Deduplicate path expansion and fs grant construction
-
(keystore) Extract file-backed secret helpers
-
(env_vars) Use as_str() for contains() calls
-
(env_vars) Replace to_str() with display().to_string()
-
(profile,trust_scan) Add env lock guards to fix test isolation
-
(cli) Add global env lock for parallel test isolation
-
(cli) Add integration tests for --config manifest flag
-
(profile) Add endpoint_rules field to credential test fixtures
- Keep ~/.local/state in user_tools, defer to #546
-
(learn) Make Enter actually skip profile save prompt (closes #431)
-
(proxy) Use lossy UTF-8 decoding for percent-encoded paths
-
(proxy) Percent-decode paths before endpoint rule matching
- (workflows) Decouple image build from release workflow
-
(deps) Bump docker/setup-buildx-action from 3.12.0 to 4.0.0
-
(deps) Bump toml from 1.0.6+spec-1.1.0 to 1.0.7+spec-1.1.0
-
(deps) Bump docker/setup-qemu-action from 3.7.0 to 4.0.0
-
(deps) Bump docker/build-push-action from 6.19.2 to 7.0.0
-
(deps) Bump docker/login-action from 3.7.0 to 4.0.0
-
(deps) Bump sigstore/cosign-installer from 3.10.1 to 4.1.1
- Add DCO sign-off requirement to CLAUDE.md
-
(wsl2) Security hardening from code review
-
(learn) Resolve fs_usage pipe buffering and process name mismatch on macOS
-
(workflows) Extract push condition to environment variable
-
(workflows) Extract Docker image build into reusable workflow
-
(release) Fix workflow inputs reference syntax
-
(release) Use inputs.tag fallback in Docker publish condition
-
(release) Support manual tag input in workflow conditions
- (wsl2) Add WSL2 documentation and feature matrix (Track 1.5)
-
(wsl2) Add WSL2 feature matrix to setup --check-only (Track 1.4)
-
(wsl2) Clarify proxy network enforcement on WSL2 (Track 1.3)
-
(wsl2) Guard seccomp notify paths for WSL2 (Track 1.2)
-
(wsl2) Add WSL2 detection, feature matrix, and integration tests (Track 1.1)
-
(proxy) Add L7 method+path endpoint filtering for reverse proxy routes (#465)
-
(ci) Add Docker image build and push to release workflow (#511) (#511)
-
(cli) Add --log-file flag to redirect logs to a file (#490) (#490)
- Add .gitattributes to enforce LF line endings
-
(undo) Support per-root exclusion filters in snapshot manager (#506) (#506)
-
(sandbox/linux) Add seccomp proxy-only network fallback (#503) (#503)
-
(trust) Add skip_dirs support to trust scanning and rollback preflight (#498) (#498)
-
Add documentation for add_deny_commands (#495) (#495)
-
Update GitHub Action badge to agent-sign (#494) (#494)
- (sandbox/linux) Add seccomp fallback for network (#496) (#496)
-
Block Unix socket connections via add_deny_access; add add_deny_commands (#488) (#488)
-
Handle relative paths in --rollback-dest pre-check (#486) (#486)
-
(deps) Bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0 (#479) (#479)
-
(deps) Bump which from 8.0.0 to 8.0.2 (#478) (#478)
-
(deps) Bump aws-lc-rs from 1.16.1 to 1.16.2 (#477) (#477)
-
(deps) Bump mislav/bump-homebrew-formula-action from 3.6 to 4.1 (#476) (#476)
-
(deps) Bump actions/cache from 5.0.3 to 5.0.4 (#474) (#474)
-
(deps) Bump always-further/agent-sign from 0.0.4 to 0.0.8 (#475) (#475)
- Remove compiled PDF, keep Typst source
-
(query) Add diagnostic details to path query results (#472) (#472)
-
(cli) Add --rollback-dest flag to override snapshot storage path
- (audit) Add cargo-audit ignores for AWS-LC X.509 advisories (#449) (#449)
- Add change classification to skip unnecessary jobs (#456) (#456)
-
Detect system architecture in deb installation command (#455) (#455)
-
Fix arrow direction in OS-level enforcement diagram (#453) (#453)
-
(clients) Recommend disabling agent sandboxes when running under nono (#451) (#451)
- (deps) Bump rustls-webpki from 0.103.9 to 0.103.10 (#443) (#443)
- (trust) Lazy verification of scan policies (#448) (#448)
-
(setup) Detect Landlock via syscall probe instead of LSM file (#417) (#417)
-
(cli) Add ~/.opencode to opencode profile paths (#421) (#421)
-
(policy) Add standard I/O and fd paths to base_posix group (#441) (#441)
-
(trust) Add --user flag to sign-policy for user-level trust policy (#440) (#440)
-
(trust) Scaffold policies, enforce missing includes at startup, and simplify write protection (#435) (#435)
- Fix installation command for nono-cli package (#426) (#426)
-
Support multiple base profiles in extends field (#399) (#399)
-
(cli) Standardize network flag naming and add listen_port support (#415) (#415)
- (deny) Canonicalize parent directories in deny access rules (#393) (#393)
-
(deps) Bump tempfile from 3.26.0 to 3.27.0 (#398) (#398)
-
(deps) Bump sigstore-sign from 0.6.3 to 0.6.4 (#397) (#397)
-
(deps) Bump clap from 4.5.60 to 4.6.0 (#396) (#396)
-
(deps) Bump actions/download-artifact from 8.0.0 to 8.0.1 (#395) (#395)
-
(deps) Bump softprops/action-gh-release from 2.5.0 to 2.6.1 (#394) (#394)
-
(sandbox) Add IpcMode capability for POSIX semaphores (macOS Seatbelt) (#412) (#412)
-
(learn) Add macOS network tracing via nettop (#403) (#403)
-
Add linux-arm64 (#402) (#402)
-
(hooks) Use resolved path in capability display (#387) (#387)
-
(main) Move cwd resolution before pre-fork sandbox setup (#370) (#370)
-
(policy) Honor excluded dangerous command groups for direct exec (#368) (#368)
-
(config) Remove hardcoded dangerous commands list (#366) (#366)
-
(exec) Prevent implicit cwd access under restrictive profiles (#363) (#363)
-
(profiles) Simplify group-based profile creation guide (#390) (#390)
-
(profiles-groups) Expand built-in profiles and add policy override examples (#376) (#376)
-
Restyle --help output with grouped sections and bold headings (#345) (#345)
-
(trust) Skip well-known heavy directories in instruction file walk (#388) (#388)
-
(cli) Add nono profile scaffolding and authoring tooling (#385) (#385)
-
(policy) Extract git config paths into reusable group (#383) (#383)
-
(cli) Add nono policy introspection subcommand (#382) (#382)
-
(profile) Add profile-level override_deny for deny group exceptions (#380) (#380)
-
(macos) Gate open shim installation behind launch services flag (#374) (#374)
-
(capability) Remove exact file caps when deny patch overrides grant (#367) (#367)
-
(policy) Deprecate security.trust_groups in favor of policy.exclude_groups (#357) (#357)
-
(policy) Use default profile groups for runtime policy resolution (#356) (#356)
-
(policy) Add extends field to embedded profiles (#355) (#355)
-
Add default profile with base group configuration (#352) (#352)
-
(profile) Add composable policy patch configuration (#351) (#351)
-
(setup) Move banner printing to main.rs (#386) (#386)
-
(supervisor) Remove never_grant in favor of protected roots (#360) (#360)
-
(policy) Remove deprecated base_groups and trust_groups fields (#359) (#359)
-
(policy) Deprecate base_groups in favor of default profile (#358) (#358)
- Narrow broad linux /etc and /proc reads in system_read policy (#350) (#350)
- (sandbox/linux) Add Landlock V6 signal scoping support (#344) (#344)
-
Release v0.17.0
-
Add OAuth2 URL opening support via supervisor IPC (#340) (#340)
-
Check access mode when determining if CWD is already covered (#334) (#334)
-
Updating docs to reflect pnpm support. (#332) (#332)
-
Update Homebrew install references (#326) (#326)
- (cli) Add pluggable theme system with 6 built-in palettes (#341) (#341)
- (cli) Standardize flags to verb-noun ordering (#302) (#302)
-
Add pnpm paths to policy.json (#320) (#320)
-
Add uv paths to python_runtime group (#313) (#313)
-
Allow tty ioctls on Linux v5+ (#310) (#310)
- Fix broken links and stale examples (#283) (#283)
-
Inject nono sandbox instructions via Claude Code system prompt (#322) (#322)
-
Add --external-proxy-bypass for routing domains direct (#309) (#309)
-
ABI-aware Landlock capability system (#256, #306) (#311) (#311)
-
Add built-in swival profile (#312) (#312)
-
Add same-sandbox process mode for signal and process-info (#299) (#299)
-
Migrate Homebrew distribution from tap to homebrew-core (#321) (#321)
-
Simplify instruction file signing with nono-attest Action (#317) (#317)
-
Allow opentui data dir in opencode profile (#296) (#296)
-
nono run default to direct exec when supervision is not needed (#295) (#295)
-
Add tilde expansion to profile paths and opencode binary access (#294) (#294)
-
Honor silent tracing output (#290) (#290)
-
Preserve supervised Linux open semantics (#289) (#289)
-
(deps) Bump sigstore-verify from 0.6.3 to 0.6.4 (#305) (#305)
-
(deps) Bump libc from 0.2.182 to 0.2.183 (#304) (#304)
-
(deps) Bump tempfile from 3.25.0 to 3.26.0 (#303) (#303)
- Document that gemini baseurl is ignored in opencode (#307) (#307)
-
Add Apple Passwords URI credential support (#229) (#229)
-
Add built-in Codex profile (#300) (#300)
-
Add Debian package support (#298) (#298)
-
Add capability_elevation profile field and OS-aware groups (#293) (#293)
-
Make claude-code profile platform-aware (#291) (#291)
- Resolve symlinked paths in deny rule checks (#272) (#279) (#279)
- Add environment variable equivalents for CLI flags (#270) (#278) (#278)
-
Resolve dirfd-relative paths in seccomp-notify handler (#262) (#277) (#277)
-
Show platform-correct path in user-level policy warning (#263) (#263)
-
Enforce macOS signal isolation via Seatbelt (#264) (#264)
-
(profile) Allow clearing inherited network profiles (#252) (#252)
- (readme) Update latest release note (#253) (#253)
-
Add port_allow to profile JSON NetworkConfig (#254) (#276) (#276)
-
Context-aware diagnostic banner for sandbox failures (#275) (#275)
-
(cli) Add --net-allow override (#251) (#251)
-
Add macOS learn mode using fs_usage and profile save prompt (#244) (#244)
-
Implement Cargo audit and update AWS-LC (#273) (#273)
-
Remove Monitor strategy, make Supervised the default (#267) (#267)
-
Add --allow-port for bidirectional localhost IPC between sandboxes (#248) (#248)
-
Unify proxy network audit with session audit trail (#231) (#231)
-
Add GitHub issue templates for bugs, features, and onboarding (#247) (#247)
-
Add GitHub issue templates for bugs, features, and onboarding
-
Don't inject phantom token for unavailable credentials (#234) (#236) (#236)
-
Allow CLI flags to upgrade access mode of profile-covered paths (#232) (#232)
-
Landlock network false-negative and runtime ABI probe in setup (#230) (#230)
-
Proxy host filtering and credential resolution for sandboxed (#215) (#215)
-
Include character device files in policy group resolution (#218) (#218)
-
Pre-create claude-code config lock file on Linux (#221) (#221)
-
Add --override-deny CLI flag for targeted deny group exemptions (#242) (#242)
-
Add env:// credential scheme and GitHub token proxy support (#227) (#227)
-
Remove RFC1918 private network CIDR deny list from host filter (#226) (#226)
-
Add allowed_commands support to profile security config (#204) (#204)
-
Profile inheritance via extends field (#203) (#203)
- Prevent --net-block bypass via proxy credential activation (#202) (#202)
- Rollback preflight with auto-exclude and walk budget (#200) (#200)
- Release v0.8.0
-
Reject parent directory traversal in snapshot manifest validation (#201) (#201)
-
Writes setup profiles to the correct directory on macOS (#184) (#184)
-
Add AccessFs::RemoveDir to Landlock write permissions (#199) (#199)
-
(network) Add claude.ai to llm_apis allow list (#206) (#206)
- Add conventional commits enforcement and auto-labeling (#194) (#194)
- Add 7 new integration test suites and parallelize test runner (#214) (#214)
- (docs) Add 1Password credential injection documentation (#198) (#198)
- Add 1Password secret injection via op:// URI support (#183)
- First release of separate nono and nono-cli packages