From the creator of
Sigstore
The standard for secure software attestation, used by PyPI, npm, brew, and Maven Central
Warning
Early alpha -- not yet security audited for production use. Active development may cause breakage.
Most sandboxes feel like sandboxes. Rigid, sluggish, and designed for a different problem entirely. nono was built from the ground up for AI agents - and the developer workfows they need to thrive - agent multiplexing, snapshots, credential injection, supply chain security out of the box. Develop alongside nono, then deploy anywhere: CI pipelines, Kubernetes, cloud VMs, microVMs. The one stop shop for all your clankers.
-
nono registry - we will be bringing online a skill and policy registry to allow uses to contribute agent skills (SKILLS.md, hooks, scripts etc), and policy - this will allow us to more easily scale to supporting all of the different agents, installers and linux dists. Security will be baked in from the start. Read more here
-
WSL2 support -- Auto-detection with ~84% feature coverage out of the box. Run
nono setup --check-onlyto see what's available. (#522)
Platform support: macOS, Linux, and WSL2.
Install:
brew install nonoOther options in the Installation Guide.
Built-in profiles for Claude Code, Codex, OpenCode, OpenClaw, and Swival -- or define your own.
The core is a Rust library that can be embedded into any application. Policy-free - it applies only what clients explicitly request.
use nono::{CapabilitySet, Sandbox};
let mut caps = CapabilitySet::new();
caps.allow_read("/data/models")?;
caps.allow_write("/tmp/workspace")?;
Sandbox::apply(&caps)?; // Irreversible -- kernel-enforced from here onAlso available as Python , TypeScript, Go bindings.
| Feature | Description |
|---|---|
| Kernel sandbox | Landlock (Linux) + Seatbelt (macOS). Irreversible, inherited by child processes. |
| Credential injection | Proxy mode keeps API keys outside the sandbox entirely. Supports keystore, 1Password, Apple Passwords. |
| Attestation | Sigstore-based signing and verification of instruction files (SKILLS.md, CLAUDE.md, etc.). |
| Network filtering | Allowlist-based host and endpoint filtering via local proxy. Cloud metadata endpoints hard-denied. |
| Snapshots | Content-addressable rollback with SHA-256 dedup and Merkle tree integrity. |
| Policy profiles | Pre-built profiles for popular agents and use cases. Custom profile builder for your own needs. |
| Audit logs | Verifiable logs of all agent actions, with optional remote upload and monitoring. |
| Cross-platform | Support for macOS, Linux, and WSL2. Native Windows support in planning. |
| Multiplexing | Run multiple agents in parallel with separate sandboxes. Attach/detach to long-running agents. |
| Runs anywhere | Local CLI, CI pipelines, Containers / Kubernetes, cloud VMs, microVMs. |
See the full documentation for details and configuration.
We encourage using AI tools to contribute. However, you must understand and carefully review any AI-generated code before submitting. Security is paramount. If you don't understand how a change works, ask in Discord first.
If you discover a security vulnerability, please do not open a public issue. Follow the process in our Security Policy.
Apache-2.0