Introducing nono: A Secure Sandbox for AI Agents
Source: Dev.to
Introduction
AI coding agents like Claude Code, OpenCode, and others are incredibly powerful—they can write code, refactor entire codebases, and automate tedious tasks. However, they run with your permissions, meaning they can read SSH keys, access AWS credentials, and potentially exfiltrate data. Current solutions often rely on the agent to police itself, but bugs and vulnerabilities are common.
nono is a capability‑based security shell that leverages kernel‑level primitives to sandbox AI agents and other untrusted processes. It uses Landlock on Linux and Seatbelt on macOS to create an environment where, once restrictions are applied, there is no API to escape them—not even for nono itself.
The name says it all: “no” to unauthorized filesystem access, “no” to secret exfiltration, “no” to destructive commands.
Why nono instead of containers?
| Concern | Containers | nono |
|---|---|---|
| Overhead | Requires images, layers, a runtime | No images or runtime; applies restrictions directly |
| Complexity | Managing volumes, networking, permissions | Simple CLI flags |
| Overkill for single commands | Yes | No, lightweight by design |
nono provides security without the weight of containers, VMs, or additional infrastructure.
Installation
macOS (Homebrew)
brew tap lukehinds/nono
brew install nonoBuild from source (Linux/macOS)
git clone https://github.com/lukehinds/nono.git
cd nono
cargo build --releaseBasic Usage
# Give Claude Code read/write access only to the current directory
nono run --allow . -- claude
# Separate read and write permissions
nono run --allow ./project-dir --write ./output claude
# Block network access entirely
nono run --allow . --net-block -- my-agent
# Preview what would happen (dry run)
nono run --allow . --dry-run -- my-commandOnce nono applies the sandbox, the kernel denies unauthorized operations. This is structural enforcement, not a policy filter that can be bypassed.
Protection Layers
| Layer | Protection | Can Be Overridden? |
|---|---|---|
| Command blocklist | Blocks dangerous binaries (rm, dd, chmod, sudo) | Yes, with --allow-command |
| Kernel (delete) | Blocks unlink/rmdir syscalls | No |
| Kernel (truncate) | Prevents zero‑ing out files | No |
| Filesystem sandbox | Restricts path access | Only via explicit --allow |
| Network sandbox | Blocks network access | Only by removing --net-block |
Sensitive paths such as SSH keys, AWS credentials, and shell configuration files are blocked by default. Child processes inherit all restrictions, preventing privilege escalation through subprocess tricks.
Visual Overview
Terminal
$ nono run --allow ./project -- claude
│
├─ nono (applies sandbox, then exec)
│ └─ Claude Code (sandboxed)
│ ✓ Can read/write ./project
│ ✗ Cannot access ~/.ssh, ~/.aws
│ ✗ Cannot delete filesPlatform Support
| Platform | Mechanism | Kernel Requirement | Status |
|---|---|---|---|
| Linux | Landlock LSM | 5.13+ | ✅ Filesystem |
| Linux | Landlock LSM | 6.7+ | ✅ Filesystem + Network |
| macOS | Seatbelt | 10.5+ | ✅ Filesystem + Network |
| Windows | — | — | 🚧 Not yet supported |
Debugging: nono why
$ nono why ~/.ssh/id_rsa
Path: /Users/you/.ssh/id_rsa
Status: BLOCKED
Reason: Sensitive path – SSH private keys are protected by defaultThe command explains why a path is blocked, making sandbox behavior easy to understand and debug.
Example Workflows
-
Run an AI coding agent safely
nono run --allow ./my-project -- claude -
Build code with restricted write access
nono run --read ./src --write ./target -- cargo build -
Run tests without network access
nono run --allow . --net-block -- npm test -
Process files without risk of deletion
nono run --read ./input --write ./output -- python process.py
License & Resources
- License: Apache 2.0
- Source code:
- Documentation:
Conclusion
As AI agents become more powerful and autonomous, the security model of “trust the agent to behave” becomes increasingly untenable. nono offers a different approach: make bad behavior impossible at the kernel level. Give it a try, experiment safely, and share your feedback.
Created by Luke Hinds – star the repository if you find it useful!