Audience
Developers & AI power users — Anyone running Claude Code, Cursor, OpenCode, or other CLI-based AI coding agents on their local machine who wants to prevent agents from accessing credentials, deleting files, or touching paths outside the project directory.
CISOs, security engineers & DevSecOps teams — Teams responsible for establishing safe agent usage policies across engineering organisations. nono provides kernel-enforced, auditable enforcement without requiring infrastructure changes.
Platform & ML engineers — Engineering teams building or evaluating agentic AI workflows who need runtime isolation as part of their agent stack.
Software companies adopting AI tooling — Organisations in software development, fintech, healthcare, and any regulated industry where developer workstations hold sensitive credentials, proprietary code, or compliance-relevant data that must not be accessible to autonomous agents.
Open source contributors & researchers — Security researchers and OSS contributors working with or studying AI agent threat models, kernel sandboxing, and runtime security primitives.
About nono
nono is an open source, kernel-enforced sandbox for AI coding agents and LLM workloads. Unlike policy-based guardrails that intercept and filter operations, nono uses OS security primitives — Landlock on Linux and Seatbelt on macOS — to make unauthorised operations structurally impossible at the syscall level.
Wrap any AI agent — Claude Code, OpenCode, OpenClaw, or any CLI process — with a single command. nono applies default-deny filesystem access, blocks destructive commands (rm, dd, chmod, sudo), isolates credentials and API keys, and cascades all restrictions to child processes. No escape mechanism exists once restrictions are applied.
Built-in profiles get you running in seconds. Secrets inject securely from the system keystore and are zeroised on exit. Audit logging, atomic rollbacks, and Sigstore-attested policy signing are on the roadmap.
Apache 2.0. From the creator of Sigstore.