nono  by always-further

Kernel-enforced capability sandbox for AI agents

Created 3 weeks ago

552 stars

Top 57.9% on SourcePulse

Project Summary

nono is a kernel-enforced capability sandbox for running untrusted AI agents and processes. It uses OS security primitives, Landlock on Linux and Seatbelt on macOS, to structurally prevent unauthorized operations, offering a more robust security model than traditional policy-based sandboxes. This approach suits developers and researchers who need to isolate potentially risky AI workloads.

How It Works

nono implements a capability-based security model by directly utilizing kernel features. On Linux, it employs Landlock, and on macOS, Seatbelt. This mechanism ensures that unauthorized operations are impossible at the kernel level, rather than relying on runtime interception. The system grants minimal, explicit permissions to agents, and any attempt to exceed these bounds is denied by the OS, providing a strong, structural security guarantee.
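The following added example (not nono's own code, and not taken from its repository) shows the Linux mechanism described above using the raw Landlock syscalls: a child process grants itself read-only access beneath one directory, and the kernel then refuses a file creation there. The function names and the /tmp path are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ABI, -1 if unavailable. ABI 1+: filesystem rules (5.13+); ABI 4+: TCP (6.7+). */
int landlock_abi(void) {
    return (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
}

/* Hypothetical helper: a child grants itself read-only access beneath `dir`,
   then tries to create a file there. Returns 1 if the kernel denied the
   write, 0 if it succeeded, -1 if the sandbox could not be applied. */
int write_denied_under_readonly_grant(const char *dir) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        __u64 ro = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
        struct landlock_ruleset_attr attr = {   /* access types the ruleset governs */
            .handled_access_fs = ro | LANDLOCK_ACCESS_FS_WRITE_FILE |
                LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REMOVE_FILE |
                LANDLOCK_ACCESS_FS_REMOVE_DIR };
        struct landlock_path_beneath_attr rule = {  /* the only grant: read under dir */
            .allowed_access = ro, .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
        int rs = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
        if (rs < 0 || rule.parent_fd < 0 ||
            syscall(SYS_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||   /* required when unprivileged */
            syscall(SYS_landlock_restrict_self, rs, 0))
            _exit(2);                                   /* sandbox not applied */
        char path[4096];
        snprintf(path, sizeof path, "%s/landlock-demo.tmp", dir);
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0) { unlink(path); _exit(1); }        /* write got through */
        _exit(errno == EACCES ? 0 : 2);                 /* 0: denied by Landlock */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0 ? 1 : WEXITSTATUS(st) == 1 ? 0 : -1;
}

int main(void) {
    printf("ABI %d, write denied: %d\n", landlock_abi(), write_denied_under_readonly_grant("/tmp"));
}
```

The restriction is applied in a forked child because a Landlock ruleset cannot be lifted once a process has enforced it on itself.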

Quick Start & Requirements

  • macOS: Install via Homebrew: brew tap lukehinds/nono && brew install nono.
  • Linux: Use prebuilt binaries or build from source (refer to Development Guide for details).
  • Prerequisites: Linux kernel 5.13+ for Landlock filesystem support, 6.7+ for network TCP support. macOS 10.5+ for Seatbelt. Windows is not yet supported.
  • Links: Client profiles include "Allowed Guide" links for specific agents.

Highlighted Details

  • Agent Agnostic: Works with any CLI command or AI agent, not limited to specific tools.
  • OS-Level Enforcement: Kernel denies unauthorized operations, preventing escapes.
  • Destructive Command Blocking: Defaults to blocking dangerous commands like rm, dd, chmod, sudo, and package managers for defense-in-depth.
  • Cross-Platform: Supports Linux (Landlock) and macOS (Seatbelt).
  • Kernel-Level Protection: Directory deletion is blocked everywhere; file deletion is blocked outside explicitly granted write paths.

Maintenance & Community

No specific details on contributors, sponsorships, or community channels (e.g., Discord, Slack) are provided in the README.

Licensing & Compatibility

Licensed under Apache-2.0, which is generally permissive for commercial use and integration into closed-source projects.

Limitations & Caveats

This project is an early alpha release and has not undergone comprehensive security auditing or peer review. It is not recommended for production environments due to potential instability and ongoing policy file changes. Windows support is not yet implemented.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 158
  • Issues (30d): 80
  • Star History: 563 stars in the last 25 days
