Always Further

nono

Contain. Control. Correct.

Kernel-enforced isolation, immutable auditing, and atomic rollbacks for AI agents - built into the nono CLI and native SDKs.

From the creator of Sigstore
The industry standard for software signing, used by PyPI, Homebrew, Maven and Google, GitHub, NVIDIA

OS-Level Isolation for AI Agents. Really awesome work and resource here

Chris Hughes

VP, Security Strategy @ Zenity

Neat project, thanks for sharing! I like the OS-specific security primitives, useful built-in profiles, and being able to customize what's allowed/blocked.

Clint Gibler

Head of Security Research at Semgrep

I integrated nono into my project this weekend and it was a breeze to work with!

Terra Tauri

Senior Engineer II, Bit Complete

nono hits the real problem: agents shouldn’t inherit full user trust by default. Treating them like untrusted processes, with deny-by-default filesystem, network, and secrets access, feels like the right baseline going forward.

snapsec

Centralising Application Security

Beautiful work! It is encouraging to see kernel security being taken seriously, especially during this current episode of OpenClaw and Moltbot.

Cuong Nguyen

Cloud Architect and System Engineer

Security without compromise

Unlike policy-based approaches that intercept and filter operations after they occur, nono leverages OS security primitives to create an environment where unauthorized operations are structurally impossible.

Profiles and Groups

Composable JSON profiles define exactly what an agent can access. 22 built-in groups cover runtimes, credential deny-lists, and dangerous commands.

Secrets Injection

Secrets load from the system keystore before sandboxing, then get injected as environment variables. Direct keystore access is blocked. Zeroised on exit.

Atomic Rollbacks

SHA-256 content-addressed snapshots capture filesystem state before and after execution. Restore any session with a single command.

Provenance and Audit

Every operation is recorded with a Merkle tree rooted in SHA-256 hashes. Cryptographically verify that no file was altered outside the sandbox.

Orchestrate Secure Environments

Programmable Guardrails for AI Agents - enforce kernel-level isolation, immutable audit trails, and atomic rollbacks with nono's native SDKs for Python, TypeScript, and Rust.

Coming soon
Python

    import nono_py as nono

    caps = nono.CapabilitySet()
    caps.allow_path("/project", nono.AccessMode.READ_WRITE)
    caps.block_network()
    nono.apply(caps)

TypeScript

    import { CapabilitySet, AccessMode, apply } from 'nono-ts';

    const caps = new CapabilitySet();
    caps.allowPath('/project', AccessMode.ReadWrite);
    caps.blockNetwork();
    apply(caps);

Rust

    use nono::{CapabilitySet, AccessMode, Sandbox};

    let caps = CapabilitySet::new()
        .allow_path("/project", AccessMode::ReadWrite)?
        .block_network();
    Sandbox::apply(&caps)?;

Get started

Get up and running in seconds.

    brew tap always-further/nono
    brew install nono

macOS via Seatbelt
Linux via Landlock

Building from source requires the Rust toolchain. See the docs for more installation options.