nono: OS-Level Isolation for AI Agents

OS-enforced sandboxing for untrusted AI agents and processes.

Brought to you by the creator of Sigstore

“OS-Level Isolation for AI Agents. Really awesome work and resource here”

Chris Hughes

VP, Security Strategy @ Zenity


“Neat project, thanks for sharing! I like the OS-specific security primitives, useful built-in profiles, and being able to customize what's allowed/blocked.”

Clint Gibler

Head of Security Research at Semgrep


“nono hits the real problem: agents shouldn’t inherit full user trust by default. Treating them like untrusted processes, with deny-by-default filesystem, network, and secrets access, feels like the right baseline going forward.”

snapsec

Centralising Application Security


“Beautiful work! It is encouraging to see kernel security being taken seriously, especially during this current episode of OpenClaw and Moltbot.”

Cuong Nguyen

Cloud Architect and System Engineer

Looking for how to secure OpenClaw?

Head over here.

Security without compromise

Unlike policy-based sandboxes that intercept and filter operations from user space, nono uses the OS's own security primitives: the kernel itself enforces the restrictions, so an operation that was never granted fails at the syscall boundary rather than at a filter the agent could probe for gaps.

No Escape Hatch

Once the sandbox is applied, there is no mechanism for the process to bypass or loosen it. Landlock and Seatbelt restrictions can only be tightened further from inside the sandbox, never relaxed, so an agent has no API through which to request more permissions.

Agent Agnostic

Works with any AI agent and, more generally, with any process you want to sandbox: nono wraps a command, so anything you can launch from a shell can be confined the same way.

OS-Level Enforcement

The kernel denies unauthorized operations directly. No interception, no filtering: a denied operation fails with a permission error at the syscall, and there is no user-space component in the path that an agent could crash, race, or talk around.

Cross-Platform

Linux support via Landlock (a Linux Security Module in the mainline kernel since 5.13) and macOS support via Seatbelt (the sandbox facility that also underlies App Sandbox). Both are native, unprivileged OS security primitives: an ordinary user process can apply them to itself, with nothing to install in the kernel.

How it works

nono follows a capability-based security model: you grant explicit capabilities (access rights to specific paths, not to be confused with Linux capabilities(7)), and the OS enforces exactly that set at the kernel level. Anything not granted is denied.

[Figure: nono architecture diagram]
1. Enter sandbox

You start nono with explicit capabilities for the paths you want to allow. Everything else is denied by default.

2. Sandbox applied

OS-level restrictions are applied. This is irreversible for the process: once a Landlock or Seatbelt restriction is in place, no call loosens it.

3. Command executed

The command runs with only the granted capabilities. Every child it spawns inherits the same restrictions, because the sandbox is attached to the process rather than to the command being run.
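The three steps above, as an added example written for this page rather than nono's own code: a minimal, Linux-only wrapper in C that takes PATH:FLAGS grants on the command line, builds and applies a Landlock ruleset, then execs the command so that it and every child inherit the restriction. The names ll_sandbox, apply_landlock, handled_fs_for_abi, access_mask_from_flags and the r/w/x flag syntax are this example's own assumptions; the syscall numbers, access-right values and struct layouts are the kernel's UAPI. The macOS (Seatbelt) side is not shown.

```c
/* Added example (not nono's code): the Landlock calls behind steps 1-3, via raw
 * syscalls so it builds without <linux/landlock.h>. Linux only; see usage in main(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_landlock_create_ruleset /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
/* Filesystem access rights (uapi values); bits 0-12 exist since ABI v1 (Linux 5.13). */
enum {
    LL_FS_EXECUTE = 1 << 0, LL_FS_WRITE_FILE = 1 << 1, LL_FS_READ_FILE = 1 << 2,
    LL_FS_READ_DIR = 1 << 3, LL_FS_REMOVE_DIR = 1 << 4, LL_FS_REMOVE_FILE = 1 << 5,
    LL_FS_MAKE_DIR = 1 << 7, LL_FS_MAKE_REG = 1 << 8, LL_FS_MAKE_SOCK = 1 << 9,
    LL_FS_MAKE_FIFO = 1 << 10, LL_FS_MAKE_SYM = 1 << 12,
    LL_FS_REFER = 1 << 13 /* ABI v2, 5.19 */, LL_FS_TRUNCATE = 1 << 14 /* ABI v3, 6.2 */,
    LL_CREATE_RULESET_VERSION = 1, LL_RULE_PATH_BENEATH = 1
};
/* Same layout as the kernel's landlock_ruleset_attr and landlock_path_beneath_attr. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Landlock ABI version of the running kernel, or -1 (errno set) if unavailable. */
long landlock_abi_version(void) {
    return syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* Deny-by-default covers only rights the ruleset "handles": unhandled rights stay allowed,
 * yet handling a right this kernel lacks fails with EINVAL, so the set follows the ABI
 * version (rights newer than v3, e.g. device ioctl in v5, are left open by this example). */
uint64_t handled_fs_for_abi(long abi) {
    uint64_t mask = 0x1fff; /* bits 0..12 */
    if (abi >= 2) mask |= LL_FS_REFER;
    if (abi >= 3) mask |= LL_FS_TRUNCATE;
    return mask;
}

/* Map grant flags "r", "w", "x" (as in "/tmp:rw") to an allowed_access mask, 0 on an
 * unknown flag. "w" spans create, delete, rename and truncate so a grant is predictable. */
uint64_t access_mask_from_flags(const char *flags, long abi) {
    uint64_t m = 0;
    for (const char *p = flags; *p; p++) {
        if (*p == 'r') m |= LL_FS_READ_FILE | LL_FS_READ_DIR;
        else if (*p == 'x') m |= LL_FS_EXECUTE;
        else if (*p == 'w') {
            m |= LL_FS_WRITE_FILE | LL_FS_REMOVE_DIR | LL_FS_REMOVE_FILE | LL_FS_MAKE_DIR |
                 LL_FS_MAKE_REG | LL_FS_MAKE_SOCK | LL_FS_MAKE_FIFO | LL_FS_MAKE_SYM;
            if (abi >= 2) m |= LL_FS_REFER;
            if (abi >= 3) m |= LL_FS_TRUNCATE;
        } else return 0;
    }
    return m;
}

/* Step 2: one rule per "PATH:FLAGS" grant, then restrict_self. Returns 0 or -errno. From
 * here on this task and every descendant reach only the granted paths; nothing widens it. */
int apply_landlock(const char *const *grants, int ngrants) {
    long abi = landlock_abi_version();
    if (abi < 0) return -errno;
    struct ll_ruleset_attr attr = { .handled_access_fs = handled_fs_for_abi(abi) };
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0), err = 0;
    if (rs < 0) return -errno;
    for (int i = 0; i < ngrants && err == 0; i++) {
        char path[4096]; snprintf(path, sizeof path, "%s", grants[i]);
        char *colon = strrchr(path, ':');
        if (!colon) { err = EINVAL; break; }
        *colon = '\0';
        struct ll_path_beneath_attr rule = {
            .allowed_access = access_mask_from_flags(colon + 1, abi) & attr.handled_access_fs };
        if (rule.allowed_access == 0) { err = EINVAL; break; }
        rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
        if (rule.parent_fd < 0) { err = errno; break; }
        if (syscall(__NR_landlock_add_rule, rs, LL_RULE_PATH_BENEATH, &rule, 0) < 0) err = errno;
        close(rule.parent_fd);
    }
    /* restrict_self insists on no_new_privs, so a setuid child cannot shed the sandbox. */
    if (err == 0 && (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
                     syscall(__NR_landlock_restrict_self, rs, 0) < 0)) err = errno;
    close(rs);
    return -err;
}

/* Steps 1 and 3: ./ll_sandbox [PATH:FLAGS ...] -- COMMAND [ARGS...]. With no grants at all
 * even the exec of COMMAND is denied, which is deny-by-default taken literally. */
int main(int argc, char **argv) {
    int sep = 1;
    while (sep < argc && strcmp(argv[sep], "--") != 0) sep++;
    if (sep + 1 >= argc) { fprintf(stderr, "usage: %s [PATH:FLAGS ...] -- COMMAND [ARGS...]\n", argv[0]); return 2; }
    int rc = apply_landlock((const char *const *)(argv + 1), sep - 1);
    if (rc < 0) { fprintf(stderr, "landlock: %s\n", strerror(-rc)); return 1; }
    execvp(argv[sep + 1], argv + sep + 1); /* a denied open now fails with EACCES, in the kernel */
    perror("execvp");
    return 127;
}
```

A run such as ./ll_sandbox /usr:rx /lib:rx /tmp:rw -- sh -c 'echo ok >/tmp/ok; echo no >/etc/no' lets the first write succeed and has the second fail with "Permission denied" from the kernel, with no user-space filter in the path. The example restricts filesystem access only; Landlock network rules exist from ABI v4 (Linux 6.7) and are not shown. Note the two properties the page relies on: restrict_self is one-way (a second ruleset applied later can only intersect with the first), and the restriction travels with the task across fork and exec, which is why the children of the wrapped command are covered.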

Install

Get up and running in seconds.

brew tap lukehinds/nono
brew install nono

Building from source requires the Rust toolchain. See the docs for more installation options.

Platform support

nono uses native OS security primitives for maximum reliability and performance.

macOS: Supported, via Seatbelt.

Linux: Supported, via Landlock. Landlock needs Linux 5.13 or later with the LSM enabled (CONFIG_SECURITY_LANDLOCK, and "landlock" present in the kernel's lsm= list; the active LSMs are listed in /sys/kernel/security/lsm). What can be restricted grows with the kernel's Landlock ABI version: filesystem rules from the start, file truncation from Linux 6.2, and TCP bind/connect restrictions from Linux 6.7.

Windows support is planned for a future release.