“OS-Level Isolation for AI Agents. Really awesome work and resource here”
Chris Hughes
VP, Security Strategy @ Zenity
Kernel-enforced isolation, immutable auditing, and atomic rollbacks — built into the CLI and native SDKs.
> brew install nono
import nono_py as nono
caps = nono.CapabilitySet()
caps.allow_path("/project", nono.AccessMode.READ_WRITE)
caps.block_network()
nono.apply(caps)

import { CapabilitySet, AccessMode, apply } from 'nono-ts';
const caps = new CapabilitySet();
caps.allowPath('/project', AccessMode.ReadWrite);
caps.blockNetwork();
apply(caps);

use nono::{CapabilitySet, AccessMode, Sandbox};
let caps = CapabilitySet::new()
    .allow_path("/project", AccessMode::ReadWrite)?
    .block_network();
Sandbox::apply(&caps)?;

C FFI bindings for any language with C interop
“Neat project, thanks for sharing! I like the OS-specific security primitives, useful built-in profiles, and being able to customize what's allowed/blocked.”
Clint Gibler
Head of Security Research at Semgrep
“I integrated nono into my project this weekend and it was a breeze to work with!”
Terra Tauri
Senior Engineer II, Bit Complete
“nono hits the real problem: agents shouldn’t inherit full user trust by default. Treating them like untrusted processes, with deny-by-default filesystem, network, and secrets access, feels like the right baseline going forward.”
snapsec
Centralising Application Security
“Beautiful work! It is encouraging to see kernel security being taken seriously, especially during this current episode of OpenClaw and Moltbot.”
Cuong Nguyen
Cloud Architect and System Engineer