
nono

nono is an open-source, kernel-enforced capability sandbox for AI agents — Landlock on Linux, Seatbelt on macOS — with irreversible privilege dropping and a credential-injection proxy that keeps API keys outside the sandbox entirely. 2,643 stars in four months, built by Sigstore creator Luke Hinds.

Key takeaways

  • 2,643 stars and 184 forks in just over four months (created January 31, 2026), with weekly releases — v0.62.0 shipped June 7, 2026 — making it the fastest-growing tool in the kernel-sandbox-for-agents niche
  • The differentiator is layering: kernel-enforced, irreversible capability dropping (Landlock/Seatbelt) plus a credential-injection proxy that keeps API keys outside the sandboxed process entirely, plus Sigstore-based attestation of instruction files like CLAUDE.md and SKILLS.md
  • Built by Luke Hinds — creator of Sigstore and co-founder of Stacklok — under a new company, Always Further, which is seeking enterprise design partners; the runtime itself is Apache-2.0 and free
  • Cross-platform where rivals are not: macOS (Seatbelt), Linux (Landlock), and WSL2, with native Windows support in planning

FAQ

What is nono?

nono is an open-source CLI and Rust library that sandboxes AI agents using kernel security primitives — Landlock on Linux and Seatbelt on macOS — granting a process only the specific paths, network destinations, and credentials it needs, with restrictions that cannot be reversed once applied.

How much does nono cost?

The runtime is free under the Apache-2.0 license. The company behind it, Always Further, has not published pricing and is recruiting enterprise design partners.

How does the credential-injection proxy work?

In proxy mode, API keys never enter the sandboxed agent process — a trusted local proxy injects credentials into outbound requests, sourcing them from the OS keystore, 1Password, or Apple Passwords, so a compromised agent cannot read or exfiltrate the keys.

How is nono different from landrun or yolobox?

landrun is a Linux-only Landlock wrapper whose development stalled in late 2025; yolobox wraps agents in Docker containers. nono applies kernel enforcement directly on macOS and Linux with no containers, and adds credential proxying, filesystem snapshots/rollback, audit logs, and a profile registry on top.

Executive Summary

nono is a capability-based, policy-governed runtime for AI agents: it gives a process narrowly scoped access to only the host resources it actually needs — specific paths, network destinations, environment variables, credentials — with policies enforced by kernel primitives, Landlock on Linux and Seatbelt on macOS.[1] Once restrictions are applied they are irreversible and inherited by every child process; if the agent tries to read ~/.ssh or write outside its granted paths, the operation fails at the syscall level, with no API to escape — not even for nono itself.[2] The positioning is explicit: the space between "run the agent directly with full access to keys and files" and "seal it inside a separate guest OS."[1] Sandboxing an agent is one command: nono run --allow ./project -- claude.[2]

The project is the work of Luke Hinds — creator of Sigstore, the software-signing standard used by PyPI, npm, Homebrew, and Maven Central, and co-founder of supply-chain security startup Stacklok ($17.5M raised, 2023) — now building nono under a new company, Always Further.[1][3][4] Created January 31, 2026, the repository reached 2,643 stars and 184 forks by June 11, 2026, with commits landing the same day and v0.62.0 released June 7 — the fastest trajectory in the local agent sandbox niche, overtaking landrun's 2,217 stars in a fraction of the time.[1]

| Attribute | Value |
| --- | --- |
| Creator | Luke Hinds (Sigstore creator, Stacklok co-founder), via Always Further[1][3] |
| Created | January 31, 2026[1] |
| GitHub Stars | 2,643 (184 forks, 161 open issues) as of June 11, 2026[1] |
| Language | Rust core; Python, TypeScript, Go bindings[1] |
| License | Apache-2.0[1] |
| Platforms | macOS (Seatbelt), Linux (Landlock), WSL2; native Windows planned[1] |

Product Overview

The core loop: state what the agent may touch in a profile, and nono applies it before exec'ing the agent. Pre-built policy profiles for popular agents — Claude Code, Codex, Pi, Hermes, OpenCode, OpenClaw — can be pulled from a registry (nono pull), or composed and published as custom profiles; all inbuilt policy can be extended or overridden.[1] Dangerous defaults are handled out of the box: sensitive paths like ~/.ssh and ~/.aws are protected, and cloud metadata endpoints are hard-denied.[2][1] A nono why ~/.ssh/id_rsa debugging command explains why an access was blocked.[2]

Around the kernel sandbox, nono layers what the vendor calls defense in depth: credential proxying, filesystem snapshots with rollback, cryptographic audit logs, supply-chain attestation of agent instruction files, and a runtime supervisor for approval-gated permission expansion.[4]

Key Capabilities

| Capability | Description |
| --- | --- |
| Kernel sandbox | Landlock (Linux) + Seatbelt (macOS); irreversible, inherited by child processes[1] |
| Credential injection | Proxy mode keeps API keys outside the sandbox entirely; sources from keystore, 1Password, Apple Passwords[1] |
| Network filtering | Allowlist-based host/endpoint filtering via local proxy; cloud metadata endpoints hard-denied[1] |
| Snapshots & rollback | Content-addressable snapshots with SHA-256 dedup and Merkle-tree integrity[1] |
| Attestation | Sigstore-based signing/verification of instruction files (SKILLS.md, CLAUDE.md)[1] |
| Audit logs | Default event audit for supervised runs; optional append-only integrity hashing[1] |
| Multiplexing | Parallel agents in separate sandboxes; attach/detach to long-running sessions[1] |
| Profile registry | nono pull packages for popular agents; publish and share custom profiles[1] |

Technical Architecture

nono ships as a single CLI installed via Homebrew, with a policy-free Rust core library that applies only the capabilities a caller provides — the CLI, profiles, and registry packages carry the policy.[1]

brew install nono
nono run --profile always-further/claude -- claude
nono run --read ./src --write ./target -- cargo build

On Linux, enforcement uses the Landlock LSM (filesystem on kernel 5.13+, network restrictions on 6.7+); on macOS, Apple's Seatbelt handles filesystem and network sandboxing.[2] The kernel structurally denies unauthorized operations rather than filtering them in userspace, and all child processes inherit the restrictions — a spawned Python script or compiled binary is equally sandboxed.[2][5] The credential proxy is the architectural piece container-based rivals lack: secrets are injected into outbound requests by a trusted proxy path instead of being placed in the agent's environment.[1]
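
The credential-injection and allowlist behaviour described above, modelled as an added example (not nono's code or profile format). The host names, key name, `LLM_BASE_URL` variable and proxy address are hypothetical, and the keystore is a constructed dict.

```python
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed values for illustration; none of these names come from nono.
KEYSTORE = {"LLM_API_KEY": "sk-constructed-example"}   # stands in for the OS keystore
ALLOWED_HOSTS = {"api.llm.example": "LLM_API_KEY"}      # host -> credential to inject
HARD_DENY = {"169.254.169.254", "metadata.google.internal"}  # cloud metadata endpoints
CRED_HEADERS = {"authorization", "proxy-authorization", "x-api-key"}


class Denied(Exception):
    """Raised when the proxy refuses to forward a request."""


def proxy_rewrite(url, headers):
    """Return the headers the trusted proxy would send upstream for an agent request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases the host
    if host in HARD_DENY:
        raise Denied(f"hard-denied metadata endpoint: {host}")
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        raise Denied(f"not on allowlist: {parts.scheme}://{host}")
    # Drop credential headers the agent supplied so it cannot choose the identity.
    out = {k: v for k, v in headers.items() if k.lower() not in CRED_HEADERS}
    out["Authorization"] = "Bearer " + KEYSTORE[ALLOWED_HOSTS[host]]
    return out


def agent_env(parent_env):
    """Environment handed to the agent: secrets removed, proxy address added."""
    env = {k: v for k, v in parent_env.items() if k not in KEYSTORE}
    env["LLM_BASE_URL"] = "http://127.0.0.1:8080"  # hypothetical local proxy address
    return env


def agent_can_see_key(parent_env, scrub=True):
    """Spawn a child that dumps its environment and report whether a key appears."""
    env = agent_env(parent_env) if scrub else dict(parent_env)
    dump = subprocess.run(
        [sys.executable, "-c", "import os; print(dict(os.environ))"],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    return any(secret in dump for secret in KEYSTORE.values())
```

With `scrub=False` the child reads the key straight from its environment, which is the case the proxy mode is meant to avoid.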

Key Technical Details

| Aspect | Detail |
| --- | --- |
| Deployment | Local CLI, CI pipelines, containers/Kubernetes, cloud VMs, microVMs[1] |
| Enforcement | Landlock (Linux), Seatbelt (macOS); kernel-level, irreversible[1] |
| Bindings | Embeddable Rust library; Python, TypeScript, Go bindings; C FFI for others[1][4] |
| Maturity | Pre-1.0; APIs stabilizing, v0.62.0 (June 7, 2026)[1] |
| Open Source | Apache-2.0, fully open[1] |

Strengths

  • Kernel enforcement with no container tax — restrictions are applied directly to the process via Landlock/Seatbelt, with no daemon, images, or guest OS; the agent works inside the real development environment.[1][2]
  • Credentials never enter the sandbox — the injection proxy is a structurally stronger answer to key exfiltration than any path-blocking approach, since there is nothing in the agent's environment to steal.[1]
  • Cross-platform where the category is fragmented — macOS and Linux from one tool, against Linux-only Landlock wrappers and Docker-dependent alternatives; WSL2 supported, native Windows planned.[1]
  • Pedigree and velocity — built by the Sigstore creator, 2,643 stars in just over four months, same-day commit activity, and three releases in the first week of June 2026 alone.[1][3]
  • More than a sandbox — snapshots/rollback, Merkle-committed audit logs, and Sigstore attestation of CLAUDE.md/SKILLS.md files address prompt-injection supply-chain risk no sibling tool touches.[1]
  • Embeddable — the policy-free Rust core with Python/TypeScript/Go bindings lets agent platforms build nono in rather than shelling out to a CLI.[1]

Cautions

  • Pre-1.0 with real churn — APIs are still stabilizing by the project's own notice, and 161 open issues against a four-month-old codebase means early adopters will hit edges.[1]
  • Access control, not full isolation — like all Landlock/Seatbelt approaches, nono restricts filesystem, network, and credentials but does not provide PID namespaces, memory limits, or a separate kernel; the project itself positions containers/VMs as the heavier alternative for full isolation.[1]
  • Environment variables remain a soft spot — HN commenters noted that if secrets are already in the environment and network egress is allowed, an agent can exfiltrate them before mitigations matter; the proxy mode exists precisely to avoid putting keys in the environment, but you have to use it.[5][1]
  • Real-world friction at the device layer — an independent adopter hit a Bun/Claude Code segmentation fault that required manually granting /dev/tty, /dev/null, and /dev/urandom before the agent would run.[6]
  • Community discussion is thinner than the star count suggests — the Show HN drew only 4 points and 5 comments, and most third-party coverage traces back to the author's own launch posts.[5][2]
  • Commercial trajectory is undefined — Always Further is recruiting enterprise design partners with no published pricing, so the open-core boundary between the Apache-2.0 runtime and a future paid product is not yet drawn.[4]

What Developers Say

Community commentary is still sparse relative to the project's growth: the February 2026 Show HN drew just 5 comments, with the launch-month Hugging Face post and a handful of independent adoption write-ups making up the rest.[5][2]

"I think with access to bash any AI agent can write a basic python/bash script and run it to evade your sandbox, Right?" — gossterrible on Hacker News[5]

"All child processes inherit the restrictions—if the agent spawns Python, Bash, or compiles and runs a binary, that process is equally sandboxed." — decodebytes (Luke Hinds, the author — vendor voice) in reply[5]

"If the agent can run printenv in the first millisecond and exfiltrate it (if net is allowed), zeroizing won't help." — veunes on Hacker News[5]

"Biggest thing I'd want as a user is very explicit docs on the remaining gaps (macOS read-permissive mode, procfs/env/subprocess behavior)." — sukinai on Hacker News[5]

"nono blocked access to this command, and gave me some feedback about why the command failed." — Shane Boulden, in an independent OpenShift + Claude Code write-up[6]


Pricing & Licensing

| Tier | Price | Includes |
| --- | --- | --- |
| Open source | Free | Full CLI, kernel sandbox, credential proxy, snapshots, audit, registry profiles[1] |
| Enterprise | Not published | Always Further is recruiting design partners for enterprise deployment[4] |

Licensing model: Apache-2.0 for the runtime, libraries, and bindings on GitHub; the company behind it is venture-style but undisclosed in structure, with hiring open.[1]

Hidden costs: None today — you bring your own agent and API keys. The risk is forward-looking: an undefined open-core line once enterprise packaging lands.[4]


Competitive Positioning

Direct Competitors

| Competitor | Differentiation |
| --- | --- |
| Landrun | The original Landlock-wrapper (2,217 stars) but Linux-only and stalled since October 2025; nono covers macOS too, adds credential proxying, snapshots, and attestation, and ships weekly |
| YOLObox | Docker-container approach with batteries-included agent images; broader isolation but requires a container runtime, and secrets still enter the container — nono enforces at the kernel with keys held outside |
| Anthropic Sandbox Runtime | First-party OS-level sandboxing for Claude Code from the agent vendor itself; nono is agent-agnostic, adds the credential proxy and audit/rollback layers, and is policy-composable across teams |
| bubblewrap / firejail | General-purpose Linux namespace sandboxes; not agent-aware, no profiles, proxying, or rollback |

When to Choose nono Over Alternatives

  • Choose nono when: you run agents on macOS and Linux and want one kernel-enforced tool, when API-key exfiltration is your top threat (the proxy keeps keys out entirely), or when you need audit trails and rollback evidence for organizational policy.
  • Choose Landrun when: you are Linux-only and want the smallest possible auditable binary, and can accept an unmaintained dependency.
  • Choose YOLObox when: you want full container isolation with pre-baked agent images and don't mind the Docker dependency.
  • Choose Anthropic Sandbox Runtime when: you are all-in on Claude Code and prefer first-party defaults over a third-party policy layer.

Ideal Customer Profile

Best fit:

  • Developers running Claude Code, Codex, or OpenCode in YOLO/full-permission mode on their own machines who want kernel-level guarantees that ~/.ssh, ~/.aws, and API keys are unreachable
  • Teams that want versioned, reviewable, shareable sandbox policy — a standard profile per agent class, with audit records[1]
  • Agent platform builders who want to embed capability enforcement via the Rust/Python/TypeScript/Go libraries[1]

Poor fit:

  • Workloads needing full isolation — memory/CPU limits, separate kernel, multi-tenant hostile code (use microVMs or containers)
  • Native Windows environments (WSL2 only today)[1]
  • Teams that require a 1.0-stable, slow-moving dependency[1]

Viability Assessment

| Factor | Assessment |
| --- | --- |
| Financial Health | Unknown — Always Further's funding is undisclosed; the founder previously co-founded $17.5M-backed Stacklok, and the company is hiring[3][1] |
| Market Position | Category leader by stars among local kernel-sandbox tools (2,643 vs landrun's 2,217), with the broadest feature surface[1] |
| Innovation Pace | Very high — created January 31, 2026; v0.62.0 by June 7 with same-day commit activity[1] |
| Community/Ecosystem | Growing but shallow — 184 forks and a Discord, yet only 5 Show HN comments and limited independent evaluation[1][5] |
| Long-term Outlook | Strong technically; the open question is the commercial model and whether first-party agent vendors absorb the niche[4] |

The pedigree-to-traction combination is the story: the Sigstore creator applying supply-chain security instincts (attestation, audit, provenance) to agent runtime safety, with the fastest star growth in the niche and an active release cadence — exactly the maintenance profile landrun lacked.[1][3] The risks are the usual pre-1.0 ones, plus a commercial layer that hasn't been priced.[4]


Bottom Line

nono is currently the most complete answer to local agent sandboxing: kernel-enforced and irreversible like landrun, cross-platform unlike it, container-free unlike yolobox, and alone in keeping credentials structurally outside the sandbox via its injection proxy. The Sigstore-rooted attestation and audit layers suggest where it's headed — agent runtime safety as organizational policy, not just personal hygiene. It is also four months old, pre-1.0, and backed by a company whose business model is not yet visible.

Recommended for: Developers and teams running coding agents in full-permission mode on macOS or Linux who want kernel-level guarantees plus credential isolation, and platform builders who want an embeddable enforcement library.

Not recommended for: Hostile multi-tenant isolation, native Windows, or teams that need API stability and an established support contract today.

Outlook: The strongest momentum in the local agent sandbox niche. Watch the 1.0 release, the enterprise design-partner program's pricing, and whether Anthropic's first-party sandbox runtime narrows the gap nono fills for Claude Code users.


Research by Ry Walker Research • methodology