1 point by decodebytes 2 hours ago | 1 comment
  • decodebytes 2 hours ago
    Hey HN

    Luke here.

    I wanted to introduce a project I have been building for the past few weeks in response to events such as openclaw and the glaring security issues at hand. Prior to nono, I created Sigstore, a project used for software supply chain security now used by PyPI, npm, brew and GitHub for release attestation and provenance.

    The problem: Protecting the host from the agent is largely solved by microVMs (kata, firecracker) and containers. nono is more focused on protecting the environment or workspace itself. Having said that, the isolation controls from the host are pretty solid as we use landlock and seatbelt.

    nono uses OS-level isolation, atomic snapshots, command auditing, and secret / token protections (using keychain on Linux and the secure enclave chip on Apple).

    Linux: Landlock LSM (kernel 5.13+)

    macOS: Seatbelt (sandbox_init)

    After sandbox + exec(), there's no syscall to expand permissions. The kernel says no.

    Filesystem: read/write/allow per directory or file

    Network: block entirely (per-host filtering planned)

    Atomic Rollbacks:

    Content-addressable storage: Files are stored by SHA-256 hash. Identical content is never duplicated, keeping storage efficient even across long sessions with many reverts.

    Every snapshot is committed to a Merkle tree. Tampering or corruption becomes more easily detectable.

    Audit trail of commands: nono automatically generates a cryptographically verifiable audit trail of every file change made by a sandboxed AI agent.

    SDKs. We have two SDKs releasing soon using FFI bindings, Python and TypeScript, to allow users to easily implement nono features into their own code base.

    Technical details:

    Written in Rust. Uses the landlock crate on Linux, raw FFI to sandbox_init() on macOS. Secrets via keyring crate. All paths canonicalized at grant time to prevent symlink escapes.

    Landlock ABI v4+ gives us TCP port filtering. Older kernels fall back to full network allow/deny. macOS Seatbelt profiles are generated dynamically as Scheme-like DSL strings.

    Limitations:

    Network is binary, on or off - plans are in place to introduce IP filtering.

    GitHub: https://github.com/always-further/nono

    Docs: https://docs.nono.dev

    Site: https://noto.sh

    Apache 2.0. Would love feedback!
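
The post's point about canonicalizing paths at grant time, as an added illustration that is not part of the post and not nono's code: a std-only, user-space Rust model contrasting a lexical prefix check with a check on resolved paths. `Grant`, `covers`, `naive_covers` and `demo` are hypothetical names, and the directory tree is constructed in a temp directory (Unix only).

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// A filesystem grant whose root is resolved once, when it is granted.
pub struct Grant {
    root: PathBuf,
}

impl Grant {
    /// Resolve symlinks and `..` in the requested path before storing it.
    pub fn new(requested: &Path) -> io::Result<Grant> {
        Ok(Grant { root: fs::canonicalize(requested)? })
    }

    /// True only if `candidate` resolves to a location under the granted root.
    /// Paths that cannot be resolved are treated as not covered.
    pub fn covers(&self, candidate: &Path) -> bool {
        fs::canonicalize(candidate)
            .map(|real| real.starts_with(&self.root))
            .unwrap_or(false)
    }
}

/// Lexical check: compares path components without touching the filesystem.
pub fn naive_covers(root: &Path, candidate: &Path) -> bool {
    candidate.starts_with(root)
}

/// Builds a constructed tree: workspace/link is a symlink to a sibling dir.
/// Returns (naive on link path, canonical on link path, canonical on real file).
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("grant-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (workspace, outside) = (base.join("workspace"), base.join("outside"));
    fs::create_dir_all(&workspace)?;
    fs::create_dir_all(&outside)?;
    fs::write(outside.join("secret.txt"), "constructed sample data")?;
    fs::write(workspace.join("notes.txt"), "constructed sample data")?;
    std::os::unix::fs::symlink(&outside, workspace.join("link"))?;

    let grant = Grant::new(&workspace)?;
    let via_link = workspace.join("link").join("secret.txt");
    let result = (
        naive_covers(&workspace, &via_link),
        grant.covers(&via_link),
        grant.covers(&workspace.join("notes.txt")),
    );
    fs::remove_dir_all(&base)?;
    Ok(result)
}
```

The lexical check accepts the path through the symlink because it only compares components; the resolved check rejects it while still accepting the real file inside the workspace.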