New sandbox tool blocks AI agents from stealing SSH keys, AWS credentials

nono uses kernel primitives to make unauthorized filesystem access structurally impossible for AI coding agents. The open-source tool ships days after exploits hit OpenClaw, Cursor, and other agents running with full user permissions.

AI coding agents like Claude Code and OpenClaw run with your user's permissions. Anything you can read, the agent can read, SSH keys and AWS credentials included, and anything it can read it can ship elsewhere. Last week proved it: OpenClaw servers were hit with a one-click remote code execution bug that enabled data theft.

Developer Luke Hinds released nono as a direct response. The open-source tool uses kernel-level primitives, Landlock on Linux and Seatbelt on macOS, to sandbox AI agents at the OS level. Once applied, the restrictions are irreversible for the lifetime of the process: a Landlock ruleset can be stacked with a tighter one but never loosened, and there is no API to escape it, not even for nono itself.

Why not Docker?

Containers work, but they're heavy: you need images, layers and runtime management. nono applies kernel-enforced restrictions directly to a process. No containers, no VMs, no infrastructure. The trade-off is that the boundary is a policy the host kernel enforces on an ordinary process, not a separate kernel or VM, which fits a developer laptop better than it fits hostile multi-tenant workloads.

The tool blocks dangerous commands (rm -rf, dd, sudo) and protects sensitive paths (~/.ssh, ~/.aws) by default. You explicitly allow what the agent can access: nono run --allow ./project -- claude gives Claude read-write to that directory only. Network access? Blocked with --net-block.

Child processes inherit all restrictions. Landlock rules follow a process across fork and exec, so a shell, package manager or script the agent spawns is bound by the same policy, and there is no privilege escalation through subprocess tricks.
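The Landlock sequence behind the "allow one directory, deny everything else" behaviour described above, as an added example written for this article rather than nono's own code. It makes the raw syscalls (numbers 444 to 446, which are the same on every architecture) with locally defined copies of the uapi structs so it builds without fresh kernel headers; those names, the scratch directory under /tmp standing in for ./project, and / standing in for a sensitive path such as ~/.ssh are all assumptions of the example. The probe forks so the parent stays unconfined, which is also the inheritance the article describes: the child applies the ruleset and the checks run under it.

```c
/* Added example, not nono's code: confine a child process to one directory
 * with Landlock and prove that everything outside it is denied. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock syscall numbers are architecture-independent (fallback if headers are old). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_ACCESS_FS_V1 ((1ULL << 13) - 1)  /* execute .. make_sym, ABI 1 */
#define LL_ACCESS_FS_REFER (1ULL << 13)     /* ABI 2 */
#define LL_ACCESS_FS_TRUNCATE (1ULL << 14)  /* ABI 3 */
#define LL_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* ABI 5 */

/* Local copies of the uapi structs (assumed names) so this builds anywhere. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Landlock ABI version, or -1 when the kernel lacks it (ENOSYS) or boots without the LSM (EOPNOTSUPP). */
int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, (size_t)0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Every filesystem right this kernel implements. Handling rights it does not know
 * fails with EINVAL; handling too few leaves e.g. truncate unrestricted on newer kernels. */
uint64_t landlock_fs_rights(int abi)
{
    uint64_t rights = LL_ACCESS_FS_V1;
    if (abi >= 2) rights |= LL_ACCESS_FS_REFER;
    if (abi >= 3) rights |= LL_ACCESS_FS_TRUNCATE;
    if (abi >= 5) rights |= LL_ACCESS_FS_IOCTL_DEV;
    return rights;
}

/* Confine the calling process to allowed_dir. Returns 0 or -errno.
 * After landlock_restrict_self() succeeds there is no call that undoes it. */
int landlock_confine(const char *allowed_dir, uint64_t rights)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = rights };
    int e;
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0) return -errno;

    int dir_fd = open(allowed_dir, O_PATH | O_CLOEXEC);
    if (dir_fd < 0) { e = errno; close(ruleset_fd); return -e; }
    struct ll_path_beneath_attr rule = { .allowed_access = rights, .parent_fd = dir_fd };
    long rc = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    e = errno;
    close(dir_fd);
    if (rc < 0) { close(ruleset_fd); return -e; }

    /* Mandatory for an unprivileged process; also blocks regaining rights via setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { e = errno; close(ruleset_fd); return -e; }
    rc = syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    e = errno;
    close(ruleset_fd);
    return rc < 0 ? -e : 0;
}

/* Apply the sandbox in a forked child (it inherits nothing else, the parent stays free).
 * Returns 1 if denied_dir gave EACCES while allowed_dir stayed readable,
 * 0 if Landlock is unavailable on this kernel, -1 if the sandbox misbehaved. */
int sandbox_probe(const char *allowed_dir, const char *denied_dir)
{
    int abi = landlock_abi_version();
    if (abi < 1) return 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (landlock_confine(allowed_dir, landlock_fs_rights(abi)) != 0) _exit(2);
        int fd = open(denied_dir, O_RDONLY | O_DIRECTORY);
        if (fd >= 0 || errno != EACCES) _exit(3);  /* must be EACCES, not ENOENT or success */
        fd = open(allowed_dir, O_RDONLY | O_DIRECTORY);
        if (fd < 0) _exit(4);                      /* the allowed subtree must still work */
        close(fd);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : -1;
}

/* Constructed scratch directory stands in for ./project; "/" stands in for ~/.ssh. */
int run_demo(void)
{
    char scratch[] = "/tmp/landlock-demo-XXXXXX";
    if (!mkdtemp(scratch)) return -1;
    int r = sandbox_probe(scratch, "/");
    rmdir(scratch);
    return r;
}

int main(void)
{
    int r = run_demo();
    printf("Landlock ABI %d, probe result %d\n", landlock_abi_version(), r);
    return r < 0;
}
```

Two details carry the security weight: the handled-rights mask has to match the kernel's ABI, because a ruleset that only handles the ABI 1 rights silently leaves truncate and ioctl on devices unrestricted on newer kernels, and PR_SET_NO_NEW_PRIVS has to precede landlock_restrict_self(). The version query is also the reliable precondition check: a kernel that is new enough but booted without the Landlock LSM reports EOPNOTSUPP here.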

Context matters

OWASP ranks "Agent Tool Interaction Manipulation" in its top 10 AI threats. The vulnerability class is real: Langflow RCE (Horizon3), Cursor auto-execution bugs, Replit database wipes. Agents that can execute arbitrary code need isolation.

Enterprise alternatives exist - Kubernetes with gVisor, Elastic's GenAI sandbox with IAM controls, MicroVMs. Cloud sandboxes like E2B (used by Mistral and Perplexity) focus on multi-tenant isolation. nono targets local development: lightweight, agent-agnostic, no infrastructure required.

The tool is early-stage ("bugs expected, PRs welcome" per the repo). Hacker News users note it's useful for npm installs and blocking destructive commands. No funding or commercial backing - just an open-source response to active exploits.

Linux kernel 5.13+ is required for filesystem sandboxing and 6.7+ for network controls, and the running kernel must also have the Landlock LSM enabled (it is listed in /sys/kernel/security/lsm); a new enough version number alone is not sufficient. macOS 10.5+ is supported. Windows: not yet.

The real question is whether AI agent developers will adopt it. History suggests many treat security as someone else's problem.