nono.sh
Nono is a new lightweight sandboxing tool that takes advantage of native Linux and macOS kernel-level isolation controls to wrap Claude Code and other agentic coding harnesses (or any process) and prevent them from deleting your home directory or dropping your database.
Nono is developed by Luke Hinds, a former Red Hat Distinguished Engineer and developer behind sigstore. It uses Linux Landlock and macOS Seatbelt to provide kernel-enforced restrictions on what agents like Claude Code or OpenClaw are able to do.
nono’s security model is built on a single premise: the sandboxed process is untrusted. Every architectural decision follows from this. The sandbox must be enforced by the kernel, must be irreversible once applied, and must not depend on the cooperation of the sandboxed process.
Additionally, leveraging sigstore, it is adding the ability to enforce signatures on plugins such as CLAUDE.md or skill files with a feature called Agent Instruction Attestation:
As with any Sigstore-based attestation, signing an instruction file proves two things:
- Provenance — The file was signed by a specific identity (a key you control, or a CI/CD pipeline you trust). You can verify who produced the file.
- Integrity — The file has not been modified since it was signed. Any tampering — even a single byte — breaks the cryptographic digest and the signature is rejected.
Signing does not prove that the content is safe, correct, or free of malicious instructions. A legitimately signed file could still contain harmful directives if the signer intended it, or if the signer’s own environment was compromised before signing. The signature attests to who signed it and that it has not changed, not to the quality or safety of the content itself.
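The provenance and integrity checks described above, sketched as a gate a harness could run before handing an instruction file to an agent. This is an added example, not nono's or Sigstore's code: the bundle layout, the function names and the `TRUSTED_SIGNERS` policy are hypothetical, and a keyed HMAC stands in for the public-key signatures Sigstore uses so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed trust policy: signer identity -> verification key (assumption).
# HMAC keys stand in for the certificates/public keys Sigstore would use.
TRUSTED_SIGNERS = {"ci@example.test": b"constructed-demo-key"}


def _mac(key: bytes, statement: str) -> str:
    return hmac.new(key, statement.encode(), hashlib.sha256).hexdigest()


def sign_instruction_file(content: bytes, identity: str, key: bytes) -> dict:
    """Bind a signer identity to the file's SHA-256 digest (hypothetical bundle)."""
    statement = json.dumps(
        {"identity": identity, "sha256": hashlib.sha256(content).hexdigest()},
        sort_keys=True,
    )
    return {"statement": statement, "signature": _mac(key, statement)}


def verify_instruction_file(content: bytes, bundle: dict, trusted=TRUSTED_SIGNERS) -> str:
    """Return "ok", or the reason the file must not be handed to the agent."""
    raw = bundle.get("statement")
    if not isinstance(raw, str):
        return "malformed bundle"
    try:
        fields = json.loads(raw)
        identity, digest = str(fields["identity"]), str(fields["sha256"])
    except (ValueError, KeyError, TypeError):
        return "malformed bundle"
    key = trusted.get(identity)
    if key is None:
        return "untrusted signer"  # provenance: identity not in policy
    signature = str(bundle.get("signature", ""))
    if not hmac.compare_digest(_mac(key, raw).encode(), signature.encode()):
        return "bad signature"  # statement was not produced by that identity
    actual = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(actual.encode(), digest.encode()):
        return "digest mismatch"  # integrity: file changed after signing
    return "ok"
```

A file signed by a trusted identity returns "ok" whatever its text says, which is the limit the last paragraph describes: the gate answers who signed and whether the bytes changed, so review of the content itself has to happen before signing.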