alwaysfurther.ai

nono.sh/blog/openclaw-… Had a lot of folks asking the difference between nono and @nvidia 's OpenShell shipped in Nemoclaw this week - as both had a significant shared feature surface and terminology - so I wrote an unbiased as possible teardown and it turns out they have quite different architectural differences and applications of use.

If you're building with AI agents and haven't thought through what happens when the agent's permissions are broader than they need to be, this conversation is a good starting point. nono.sh/?utm_source=tw…

Containers and microVMs solved a well-defined problem: process isolation between workload and host. They are best in class for host/guest isolation, resource constraint and environment isolation. Industry transformative and nothing less. The mistake is assuming the same specialism solves the new problems that agents present. An agent is not a workload to isolate, it's far more nuanced. It is an autonomous decision-making system operating , sometimes on your behalf, at runtime, against often sensitive material, in ways that cannot be fully anticipated at launch time. Placing it in an isolated environment and considering the security problem solved because the host is protected and the guest is isolated is not enough. The agent needs access to sensitive resources to do its job, and those resources require protection as well. When the agent needs capabilities beyond its initial grant, it requires a secure, mediated channel to request them. Without one, privilege elevation becomes a path that bypasses the very isolation boundary you depended on. Existing primitives enforce boundaries. They do not enforce intent, auditability, or runtime access control over an actor whose behaviour is non-deterministic by design. Nono is built on a different premise: the sandboxed process is untrusted by construction, and capabilities are granted dynamically under explicit oversight, enforced at the kernel level, and recorded with immutably. The supervisor is the mechanism that realises this, and its nono's superpower. The supervisor runs outside the sandbox, intercepts every file access syscall via seccomp-notify, and mediates every access decision before it reaches its entity. The agent never executes its own calls. Privilege elevation requests are trapped, approved over a secure verified channel, and fulfilled via direct file descriptor injection. The audit trail and access gate - is not an instrumentation on top of execution. It is direct in the execution path. API credentials never enter the agent's address space. Files can be cryptographically attested, right back to the source code - before the agent even reads or executes them. And the best bit of all, already have a container orchestration system in place, well nono runs quite at home in either a container or a microVM - belt, braces, and a safety harness. This is not a tightening of existing primitives or a repurposing of previous tools. It is an approach purpose-built for a new era. nono.sh #AgenticAI #Security

AI coding agents don't need to hold your API keys. nono's phantom token proxy keeps real credentials out of agent process environments entirely. Blog: nono.sh/blog/blog-cred… Repo: github.com/always-further… #AISecurity #AIAgents #opensource

We give agents API keys as environment variables, and a single prompt injection can exfiltrate them via env, `/proc/PID/environ`, with just an outbound HTTP call. The blast radius is the full scope of that key. So we built what we're calling the "phantom token pattern" - a credential injection proxy that sits outside the sandbox with a parent process that limited with connection to its sandboxed child by seccomp. The agent never sees real credentials. It gets a per-session token that only works only with the session bound localhost proxy. The proxy validates the token (constant-time), strips it, injects the real credential, and forwards upstream over TLS. If the agent is fully compromised, there's nothing worth stealing. Real credentials live in the system keystore (macOS Keychain / Linux Secret Service), memory is zeroized on drop, and DNS resolution is pinned to prevent rebinding attacks. It works transparently with OpenAI, Anthropic, and Gemini SDKs — they just follow the `*_BASE_URL` env vars to the proxy. Blog post walks through the architecture, the token swap flow, and how to set it up. Would love feedback from anyone thinking about agent credential security. nono.sh/blog/blog-cred… We also have other features we have shipped, such as atomic rollbacks, Sigstore based SKILL attestation. github.com/always-further…

We are configuring autonomous systems with prose. SKILLS.md, RULES.md, CLAUDE.md - loaded into the same context window as untrusted data. The model has no way to separate its own instructions from an attacker's. The control plane and data plane we built out as seperate, the lessons we learned about xss attacks, sql injections - and here we are , back where we started again. A post I wrote about why I built nono: alwaysfurther.ai/blog/why-i-bui… #AIAgents #InfoSec #OpenSource #PromptInjection

Nono: Kernel-Enforced Sandboxing for AI Agent Security (Source: Nono) Nono provides OS-level sandboxing for AI agents, preventing unauthorized operations through kernel-enforced restrictions. #AIsecurity #Sandboxing #Kernel #Security #Agents 🤔 How can we balance the need for AI agent security with the desire for performance and flexibility? dailyaiwire.news/article/nono-a…

Overview of how AI Agent workflows have reshaped the software supply chain , by Always Further co-founder @decodebytes

Guest Blog on the @spinframework community blog by @decodebytes on using webassembly tool executions for the training of agentic large language models spinframework.dev/blog/deepfabri…

How do you train an SEO-focused agent from scratch? Our co-founder @parkie covers the full process - dataset generation, live tool execution setup, and more. Part two dropping soon.

DeepFabric now supports live tool execution during dataset generation, isolated within web-assembly components care of the @spinframework - this produces training dataset with far less hallucinations and encourages more reactive learning patterns.

The revamped DeepFabric docs are a much easier cognitive kind read and look so much better to boot: docs.deepfabric.dev

How we trained a 4b model to outperform Claude Sonnet 2.5 and Gemini 2.5 pro at Tool Calling alwaysfurther.ai/blog/train-4b-…

Our CEO @decodebytes interviewed in Red Hat Magazine.

A new DeepFabric release shipping soon, where real live Tool traces are used for Agent Tool calling dataset curation, all within a safe confined wasm component care of the @spinframework :

Latest Blog on why relying on system prompts as guardrails could let you down alwaysfurther.ai/blog/system-pr…

We're out of stealth! Today we're announcing Always Further and our $1.8M pre-seed to deliver precise, secure and reliable open language models. More soon. Let's build 🚀 alwaysfurther.ai/blog/announcin…