alwaysfurther.ai

26 posts

@alwaysfurtherAI

Empowering enterprises to build specialized AI models that cost effectively deliver precise, reliable results.

London, UK. Joined November 2025
31 Following, 15 Followers
alwaysfurther.ai retweeted
Luke Hinds@decodebytes·
Exciting new feature coming online shortly: nono.sh package and policy registry. We heard from users and they wanted a way of having a more customized self-serving system for having nono configure agent hooks, skills and nono policy.
alwaysfurther.ai@alwaysfurtherAI·
Most agent security conversations stop at the sandbox. On 6 May, @SCPARKINSON is going further. Enforce, Attest, Decide: three layers of runtime security, with live demos from nono, our open source kernel-level sandbox. The hard part: permission-expansion when no human is at the terminal. That's where the real problems live. Free summit: background-agents.com/summit
alwaysfurther.ai retweeted
Luke Hinds@decodebytes·
It is time for me to reveal the truth - I am Satoshi Nakamoto I just don't have any proof. nono.sh/blog/secure-ag…
alwaysfurther.ai@alwaysfurtherAI·
The number worth pausing on in here isn't 2,000 stars. It's 50 contributors in two months, on a kernel-level security tool. Security tooling doesn't usually attract contributors. It attracts issue reports. Something different is going on with nono. github.com/always-further…
alwaysfurther.ai@alwaysfurtherAI·
AI coding agents can read your files, write to your filesystem, exfiltrate credentials, and make network calls. Most teams shipping with them have no kernel-level enforcement in place. Policy filters and application-layer controls aren't the same thing. We'll be at @aidotengineer Europe in London, 8–10 April. Come talk to @decodebytes and @SCPARKINSON about what a proper security layer actually looks like. Book time: nono.sh/book
alwaysfurther.ai@alwaysfurtherAI·
The axios supply chain attack and AI agent security have the same enforcement gap. Both rely on trusting code that runs with your permissions. nono closes that gap at the kernel level. Read how: nono.sh/blog/nono-axio…
alwaysfurther.ai@alwaysfurtherAI·
nono v0.26.0: kernel-enforced sandboxing now works on Windows via WSL2. WSL2 runs a real Linux kernel. nono uses the same Landlock path as native Linux. 84% feature parity. The remaining 16% is a WSL2 kernel bug on Microsoft's side. When they fix it, nono picks it up automatically. If you're running AI coding agents on Windows, you now have the same protection as Linux and macOS users. nono.sh/blog/nono-wsl2…
alwaysfurther.ai@alwaysfurtherAI·
Kexin wrapped a GitHub triage bot with nono and documented what each feature actually does. Sandbox profile. Trust verification of the instruction file. Phantom token credential injection — real credentials never enter the sandbox. Python unchanged. Security comes from the launch wrapper. Write-up + code: nono.sh/blog/wrapping-…
alwaysfurther.ai retweeted
Luke Hinds@decodebytes·
nono.sh/blog/openclaw-… Had a lot of folks asking the difference between nono and @nvidia's OpenShell shipped in Nemoclaw this week - as both had a significant shared feature surface and terminology - so I wrote an as unbiased as possible teardown and it turns out they have quite different architectural differences and applications of use.
alwaysfurther.ai retweeted
Luke Hinds@decodebytes·
Containers and microVMs solved a well-defined problem: process isolation between workload and host. They are best in class for host/guest isolation, resource constraint and environment isolation. Industry transformative and nothing less. The mistake is assuming the same specialism solves the new problems that agents present. An agent is not a workload to isolate, it's far more nuanced. It is an autonomous decision-making system operating, sometimes on your behalf, at runtime, against often sensitive material, in ways that cannot be fully anticipated at launch time. Placing it in an isolated environment and considering the security problem solved because the host is protected and the guest is isolated is not enough. The agent needs access to sensitive resources to do its job, and those resources require protection as well. When the agent needs capabilities beyond its initial grant, it requires a secure, mediated channel to request them. Without one, privilege elevation becomes a path that bypasses the very isolation boundary you depended on. Existing primitives enforce boundaries. They do not enforce intent, auditability, or runtime access control over an actor whose behaviour is non-deterministic by design. Nono is built on a different premise: the sandboxed process is untrusted by construction, and capabilities are granted dynamically under explicit oversight, enforced at the kernel level, and recorded immutably. The supervisor is the mechanism that realises this, and it's nono's superpower. The supervisor runs outside the sandbox, intercepts every file access syscall via seccomp-notify, and mediates every access decision before it reaches its entity. The agent never executes its own calls. Privilege elevation requests are trapped, approved over a secure verified channel, and fulfilled via direct file descriptor injection. The audit trail and access gate is not an instrumentation on top of execution. It is direct in the execution path.
API credentials never enter the agent's address space. Files can be cryptographically attested, right back to the source code - before the agent even reads or executes them. And the best bit of all: if you already have a container orchestration system in place, nono runs quite at home in either a container or a microVM - belt, braces, and a safety harness. This is not a tightening of existing primitives or a repurposing of previous tools. It is an approach purpose-built for a new era. nono.sh #AgenticAI #Security
alwaysfurther.ai@alwaysfurtherAI·
AI coding agents don't need to hold your API keys. nono's phantom token proxy keeps real credentials out of agent process environments entirely. Blog: nono.sh/blog/blog-cred… Repo: github.com/always-further… #AISecurity #AIAgents #opensource
Luke Hinds@decodebytes

We give agents API keys as environment variables, and a single prompt injection can exfiltrate them via env, `/proc/PID/environ`, with just an outbound HTTP call. The blast radius is the full scope of that key. So we built what we're calling the "phantom token pattern" - a credential injection proxy that sits outside the sandbox, with a parent process whose connection to its sandboxed child is limited by seccomp. The agent never sees real credentials. It gets a per-session token that only works with the session-bound localhost proxy. The proxy validates the token (constant-time), strips it, injects the real credential, and forwards upstream over TLS. If the agent is fully compromised, there's nothing worth stealing. Real credentials live in the system keystore (macOS Keychain / Linux Secret Service), memory is zeroized on drop, and DNS resolution is pinned to prevent rebinding attacks. It works transparently with OpenAI, Anthropic, and Gemini SDKs — they just follow the `*_BASE_URL` env vars to the proxy. Blog post walks through the architecture, the token swap flow, and how to set it up. Would love feedback from anyone thinking about agent credential security. nono.sh/blog/blog-cred… We also have other features we have shipped, such as atomic rollbacks and Sigstore-based SKILL attestation. github.com/always-further…

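The token swap the quoted post describes, as an added example in hypothetical Python (not nono's own code): the proxy holds the real key outside the sandbox, hands the agent a random per-session token, validates it in constant time, swaps in the real credential, and forwards only to an upstream address pinned at start-up. The class and method names, the placeholder key and the documentation-range IP are all constructed for this illustration.

```python
import hmac
import secrets
import socket


class PhantomTokenProxy:
    """Model of the phantom-token swap: hypothetical example code, not nono's own.

    The real credential lives only in this object, outside the sandbox; the agent
    is handed a random per-session token that is accepted nowhere but here.
    """

    def __init__(self, real_credential: str, upstream_host: str, upstream_ip: str = ""):
        # Mutable buffer so the secret can be overwritten (zeroised) on close.
        self._real = bytearray(real_credential.encode())
        self.session_token = "phantom-" + secrets.token_urlsafe(24)
        self.upstream_host = upstream_host
        # Pin the upstream address once at start-up; later DNS answers are never
        # consulted, so a rebinding answer cannot redirect the real credential.
        self.upstream_ip = upstream_ip or socket.gethostbyname(upstream_host)

    def forward_target(self) -> tuple:
        """Where a rewritten request is sent: the pinned IP on the TLS port."""
        return (self.upstream_ip, 443)

    def rewrite(self, headers: dict):
        """Constant-time token check, then swap; returns headers to forward or None."""
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(
                presented.encode(), self.session_token.encode()):
            return None
        # Strip the agent's token and the Host header naming the localhost proxy.
        out = {k: v for k, v in headers.items()
               if k.lower() not in ("authorization", "host")}
        # Python str is immutable, so this copy cannot be zeroised; a native
        # implementation would keep the credential in a wiped buffer throughout.
        out["Authorization"] = "Bearer " + self._real.decode()
        out["Host"] = self.upstream_host  # TLS SNI / Host must name the real service
        return out

    def close(self) -> None:
        """Overwrite the stored credential so it does not linger in memory."""
        for i in range(len(self._real)):
            self._real[i] = 0

    def is_zeroised(self) -> bool:
        return all(b == 0 for b in self._real)
```

The agent's environment would carry only `proxy.session_token` and a `*_BASE_URL` pointing at the localhost proxy, so an unmodified SDK sends its requests through `rewrite` without ever seeing the real key.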
alwaysfurther.ai retweeted
Luke Hinds@decodebytes·
We are configuring autonomous systems with prose. SKILLS.md, RULES.md, CLAUDE.md - loaded into the same context window as untrusted data. The model has no way to separate its own instructions from an attacker's. The control plane and data plane we built out as separate, the lessons we learned about XSS attacks, SQL injections - and here we are, back where we started again. A post I wrote about why I built nono: alwaysfurther.ai/blog/why-i-bui… #AIAgents #InfoSec #OpenSource #PromptInjection
alwaysfurther.ai@alwaysfurtherAI·
How do you train an SEO-focused agent from scratch? Our co-founder @parkie covers the full process - dataset generation, live tool execution setup, and more. Part two dropping soon.
alwaysfurther.ai retweeted
Luke Hinds@decodebytes·
DeepFabric now supports live tool execution during dataset generation, isolated within WebAssembly components care of the @spinframework - this produces training datasets with far fewer hallucinations and encourages more reactive learning patterns.