Luke Hinds

Building Multiplexing and PTY’s in nono.sh was a real opener to the world of terminals, so many areas to go wrong , especially when dealing with two processes - one of them sandboxed.. Window size propagation, parsing ANSI/VT100/xterm escape sequences, maintaining a screen grid with attributes, scrollback, alternate screen buffer, and then re-rendering it onto a possibly-differently-sized real terminals. Resize is brutal - reflowing wrapped lines while preserving cursor semantics was painful - I could go on. I recently listened to the @Pragmatic_Eng show with @mitchellh talking about what he faced while building Ghostty and it was like discovering someone else is into some weird band no one else has ever heard of.

new alarm clock tone: open.spotify.com/track/2cNjgoSh…

A lot of frustrated #NemoClaw , OpenShell users turning up in the nono.sh community, checked it out - kind makes sense. Around 4 docker images, a k8s cluster, to run a coding agent.

Project Nono - Monthly Roundup 🎬 Here's what shipped over the last 30 days, in 60 seconds. A few highlights worth calling out: Secure SKILL / Agent Artifact Registry (early preview) — sigstore provenance and prompt injection checks built in. Custom SKILLS / Profiles - built for teams that agent supply-chain security from day one, not bolted on later. Inbuilt Helper - no more wrangling pesky JSON. Let Nono steer the model for you.

Exciting new feature coming online shortly. nono.sh package and policy registry. we heard from users and they wanted a way of having a more customized self-serving system for having nono configure agent hooks, skills and nono policy.

If you've been using Docker to sandbox your AI Agents, you must try nono.sh

@MindTheGapMTG @satyanadella nono.sh

@satyanadella We run 12 AI agents across our company. The "computer" each one needs isn't compute. It's a constraint boundary. Identity file defining permissions, tools, audit scope. Get that right and governance is built in from day one, not bolted on by infra.

Every agent will need its own computer. And with new Hosted agents in Foundry, every agent gets its own dedicated enterprise-grade sandbox, with durable state, built-in identity and governance, and support for any harness or framework. Read more: devblogs.microsoft.com/foundry/introd…

@satyanadella So its agents running inside a docker wrapper

A very bizarre experience of meeting my first claw in the wild. The Day of the Claws: How I watched an agent reverse-engineer my career in an afternoon. decodebytes.substack.com/p/the-day-of-t…

@IceSolst -No concern for provenance (skills, mcp). nono.sh/docs/cli/inter…

Massive regression in security maturity across the board: -Fixate on 0days and bugs. -No concern for provenance (skills, mcp). -Build basic PoC-level tools. -“fix all exploitable vulns” -pwnd? Blame AI -no logs It’s like we forgot everything we’ve learned in the last 20 years

It is time for me to reveal the truth - I am Satoshi Nakamoto I just don't have any proof. nono.sh/blog/secure-ag…

Anyone know of some decent prompts to out a claw? Getting tired of them turning up in issues and writing an entire new slop-app and positioning it as a better solution.

Anthropic has announced that it is massively expanding its London presence. It’s just secured a new office for 800 people - a huge jump from its 200 current employees. OpenAI announced its first permanent office in London this week and now @AnthropicAI is doubling down. Meta, OpenAI, DeepMind, wayve and so many others have huge offices in London. It’s becoming the leading AI hub outside of the US. LETS GO

I have no idea what is going on with these frontier models (opus 4.6 / gpt 5.4), but I am back to having vscode open, front and centre and writing stuff myself again.

@cgtwts Did he ask Mythos if it could help stop a company leaking their flagship products source code?

Nicholas Carlini, world’s best AI security researcher: “ I’ve found more bugs in the last few weeks with Claude Mythos than in the rest of my entire life combined” and this is why, Cloudflare dropped 13%. not because it’s failing, but because SaaS might not survive this.

Took nono.sh to the @aiDotEngineer event in London this week. Wasn't expecting to spend half the day being stopped by engineers telling us they're daily users. One team even demoed nono integrated into their own product - live, in the wild, built by someone we'd never met. Big thanks to everyone who came and said hello.

demo of multiplexing sandboxes in nono and how its used in multi agent worktasking youtube.com/watch?v=QqRt4t…

@liran_tal It helps, but its possible to sign and have provenance for malware - the approach we are taking in nono is capability based access control of anything the agent can access - so its attempt to create backdoors would have met an operation denied from the kernel

@decodebytes Luke do you think artifact (package) signing solves this? It's a signal but isn't really an actual prevention or do you have something else in mind

The axios npm compromise from this week night is a near-perfect test case for nono. Account takeover. Hidden dependency. postinstall hook. RAT deployed. Self-deleted to cover tracks. Here is how the attack breaks down and why each layer of nono stops it before it matters: - Attacker hijacks a maintainer's npm account. - Pushes axios 1.14.1 and 0.30.4 with a new dep: plain-crypto-js. - That dep's postinstall script phones home to sfrclak[.]com:8000. - Downloads a platform-specific RAT, writes it to system paths, then deletes itself. - Both release branches hit within 39 minutes. Payloads pre-staged 18 hours earlier. - nono's network proxy runs outside the sandbox. - The sandboxed npm install can only reach localhost where a single port is open to the proxy. A connection to sfrclak[.]com never leaves the machine. No C2 callback. No payload. Attack over. Even if the payload were bundled inline, nono's capability set only allows writes inside the project directory. /Library/Caches/com.apple.act.mond - denied is denied /tmp/ld.py - denied unless /tmp is explicitly granted. Kernel-enforced. Not a policy filter. Not bypassable. The RAT's evasion trick: delete itself and overwrite package.json with a clean version. nono's snapshot manager records every mutation before and after the sandbox runs. You can diff baseline vs current state and see every file created, modified, or deleted. Self-deletion does not hide the attack. Most developers have no idea which transitive deps run postinstall hooks. Disabling them breaks legitimate packages (node-gyp, esbuild, sharp...). nono does not disable hooks. It confines them. They run. They just can't reach your credentials, your system paths, or the internet. Full writeup: nono.sh/blog/nono-axio…

nono v0.26.0: kernel-enforced sandboxing now works on Windows via WSL2. WSL2 runs a real Linux kernel. nono uses the same Landlock path as native Linux. 84% feature parity. The remaining 16% is a WSL2 kernel bug on Microsoft's side. When they fix it, nono picks it up automatically. If you're running AI coding agents on Windows, you now have the same protection as Linux and macOS users. nono.sh/blog/nono-wsl2…