Luke Hinds

2.9K posts

@decodebytes

Creator of https://t.co/T8htHI7vHB , now building https://t.co/OBABqFvHE2 - the agent security platform.

Bristol · Joined February 2021
750 Following · 3K Followers

Luke Hinds @decodebytes
nono.sh/blog/openclaw-… Had a lot of folks asking the difference between nono and @nvidia's OpenShell shipped in Nemoclaw this week, as both had a significant shared feature surface and terminology, so I wrote an as-unbiased-as-possible teardown, and it turns out they have quite different architectures and applications of use.

deltaOps @delta_ops_ai
@decodebytes Nailed it — the sandbox is the enforcement layer, but the policy is the hard part. We're building DeltaOps to solve this with declarative rules: BLOCK_DESTRUCTIVE_ACTIONS, MANDATORY_CODE_REVIEW, etc. Define intent once, enforce on every agent action. No guessing.

Luke Hinds @decodebytes
One of the hardest parts of sandboxing an AI coding agent isn't always running the sandbox itself. It's knowing what to put in the policy. Guessing leaves you with one of two outcomes: an over-permissive sandbox that doesn't actually protect anything, or a broken agent missing the paths it needs to function. We built three commands to solve this. Here's how they work together. nono.sh/blog/nono-lear…

Akhilesh Mishra @livingdevops
🔥Breaking: NVIDIA just open-sourced the guardrails AI agents should have had from day one. It's called OpenShell. Announced at GTC yesterday.

Your coding agent currently has access to your terminal, files, AWS keys, and network. OpenShell fixes that. What it does:
- Filesystem locked at sandbox creation
- Network blocked by default.
- You whitelist what's allowed
- API keys never touch the filesystem. Injected at runtime only
- Policies defined in simple YAML

One command to sandbox Claude Code, Codex, or Cursor. The architecture runs a full K3s cluster inside a single Docker container. No separate Kubernetes install. Adobe, Atlassian, Cisco, CrowdStrike, Salesforce are already integrating it. Most teams solve agent security at the application layer. OpenShell solves it at the infrastructure layer. GitHub repo link in comments.

Luke Hinds @decodebytes
I could have sworn I've heard this somewhere before: supervisors, network injection 🤷‍♂️ github.com/NVIDIA/OpenShe… (linking to lines 13 to 19)

Luke Hinds @decodebytes
On Linux we can support post-apply() grants: the seccomp BPF filter intercepts syscalls before they reach Landlock. Unfortunately macOS doesn't give us much to work with, but typically a human (dev laptop) is present, making it easier for them to restart with new grants. nono.sh/docs/cli/featu…

Francis Alexander @torque59
@decodebytes I see, btw. I saw from the documentation that "After apply(), there is no way to expand permissions. The sandbox persists for the lifetime of the process and all child processes." /tmp/myapp-<session-id> would not work with nono in that case, right?

Luke Hinds @decodebytes
Containers and microVMs solved a well-defined problem: process isolation between workload and host. They are best in class for host/guest isolation, resource constraint and environment isolation. Industry transformative and nothing less.

The mistake is assuming the same specialism solves the new problems that agents present. An agent is not a workload to isolate; it's far more nuanced. It is an autonomous decision-making system operating, sometimes on your behalf, at runtime, against often sensitive material, in ways that cannot be fully anticipated at launch time. Placing it in an isolated environment and considering the security problem solved because the host is protected and the guest is isolated is not enough. The agent needs access to sensitive resources to do its job, and those resources require protection as well. When the agent needs capabilities beyond its initial grant, it requires a secure, mediated channel to request them. Without one, privilege elevation becomes a path that bypasses the very isolation boundary you depended on.

Existing primitives enforce boundaries. They do not enforce intent, auditability, or runtime access control over an actor whose behaviour is non-deterministic by design.

Nono is built on a different premise: the sandboxed process is untrusted by construction, and capabilities are granted dynamically under explicit oversight, enforced at the kernel level, and recorded immutably. The supervisor is the mechanism that realises this, and it's nono's superpower. The supervisor runs outside the sandbox, intercepts every file access syscall via seccomp-notify, and mediates every access decision before it reaches its entity. The agent never executes its own calls. Privilege elevation requests are trapped, approved over a secure verified channel, and fulfilled via direct file descriptor injection. The audit trail and access gate are not instrumentation on top of execution; they are directly in the execution path.

API credentials never enter the agent's address space. Files can be cryptographically attested, right back to the source code, before the agent even reads or executes them. And the best bit of all: if you already have a container orchestration system in place, nono runs quite at home in either a container or a microVM. Belt, braces, and a safety harness. This is not a tightening of existing primitives or a repurposing of previous tools. It is an approach purpose-built for a new era. nono.sh #AgenticAI #Security
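The post above says files can be cryptographically attested before the agent reads or executes them. The gate that makes that claim hold is the ordering: verify the digest of the bytes you are about to hand over, and hand over exactly those bytes, so there is no window between the check and the use. The following is an added example in Python, not nono's code or its attestation format: the manifest layout, the HMAC tag (a stand-in for a real signature such as one bound to a build's provenance), the `attest`/`attested_read`/`gate_result` names, the key and the in-memory "filesystem" are all constructed for illustration.

```python
import hashlib
import hmac
import json


class AttestationError(Exception):
    """Raised when a file may not be handed to the agent."""


def _canonical(digests):
    """Deterministic encoding of {path: sha256_hex}, so the tag covers exactly that set."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def attest(files, key):
    """Record a digest for every file and bind the whole set with a keyed tag.

    `files` maps path -> bytes as they were at attestation time (the bytes a
    build produced). The HMAC stands in for a real signature; the point is
    that the tag is made with a key the sandboxed agent never holds.
    """
    digests = {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def attested_read(path, read_bytes, manifest, key):
    """Return the file's bytes only if they match the attested digest.

    `read_bytes(path)` is the raw reader (a dict lookup here, an open()/read()
    in practice). The bytes that are verified are the bytes that are returned:
    verifying the path and then letting the agent open it again would leave a
    time-of-check/time-of-use window for a swap on disk.
    """
    tag = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, manifest["tag"]):
        raise AttestationError("manifest tag does not verify")
    expected = manifest["files"].get(path)
    if expected is None:
        raise AttestationError(f"no attestation for {path}")
    data = read_bytes(path)
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
        raise AttestationError(f"{path} differs from its attested content")
    return data


# Constructed sample "filesystem" and key (not real files). A deployment keeps
# the key, or the signing identity, outside the sandbox with the supervisor.
KEY = b"supervisor-only-key"
SOURCE = {
    "/work/skills/deploy.sh": b"#!/bin/sh\nkubectl apply -f manifests/\n",
    "/work/skills/lint.py": b"import sys\nsys.exit(0)\n",
}
MANIFEST = attest(SOURCE, KEY)


def gate_result(path, fs, manifest=MANIFEST, key=KEY):
    """Outcome of the gate for one request: 'ok' or the refusal reason."""
    try:
        attested_read(path, fs.__getitem__, manifest, key)
        return "ok"
    except AttestationError as err:
        return str(err)
```

A file that was modified after attestation, a file with no attestation at all, and a manifest re-tagged with a different key are all refused before any content reaches the caller; only content that matches its recorded digest is returned, and it is returned from the same read that was checked.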

Luke Hinds @decodebytes
@torque59 The answer is: don't grant /tmp. Grant /tmp/myapp-<session-id>/ instead. But nono isn't a guest/host isolation layer; plenty already do a good job there (Kata, Firecracker). This is granular, OS-enforced resource control over what an agent may or may not access.
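Two posts above are ends of the same workflow: the one about knowing what to put in the policy (guess and you get either an over-permissive sandbox or a broken agent) and the reply saying to grant /tmp/myapp-<session-id>/ rather than /tmp. Observe what the agent actually touches, collapse that into the narrowest grants that still let it work, withhold anything sensitive for a human, then mediate every later request against those grants. The following is an added example in Python, not nono's code, its learn commands or its policy format: the trace lines, the sensitive and too-broad path lists, and the function names are constructed for illustration. It generalises one step beyond the posts by granting the observed file's directory so that sibling files created later are covered.

```python
import posixpath

# Constructed sample trace (not real nono output): one observed access per
# line, "<op> <absolute path>", as a hypothetical learn mode might record it.
TRACE = """\
read  /home/dev/proj/src/main.py
read  /home/dev/proj/src/util.py
write /home/dev/proj/build/out.o
write /tmp/myapp-7f3a/cache.db
read  /usr/lib/python3.11/os.py
read  /home/dev/.aws/credentials
"""

# Observed or not, these are never granted silently; a human decides.
SENSITIVE_PREFIXES = ("/home/dev/.aws", "/home/dev/.ssh", "/etc/shadow")
# Roots too broad to be a useful grant (the "protects nothing" outcome).
TOO_BROAD = ("/", "/home", "/home/dev", "/tmp", "/usr", "/etc")


def parse_trace(text):
    """Map each observed path (normalised) to the set of ops seen on it."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        op, path = line.split(maxsplit=1)
        seen.setdefault(posixpath.normpath(path.strip()), set()).add(op)
    return seen


def under(path, prefix):
    """True if path is prefix or lies inside it. Component-wise, so a grant on
    /tmp/myapp-7f3a does not cover /tmp/myapp-7f3a-evil."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def learn_grants(seen):
    """Collapse observed accesses into per-directory grants.

    Returns (grants, flagged). grants maps directory -> ops, so a sibling file
    in the same directory is allowed too (a source file created after the
    trace); that is the deliberate generalisation. flagged lists paths under
    SENSITIVE_PREFIXES that were withheld. Only the immediate parent of an
    observed file is ever granted, and when that parent is itself a broad root
    the grant narrows to the file, so /tmp or /home/dev is never produced.
    """
    grants, flagged = {}, []
    for path, ops in seen.items():
        if any(under(path, s) for s in SENSITIVE_PREFIXES):
            flagged.append(path)
            continue
        parent = posixpath.dirname(path)
        target = path if parent in TOO_BROAD else parent
        grants.setdefault(target, set()).update(ops)
    return grants, sorted(flagged)


def mediate(grants, op, path):
    """Allow/deny decision for one request. '..' is collapsed before the prefix
    check. String normalisation cannot see symlinks, which is one reason a real
    gate resolves the target at the syscall/fd level rather than on the path."""
    path = posixpath.normpath(path)
    return any(under(path, g) and op in ops for g, ops in grants.items())


def learned_policy(trace=TRACE):
    """End to end: (grants, withheld paths) from a trace."""
    return learn_grants(parse_trace(trace))
```

Run against the constructed trace, the learned policy grants read on /home/dev/proj/src and write on /tmp/myapp-7f3a, never /tmp itself, and holds back ~/.aws/credentials for review. A later read of a new file in proj/src is allowed; a write to the same directory, a write under /tmp/myapp-7f3a-evil, and a write that climbs out of the session directory with `..` are all denied.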

Francis Alexander @torque59
@decodebytes Question, maybe I'm missing something, but wouldn't this still introduce risks related to multiple users of the same agent/system still being able to access files or the filesystem in place? If you have granted, for example, access to /tmp, how would this help isolate it?

Luke Hinds @decodebytes
@dguido SKILL to runtime provenance / attestation? github.com/marketplace/ac… Happy to collab if interested; I borrowed a lot of the same approach that the TOB folks implemented for Python trusted publishers.

Dan Guido @dguido
The trailofbits/skills repo now has official Codex support, and we're looking for testers. Please file issues if you encounter any using our skills with Codex! 👍 github.com/trailofbits/sk…

Luke Hinds @decodebytes
@mbrg0 ohh! I am getting a 404, did the repo change?

VraserX e/acc @VraserX
Andrew Yang is right. Taxing AI companies will be a cornerstone of a post-labor economy. But we should go further. AI was trained on our data, our writing, our code, our images. Society created the raw material. So society should own a piece of it. Not just taxes. Shared ownership and AI dividends. If AI becomes the most productive technology in history, the wealth it creates should flow back to the people who helped create it.

Bidhan @bidhanxcode
Google uses Go. Meta uses Go. Microsoft uses Go. Amazon uses Go. Uber uses Go. Dropbox uses Go. Cloudflare uses Go. Twitch uses Go. Docker uses Go. Kubernetes uses Go. PayPal uses Go. Shopify uses Go. What’s stopping you from learning Go?

Luke Hinds @decodebytes
Little nono.sh is just 30 days old and just about to hit 1k 🌟s. It's faring very well against the OSS security giants; let's see if it can keep up the 🚀 trajectory.

Luke Hinds @decodebytes
@fr0gger_ When it can run down the stairs while eating toast, checking its pocket for car keys, answering the wife, and not tripping over the dog, with no pre-scripted coordinates and 10 Tesla batteries, I might start fancying its chances going head to head with humans.

Thomas Roccia 🤘 @fr0gger_
I said it once, I will say it again. Today we protect AI from human hacking. One day we will have to protect humans from AI.