Description
What It Does
nono (from the creator of Sigstore) is a kernel-enforced agent sandbox that wraps any CLI agent in OS-level capability restrictions, with zero latency overhead and no hypervisor. On macOS it uses Seatbelt; on Linux it uses Landlock (kernel 5.13+). Permissions are declared as a capability set before execution; once applied they are irreversible and are inherited by all child processes. It includes destructive-command blocking (rm, dd, chmod, sudo), credential injection via a proxy mode (the agent never sees API keys), composable YAML policy groups, content-addressable rollback/snapshots with SHA-256 deduplication, network allowlist filtering, and a structured JSON audit trail. It ships with built-in profiles for Claude Code, Codex, and OpenClaw.
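As an added illustration of the snapshot/rollback feature described above (this is not nono's own code, and nono's on-disk format is not shown here), the following Python sketch implements a content-addressable store keyed by SHA-256: identical file contents are written once, a snapshot is a manifest mapping relative paths to digests, and a rollback restores the manifest while verifying each blob against its digest and rejecting manifest paths that would escape the working directory. The sample project files and the simulated agent edits are constructed inline; the class and function names are assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


class SnapshotStore:
    """Content-addressable store: blobs keyed by SHA-256, snapshots as JSON manifests."""

    def __init__(self, root: Path):
        self.objects = root / "objects"
        self.snapshots = root / "snapshots"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.snapshots.mkdir(parents=True, exist_ok=True)

    def _store_blob(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        path = self.objects / digest
        if not path.exists():  # deduplication: identical content is written once
            tmp = path.with_name(digest + ".tmp")
            tmp.write_bytes(data)
            os.replace(tmp, path)  # atomic publish, so a reader never sees a partial blob
        return digest

    def snapshot(self, workdir: Path, name: str) -> dict:
        """Record every regular file under workdir as {relative path: sha256}."""
        manifest = {}
        for p in sorted(workdir.rglob("*")):
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(workdir).as_posix()] = self._store_blob(p.read_bytes())
        (self.snapshots / f"{name}.json").write_text(json.dumps(manifest, sort_keys=True))
        return manifest

    def rollback(self, workdir: Path, name: str) -> dict:
        """Make workdir match the named snapshot; returns what was restored and removed."""
        manifest = json.loads((self.snapshots / f"{name}.json").read_text())
        root = workdir.resolve()
        removed, restored = [], []
        # files created after the snapshot are deleted
        for p in sorted(workdir.rglob("*")):
            rel = p.relative_to(workdir).as_posix()
            if p.is_file() and rel not in manifest:
                p.unlink()
                removed.append(rel)
        for rel, digest in manifest.items():
            target = (workdir / rel).resolve()
            if not target.is_relative_to(root):  # a tampered manifest must not write outside workdir
                raise ValueError(f"manifest path escapes workdir: {rel}")
            data = (self.objects / digest).read_bytes()
            if hashlib.sha256(data).hexdigest() != digest:  # detect a corrupted or swapped blob
                raise ValueError(f"blob {digest} failed integrity check")
            if not target.exists() or target.read_bytes() != data:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
                restored.append(rel)
        return {"restored": sorted(restored), "removed": sorted(removed)}

    def object_count(self) -> int:
        return sum(1 for _ in self.objects.iterdir())


def demo() -> dict:
    """Constructed scenario: snapshot, let a simulated agent change files, roll back."""
    base = Path(tempfile.mkdtemp(prefix="cas-demo-"))
    work = base / "project"
    (work / "src").mkdir(parents=True)
    store = SnapshotStore(base / "store")
    # constructed sample files; main.py and src/copy.py are byte-identical to show dedup
    (work / "main.py").write_text("print('hello')\n")
    (work / "src" / "copy.py").write_text("print('hello')\n")
    (work / "README.md").write_text("# demo\n")
    before = store.snapshot(work, "before-agent")
    # simulated agent run: one file edited, one deleted, one created
    (work / "main.py").write_text("print('changed')\n")
    (work / "README.md").unlink()
    (work / "notes.txt").write_text("scratch\n")
    store.snapshot(work, "after-agent")
    result = store.rollback(work, "before-agent")
    return {
        "files_in_snapshot": len(before),        # 3
        "unique_objects": store.object_count(),  # 4: six manifest entries, four distinct contents
        "restored": result["restored"],          # ['README.md', 'main.py']
        "removed": result["removed"],            # ['notes.txt']
        "main_restored": (work / "main.py").read_text() == "print('hello')\n",
        "notes_removed": not (work / "notes.txt").exists(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two snapshots with six manifest entries end up as four stored blobs, which is the deduplication the issue mentions; the integrity and path checks on rollback are the caveats worth keeping in any real implementation, since the snapshot store is itself a write target an agent could reach if it is not outside the sandboxed tree.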
Why It Matters for ShellForge
ShellForge currently uses OpenShell (Docker + Colima) for sandboxing, which requires a running hypervisor and adds container startup latency. nono replaces this with a zero-latency kernel primitive: `nono run --profile crush -- crush` would wrap ShellForge's Crush subprocess in filesystem capability restrictions enforced by macOS Seatbelt, which is more powerful than AgentGuard's YAML pattern matching and complementary to it. The cryptographic audit trail with Sigstore attestation is a direct upgrade to AgentGuard's current audit logging, and the TypeScript bindings (nono-ts) would let ShellForge embed the sandbox API directly.
Integration point: replace or extend OpenShell in the Sandbox layer. `shellforge setup` could install nono, and `shellforge run` could wrap the agent subprocess with it.
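An added example, not ShellForge's or nono's code, of how `shellforge run` could build and launch the wrapper command proposed above. It assumes only the `nono run --profile <name> -- <command>` shape shown in this issue; the helper names and the profile-name pattern are hypothetical. The two points worth carrying into the real integration are the `--` separator, which stops the agent's own flags from being parsed as nono options, and failing closed when nono is not installed rather than silently running the agent unsandboxed.

```python
import re
import shutil
import subprocess

# hypothetical: ShellForge would carry its own profile names; 'crush' is the one named in this issue
_PROFILE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def build_nono_argv(profile: str, agent_argv: list[str], nono_bin: str = "nono") -> list[str]:
    """Build `nono run --profile <profile> -- <agent command...>` as an argv list (no shell)."""
    if not _PROFILE_RE.fullmatch(profile):
        raise ValueError(f"refusing unexpected profile name: {profile!r}")
    if not agent_argv:
        raise ValueError("agent command must not be empty")
    # '--' terminates nono's own option parsing, so flags belonging to the agent
    # (for example a '--profile' of its own) reach the agent rather than the sandbox launcher
    return [nono_bin, "run", "--profile", profile, "--", *agent_argv]


def run_sandboxed(profile: str, agent_argv: list[str]) -> int:
    """Launch the agent under nono and return its exit status; fails closed if nono is absent."""
    nono_bin = shutil.which("nono")
    if nono_bin is None:
        # never fall back to running the agent without the sandbox
        raise RuntimeError("nono is not installed; refusing to start the agent unsandboxed")
    return subprocess.run(build_nono_argv(profile, agent_argv, nono_bin)).returncode


if __name__ == "__main__":
    print(" ".join(build_nono_argv("crush", ["crush"])))
```

Passing an argv list to `subprocess.run` rather than a joined string keeps agent arguments out of any shell, so the only parser that sees them is nono's, and the `--` tells that parser to stop.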
Links
- GitHub: https://github.com/always-further/nono
- Stars: 1,325 (created 2026-01-31, alpha)
- License: Apache-2.0 ✅
- Language: Rust (TypeScript + Python bindings available)
Integration Effort
Moderate: nono installs via Homebrew. Adding `nono run --profile crush` as a wrapper in `shellforge run` is straightforward; creating a custom ShellForge profile and wiring the audit trail into AgentGuard's session logging is moderate work.