Creator of sigstore.dev, now building nono.sh - the agent security platform.

Joined February 2021
The claude code nono package just passed 50,000 pulls directly into a zero latency sandbox - it is already about to head past 60k. Copied by many, yet rivalled by few - nono pioneered the zero-latency, zero-setup agent sandbox, and continues to innovate and lead the way.
I am looking forward to the day where we no longer have frenzied hype play out over whatever new way someone has just discovered of passing markdown files into an API
I give up with @ycombinator news - seems so petty to let users just flag you without reason.
Containers share the host kernel by design. For AI agents executing model-generated code, that's a real problem - one kernel exploit reaches the host. New post on Kubefence from @pradipta_kr from @RedHat: stacking Kata Containers, Seccomp and nono into one RuntimeClass. 👇 nono.sh/blog/kubefence-multi…
nono.sh often ends up in comparison articles where it's pitched against microVMs, within a very loose rag-tag bunch known as "Agent Sandboxes" - but the truth is, this is like comparing the fly-by-wire limits built into an aircraft control system to an end-of-runway concrete barrier - one governs every control input from within, in real time; the other stops things outside from going wrong when the plane runs out of runway. A microVM guards the host. What happens inside is not really its concern or duty to protect. If data is exfiltrated to unknown endpoints, destructive tool calls are made, an agent malfunctions and racks up eye-watering LLM API costs, and then deletes your database - you can't really blame the VM. You got what you signed up for - strong, monolithic isolation. Not internal governance. So nono operates at a completely different point in the security model: inside. It enforces capability-based, fine-grained policy to intercept sensitive or destructive operations, and it audits what the agent is actually doing with tamper-resistant, cryptographic claims (the blackbox recorder!). The question isn't "how contained is the damage" - it's "does the agent get to do this at all, in this particular context." They answer different questions entirely: A VM answers, "if malicious code executes, how do we contain the blast radius from breaching the host and adjacent tenants?" nono answers, "how do I give the agent some authority to use a tool to access AWS credentials and call its APIs, but not allow the same access when it's curl using the POST method to send your production credentials in a payload to a public GitHub issue?" Docker not long back announced "we launched Docker Sandboxes with a bold goal: to deliver the strongest agent isolation in the market." That's great! However, it's not really what your AI-weary CISO needs to sleep better at night. Instead, it's resolving a problem that's already mostly solved - in a claimed, much stronger way.
AI agents aren't highly focused on breaking isolation, something very difficult to achieve; they want to steal keys and cause wreckage from the inside. Want to see what the future malicious agent looks like? Go check out TeamPCP and their recent pursuits - they aren't bypassing hardware-level isolation with a zero-day, they're letting npm install do the job by executing post-install scripts to exfiltrate your CI tokens. BUT - they also harmonise and are formidable when combined - which is why teams and orgs are now deploying nono directly onto AWS Fargate / Firecracker, and hardened Kubernetes bound images - one holds the perimeter; the other governs what runs inside it. You get to sleep a bit easier at night. If you are interested in learning more and working with us to help shape a new approach for a new threat - we are now accepting a limited number of design partners to help us shape the future of AI Agent Security.
Seriously, what is happening at @github - cannot do any work and seriously considering alternatives now.
nono just shipped a profile for @NousResearch Hermes Agent
* Kernel based OS sandbox isolation
* Credential Protections - a dummy key is given to the agent, so if it gets leaked, it's useless
* Atomic rollback, the agent deletes something, screws up your files, simply roll back
* L7 filtering, let the agent post to /v1/chat/completions, but not /v1/dashboard/billing/subscription
No sign up needed, no cloud keys, no messing around with volume mounts etc. registry.nono.sh/packages/al…
This week in nono.sh #nono #hermes agent
Building Multiplexing and PTYs in nono.sh was a real opener to the world of terminals, so many areas to go wrong, especially when dealing with two processes - one of them sandboxed. Window size propagation, parsing ANSI/VT100/xterm escape sequences, maintaining a screen grid with attributes, scrollback, alternate screen buffer, and then re-rendering it onto a possibly-differently-sized real terminal. Resize is brutal - reflowing wrapped lines while preserving cursor semantics was painful - I could go on. I recently listened to the @Pragmatic_Eng show with @mitchellh talking about what he faced while building Ghostty and it was like discovering someone else is into some weird band no one else has ever heard of.
A lot of frustrated #NemoClaw, OpenShell users turning up in the nono.sh community, checked it out - kind of makes sense. Around 4 docker images, a k8s cluster, to run a coding agent.
Project Nono - Monthly Roundup 🎬 Here's what shipped over the last 30 days, in 60 seconds. A few highlights worth calling out: Secure SKILL / Agent Artifact Registry (early preview) — sigstore provenance and prompt injection checks built in. Custom SKILLS / Profiles - built for teams that want agent supply-chain security from day one, not bolted on later. Inbuilt Helper - no more wrangling pesky JSON. Let Nono steer the model for you.
Exciting new feature coming online shortly: nono.sh package and policy registry. We heard from users and they wanted a way of having a more customized self-serving system for having nono configure agent hooks, skills and nono policy.