It is time for me to reveal the truth - I am Satoshi Nakamoto
I just don't have any proof.
nono.sh/blog/secure-...
Posts by Luke Hinds
Anyone know of some decent prompts to out a claw? Getting tired of them turning up in issues and writing an entire new slop-app and positioning it as a better solution.
you can tell that was human - generated:
**is** becoming a dream to develop **with** - no more having five terminals open , losing track of work in progress.
nono.sh is becoming a dream to develop - not more five terminals left open , losing track of work in progress.
Took nono.sh to the @aidotengineer.bsky.social event in London this week. Wasn't expecting to spend half the day being stopped by engineers telling us they're daily users. One team even demoed nono integrated into their own product - live, in the wild, built by someone we'd never met.
@simonwillison.net
demo of nono tmux style multiplexed sandboxes and how they can be used in a development workflow www.youtube.com/watch?v=QqRt...
The axios npm compromise from this week night is a near-perfect test case for nono.
Account takeover. Hidden dependency. postinstall hook. RAT deployed. Self-deleted to cover tracks.
Full writeup: nono.sh/blog/nono-ax...
I had a chat on #OpenSourceSecurity with @lukehinds.bsky.social about his project nono as well as MCP security
nono is a sandbox for containing all these tools which is an incredibly difficult problem to solve. The things we see skills and MCP doing are moving forward faster than anyone can keep up
If you're building with AI agents and haven't thought through what happens when the agent's permissions are broader than they need to be, this conversation is a good starting point.
nono.sh?utm_source=t...
@josh.bressers.name put it well: MCP is moving faster than anyone can keep up with.
@lukehinds.bsky.social joined #OpenSourceSecurity to dig into why agent security is structurally hard and what kernel-level sandboxing nono.sh actually solves.
Episode: opensourcesecurity.io/2026/2026-03...
tmux style sandboxes anyone? along with full docker-esque style lifecycle and atomic rollbacks? nono.sh
We built nono.sh because kernel-level enforcement is the only layer that can't be bypassed by the agent itself. Talked through the reasoning with @wearedevelopers - link: www.youtube.com/watch?v=xVK2...
great chat, with a great chap (Josh, not me).
little nono.sh is just 30 days old, just about to hit a 1k - It's faring very well against the OSS security giants - let's see if it can keep up the trajectory
agree, say it like it is (or spell it like you say it).
yml or yaml, was a winner ever established?
How the phantom token pattern works in practice: session-scoped token → localhost proxy → real credential injected outside the sandbox → forwarded over TLS. Scoped to one session. Expires on exit. #AISecurity #infosec
API keys in env vars. One prompt injection. One outbound HTTP call. Your key and everything it can touch is gone.
We built a phantom token pattern: a credential proxy that lives outside the sandbox, talking to agents only through a seccomp-restricted channel.
nono.sh/blog/blog-credential-injection
Gem, what is going on with you?
LOL - "Gemini is wrong again. The code compiles and runs - you demonstrated it. Gemini is hallucinating a v2/v3 API mashup"
Config + sandboxes + great DX - the current sweet spot
It's always nice to get a bit of love and appreciation as an OSS maintainer
Sorry, but I will never get the attraction with this thing (only using it to debug a user issue)
Loving the new nono claude demo video, so far the common ask has been 'Is that Sean Bean speaking'
www.youtube.com/watch?v=d6Y8...
nono.sh part two:
nono --net-block bash <(curl url):
curl downloads the script outside the sandbox, but bash executes it inside with network blocked. The malicious script can't exfiltrate or cause any damage, because the kernel denies all network syscalls with "Operation not permitted."
cool things you can do with nono.sh, part one:
nono'ception - aka nono spawns itself into a nono sandbox and then asks nono, why can I not access ~/.ssh/id_rsa
AI is 6 months away from being 6 months away
What is this bizarre reality we are in - utterly bonkers