Claude Code is one of the most capable coding agents available today. It can navigate your codebase, edit files across multiple directories, run shell commands, install packages, and execute tests — all autonomously.
It also runs with your full user permissions. Every file on your system is readable. Every credential in your environment is accessible. Every command it runs executes as you.
We've all seen the stories. Claude deleted my database. Claude deleted all my code. Claude wiped my home directory. These aren't hypothetical risks — they're things that happen when an agent operates with no isolation between what it wants to do and what it can do.
Permission prompts don't scale
The default response to this problem has been permission dialogs. The agent wants to run a command — do you approve? The agent wants to write a file — do you approve?
The issue is predictable. After the third prompt, you're clicking "allow" reflexively. Approval fatigue turns a security feature into a rubber stamp. You end up with interrupted flow and reduced security.
Claude Code now ships with a built-in sandbox mode, which is a meaningful step forward. It uses OS-level primitives to enforce filesystem and network boundaries, reducing the need for constant approval prompts.
But it includes an escape hatch. When a command fails due to sandbox restrictions, Claude can retry it outside the sandbox with the dangerouslyDisableSandbox parameter. The name is honest — it is dangerous. One retry outside the sandbox and the agent has full access again.
Kernel-level enforcement with no escape
nono takes a different approach. It uses Landlock (Linux) and Seatbelt (macOS) to enforce restrictions at the kernel level. Once applied, these restrictions are irreversible for the process. There is no API to widen them. There is no escape hatch. Not even nono itself can remove the restrictions after they're set.
This is what we mean by "structurally impossible." The kernel denies unauthorised operations directly. There's no interception layer, no policy filter, no mechanism to bypass. If the agent tries to read your SSH keys or delete files outside its granted path, the operation fails at the syscall level.
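The Linux half of this claim can be checked directly against the kernel. The following is an added example, not nono's code: it forks a child, applies a Landlock ruleset limited to one directory, confirms a file outside it can no longer be opened, then tries to widen access by stacking a second ruleset that allows `/`. The names `restrict_to`, `readable` and `landlock_demo` are hypothetical, `/etc/passwd` is a constructed stand-in for an outside file, and Linux 5.13+ kernel headers are assumed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stack a Landlock layer allowing file access only beneath `dir`; -1 on failure. */
static int restrict_to(const char *dir) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
        LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE };
    int rs = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (rs < 0) return -1;   /* kernel without Landlock, or syscall filtered */
    struct landlock_path_beneath_attr rule = { .allowed_access = attr.handled_access_fs,
        .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||   /* required before restrict_self */
        syscall(__NR_landlock_restrict_self, rs, 0)) return -1;
    return 0;
}

static int readable(const char *path) {
    int fd = open(path, O_RDONLY);
    return fd >= 0 ? (close(fd), 1) : 0;
}

/* 0 = outside file denied and stayed denied, 1 = still readable, 2 = inconclusive. */
int landlock_demo(const char *allowed_dir, const char *outside_file) {
    pid_t pid = fork();   /* sandbox a child; the caller stays unrestricted */
    if (pid < 0) return 2;
    if (pid == 0) {
        if (!readable(outside_file) || restrict_to(allowed_dir)) _exit(2);
        if (readable(outside_file)) _exit(1);
        restrict_to("/");   /* try to widen: a new layer only intersects with the old */
        _exit(readable(outside_file) ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void) {   /* constructed inputs: "." mirrors --allow-cwd */
    int r = landlock_demo(".", "/etc/passwd");
    puts(r == 0 ? "denied, stayed denied" : r == 1 ? "NOT enforced" : "inconclusive");
    return r == 1;
}
```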
Getting started
Install nono:
brew install nono
Launch Claude Code inside a sandbox using the built-in profile:
nono run --allow-cwd --profile claude-code -- claude
That's it. Claude Code now runs with default-deny filesystem access. Only the current directory is writable. SSH keys, AWS credentials, system configs — all blocked at the kernel level.
If you want to run silently without the nono banner:
nono run --allow-cwd --silent --profile claude-code -- claude
For more granular control:
# Read-only access to reference docs, write access to project
nono run --read ~/docs --write ./src --profile claude-code -- claude
# Check why a specific path would be blocked
nono why --path ~/.ssh/id_rsa --op read
What's next
nono is free, open source, and available today. We're actively developing fine-grained network controls, atomic rollbacks, and library bindings for Python, TypeScript, and Rust so other tools can integrate nono's security primitives directly.
- Docs: nono.sh/docs
- GitHub: github.com/always-further/nono
- Discord: Join the community
Don't yolo when you can nono.