nono-cli-0.6.0 is not a library.

nono-cli

CLI for capability-based sandboxing using Landlock (Linux) and Seatbelt (macOS).

Installation

Homebrew (macOS)

brew tap always-further/nono
brew install nono

Cargo

cargo install nono-cli

From Source

git clone https://github.com/always-further/nono
cd nono
cargo build --release

Usage

# Allow read+write to current directory
nono run --allow . -- command

# Separate read and write permissions
nono run --read ./src --write ./output -- cargo build

# Multiple paths
nono run --allow ./project-a --allow ./project-b -- command

# Block network access
nono run --allow . --net-block -- command

# Use a built-in profile
nono run --profile claude-code -- claude

# Start an interactive shell inside the sandbox
nono shell --allow .

# Check why a path would be blocked
nono why --path ~/.ssh/id_rsa --op read

# Dry run (show what would be sandboxed)
nono run --allow . --dry-run -- command

Built-in Profiles

Profile	Command
Claude Code	`nono run --profile claude-code -- claude`
OpenCode	`nono run --profile opencode -- opencode`
OpenClaw	`nono run --profile openclaw -- openclaw gateway`

Command Blocking

Dangerous commands are blocked by default:

Category	Commands
File destruction	`rm`, `rmdir`, `shred`, `srm`
Disk operations	`dd`, `mkfs`, `fdisk`, `parted`
Permission changes	`chmod`, `chown`, `chgrp`
Privilege escalation	`sudo`, `su`, `doas`

Override with --allow-command:

nono run --allow . --allow-command rm -- rm ./temp-file.txt

Documentation

License

Apache-2.0

nono-cli 0.6.0

nono-cli

Installation

Homebrew (macOS)

Cargo

From Source

Usage

Built-in Profiles

Command Blocking

Documentation

License