[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"similar-always-further--nono":3,"tool-always-further--nono":64},[4,17,27,35,43,56],{"id":5,"name":6,"github_repo":7,"description_zh":8,"stars":9,"difficulty_score":10,"last_commit_at":11,"category_tags":12,"status":16},3808,"stable-diffusion-webui","AUTOMATIC1111\u002Fstable-diffusion-webui","stable-diffusion-webui 是一个基于 Gradio 构建的网页版操作界面，旨在让用户能够轻松地在本地运行和使用强大的 Stable Diffusion 图像生成模型。它解决了原始模型依赖命令行、操作门槛高且功能分散的痛点，将复杂的 AI 绘图流程整合进一个直观易用的图形化平台。\n\n无论是希望快速上手的普通创作者、需要精细控制画面细节的设计师，还是想要深入探索模型潜力的开发者与研究人员，都能从中获益。其核心亮点在于极高的功能丰富度：不仅支持文生图、图生图、局部重绘（Inpainting）和外绘（Outpainting）等基础模式，还独创了注意力机制调整、提示词矩阵、负向提示词以及“高清修复”等高级功能。此外，它内置了 GFPGAN 和 CodeFormer 等人脸修复工具，支持多种神经网络放大算法，并允许用户通过插件系统无限扩展能力。即使是显存有限的设备，stable-diffusion-webui 也提供了相应的优化选项，让高质量的 AI 艺术创作变得触手可及。",162132,3,"2026-04-05T11:01:52",[13,14,15],"开发框架","图像","Agent","ready",{"id":18,"name":19,"github_repo":20,"description_zh":21,"stars":22,"difficulty_score":23,"last_commit_at":24,"category_tags":25,"status":16},1381,"everything-claude-code","affaan-m\u002Feverything-claude-code","everything-claude-code 是一套专为 AI 编程助手（如 Claude Code、Codex、Cursor 等）打造的高性能优化系统。它不仅仅是一组配置文件，而是一个经过长期实战打磨的完整框架，旨在解决 AI 代理在实际开发中面临的效率低下、记忆丢失、安全隐患及缺乏持续学习能力等核心痛点。\n\n通过引入技能模块化、直觉增强、记忆持久化机制以及内置的安全扫描功能，everything-claude-code 能显著提升 AI 在复杂任务中的表现，帮助开发者构建更稳定、更智能的生产级 AI 代理。其独特的“研究优先”开发理念和针对 Token 消耗的优化策略，使得模型响应更快、成本更低，同时有效防御潜在的攻击向量。\n\n这套工具特别适合软件开发者、AI 研究人员以及希望深度定制 AI 工作流的技术团队使用。无论您是在构建大型代码库，还是需要 AI 协助进行安全审计与自动化测试，everything-claude-code 都能提供强大的底层支持。作为一个曾荣获 Anthropic 黑客大奖的开源项目，它融合了多语言支持与丰富的实战钩子（hooks），让 AI 真正成长为懂上",138956,2,"2026-04-05T11:33:21",[13,15,26],"语言模型",{"id":28,"name":29,"github_repo":30,"description_zh":31,"stars":32,"difficulty_score":23,"last_commit_at":33,"category_tags":34,"status":16},2271,"ComfyUI","Comfy-Org\u002FComfyUI","ComfyUI 是一款功能强大且高度模块化的视觉 AI 引擎，专为设计和执行复杂的 Stable Diffusion 图像生成流程而打造。它摒弃了传统的代码编写模式，采用直观的节点式流程图界面，让用户通过连接不同的功能模块即可构建个性化的生成管线。\n\n这一设计巧妙解决了高级 AI 绘图工作流配置复杂、灵活性不足的痛点。用户无需具备编程背景，也能自由组合模型、调整参数并实时预览效果，轻松实现从基础文生图到多步骤高清修复等各类复杂任务。ComfyUI 拥有极佳的兼容性，不仅支持 Windows、macOS 和 Linux 全平台，还广泛适配 NVIDIA、AMD、Intel 及苹果 Silicon 等多种硬件架构，并率先支持 SDXL、Flux、SD3 等前沿模型。\n\n无论是希望深入探索算法潜力的研究人员和开发者，还是追求极致创作自由度的设计师与资深 AI 绘画爱好者，ComfyUI 都能提供强大的支持。其独特的模块化架构允许社区不断扩展新功能，使其成为当前最灵活、生态最丰富的开源扩散模型工具之一，帮助用户将创意高效转化为现实。",107662,"2026-04-03T11:11:01",[13,14,15],{"id":36,"name":37,"github_repo":38,"description_zh":39,"stars":40,"difficulty_score":23,"last_commit_at":41,"category_tags":42,"status":16},3704,"NextChat","ChatGPTNextWeb\u002FNextChat","NextChat 是一款轻量且极速的 AI 助手，旨在为用户提供流畅、跨平台的大模型交互体验。它完美解决了用户在多设备间切换时难以保持对话连续性，以及面对众多 AI 模型不知如何统一管理的痛点。无论是日常办公、学习辅助还是创意激发，NextChat 都能让用户随时随地通过网页、iOS、Android、Windows、MacOS 或 Linux 端无缝接入智能服务。\n\n这款工具非常适合普通用户、学生、职场人士以及需要私有化部署的企业团队使用。对于开发者而言，它也提供了便捷的自托管方案，支持一键部署到 Vercel 或 Zeabur 等平台。\n\nNextChat 的核心亮点在于其广泛的模型兼容性，原生支持 Claude、DeepSeek、GPT-4 及 Gemini Pro 等主流大模型，让用户在一个界面即可自由切换不同 AI 能力。此外，它还率先支持 MCP（Model Context Protocol）协议，增强了上下文处理能力。针对企业用户，NextChat 提供专业版解决方案，具备品牌定制、细粒度权限控制、内部知识库整合及安全审计等功能，满足公司对数据隐私和个性化管理的高标准要求。",87618,"2026-04-05T07:20:52",[13,26],{"id":44,"name":45,"github_repo":46,"description_zh":47,"stars":48,"difficulty_score":23,"last_commit_at":49,"category_tags":50,"status":16},2268,"ML-For-Beginners","microsoft\u002FML-For-Beginners","ML-For-Beginners 是由微软推出的一套系统化机器学习入门课程，旨在帮助零基础用户轻松掌握经典机器学习知识。这套课程将学习路径规划为 12 周，包含 26 节精炼课程和 52 道配套测验，内容涵盖从基础概念到实际应用的完整流程，有效解决了初学者面对庞大知识体系时无从下手、缺乏结构化指导的痛点。\n\n无论是希望转型的开发者、需要补充算法背景的研究人员，还是对人工智能充满好奇的普通爱好者，都能从中受益。课程不仅提供了清晰的理论讲解，还强调动手实践，让用户在循序渐进中建立扎实的技能基础。其独特的亮点在于强大的多语言支持，通过自动化机制提供了包括简体中文在内的 50 多种语言版本，极大地降低了全球不同背景用户的学习门槛。此外，项目采用开源协作模式，社区活跃且内容持续更新，确保学习者能获取前沿且准确的技术资讯。如果你正寻找一条清晰、友好且专业的机器学习入门之路，ML-For-Beginners 将是理想的起点。",84991,"2026-04-05T10:45:23",[14,51,52,53,15,54,26,13,55],"数据工具","视频","插件","其他","音频",{"id":57,"name":58,"github_repo":59,"description_zh":60,"stars":61,"difficulty_score":10,"last_commit_at":62,"category_tags":63,"status":16},3128,"ragflow","infiniflow\u002Fragflow","RAGFlow 是一款领先的开源检索增强生成（RAG）引擎，旨在为大语言模型构建更精准、可靠的上下文层。它巧妙地将前沿的 RAG 技术与智能体（Agent）能力相结合，不仅支持从各类文档中高效提取知识，还能让模型基于这些知识进行逻辑推理和任务执行。\n\n在大模型应用中，幻觉问题和知识滞后是常见痛点。RAGFlow 通过深度解析复杂文档结构（如表格、图表及混合排版），显著提升了信息检索的准确度，从而有效减少模型“胡编乱造”的现象，确保回答既有据可依又具备时效性。其内置的智能体机制更进一步，使系统不仅能回答问题，还能自主规划步骤解决复杂问题。\n\n这款工具特别适合开发者、企业技术团队以及 AI 研究人员使用。无论是希望快速搭建私有知识库问答系统，还是致力于探索大模型在垂直领域落地的创新者，都能从中受益。RAGFlow 提供了可视化的工作流编排界面和灵活的 API 接口，既降低了非算法背景用户的上手门槛，也满足了专业开发者对系统深度定制的需求。作为基于 Apache 2.0 协议开源的项目，它正成为连接通用大模型与行业专有知识之间的重要桥梁。",77062,"2026-04-04T04:44:48",[15,14,13,26,54],{"id":65,"github_repo":66,"name":67,"description_en":68,"description_zh":69,"ai_summary_zh":69,"readme_en":70,"readme_zh":71,"quickstart_zh":72,"use_case_zh":73,"hero_image_url":74,"owner_login":75,"owner_name":76,"owner_avatar_url":77,"owner_bio":78,"owner_company":79,"owner_location":79,"owner_email":79,"owner_twitter":80,"owner_website":81,"owner_url":82,"languages":83,"stars":108,"forks":109,"last_commit_at":110,"license":111,"difficulty_score":23,"env_os":112,"env_gpu":113,"env_ram":113,"env_deps":114,"category_tags":120,"github_topics":121,"view_count":10,"oss_zip_url":79,"oss_zip_packed_at":79,"status":16,"created_at":140,"updated_at":141,"faqs":142,"releases":171},1129,"always-further\u002Fnono","nono","Kernel-enforced agent sandbox. Capability-based isolation with secure key management, atomic rollback, cryptographic immutable audit chain of provenance. Run your agents in a zero-trust environment.","nono 是一款专为 AI 智能体设计的内核级安全沙箱工具。它旨在解决当前 AI 代理普遍面临的权限过大问题——许多代理拥有文件系统访问和 Shell 命令执行权，极易受提示词注入攻击，而传统的软件策略防护往往容易被绕过。\n\n通过非虚拟化方案，nono 能在几秒钟内为任意 CLI 代理创建隔离环境，无需配置 Hypervisor 或挂载容器卷，几乎零延迟。其核心亮点包括基于能力的隔离机制、安全的密钥管理、原子操作回滚以及不可篡改的加密审计链。这些特性确保即使在零信任环境下，AI 的破坏性行为也能被结构性地阻止。\n\nnono 由知名开源项目 Sigstore 的创作者开发，目前支持 macOS 和 Linux 系统，可通过 Homebrew 快速安装。虽然正处于早期 Alpha 阶段，暂不推荐用于生产环境，但对于希望安全测试、运行本地 AI 代理的开发者和技术研究人员来说，nono 提供了一个极具潜力的安全解决方案。","\u003Cdiv align=\"center\">\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Falways-further_nono_readme_70b020f79d5e.png\" alt=\"nono logo\" width=\"600\"\u002F>\n\n**AI agent security that makes the dangerous bits structurally impossible.**\n\n\u003Cp>\n  From the creator of\n  \u003Ca href=\"https:\u002F\u002Fsigstore.dev\">\u003Cstrong>Sigstore\u003C\u002Fstrong>\u003C\u002Fa>\n  \u003Cbr\u002F>\n  \u003Csub>The standard for secure software attestation, used by PyPI, npm, brew, and Maven Central\u003C\u002Fsub>\n\u003C\u002Fp>\n\u003Cp>\n  \u003Ca href=\"https:\u002F\u002Fopensource.org\u002Flicenses\u002FApache-2.0\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache%202.0-blue.svg\" alt=\"License\"\u002F>\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Factions\u002Fworkflows\u002Fci.yml\">\u003Cimg src=\"https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg\" alt=\"CI Status\"\u002F>\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fdocs.nono.sh\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FDocs-docs.nono.sh-green.svg\" alt=\"Documentation\"\u002F>\u003C\u002Fa>\n\u003C\u002Fp>\n\u003Cp>\n  \u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FpPcjYzGvbS\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FChat-Join%20Discord-7289da?style=for-the-badge&logo=discord&logoColor=white\" alt=\"Join Discord\"\u002F>\n  \u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmarketplace\u002Factions\u002Fagent-sign\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FSecure_Action-agent--sign-2088FF?style=for-the-badge&logo=github-actions&logoColor=white\" alt=\"agent-sign GitHub Action\"\u002F>\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003C\u002Fdiv>\n\n> [!WARNING]\n> This is an early alpha release that has not undergone comprehensive security audits. While we have taken care to implement robust security measures, there may still be undiscovered issues. We do not recommend using this in production until we release a stable version of 1.0.\n\n> [!IMPORTANT]\n> Active development may cause disruptions — if something is broken, it's likely us, not you.\n> - **Supervisor:** Work is underway on a runtime lifecycle making the supervisor the default execution mode, introducing commands like `ps`, `attach`, `detach`, `inspect`, and `stop`. [#502](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fdiscussions\u002F502)\n> - **Packages & Skills:** A system for customized hooks, skills, and scripts for Coding Agents — with a community registry or any git repo as a source. [#459](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F459)\n> - **Policy:** Work continues to make everything fully composable and group-based. [#446](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F446)\n\n---\n\nAI agents get filesystem access, run shell commands, and are wide open to prompt injections. The standard response is guardrails and policies. The problem is that policies can be bypassed — and guardrails can be talked out of.\n\nWith nono, you don't have to. nono wraps your agent in a kernel-isolated sandbox in seconds — with API key protection, destructive action guardrails, and full snapshot\u002Frollback built in. No hypervisor to configure. No container volume mounts. Zero latency overhead.\n\n---\n\n**Platform support:** macOS and Linux now. Windows coming soon.\n\n**Homebrew (macOS\u002FLinux)**\n```bash\nbrew install nono\n```\n\n**Other install options**\n\nPrebuilt binaries and package manager instructions are in the [Installation Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fgetting_started\u002Finstallation).\n\n---\n\n## CLI\n\nThe CLI is the quickest way to get going! zero startup latency, no need to install hypervisors, runtimes, mount volumes...sandboxed and protected in a single command\n\n```bash\n# Any CLI agent — just put your command after --\nnono run --profile claude-code -- claude\nnono run --profile codex -- codex\nnono run --profile opencode -- opencode\nnono run --profile openclaw -- openclaw\nnono run --profile swival -- swival\n\nnono run --allow-cwd -- python3 my_agent.py\nnono run --allow-cwd -- npx @anthropic\u002Fagent-framework\n\n# MCP servers, agents, anything!\nnono run --read \u002Fdata -- npx @modelcontextprotocol\u002Fserver-filesystem \u002Fdata\nnono run --profile pydantic-ai-agent --allow logs\u002F -- uv run my_agent.py\nnono run --profile custom-profile -- node agent.js\n```\n\nBuilt-in profiles for [Claude Code](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fclaude-code), [Codex](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fcodex), [OpenCode](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopencode), [OpenClaw](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopenclaw), and [Swival](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fswival) — or define your own with custom permissions.\n\n---\n\n## Library\n\nThe core is a Rust library that can be embedded into any application via native bindings. The library is a policy-free sandbox primitive -- it applies only what clients explicitly request.\n\n#### \u003Cimg src=\"https:\u002F\u002Fcdn.jsdelivr.net\u002Fgh\u002Fdevicons\u002Fdevicon\u002Ficons\u002Frust\u002Frust-original.svg\" width=\"18\" height=\"18\" alt=\"Rust\"\u002F> Rust — [crates.io](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fnono)\n\n```rust\nuse nono::{CapabilitySet, Sandbox};\n\nlet mut caps = CapabilitySet::new();\ncaps.allow_read(\"\u002Fdata\u002Fmodels\")?;\ncaps.allow_write(\"\u002Ftmp\u002Fworkspace\")?;\n\nSandbox::apply(&caps)?;  \u002F\u002F Irreversible — kernel-enforced from here on\n```\n\n#### \u003Cimg src=\"https:\u002F\u002Fcdn.jsdelivr.net\u002Fgh\u002Fdevicons\u002Fdevicon\u002Ficons\u002Fpython\u002Fpython-original.svg\" width=\"18\" height=\"18\" alt=\"Python\"\u002F> Python — [nono-py](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-py)\n\n```python\nfrom nono_py import CapabilitySet, AccessMode, apply\n\ncaps = CapabilitySet()\ncaps.allow_path(\"\u002Fdata\u002Fmodels\", AccessMode.READ)\ncaps.allow_path(\"\u002Ftmp\u002Fworkspace\", AccessMode.READ_WRITE)\n\napply(caps)  # Apply CapabilitySet\n```\n\n#### \u003Cimg src=\"https:\u002F\u002Fcdn.jsdelivr.net\u002Fgh\u002Fdevicons\u002Fdevicon\u002Ficons\u002Ftypescript\u002Ftypescript-original.svg\" width=\"18\" height=\"18\" alt=\"TypeScript\"\u002F> TypeScript — [nono-ts](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-ts)\n\n```typescript\nimport { CapabilitySet, AccessMode, apply } from \"nono-ts\";\n\nconst caps = new CapabilitySet();\ncaps.allowPath(\"\u002Fdata\u002Fmodels\", AccessMode.Read);\ncaps.allowPath(\"\u002Ftmp\u002Fworkspace\", AccessMode.ReadWrite);\n\napply(caps);  \u002F\u002F Irreversible — kernel-enforced from here on\n```\n\n---\n\n## Features\n\n### Kernel-Enforced Sandbox\n\nnono applies OS-level restrictions that cannot be bypassed or escalated from within the sandboxed process. Permissions are defined as capabilities granted before execution -- once the sandbox is applied, it is irreversible. All child processes inherit the same restrictions.\n\n| Platform | Mechanism | Minimum Kernel |\n|----------|-----------|----------------|\n| macOS | Seatbelt | 10.5+ |\n| Linux | Landlock | 5.13+ |\n\n```bash\n# Grant read to src, write to output — everything else is denied by the kernel\nnono run --read .\u002Fsrc --write .\u002Foutput -- cargo build\n```\n\n### Credential Injection\n\nTwo modes: **proxy injection** keeps credentials entirely outside the sandbox — the agent connects to `localhost` and the proxy injects real API keys into upstream requests. **Env injection** loads secrets from the OS keystore, 1Password, or Apple Passwords and injects them as environment variables before the sandbox locks.\n\n```bash\n# Proxy mode — agent never sees the API key, even in its own memory\nnono run --network-profile claude-code --proxy-credential openai -- my-agent\n\n# Env mode — simpler, but secret is in the process environment\nnono run --env-credential openai_api_key --allow-cwd -- my-agent\n\n# 1Password — map URI reference to destination env var\nnono run --env-credential-map 'op:\u002F\u002FDevelopment\u002FOpenAI\u002Fcredential' OPENAI_API_KEY --allow-cwd -- my-agent\n\n# Apple Passwords (macOS) — map URI reference to destination env var\nnono run --env-credential-map 'apple-password:\u002F\u002Fgithub.com\u002Falice@example.com' GITHUB_PASSWORD --allow-cwd -- my-agent\n```\n\n### Agent SKILL Provenance and Supply Chain Security\n\nInstruction files (SKILLS.md, CLAUDE.md, AGENTS.md, AGENT.MD) and associated artifacts such as scripts are a supply chain attack vector. nono cryptographically signs and verifies them using Sigstore attestation with DSSE envelopes and in-toto \u002F SLSA style statements. It supports keyed signing (system keystore) and keyless signing (OIDC via GitHub Actions + Fulcio + Rekor). Upon execution, nono verifies the signature, checks the signing certificate against trusted roots, and validates the statement predicates (e.g. signed within the last 30 days, signed by a trusted maintainer).\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmarketplace\u002Factions\u002Fnono-attest\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FGitHub_Action-nono--attest-2088FF?style=for-the-badge&logo=github-actions&logoColor=white\" alt=\"nono-attest GitHub Action\"\u002F>\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\nSign instruction files directly within GitHub Actions workflows. Users can then verify that files originate from the expected repository and branch, signed by a trusted maintainer.\n\n### Network Filtering\n\nAllowlist-based host filtering via a local proxy. The sandbox blocks all direct outbound connections — the agent can only reach explicitly allowed hosts. Cloud metadata endpoints are hardcoded as denied.\n\n```bash\nnono run --allow-proxy api.openai.com --allow-proxy api.anthropic.com -- my-agent\n\n# Keep the claude-code profile, but allow unrestricted network for this session\nnono run --profile claude-code --allow-net -- claude\n```\n\n### Supervisor and Capability Expansion\n\nOn Linux, seccomp user notification intercepts syscalls when the agent needs access outside its sandbox. The supervisor prompts the user, then injects the file descriptor directly — the agent never executes its own `open()`. Sensitive paths are never-grantable regardless of approval.\n\n```bash\nnono run --rollback --supervised --profile claude-code --allow-cwd -- claude\n```\n\n### Undo and Snapshots\n\nContent-addressable snapshots of your working directory taken before and during sandboxed execution. SHA-256 deduplication and Merkle tree commitments for integrity verification. Interactively review and restore individual files or the entire directory. Known regenerable directories (`.git`, `target`, `node_modules`, etc.) and directories with more than 10,000 files are auto-excluded from snapshots to prevent hangs on large projects.\n\n```bash\n# Zero-flag usage — auto-excludes large\u002Fregenerable directories\nnono run --rollback --allow . -- npm test\n\n# Force-include an auto-excluded directory\nnono run --rollback --rollback-include target -- cargo build\n\n# Exclude a custom directory from rollback\nnono run --rollback --rollback-exclude vendor -- go test .\u002F...\n\n# Disable rollback entirely\nnono run --no-rollback --allow . -- npm test\n\nnono rollback list\nnono rollback restore\n```\n\n### Composable Policy Groups\n\nSecurity policy defined as named groups in a single JSON file. Profiles reference groups by name — compose fine-grained policies from reusable building blocks.\n\n```json\n{\n  \"deny_credentials\": {\n    \"deny\": { \"access\": [\"~\u002F.ssh\", \"~\u002F.gnupg\", \"~\u002F.aws\", \"~\u002F.kube\"] }\n  },\n  \"node_runtime\": {\n    \"allow\": { \"read\": [\"~\u002F.nvm\", \"~\u002F.fnm\", \"~\u002F.npm\"] }\n  }\n}\n```\n\n### Destructive Command Blocking\n\nDangerous commands (`rm`, `dd`, `chmod`, `sudo`, `scp`) are blocked before execution. Override per invocation with `--allow-command` or permanently via `allowed_commands` in a profile. Block additional commands with `add_deny_commands`.\n\n```bash\n$ nono run --allow-cwd -- rm -rf \u002F\nnono: blocked command: rm\n\n# Override per invocation\nnono run --allow-cwd --allow-command rm -- rm .\u002Ftemp-file.txt\n\n# Override via profile\n# { \"security\": { \"allowed_commands\": [\"rm\"] } }\nnono run --profile my-profile -- rm \u002Ftmp\u002Fold-file.txt\n\n# Block specific commands in a profile (add_deny_commands) — pairs with add_deny_access for sockets\n# { \"policy\": { \"add_deny_access\": [\"\u002Fvar\u002Frun\u002Fdocker.sock\"], \"add_deny_commands\": [\"docker\", \"kubectl\"] } }\nnono run --profile no-docker -- claude\n```\n\n> [!WARNING]\n> Command blocking is defense-in-depth layered on top of the kernel sandbox. Commands can bypass this via `sh -c '...'` or wrapper scripts — the sandbox filesystem restrictions are the real security boundary.\n\n### Themes\n\nnono ships with multiple color themes inspired by popular terminal palettes. The default is **Catppuccin Mocha**.\n\n| Theme | Description |\n|-------|-------------|\n| `mocha` | Catppuccin Mocha -- warm dark (default) |\n| `latte` | Catppuccin Latte -- clean light |\n| `frappe` | Catppuccin Frappe -- muted dark |\n| `macchiato` | Catppuccin Macchiato -- deep vivid dark |\n| `tokyo-night` | Tokyo Night -- cool blues and purples |\n| `minimal` | Grayscale with orange accent |\n\n```bash\n# Per invocation\nnono --theme tokyo-night run --allow-cwd -- my-agent\n\n# Via environment variable\nexport NONO_THEME=latte\n\n# Via config file (~\u002F.config\u002Fnono\u002Fconfig.toml)\n# [ui]\n# theme = \"frappe\"\n```\n\n### Audit Trail\n\nEvery supervised session automatically records command, timing, exit code, network events, and cryptographic snapshot commitments as structured JSON. Opt out with `--no-audit`.\n\n```bash\nnono audit list\nnono audit show 20260216-193311-20751 --json\n```\n\n## Quick Start\n\n### Homebrew (macOS\u002FLinux)\n\n```bash\nbrew install nono\n```\n\n### Other Linux Install Options\n\nSee the [Installation Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fgetting_started\u002Finstallation) for prebuilt binaries and package manager instructions.\n\n### From Source\n\nSee the [Development Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fdevelopment\u002Findex) for building from source.\n\n## Supported Clients\n\nnono ships with built-in profiles for popular AI coding agents. Each profile defines audited, minimal permissions.\n\n| Client | Profile | Docs |\n|--------|---------|------|\n| **Claude Code** | `claude-code` | [Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fclaude-code) |\n| **Codex** | `codex` | [Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fcodex) |\n| **OpenCode** | `opencode` | [Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopencode) |\n| **OpenClaw** | `openclaw` | [Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopenclaw) |\n| **Swival** | `swival` | [Guide](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fswival) |\n\nCustom profiles can [extend built-in ones](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Ffeatures\u002Fprofiles-groups) with `\"extends\": \"claude-code\"` (or multiple: `\"extends\": [\"claude-code\", \"node-dev\"]`) to inherit all settings and add overrides. nono is agent-agnostic and works with any CLI command. See the [full documentation](https:\u002F\u002Fdocs.nono.sh) for usage details, configuration, and integration guides.\n\n## Projects using nono\n\n| Project | Repository |\n|---------|------------|\n| **claw-wrap** | [GitHub](https:\u002F\u002Fgithub.com\u002Fdedene\u002Fclaw-wrap) |\n\n## Architecture\n\nnono is structured as a Cargo workspace:\n\n- **nono** (`crates\u002Fnono\u002F`) -- Core library. A policy-free sandbox primitive that applies only what clients explicitly request.\n- **nono-cli** (`crates\u002Fnono-cli\u002F`) -- CLI binary. Owns all security policy, profiles, hooks, and UX.\n- **nono-ffi** (`bindings\u002Fc\u002F`) -- C FFI bindings with auto-generated header.\n\nLanguage-specific bindings are maintained separately:\n\n| Language | Repository | Package |\n|----------|------------|---------|\n| Python | [nono-py](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-py) | PyPI |\n| TypeScript | [nono-ts](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-ts) | npm |\n\n## Contributing\n\nWe encourage using AI tools to contribute to nono. However, you must understand and carefully review any AI-generated code before submitting. The security of nono is paramount -- always review and test your code thoroughly, especially around core sandboxing functionality. If you don't understand how a change works, please ask for help in the [Discord](https:\u002F\u002Fdiscord.gg\u002FpPcjYzGvbS) before submitting a PR.\n\n## Security\n\nIf you discover a security vulnerability, please **do not open a public issue**. Instead, follow the responsible disclosure process outlined in our [Security Policy](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fsecurity).\n\n## License\n\nApache-2.0\n","\u003Cdiv align=\"center\">\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Falways-further_nono_readme_70b020f79d5e.png\" alt=\"nono logo\" width=\"600\"\u002F>\n\n**一种让危险操作在结构上根本不可能发生的 AI 代理安全方案。**\n\n\u003Cp>\n  来自\n  \u003Ca href=\"https:\u002F\u002Fsigstore.dev\">\u003Cstrong>Sigstore\u003C\u002Fstrong>\u003C\u002Fa> 的创作者\n  \u003Cbr\u002F>\n  \u003Csub>安全软件证明的标准，已被 PyPI、npm、brew 和 Maven Central 使用\u003C\u002Fsub>\n\u003C\u002Fp>\n\u003Cp>\n  \u003Ca href=\"https:\u002F\u002Fopensource.org\u002Flicenses\u002FApache-2.0\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache%202.0-blue.svg\" alt=\"License\"\u002F>\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Factions\u002Fworkflows\u002Fci.yml\">\u003Cimg src=\"https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg\" alt=\"CI Status\"\u002F>\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fdocs.nono.sh\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FDocs-docs.nono.sh-green.svg\" alt=\"Documentation\"\u002F>\u003C\u002Fa>\n\u003C\u002Fp>\n\u003Cp>\n  \u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FpPcjYzGvbS\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FChat-Join%20Discord-7289da?style=for-the-badge&logo=discord&logoColor=white\" alt=\"Join Discord\"\u002F>\n  \u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmarketplace\u002Factions\u002Fagent-sign\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FSecure_Action-agent--sign-2088FF?style=for-the-badge&logo=github-actions&logoColor=white\" alt=\"agent-sign GitHub Action\"\u002F>\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003C\u002Fdiv>\n\n> [!WARNING]\n> 这是一个尚未经过全面安全审计的早期 Alpha 版本。尽管我们已采取措施实施强大的安全机制，但仍可能存在未被发现的问题。在我们发布稳定的 1.0 版本之前，不建议将其用于生产环境。\n\n> [!IMPORTANT]\n> 积极的开发可能会导致中断——如果出现问题，很可能是我们的原因，而不是您。\n\n> - **Supervisor:** 我们正在开发一种运行时生命周期管理功能，使 Supervisor 成为默认的执行模式，并引入 `ps`、`attach`、`detach`、`inspect` 和 `stop` 等命令。[#502](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fdiscussions\u002F502)\n> - **Packages & Skills:** 针对编码代理的自定义钩子、技能和脚本系统——社区注册表或任何 Git 仓库都可以作为来源。[#459](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F459)\n> - **Policy:** 我们仍在继续努力，使所有功能完全可组合且基于组策略。[#446](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F446)\n\n---\n\nAI 代理通常拥有文件系统访问权限、可以执行 Shell 命令，并且极易受到提示注入攻击。传统的应对方式是使用护栏和策略。然而，问题在于这些策略可能被绕过，而护栏也可能被“说服”失效。\n\n有了 nono，您无需担心这些问题。no-no 可以在几秒钟内将您的代理包裹在一个内核隔离的沙箱中——内置 API 密钥保护、破坏性操作防护以及完整的快照与回滚功能。无需配置虚拟机管理程序，无需挂载容器卷，也不存在延迟开销。\n\n---\n\n**平台支持：** 目前支持 macOS 和 Linux，Windows 即将推出。\n\n**Homebrew (macOS\u002FLinux)**\n```bash\nbrew install nono\n```\n\n**其他安装选项**\n\n预编译的二进制文件和包管理器安装说明，请参阅[安装指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fgetting_started\u002Finstallation)。\n\n---\n\n## CLI\n\nCLI 是最快上手的方式！无启动延迟，无需安装虚拟机管理程序、运行时或挂载卷……只需一条命令即可实现沙箱化并提供保护。\n\n```bash\n# 任何 CLI 代理——只需在 -- 后面加上您的命令\nnono run --profile claude-code -- claude\nnono run --profile codex -- codex\nnono run --profile opencode -- opencode\nnono run --profile openclaw -- openclaw\nnono run --profile swival -- swival\n\nnono run --allow-cwd -- python3 my_agent.py\nnono run --allow-cwd -- npx @anthropic\u002Fagent-framework\n\n# MCP 服务器、代理，任何东西！\nnono run --read \u002Fdata -- npx @modelcontextprotocol\u002Fserver-filesystem \u002Fdata\nnono run --profile pydantic-ai-agent --allow logs\u002F -- uv run my_agent.py\nnono run --profile custom-profile -- node agent.js\n```\n\n内置针对 [Claude Code](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fclaude-code)、[Codex](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fcodex)、[OpenCode](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopencode)、[OpenClaw](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopenclaw) 和 [Swival](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fswival) 的配置文件——或者您也可以通过自定义权限来定义自己的配置文件。\n\n---\n\n## Library\n\n核心是一个 Rust 库，可以通过原生绑定嵌入到任何应用程序中。该库是一个无策略的沙箱基础组件——它仅应用客户端明确请求的内容。\n\n#### \u003Cimg src=\"https:\u002F\u002Fcdn.jsdelivr.net\u002Fgh\u002Fdevicons\u002Fdevicon\u002Ficons\u002Frust\u002Frust-original.svg\" width=\"18\" height=\"18\" alt=\"Rust\"\u002F> Rust — [crates.io](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fnono)\n\n```rust\nuse nono::{CapabilitySet, Sandbox};\n\nlet mut caps = CapabilitySet::new();\ncaps.allow_read(\"\u002Fdata\u002Fmodels\")?;\ncaps.allow_write(\"\u002Ftmp\u002Fworkspace\")?;\n\nSandbox::apply(&caps)?;  \u002F\u002F 不可逆——从此时起由内核强制执行\n```\n\n#### \u003Cimg src=\"https:\u002F\u002Fcdn.jsdelivr.net\u002Fgh\u002Fdevicons\u002Fdevicon\u002Ficons\u002Fpython\u002Fpython-original.svg\" width=\"18\" height=\"18\" alt=\"Python\"\u002F> Python — [nono-py](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-py)\n\n```python\nfrom nono_py import CapabilitySet, AccessMode, apply\n\ncaps = CapabilitySet()\ncaps.allow_path(\"\u002Fdata\u002Fmodels\", AccessMode.READ)\ncaps.allow_path(\"\u002Ftmp\u002Fworkspace\", AccessMode.READ_WRITE)\n\napply(caps)  # 应用能力集\n```\n\n#### \u003Cimg src=\"https:\u002F\u002Fcdn.jsdelivr.net\u002Fgh\u002Fdevicons\u002Fdevicon\u002Ficons\u002Ftypescript\u002Ftypescript-original.svg\" width=\"18\" height=\"18\" alt=\"TypeScript\"\u002F> TypeScript — [nono-ts](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-ts)\n\n```typescript\nimport { CapabilitySet, AccessMode, apply } from \"nono-ts\";\n\nconst caps = new CapabilitySet();\ncaps.allowPath(\"\u002Fdata\u002Fmodels\", AccessMode.Read);\ncaps.allowPath(\"\u002Ftmp\u002Fworkspace\", AccessMode.ReadWrite);\n\napply(caps);  \u002F\u002F 不可逆——从此时起由内核强制执行\n```\n\n---\n\n## 功能\n\n### 内核强制执行的沙箱\n\nno-no 应用操作系统级别的限制，这些限制无法从沙箱进程内部被绕过或提升权限。权限以执行前授予的能力形式定义——一旦沙箱被应用，便不可逆转。所有子进程都会继承相同的限制。\n\n| 平台 | 机制 | 最低内核版本 |\n|----------|-----------|----------------|\n| macOS | Seatbelt | 10.5+ |\n| Linux | Landlock | 5.13+ |\n\n```bash\n# 授予对 src 的读取权限，对 output 的写入权限——其余一切均由内核禁止\nnono run --read .\u002Fsrc --write .\u002Foutput -- cargo build\n```\n\n### 凭证注入\n\n两种模式：**代理注入**会将凭证完全保留在沙箱之外——代理连接到 `localhost`，代理会将真实的 API 密钥注入到上游请求中。**环境变量注入**则会从操作系统密钥链、1Password 或 Apple Passwords 中加载秘密，并在沙箱锁定之前将其注入为环境变量。\n\n```bash\n# 代理模式——代理甚至在其自身内存中都看不到 API 密钥\nnono run --network-profile claude-code --proxy-credential openai -- my-agent\n\n# 环境变量模式——更简单，但秘密存在于进程环境中\nnono run --env-credential openai_api_key --allow-cwd -- my-agent\n\n# 1Password — 将 URI 引用映射到目标环境变量\nnono run --env-credential-map 'op:\u002F\u002FDevelopment\u002FOpenAI\u002Fcredential' OPENAI_API_KEY --allow-cwd -- my-agent\n\n# Apple Passwords (macOS) — 将 URI 引用映射到目标环境变量\nnono run --env-credential-map 'apple-password:\u002F\u002Fgithub.com\u002Falice@example.com' GITHUB_PASSWORD --allow-cwd -- my-agent\n```\n\n### 代理技能溯源与供应链安全\n\n指令文件（SKILLS.md、CLAUDE.md、AGENTS.md、AGENT.MD）及其相关工件（如脚本）是供应链攻击的潜在途径。nono 使用 Sigstore 的 DSSE 封装和 in-toto\u002FSLSA 样式的声明，对这些文件进行加密签名并验证。它支持基于密钥的签名（系统密钥库）和无密钥签名（通过 GitHub Actions + Fulcio + Rekor 实现的 OIDC）。在执行时，nono 会验证签名、检查签名证书是否来自受信根证书，并验证声明中的谓词（例如：在过去 30 天内签名、由受信维护者签名）。\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fmarketplace\u002Factions\u002Fnono-attest\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FGitHub_Action-nono--attest-2088FF?style=for-the-badge&logo=github-actions&logoColor=white\" alt=\"nono-attest GitHub Action\"\u002F>\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n您可以在 GitHub Actions 工作流中直接对指令文件进行签名。用户随后可以验证这些文件是否确实来自预期的仓库和分支，并且是由受信维护者签名的。\n\n### 网络过滤\n\n通过本地代理实现基于白名单的主机过滤。沙箱会阻止所有直接的出站连接——代理只能访问明确允许的主机。云元数据端点则被硬编码为禁止访问。\n\n```bash\nnono run --allow-proxy api.openai.com --allow-proxy api.anthropic.com -- my-agent\n\n# 保留 claude-code 配置文件，但在此会话中允许无限制的网络访问\nnono run --profile claude-code --allow-net -- claude\n```\n\n### 监督与能力扩展\n\n在 Linux 系统上，当代理需要访问其沙箱之外的资源时，seccomp 用户通知机制会拦截系统调用。监督程序会提示用户，然后直接注入文件描述符——代理本身不会执行 `open()` 系统调用。无论是否获得批准，敏感路径始终无法授予访问权限。\n\n```bash\nnono run --rollback --supervised --profile claude-code --allow-cwd -- claude\n```\n\n### 撤销与快照\n\n在沙箱执行之前和期间，会对您的工作目录进行内容寻址式快照。使用 SHA-256 进行去重，并通过默克尔树承诺来验证完整性。您可以交互式地查看并恢复单个文件或整个目录。对于已知可再生的目录（如 `.git`、`target`、`node_modules` 等）以及包含超过 10,000 个文件的目录，系统会自动将其排除在快照之外，以避免在大型项目中出现卡顿。\n\n```bash\n# 使用 zero 标志——自动排除大型或可再生目录\nnono run --rollback --allow . -- npm test\n\n# 强制包含一个被自动排除的目录\nnono run --rollback --rollback-include target -- cargo build\n\n# 排除自定义目录不参与撤销操作\nnono run --rollback --rollback-exclude vendor -- go test .\u002F...\n\n# 完全禁用撤销功能\nnono run --no-rollback --allow . -- npm test\n\nnono rollback list\nnono rollback restore\n```\n\n### 可组合策略组\n\n安全策略以命名组的形式定义在一个 JSON 文件中。配置文件通过名称引用这些组——从而可以从可重用的构建模块中组合出细粒度的策略。\n\n```json\n{\n  \"deny_credentials\": {\n    \"deny\": { \"access\": [\"~\u002F.ssh\", \"~\u002F.gnupg\", \"~\u002F.aws\", \"~\u002F.kube\"] }\n  },\n  \"node_runtime\": {\n    \"allow\": { \"read\": [\"~\u002F.nvm\", \"~\u002F.fnm\", \"~\u002F.npm\"] }\n  }\n}\n```\n\n### 破坏性命令拦截\n\n危险命令（`rm`、`dd`、`chmod`、`sudo`、`scp`）会在执行前被拦截。您可以通过 `--allow-command` 参数在每次调用时覆盖拦截，或者通过配置文件中的 `allowed_commands` 设置永久允许某些命令。此外，还可以使用 `add_deny_commands` 来额外阻止特定命令。\n\n```bash\n$ nono run --allow-cwd -- rm -rf \u002F\nnono: blocked command: rm\n\n# 在每次调用时覆盖拦截\nnono run --allow-cwd --allow-command rm -- rm .\u002Ftemp-file.txt\n\n# 通过配置文件覆盖\n# { \"security\": { \"allowed_commands\": [\"rm\"] } }\nnono run --profile my-profile -- rm \u002Ftmp\u002Fold-file.txt\n\n# 在配置文件中阻止特定命令（使用 add_deny_commands）——同时配合 add_deny_access 来阻止对套接字的访问\n# { \"policy\": { \"add_deny_access\": [\"\u002Fvar\u002Frun\u002Fdocker.sock\"], \"add_deny_commands\": [\"docker\", \"kubectl\"] } }\nnono run --profile no-docker -- claude\n```\n\n> [!WARNING]\n> 命令拦截是在内核沙箱之上的一层纵深防御。如果使用 `sh -c '...'` 或包装脚本，仍有可能绕过此机制——真正的安全边界在于沙箱的文件系统限制。\n\n### 主题\n\nnono 自带多个受流行终端配色方案启发的颜色主题，默认主题为 **Catppuccin Mocha**。\n\n| 主题 | 描述 |\n|-------|-------------|\n| `mocha` | Catppuccin Mocha — 温暖的深色（默认） |\n| `latte` | Catppuccin Latte — 干净的浅色 |\n| `frappe` | Catppuccin Frappe — 柔和的深色 |\n| `macchiato` | Catppuccin Macchiato — 深邃而鲜艳的深色 |\n| `tokyo-night` | Tokyo Night — 冷色调的蓝色和紫色 |\n| `minimal` | 灰度配橙色点缀 |\n\n```bash\n# 每次调用时指定\nnono --theme tokyo-night run --allow-cwd -- my-agent\n\n# 通过环境变量设置\nexport NONO_THEME=latte\n\n# 通过配置文件 (~\u002F.config\u002Fnono\u002Fconfig.toml)\n# [ui]\n# theme = \"frappe\"\n```\n\n### 审计追踪\n\n每个受监督的会话都会自动记录命令、时间、退出码、网络事件以及加密快照的承诺信息，并以结构化 JSON 格式保存。您可以通过 `--no-audit` 参数选择关闭审计功能。\n\n```bash\nnono audit list\nnono audit show 20260216-193311-20751 --json\n```\n\n## 快速入门\n\n### Homebrew（macOS\u002FLinux）\n\n```bash\nbrew install nono\n```\n\n### 其他 Linux 安装选项\n\n有关预编译二进制文件和包管理器安装说明，请参阅[安装指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fgetting_started\u002Finstallation)。\n\n### 从源代码编译\n\n有关从源代码编译的信息，请参阅[开发指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fdevelopment\u002Findex)。\n\n## 支持的客户端\n\nnono 内置了针对热门 AI 编程代理的配置文件。每个配置文件都定义了经过审核的最小权限。\n\n| 客户端 | 配置文件 | 文档 |\n|--------|---------|------|\n| **Claude Code** | `claude-code` | [指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fclaude-code) |\n| **Codex** | `codex` | [指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fcodex) |\n| **OpenCode** | `opencode` | [指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopencode) |\n| **OpenClaw** | `openclaw` | [指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fopenclaw) |\n| **Swival** | `swival` | [指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fclients\u002Fswival) |\n\n自定义配置文件可以通过 `\"extends\": \"claude-code\"`（或多个：`\"extends\": [\"claude-code\", \"node-dev\"]`）来扩展内置配置，继承所有设置并添加覆盖。nono 是代理无关的，适用于任何 CLI 命令。更多使用细节、配置和集成指南，请参阅[完整文档](https:\u002F\u002Fdocs.nono.sh)。\n\n## 使用 nono 的项目\n\n| 项目 | 仓库 |\n|---------|------------|\n| **claw-wrap** | [GitHub](https:\u002F\u002Fgithub.com\u002Fdedene\u002Fclaw-wrap) |\n\n## 架构\n\nnono 采用 Cargo 工作区结构：\n\n- **nono** (`crates\u002Fnono\u002F`) -- 核心库。一个无策略的沙箱原语，仅应用客户端显式请求的内容。\n- **nono-cli** (`crates\u002Fnono-cli\u002F`) -- CLI 可执行文件。负责所有安全策略、配置文件、钩子及用户界面。\n- **nono-ffi** (`bindings\u002Fc\u002F`) -- 自动生成头文件的 C FFI 绑定。\n\n各语言特定的绑定由单独的仓库维护：\n\n| 语言 | 仓库 | 包 |\n|----------|------------|---------|\n| Python | [nono-py](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-py) | PyPI |\n| TypeScript | [nono-ts](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono-ts) | npm |\n\n## 贡献\n\n我们鼓励使用 AI 工具为 nono 做贡献。然而，在提交之前，您必须理解并仔细审查任何由 AI 生成的代码。nono 的安全性至关重要——请务必彻底审查和测试您的代码，尤其是在核心沙箱功能相关部分。如果您不理解某项更改的工作原理，请在提交 PR 之前先在 [Discord](https:\u002F\u002Fdiscord.gg\u002FpPcjYzGvbS) 中寻求帮助。\n\n## 安全\n\n如果您发现安全漏洞，请**不要公开提交问题**。相反，请遵循我们[安全政策](https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fsecurity)中规定的负责任披露流程。\n\n## 许可证\n\nApache-2.0","# nono 快速上手指南\n\n## 简介\nnono 是一个专为 AI Agent 设计的安全沙箱工具。它通过内核隔离技术，从结构上阻止危险操作，提供 API 密钥保护、破坏性操作防护以及完整的快照\u002F回滚功能，无需配置 Hypervisor 或容器卷挂载。\n\n> [!WARNING]\n> **早期 Alpha 版本警告**：此版本尚未经过全面的安全审计。虽然已实施稳健的安全措施，但仍可能存在未发现的问题。**在发布稳定的 1.0 版本之前，不建议在生产环境中使用。**\n\n## 环境准备\n*   **操作系统**：目前支持 **macOS** 和 **Linux**。Windows 支持即将推出。\n*   **内核要求**：\n    *   macOS: 10.5+ (使用 Seatbelt)\n    *   Linux: 5.13+ (使用 Landlock)\n*   **前置依赖**：无特殊依赖，建议使用 Homebrew 管理。\n\n## 安装步骤\n### 方式一：Homebrew（推荐）\n适用于 macOS 和 Linux 用户：\n```bash\nbrew install nono\n```\n\n### 方式二：预编译二进制文件\n如需其他包管理器指令或特定版本，请参考官方 [安装指南](https:\u002F\u002Fdocs.nono.sh\u002Fcli\u002Fgetting_started\u002Finstallation)。\n\n## 基本使用\nnono 的 CLI 是最快捷的使用方式。只需一条命令即可启动沙箱并运行 Agent，无需额外配置运行时或挂载卷。\n\n### 1. 运行内置配置的 Agent\nnono 内置了多种流行 Agent 的配置 Profile（如 Claude Code, Codex 等）：\n```bash\nnono run --profile claude-code -- claude\nnono run --profile codex -- codex\nnono run --profile opencode -- opencode\n```\n\n### 2. 自定义权限运行\n你可以手动指定允许读取或写入的目录，其余访问将被内核拒绝：\n```bash\n# 仅允许读取 src 目录，写入 output 目录\nnono run --read .\u002Fsrc --write .\u002Foutput -- cargo build\n\n# 允许当前工作目录，运行 Python 脚本\nnono run --allow-cwd -- python3 my_agent.py\n```\n\n### 3. 启用回滚与快照\n在执行前自动创建内容寻址快照，支持交互式恢复：\n```bash\nnono run --rollback --allow . -- npm test\n```\n\n### 4. 网络与凭证控制\n限制 Agent 只能访问特定的 API 主机，并安全注入凭证：\n```bash\n# 仅允许访问 OpenAI 和 Anthropic 的 API\nnono run --allow-proxy api.openai.com --allow-proxy api.anthropic.com -- my-agent\n\n# 使用代理模式注入 OpenAI 凭证（Agent 无法直接看到密钥）\nnono run --network-profile claude-code --proxy-credential openai -- my-agent\n```\n\n---\n> [!IMPORTANT]\n> **开发中提示**：Active development may cause disruptions。如果遇到故障，很可能是工具本身的问题而非你的配置问题。","某资深后端工程师正在本地运行 AI 编程助手（如 Claude Code），让其自动重构核心业务代码并协助调试涉及数据库连接的服务。\n\n### 没有 nono 时\n- 担心 AI 因提示词注入误删生产环境文件，传统策略容易被绕过，缺乏底层强制隔离。\n- API 密钥需明文传入环境变量，存在被恶意读取或意外泄露的高安全风险。\n- 一旦 AI 执行了破坏性命令，手动排查和恢复耗时费力，且容易遗漏关键变更。\n- 无法追溯 AI 具体调用了哪些接口或修改了哪些配置，缺乏完整的操作审计记录。\n\n### 使用 nono 后\n- nono 提供内核级沙箱隔离，无需配置虚拟机，从结构上使危险操作变得不可能执行。\n- 内置安全密钥管理，AI 代理仅在受控能力范围内访问凭证，彻底杜绝明文暴露。\n- 支持原子化快照与回滚，操作失误后可瞬间恢复到安全状态，零延迟开销。\n- 生成加密不可变的审计链，完整记录操作溯源，轻松满足企业级合规与安全要求。\n\nnono 让开发者能在零信任环境中安全地释放 AI 代理的生产力，无需牺牲系统安全性。","https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Falways-further_nono_65fa2baf.png","always-further","Always Further","https:\u002F\u002Foss.gittoolsai.com\u002Favatars\u002Falways-further_530b3e69.png","New Threat Model - New Paradigm - We're Defining It",null,"alwaysfurtherAI","https:\u002F\u002Falwaysfurther.ai","https:\u002F\u002Fgithub.com\u002Falways-further",[84,88,92,96,100,104],{"name":85,"color":86,"percentage":87},"Rust","#dea584",90.5,{"name":89,"color":90,"percentage":91},"Shell","#89e051",8.4,{"name":93,"color":94,"percentage":95},"C","#555555",0.8,{"name":97,"color":98,"percentage":99},"Python","#3572A5",0.2,{"name":101,"color":102,"percentage":103},"Makefile","#427819",0.1,{"name":105,"color":106,"percentage":107},"Dockerfile","#384d54",0,1643,111,"2026-04-05T10:13:43","Apache-2.0","macOS, Linux","未说明",{"notes":115,"python":113,"dependencies":116},"1. 当前为早期 Alpha 版本，未经过全面安全审计，不建议在生产环境使用；2. Linux 需内核 5.13+ (Landlock)，macOS 需 10.5+ (Seatbelt)；3. Windows 支持即将推出；4. 基于内核隔离沙箱，无需配置 Hypervisor 或容器卷挂载；5. 提供 CLI、Rust 库、Python 和 TypeScript 绑定。",[117,118,119],"Rust (核心库)","nono-py","nono-ts",[26,15],[122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139],"ai-agents","security","ai-agent-security","ai-security","code-execution","mcp","prompt-injection","runtime-security","sigstore","supply-chain-security","zero-trust","agent-sandbox","agent-security","ai-security-tool","llm-sandbox","llm-security","mcp-security","ai-agent-sandbox","2026-03-27T02:49:30.150509","2026-04-06T05:37:46.620108",[143,148,152,157,161,166],{"id":144,"question_zh":145,"answer_zh":146,"source_url":147},5089,"如何编写有效的自定义配置文件（Profile）？","推荐使用 JSON 格式而非 TOML。必须包含 `meta`, `interactive`, `workdir`, `filesystem`, `network` 等字段。特别注意 `filesystem.allow` 需包含必要的目录权限（如 `$HOME\u002F.cache\u002Fopencode`），且可能需要显式添加 `interactive: true` 才能正常启动 TUI。","https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F91",{"id":149,"question_zh":150,"answer_zh":151,"source_url":147},5090,"为什么自定义配置文件启动后会卡住（Hang）？","通常是因为缺少必要的配置项或权限设置不当。检查是否遗漏了 `interactive` 字段，以及 `filesystem.allow` 是否覆盖了运行所需的所有路径（如 `$HOME\u002F.local\u002Fshare`, `$HOME\u002F.npm` 等）。确保网络设置正确（`block: false`），并参考社区验证过的 JSON 模板进行对比。",{"id":153,"question_zh":154,"answer_zh":155,"source_url":156},5091,"如何让沙箱环境访问宿主机的特定本地端口？","使用 `--allow-port \u003Cport>` CLI 参数。例如：`nono run --net-block --proxy-allow 127.0.0.1 --allow-port 2222 -- curl http:\u002F\u002F127.0.0.1:2222\u002Fv1\u002Fmodels`。这将允许沙箱进程直接连接宿主机的指定端口，而无需经过网络代理。","https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F235",{"id":158,"question_zh":159,"answer_zh":160,"source_url":156},5092,"是否可以在 Profile JSON 中配置允许的网络端口？","目前尚不支持。虽然 CLI 支持 `--allow-port`，但在 profile JSON 的 `network` 部分添加 `port_allow` 字段暂时无效。建议继续使用命令行参数进行配置，直到该功能被添加到配置文件解析器中。",{"id":162,"question_zh":163,"answer_zh":164,"source_url":165},5093,"如何避免 nono 永久修改 CLAUDE.md 文件？","利用 Claude Code 的 `--append-system-prompt` 或 `--append-system-prompt-file` 标志。nono 应通过此方式传递沙箱指令，使上下文仅在当前会话生效，从而避免文件持久化修改、VCS 噪音以及退出后上下文残留导致的行为错误。","https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F250",{"id":167,"question_zh":168,"answer_zh":169,"source_url":170},5094,"Coding Agent 的 Skill 文件是如何定义和执行脚本的？","Skill 文件是包含嵌入式代码块（bash\u002Fpython）的 Markdown 文件。Agent 读取 SKILL.md，识别并按顺序执行其中的脚本块。这种方式将文档与可执行规范结合，无需额外工具层。可通过 `nono pull --url` 分发技能文件到 `~\u002F.claude\u002Fskills\u002F`。","https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fissues\u002F407",[172,177,182,187,192,197,202,207,212,217,222,227,232,237,242,247,252,257,262,267],{"id":173,"version":174,"summary_zh":175,"released_at":176},104612,"v0.29.1","## What's Changed\n* fix(policy): grant ~\u002F.cache\u002Fclaude readwrite in claude-code profile by @mbtamuli in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F578\n* fix(proxy): disable NO_PROXY bypass on macOS (#580) by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F582\n* fix(profile): add missing $TMPDIR read and state dir to opencode profile by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F584\n* Revise README for improved clarity and detail by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F591\n* fix(macos): allow DNS resolution via mDNSResponder in proxy and blocked modes (#588) by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F590\n\n## New Contributors\n* @mbtamuli made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F578\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.29.0...v0.29.1","2026-04-04T17:52:22",{"id":178,"version":179,"summary_zh":180,"released_at":181},104613,"v0.29.0","## What's Changed\n* feat: runtime & multiplexing session support and significant CLI refactor by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F526\n* fix(proxy): don't factor seatbelt for port lockdown by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F579\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.28.0...v0.29.0","2026-04-03T19:12:56",{"id":183,"version":184,"summary_zh":185,"released_at":186},104614,"v0.28.0","## What's Changed\n* test(profile,query): isolate environment variables and fix symlink test by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F572\n* feat(policy): split homebrew group into platform-specific variants by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F571\n* feat(policy): skip system temp grants when HOME is nested under TMPDIR by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F573\n* feat(proxy): custom CA certificate support for upstream TLS by @AIWithShrey in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F548\n* feat(credential,proxy): add missing tls_ca and tls_connector fields by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F575\n* feat(policy): expand git config paths  by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F577\n\n## New Contributors\n* @AIWithShrey made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F548\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.27.0...v0.28.0","2026-04-03T08:29:06",{"id":188,"version":189,"summary_zh":190,"released_at":191},104615,"v0.27.0","## What's Changed\n* Update warning in README for alpha release by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F551\n* fix: harden deny-overlap, reject unknown profile fields, narrow user_tools by @andreaTP in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F550\n* feat(policy): split linux system groups for granular host compatibility by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F553\n* feat(keystore): add file:\u002F\u002F credential source support by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F552\n* fix(macos): align Seatbelt signal isolation with Linux Landlock behav… by @kipz in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F558\n* docs: move endpoint filtering to networking page by @andreaTP in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F557\n* docs: add wsl2 cross-references to feature docs and fix discoverability by @scp7 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F556\n* feat(proxy): auto-detect credential format from inject_header by @RobertWi in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F516\n* feat(manifest): add schema-first capability manifest with `--config` and `--format` manifest by @andreaTP in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F534\n* feat(proxy): block CONNECT tunnels to credential upstreams and smart NO_PROXY by @RobertWi in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F518\n* chore(deps): bump ureq from 3.2.0 to 3.3.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F542\n* chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F543\n* docs: replace mention of --supervised with --capability-elevation in README by @rnestler in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F565\n* feat(policy): check credentials Option with is_some_and instead of field access by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F566\n* fix(test): use real temp directories for env_nono_allow_comma_separated by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F564\n\n## New Contributors\n* @RobertWi made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F516\n* @rnestler made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F565\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.26.1...v0.27.0","2026-04-02T13:43:07",{"id":193,"version":194,"summary_zh":195,"released_at":196},104616,"v0.26.1","## What's Changed\n* chore: add DCO sign-off requirement to CLAUDE.md by @andreaTP in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F529\n* chore(deps): bump sigstore\u002Fcosign-installer from 3.10.1 to 4.1.1 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F535\n* chore(deps): bump docker\u002Flogin-action from 3.7.0 to 4.0.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F539\n* chore(deps): bump docker\u002Fbuild-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F536\n* chore(deps): bump docker\u002Fsetup-qemu-action from 3.7.0 to 4.0.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F537\n* fix(proxy): percent-decode paths before endpoint rule matching by @andreaTP in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F528\n* fix(learn): make Enter actually skip profile save prompt by @advaithsujith in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F538\n* chore(deps): bump toml from 1.0.6+spec-1.1.0 to 1.0.7+spec-1.1.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F540\n* chore(deps): bump docker\u002Fsetup-buildx-action from 3.12.0 to 4.0.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F541\n* ci(workflows): decouple image build from release workflow by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F549\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.26.0...v0.26.1","2026-03-31T11:41:18",{"id":198,"version":199,"summary_zh":200,"released_at":201},104617,"v0.25.0","## What's Changed\n* feat(trust): add skip_dirs support to trust scanning and rollback preflight by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F498\n* feat(sandbox\u002Flinux): add seccomp proxy-only network fallback by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F503\n* feat(undo): support per-root exclusion filters in snapshot manager by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F506\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.24.0...v0.25.0\n\n## What's Changed\n* feat(trust): add skip_dirs support to trust scanning and rollback preflight by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F498\n* feat(sandbox\u002Flinux): add seccomp proxy-only network fallback by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F503\n* feat(undo): support per-root exclusion filters in snapshot manager by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F506\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.24.0...v0.25.0","2026-03-26T19:50:35",{"id":203,"version":204,"summary_zh":205,"released_at":206},104618,"v0.24.0","## What's Changed\n* docs: update GitHub Action badge to agent-sign by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F494\n* docs: add documentation for add_deny_commands by @Austio in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F495\n* feat(sandbox\u002Flinux): add seccomp fallback for network  by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F496\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.23.1...v0.24.0","2026-03-25T20:19:39",{"id":208,"version":209,"summary_zh":210,"released_at":211},104619,"v0.23.1","## What's Changed\n* feat(cli): add --rollback-dest flag for custom snapshot storage by @advaithsujith in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F486\n* fix: block Unix socket connections via add_deny_access; add add_deny_commands by @Austio in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F488\n\n## New Contributors\n* @advaithsujith made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F486\n* @Austio made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F488\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.23.0...v0.23.1","2026-03-25T05:38:09",{"id":213,"version":214,"summary_zh":215,"released_at":216},104620,"v0.23.0","## What's Changed\n* fix: update security vulnerability disclosure link in README by @rosenbjerg in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F461\n* feat(query): add diagnostic details to path query results by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F472\n* chore(deps): bump always-further\u002Fagent-sign from 0.0.4 to 0.0.8 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F475\n* chore(deps): bump actions\u002Fcache from 5.0.3 to 5.0.4 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F474\n* chore(deps): bump mislav\u002Fbump-homebrew-formula-action from 3.6 to 4.1 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F476\n* chore(deps): bump aws-lc-rs from 1.16.1 to 1.16.2 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F477\n* chore(deps): bump which from 8.0.0 to 8.0.2 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F478\n* chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F479\n\n## New Contributors\n* @rosenbjerg made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F461\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.22.1...v0.23.0","2026-03-24T06:06:43",{"id":218,"version":219,"summary_zh":220,"released_at":221},104621,"v0.22.1","## What's Changed\n* docs(clients): recommend disabling agent sandboxes when running under nono by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F451\n* docs: fix arrow direction in OS-level enforcement diagram by @y4ney in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F453\n* ci: add change classification to skip unnecessary jobs by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F456\n* docs: detect system architecture in deb installation command by @y4ney in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F455\n* build(audit): add cargo-audit ignores for AWS-LC X.509 advisories by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F449\n\n## New Contributors\n* @y4ney made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F453\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.22.0...v0.22.1","2026-03-23T08:52:19",{"id":223,"version":224,"summary_zh":225,"released_at":226},104622,"v0.22.0","## What's Changed\n* chore(deps): bump rustls-webpki from 0.103.9 to 0.103.10 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F443\n* feat(trust): lazy verification of scan policies by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F448\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.21.0...v0.22.0","2026-03-21T12:38:50",{"id":228,"version":229,"summary_zh":230,"released_at":231},104623,"v0.21.0","## What's Changed\n* docs: fix installation command for nono-cli package by @kulla in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F426\n* feat(trust): scaffold policies, enforce missing includes at startup, and simplify write protection by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F435\n* fix(cli): add ~\u002F.opencode to opencode profile paths by @aand18 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F421\n* fix(setup): detect Landlock via syscall probe instead of LSM file by @aand18 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F417\n* feat(trust): add --user flag to sign-policy for user-level trust policy by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F440\n* feat(policy): add standard I\u002FO and fd paths to base_posix group by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F441\n\n## New Contributors\n* @kulla made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F426\n* @aand18 made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F421\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.20.0...v0.21.0","2026-03-21T08:19:48",{"id":233,"version":234,"summary_zh":235,"released_at":236},104624,"v0.20.0","## What's Changed\n* feat(cli): standardize network flag naming and add listen_port support by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F415\n* feat: support multiple base profiles in extends field by @kipz in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F399\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.19.0...v0.20.0","2026-03-18T13:37:50",{"id":238,"version":239,"summary_zh":240,"released_at":241},104625,"v0.19.0","## What's Changed\n* fix(deny): canonicalize parent directories in deny access rules by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F393\n* chore(deps): bump softprops\u002Faction-gh-release from 2.5.0 to 2.6.1 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F394\n* chore(deps): bump actions\u002Fdownload-artifact from 8.0.0 to 8.0.1 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F395\n* chore(deps): bump clap from 4.5.60 to 4.6.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F396\n* chore(deps): bump sigstore-sign from 0.6.3 to 0.6.4 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F397\n* chore(deps): bump tempfile from 3.26.0 to 3.27.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F398\n* feat: add linux-arm64 by @JimBugwadia in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F402\n* feat(learn): add macOS network tracing via nettop by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F403\n* feat(sandbox): add IpcMode capability for POSIX semaphores (macOS Seatbelt) by @nf-matt in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F412\n\n## New Contributors\n* @JimBugwadia made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F402\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.18.0...v0.19.0","2026-03-18T08:26:46",{"id":243,"version":244,"summary_zh":245,"released_at":246},104626,"v0.18.0","## What's Changed\n* feat(profile): add composable policy patch configuration by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F351\n* feat: add default profile with base group configuration by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F352\n* fix: inject nono sandbox instructions via Claude Code system… by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F354\n* feat(policy): add extends field to embedded profiles by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F355\n* feat(policy): use default profile groups for runtime policy resolution by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F356\n* feat(policy): deprecate security.trust_groups in favor of policy.exclude_groups by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F357\n* refactor(policy): deprecate base_groups in favor of default profile by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F358\n* refactor(policy): remove deprecated base_groups and trust_groups fields by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F359\n* refactor(supervisor): remove never_grant in favor of protected roots by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F360\n* fix(exec): prevent implicit cwd access under restrictive profiles by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F363\n* fix(config): remove hardcoded dangerous commands list by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F366\n* feat(capability): remove exact file caps when deny patch overrides grant by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F367\n* fix(policy): honor excluded dangerous command groups for direct exec by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F368\n* fix(main): move cwd resolution before pre-fork sandbox setup by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F370\n* fix: change CI release to ubuntu 22 by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F373\n* feat(macos): gate open shim installation behind launch services flag by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F374\n* docs(profiles-groups): expand built-in profiles and add policy overri… by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F376\n* feat(profile): add profile-level override_deny for deny group exceptions by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F380\n* feat(cli): add `nono policy` introspection subcommand by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F382\n* feat(policy): extract git config paths into reusable group by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F383\n* feat(cli): add `nono profile` scaffolding and authoring tooling by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F385\n* refactor(setup): move banner printing to main.rs by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F386\n* fix(hooks): use resolved path in capability display by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F387\n* feat(trust): skip well-known heavy directories in instruction file walk by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F388\n* docs(profiles): simplify group-based profile creation guide by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F390\n* feat: restyle --help output with grouped sections and bold headings by @scp7 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F345\n* fix: remove linux warns and LandLock info by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F392\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.17.1...v0.18.0","2026-03-16T10:19:57",{"id":248,"version":249,"summary_zh":250,"released_at":251},104627,"v0.17.1","## What's Changed\n* docs: update Homebrew install references by @chenrui333 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F326\n* fix: check access mode when determining if CWD is already covered by @Flixt in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F334\n* refactor(cli): standardize flags to verb-noun ordering by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F302\n* fix: add OAuth2 URL opening support via supervisor IPC by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F340\n* feat(cli): add pluggable theme system with 6 built-in palettes by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F341\n* docs: updating docs to reflect pnpm support. by @wrgore in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F332\n* feat(sandbox\u002Flinux): add Landlock V6 signal scoping support by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F344\n* fix: narrow broad linux \u002Fetc and \u002Fproc reads in system_read policy by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F350\n\n## New Contributors\n* @chenrui333 made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F326\n* @Flixt made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F334\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.16.0...v0.17.1","2026-03-13T12:37:08",{"id":253,"version":254,"summary_zh":255,"released_at":256},104628,"v0.17.0","## What's Changed\n* docs: update Homebrew install references by @chenrui333 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F326\n* fix: check access mode when determining if CWD is already covered by @Flixt in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F334\n* refactor(cli): standardize flags to verb-noun ordering by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F302\n* fix: add OAuth2 URL opening support via supervisor IPC by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F340\n* feat(cli): add pluggable theme system with 6 built-in palettes by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F341\n* docs: updating docs to reflect pnpm support. by @wrgore in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F332\n\n## New Contributors\n* @chenrui333 made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F326\n* @Flixt made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F334\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.16.0...v0.17.0","2026-03-12T15:32:14",{"id":258,"version":259,"summary_zh":260,"released_at":261},104629,"v0.16.0","## What's Changed\n* feat: add same-sandbox process mode for signal and process-info by @nf-matt in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F299\n* fix: allow tty ioctls on Linux v5+ by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F310\n* docs: fix broken links and stale examples by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F283\n* feat: add a profile for swival by @jedisct1 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F312\n* feat: abi-aware Landlock capability system (#256, #306) by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F311\n* chore: simplify instruction file signing with nono-attest Action by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F317\n* fix: add uv paths to python_runtime group by @jedisct1 in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F313\n* chore: migrate Homebrew distribution from tap to homebrew-core by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F321\n* fix: add pnpm paths to policy.json by @wrgore in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F320\n* feat: add `--external-proxy-bypass` for routing domains direct by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F309\n* feat: inject nono sandbox instructions via Claude Code system prompt by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F322\n\n## New Contributors\n* @nf-matt made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F299\n* @jedisct1 made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F312\n* @wrgore made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F320\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.15.0...v0.16.0","2026-03-10T22:20:42",{"id":263,"version":264,"summary_zh":265,"released_at":266},104630,"v0.15.0","## What's Changed\n* fix: preserve supervised Linux open semantics by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F289\n* feat: make claude-code profile platform-aware by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F291\n* feat: add capability_elevation profile field and OS-aware groups by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F293\n* fix: suppress tracing output in silent mode by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F290\n* fix: add tilde expansion to profile paths and opencode binary access by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F294\n* fix: `nono run` default to direct exec when supervision is not needed by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F295\n* fix: allow OpenTUI data dir in opencode profile by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F296\n* feat: add Debian package support by @myugan in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F298\n* feat: add built-in Codex profile by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F300\n* chore(deps): bump tempfile from 3.25.0 to 3.26.0 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F303\n* feat: add Apple Passwords URI credential support by @josephgimenez in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F229\n* chore(deps): bump libc from 0.2.182 to 0.2.183 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F304\n* chore(deps): bump sigstore-verify from 0.6.3 to 0.6.4 by @dependabot[bot] in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F305\n* docs: document that gemini baseurl is ignored in opencode by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F307\n\n## New Contributors\n* @myugan made their first contribution in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F298\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.14.0...v0.15.0","2026-03-09T19:24:18",{"id":268,"version":269,"summary_zh":270,"released_at":271},104631,"v0.14.0","## What's Changed\n* fix: resolve symlinked paths in deny rule checks (#272) by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F279\n* feat: add environment variable equivalents for CLI flags (#270) by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F278\n* fix: do not restrict internet for three built in profiles by @lukehinds in https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fpull\u002F286\n\n\n**Full Changelog**: https:\u002F\u002Fgithub.com\u002Falways-further\u002Fnono\u002Fcompare\u002Fv0.12.0...v0.14.0","2026-03-08T13:02:27"]