Luke Hinds lukehinds
#!/usr/bin/env bash
# Capture a real Claude auth/login/renewal failure without depending on other
# repo-local helper scripts.
#
# This script is intended to be publishable as a single standalone artifact.
set -euo pipefail
usage() {
cat <<'EOF'

#!/bin/bash
# Test: sandboxed agent routes through nono proxy -> external proxy -> internet
# + localhost IPC via --allow-port
#
# Topology:
# [sandboxed curl] -> [nono proxy] -> [external proxy :9090] -> internet
# [sandboxed curl] -> localhost:8000 (local service, via --allow-port)
#
# The external proxy and local service run OUTSIDE the sandbox.

RFC: Nonofile

Problem

Users frequently hit issues because a path unique to their environment isn't covered by a built-in profile. Today, fixing this requires a code change to policy.json, a new release, and users to upgrade. This feedback loop is too slow for something that's inherently environment-specific.

While nono does support some customization today — users can place a profile JSON file in ~/.config/nono/profiles/ to fully replace a built-in profile, pass --profile /path/to/custom.json for an arbitrary profile, use --allow/--read/--write CLI flags to add paths, and use profile inheritance via "extends" — the policy primitives themselves are not editable. Specifically:

  • Group definitions (policy.json): The actual paths inside groups like deny_credentials, python_runtime, system_read_macos are embedded in the binary. If a group has the wrong path for your system (e.g., Homebrew installed at /opt/homebrew instead of /usr/local/Homebrew), you cannot fix it withou
test.txt

Design: Network Filtering Proxy and Credential Management

Status: Proposed
Date: 2026-02-17

Problem

The current network control is binary: --allow-net grants full internet access, --block-net (default) blocks everything. This is insufficient for AI agents that need controlled network access:

Primary problem - No host filtering: An agent with --allow-net can:

Design: Instruction File Attestation and Integrity Verification

Status: Proposed
Date: 2026-02-20

Problem

AI agent instruction files (SKILLS.md, CLAUDE.md, AGENT.MD) are natural language that the LLM trusts as legitimate instructions. A developer clones a repo or installs a package, the LLM reads the instruction file at session start, and now it's following attacker-controlled directives. This is a supply chain attack that operates at the semantic layer.

nono QA Test Plan

Comprehensive manual verification procedures for all nono subsystems across macOS and Linux.

Prerequisites: A built nono binary (make build).

Important: /tmp is in the base system groups with read+write access. All "outside" test paths must use locations NOT in any system group. $HOME/nono-qa/ works because $HOME itself is not in any allow group (only specific subdirs like ~/.claude, ~/.cargo, etc.).

{
"meta": {
"version": 3,
"schema_version": "3.0"
},
"base_groups": [
"deny_credentials",
"deny_keychains_macos",
"deny_keychains_linux",
"deny_browser_data_macos",

DeepFabric Dataset Tools

Utility scripts for analyzing, filtering, and cleaning synthetic datasets generated by DeepFabric.

Scripts

filter_tool_dataset.py

Generic quality filter for tool-calling datasets. Removes problematic patterns that can cause models to develop bad habits during training.

#!/usr/bin/env python3
"""
Generic Dataset Quality Filter for Tool-Calling Datasets
This script filters out problematic patterns from ANY synthetic tool-calling dataset
that can cause models to develop bad habits during training.
Key features:
1. Auto-detection mode: Discovers problematic patterns from the data itself
2. Schema-agnostic: Works with any tool-calling dataset (Blender, Kubernetes, GitHub, etc.)