Skip to main content
Claude Code is Anthropic’s CLI coding agent. It reads and writes files, runs commands, and interacts with git on your behalf. Running it under nono ensures it can only access what you explicitly allow.

Why Sandbox Claude Code?

Claude Code operates includes its own sandbox mechanism, but the Agent is able to override the sandbox by calling dangerouslyOverrideSandbox: true and access any file and perform any operation on the system. Claude Code using dangerouslyOverrideSandbox This creates several risks:
  • It could read sensitive files outside your project (SSH keys, cloud credentials)
  • A prompt injection in a dependency could trigger unintended file access
  • Mistakes in file operations could affect directories outside your workspace
nono’s kernel-enforced sandbox makes these scenarios structurally impossible.

Quick Start

nono run --profile claude-code -- claude
The built-in profile provides:
  • Read+write access to the current working directory
  • Read+write access to ~/.claude (agent state, debug logs, project config)
  • Read+write access to ~/.claude.json (settings file)
  • Read+write access to ~/.vscode (VS Code extensions directory)
  • Read+write access to ~/Library/Application Support/Code (VS Code app data, macOS)
  • Network access enabled (required for Anthropic API)
  • Interactive mode enabled (preserves TTY for Claude’s terminal UI)
  • Automatic hook installation for sandbox-aware error handling

Custom Profile

If you need different permissions, create a custom profile at ~/.config/nono/profiles/claude-code.toml: 
[meta]
name = "claude-code"
version = "1.0.0"
description = "Claude Code with additional project access"

[filesystem]
allow = ["$WORKDIR", "$HOME/.claude"]
read = ["$HOME/shared-libs"]

[filesystem.files]
allow = ["$HOME/.claude.json"]
read = ["$HOME/.gitconfig"]

[network]
block = false

[secrets]
anthropic_api_key = "ANTHROPIC_API_KEY"
Usage: 
nono run --profile claude-code --secrets -- claude
Custom profiles with the same name override the built-in. Remove or rename the file to revert to the built-in profile.

Security Tips

Use Secrets Management

Instead of keeping your API key in environment variable exports or shell config files, load it from the system keystore: macOS: 
security add-generic-password -s "nono" -a "anthropic_api_key" -w
Linux: 
secret-tool store --label="nono: anthropic_api_key" service nono username anthropic_api_key
Then run with secrets: 
nono run --profile claude-code --secrets anthropic_api_key -- claude
See Secrets Management for full documentation.

Restrict to Specific Projects

The built-in profile grants access to the current working directory (wherever you run the command). To limit access to a specific directory regardless of where you invoke it: 
nono run --allow ~/projects/my-app --read ~/.claude -- claude

Read-Only Mode

For code review or exploration where Claude shouldn’t modify files: 
nono run --read . --read ~/.claude --allow-file ~/.claude.json -- claude

Block Network for Offline Work

If you want to prevent any outbound connections (e.g., for reviewing local code without API calls): 
nono run --profile claude-code --net-block -- claude

Enabling LSPs, Linters, and Dev Tools

Claude Code’s LSP plugins (pyright, rust-analyzer, etc.) spawn language servers as child processes. These spawns use posix_spawnp() which searches your PATH for the binary. If any PATH directory is unreadable to the sandbox, posix_spawnp() receives EPERM from the kernel and stops searching immediately (unlike ENOENT, which continues to the next entry). nono’s built-in system paths cover standard directories (/usr/bin, /opt, etc.), but version managers and dev tools install binaries under ~/ which requires explicit read access. Common home-directory PATH entries that need read access:
ToolPath
Rust / cargo~/.cargo/bin
Go~/go/bin
Python / pyenv~/.pyenv/shims, ~/.pyenv/bin
Node / fnm~/.local/share/fnm, ~/.local/state/fnm_multishells
Node / nvm~/.nvm
Haskell / ghcup~/.ghcup/bin
Ruby / rbenv~/.rbenv/shims, ~/.rbenv/bin
Local binaries~/.local/bin
Diagnose which paths are needed by listing your PATH: 
echo "$PATH" | tr ':' '\n'
Grant read access to any ~/ entry that appears before the directory containing your LSP binary: 
nono run --profile claude-code \
  --read ~/.cargo/bin \
  --read ~/.local/bin \
  -- claude
You only need --read (not --allow) for these directories. This permits PATH lookup without granting write access.

VS Code Extension

Claude Code installs a VS Code extension on startup. The built-in profile already grants write access to both ~/.vscode and ~/Library/Application Support/Code (macOS). No additional flags are needed for VS Code extension installation.

Git Configuration

Claude Code reads git configuration for repository operations. The built-in profile already grants read access to ~/.gitconfig and ~/.gitignore_global. No additional flags are needed for git operations.

Secretive (SSH Keys in Secure Enclave)

If you use Secretive to store SSH keys in the macOS Secure Enclave, git commit signing (git commit -S) needs access to the Secretive agent socket. A community profile is provided at data/profiles/claude-code-secretive.toml. Install the profile: 
mkdir -p ~/.config/nono/profiles
cp data/profiles/claude-code-secretive.toml ~/.config/nono/profiles/
Usage: 
nono run --profile claude-code-secretive --allow-cwd -- claude
The profile extends the standard Claude Code profile with:
  • Read access to ~/.gitconfig and ~/.ssh/config (git signing configuration)
  • Read access to the Secretive agent socket (~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh)
  • Read+write access to ~/.ssh/known_hosts (SSH may append new host keys)
The Secretive socket is a Unix domain socket, not a regular file. nono v0.4+ supports granting capabilities on sockets directly, so only the socket itself is exposed — not the entire container directory.

Overriding Profile Settings

CLI flags always take precedence over profile settings: 
# Use profile but add extra directory access
nono run --profile claude-code --allow ~/other-project -- claude

# Use profile but block network
nono run --profile claude-code --net-block -- claude
See Security Profiles for details on profile format and precedence rules.

Automatic Hook Integration

When you first run nono run --profile claude-code, nono automatically installs a hook that helps Claude understand sandbox restrictions. You’ll see: 
Installing claude-code hook to ~/.claude/hooks/nono-hook.sh
This hook:
  1. Detects sandbox errors - When Claude’s file operations fail due to sandbox restrictions
  2. Injects context - Tells Claude exactly which paths are allowed and blocked
  3. Provides guidance - Instructs Claude to suggest restarting with --allow flags instead of attempting workarounds
nono also adds a section to ~/.claude/CLAUDE.md with upfront sandbox instructions, so Claude understands the security boundaries before encountering errors.
The hook installation is idempotent - it only installs once and updates automatically when nono is upgraded. The hook only activates when running inside a nono sandbox (detected via $NONO_CAP_FILE).

What Claude Sees on Errors

When Claude attempts to access a blocked path, instead of just seeing “Operation not permitted”, the hook injects: 
[NONO SANDBOX - PERMISSION DENIED]

STOP. Do not try alternative approaches. This is a hard security boundary.

You are running inside the nono security sandbox. The operation you just
attempted is PERMANENTLY BLOCKED for this session.

ALLOWED PATHS (everything else is blocked):
  /Users/you/project (readwrite)
  /Users/you/.claude (readwrite)
Network: allowed

REQUIRED ACTION:
Tell the user they must EXIT this Claude session and restart with:
  nono run --allow /path/to/needed -- claude
This prevents Claude from wasting time on workarounds that cannot succeed.