Skip to main content
Claude Code is Anthropic’s CLI coding agent. It reads and writes files, runs commands, and interacts with git on your behalf. Running it under nono ensures it can only access what you explicitly allow.

Why Sandbox Claude Code?

Claude Code operates directly on your filesystem and can execute arbitrary shell commands. Without isolation:
  • It could read sensitive files outside your project (SSH keys, cloud credentials)
  • A prompt injection in a dependency could trigger unintended file access
  • Mistakes in file operations could affect directories outside your workspace
nono’s kernel-enforced sandbox makes these scenarios structurally impossible.

Quick Start

nono run --profile claude-code -- claude
The built-in profile provides:
  • Read+write access to the current working directory
  • Read+write access to ~/.claude (agent state, debug logs, project config)
  • Read+write access to ~/.claude.json (settings file)
  • Network access enabled (required for Anthropic API)

Custom Profile

If you need different permissions, create a custom profile at ~/.config/nono/profiles/claude-code.toml: 
[meta]
name = "claude-code"
version = "1.0.0"
description = "Claude Code with additional project access"

[filesystem]
allow = ["$WORKDIR", "$HOME/.claude"]
read = ["$HOME/shared-libs"]

[filesystem.files]
allow = ["$HOME/.claude.json"]
read = ["$HOME/.gitconfig"]

[network]
block = false

[secrets]
anthropic_api_key = "ANTHROPIC_API_KEY"
Usage (custom profiles require --trust-unsigned): 
nono run --profile claude-code --trust-unsigned --secrets -- claude
Custom profiles with the same name override the built-in. Remove or rename the file to revert to the built-in profile.

Security Tips

Use Secrets Management

Instead of keeping your API key in environment variable exports or shell config files, load it from the system keystore: macOS: 
security add-generic-password -s "nono" -a "anthropic_api_key" -w
Linux: 
secret-tool store --label="nono: anthropic_api_key" service nono username anthropic_api_key
Then run with secrets: 
nono run --profile claude-code --secrets anthropic_api_key -- claude
See Secrets Management for full documentation.

Restrict to Specific Projects

The built-in profile grants access to the current working directory (wherever you run the command). To limit access to a specific directory regardless of where you invoke it: 
nono run --allow ~/projects/my-app --read ~/.claude -- claude

Read-Only Mode

For code review or exploration where Claude shouldn’t modify files: 
nono run --read . --read ~/.claude --allow-file ~/.claude.json -- claude

Block Network for Offline Work

If you want to prevent any outbound connections (e.g., for reviewing local code without API calls): 
nono run --profile claude-code --net-block -- claude

Overriding Profile Settings

CLI flags always take precedence over profile settings: 
# Use profile but add extra directory access
nono run --profile claude-code --allow ~/other-project -- claude

# Use profile but block network
nono run --profile claude-code --net-block -- claude
See Security Profiles for details on profile format and precedence rules.