Skip to content

Instantly share code, notes, and snippets.

View lukehinds's full-sized avatar
🎯
Focusing

Luke Hinds lukehinds

🎯
Focusing
View GitHub Profile
{
"extends": "default",
"meta": {
"name": "codex-oauth",
"description": "Codex CLI OAuth profile for login and normal sessions. Isolates CODEX_HOME and rewrites ChatGPT OAuth tokens to nono phantoms before they reach the sandbox."
},
"groups": {
"include": [
{
"name": "user_caches_macos",
{
"extends": "default",
"meta": {
"name": "claude-oauth",
"description": "Claude Code OAuth profile for login and normal sessions. Captures OAuth token responses and persists only nono phantom tokens in the sandbox."
},
"groups": {
"include": [
{
"name": "claude_code_macos",
#!/usr/bin/env bash
set -euo pipefail
tmp="$(mktemp -d /private/tmp/nono-pr1298-repro.XXXXXX)"
main="$tmp/main"
wt="$tmp/linked"
profile="$tmp/profile.json"
cleanup() {
printf 'repro dir left at: %s\n' "$tmp"
#!/usr/bin/env bash
set -euo pipefail
log_index="${1:-1853515968}"
url="https://rekor.sigstore.dev/api/v1/log/entries?logIndex=${log_index}"
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT
raw="$tmpdir/rekor.json"
{
"meta": {
"name": "eti-schema2-compact-example",
"version": "0.1.0",
"status": "schema2_design_target"
},
"environment": {
"deny_vars": ["AWS_*", "GITHUB_TOKEN", "GH_TOKEN", "NPM_TOKEN"]
},
"workdir": {
#!/usr/bin/env bash
# Capture a real Claude auth/login/renewal failure without depending on other
# repo-local helper scripts.
#
# This script is intended to be publishable as a single standalone artifact.
set -euo pipefail
usage() {
cat <<'EOF'
#!/bin/bash
# Test: sandboxed agent routes through nono proxy -> external proxy -> internet
# + localhost IPC via --allow-port
#
# Topology:
# [sandboxed curl] -> [nono proxy] -> [external proxy :9090] -> internet
# [sandboxed curl] -> localhost:8000 (local service, via --allow-port)
#
# The external proxy and local service run OUTSIDE the sandbox.

RFC: Nonofile

Problem

Users frequently hit issues because a path unique to their environment isn't covered by a built-in profile. Today, fixing this requires a code change to policy.json, a new release, and users to upgrade. This feedback loop is too slow for something that's inherently environment-specific.

While nono does support some customization today — users can place a profile JSON file in ~/.config/nono/profiles/ to fully replace a built-in profile, pass --profile /path/to/custom.json for an arbitrary profile, use --allow/--read/--write CLI flags to add paths, and use profile inheritance via "extends" — the policy primitives themselves are not editable. Specifically:

  • Group definitions (policy.json): The actual paths inside groups like deny_credentials, python_runtime, system_read_macos are embedded in the binary. If a group has the wrong path for your system (e.g., Homebrew installed at /opt/homebrew instead of /usr/local/Homebrew), you cannot fix it withou
test.txt

Design: Network Filtering Proxy and Credential Management

Status: Proposed Date: 2026-02-17

Problem

The current network control is binary: --allow-net grants full internet access, --block-net (default) blocks everything. This is insufficient for AI agents that need controlled network access:

Primary problem - No host filtering: An agent with --allow-net can: