HackerTrans
TopNewTrendsCommentsPastAskShowJobs

decodebytes

no profile record

Submissions

MicroVM sandbox solves one problem well, but not the agent security problem

decodebytes.substack.com
3 points·by decodebytes·20 ngày trước·1 comments

[untitled]

1 points·by decodebytes·tháng trước·0 comments

What Happened in There? A Tamper-Evident Audit Trail for AI Agents

nono.sh
2 points·by decodebytes·2 tháng trước·1 comments

What Happened in There? A Tamper-Evident Audit Trail for AI Agents

nono.sh
2 points·by decodebytes·2 tháng trước·1 comments

Block the LiteLLM supply chain attack, with Nono.sh runtime Security

nono.sh
2 points·by decodebytes·4 tháng trước·0 comments

Credential Protection for AI Agents: The Phantom Token Pattern

nono.sh
3 points·by decodebytes·4 tháng trước·2 comments

Kernel-enforced sandbox App and SDK for AI agents, MCP and LLM workloads

github.com
2 points·by decodebytes·5 tháng trước·2 comments

Nono: A secure, kernel-enforced capability sandbox for AI agents

github.com
2 points·by decodebytes·5 tháng trước·0 comments

Show HN: Nono – Kernel-enforced sandboxing for AI agents

github.com
1 points·by decodebytes·5 tháng trước·0 comments

Show HN: Nono – Kernel-enforced sandboxing for AI agents

nono.sh
4 points·by decodebytes·5 tháng trước·5 comments

When "I Built" Became "I Ordered"

decodebytes.substack.com
2 points·by decodebytes·6 tháng trước·0 comments

DeepFabric – Focused Training for More Grounded and Efficient Models

docs.deepfabric.dev
1 points·by decodebytes·7 tháng trước·0 comments

DeepFabric. Train and Evaluate Model Behavior with Structured Data

huggingface.co
1 points·by decodebytes·7 tháng trước·0 comments

DeepFabric – Generate high-quality synthetic datasets at scale

lukehinds.github.io
106 points·by decodebytes·10 tháng trước·19 comments

We need to talk about LLM's and non-determinism

rdrocket.com
3 points·by decodebytes·10 tháng trước·1 comments

Just how resilient are large language models?

rdrocket.com
57 points·by decodebytes·10 tháng trước·29 comments

Show HN: DeepFabric – Structured synthetic datasets for model distillation

github.com
2 points·by decodebytes·10 tháng trước·0 comments

comments

decodebytes
·20 ngày trước·discuss
Apologies, it should have been "A MicroVM.." but hit by the character title limit.
decodebytes
·2 tháng trước·discuss
Same thoughts - we use an action to ship to production, its builds an image, pushes it to ECS which triggers a deployment.

We can't be blocked here. Seems silly what we settled on this, but for a long time GitHub had been reliable enough for many years, but things are sliding down the pan as of late.
decodebytes
·2 tháng trước·discuss
[dead]
decodebytes
·2 tháng trước·discuss
Overview of how I built in mini version of my previous project, sigstore rekor, into the nono.sh agent security framework.
decodebytes
·3 tháng trước·discuss
Always Further, founded by team who created https://sigstore.dev , used to secure npm, pypi, brew, and provide attestations for github releases, nvidia and google for AI model signing - we and are now building https://nono.sh agent security tooling.

We have roles open for a principal software engineer:

We're looking for a Principal Software Engineer to join as a founding engineer. You'll work directly with the founders to build the core of our agent security runtime. This is a high-autonomy role - you'll shape architecture, engage with early customers, and make the trade-offs that define the product.

You will build the layer between agentic reasoning and system execution — intercepting, classifying, and validating every agent intent against security policy before it runs. Design systems that capture and cryptographically verify every instruction and action, maintaining ground truth in environments prone to hallucination and injection. Architect fine-grained, time-scoped primitives that allow least-privilege permissions, with the ability to escalate under controlled, auditable conditions. Work with research to stress-test our security primitives at scale. Turn emerging threat vectors (prompt injection, tool misuse, privilege escalation) into adaptive defences.

https://www.alwaysfurther.ai/careers/principal-swe

Staff solutions engineer:

We're looking for a Solutions Engineer join as a founding engineer and to sit at the intersection of our open source community and our growing base of enterprise design partners. You'll spend your time contributing to Nono, helping shape its architecture, and working directly with customers who are integrating it into proof-of-concept and pilot programmes. This is a hands-on role - early on you'll be deep in the code, reviewing pull requests, triaging issues, and experimenting with deployment architectures, all while being a trusted technical voice for both community members and enterprise stakeholders. Over time, the role will evolve toward solutions architecture and customer-facing engagement, as you build the domain expertise and relationships that make you the go-to person for designing how Nono fits into complex enterprise environments.

What You'll Do" Contribute directly to the Nono open source project - code, documentation, and architectural proposals. Experiment with different deployment architectures for Nono across cloud environments, on-premise infrastructure, and hybrid setups and share your findings with others at Always Further, and often with the community, via our blogging platforms or YouTube channel. Work closely with early design partners to integrate Nono into proof-of-concept and pilot programmes, gathering feedback and translating it into engineering priorities. Produce technical content - blog posts, architecture guides, demos.
decodebytes
·4 tháng trước·discuss
If anyone wants native python sandboxing without needing a cloud API, we just shipped an early python SDK from the https://nono.sh project:

import nono_py as nono

# Define capabilities caps = nono.CapabilitySet() caps.allow_path("/project", nono.AccessMode.READ_WRITE) caps.allow_file("/home/user/.gitconfig", nono.AccessMode.READ)

# Apply sandbox (irrevocable) nono.apply(caps)

# Your agent code runs here, fully sandboxed agent.run()

example using pydantic and fast API:

https://github.com/always-further/pydantic-ai-fastapi-nono
decodebytes
·4 tháng trước·discuss
nope - most folks wrap it in nono: https://nono.sh/docs/cli/clients/opencode
decodebytes
·4 tháng trước·discuss
If anyone happens to be interested in sandboxing, a community of us are building https://nono.sh

For what it's worth, it's not just whipped up in claude, a lot of us have a long background in security - I originally created sigstore.dev and was a distinguished engineer at red hat where I built and contributed to a lot of open source security work.

Comes and check it out, any support is appreciated as there is a lot of noise around with all these projects going through weekly hype cycles.
decodebytes
·4 tháng trước·discuss
Hey HN. I'm Luke, security engineer and creator of Sigstore and other open source security projects. I've been building nono, an open source sandbox for AI coding agents that uses kernel-level enforcement (Landlock/Seatbelt) to restrict what agents can do on your machine.

One thing that's been bugging me: we give agents our API keys as environment variables, and a single prompt injection can exfiltrate them via env, /proc/PID/environ, or just an outbound HTTP call. The blast radius is the full scope of that key.

So we built what we're calling the "phantom token pattern" — a credential injection proxy that sits outside the sandbox. The agent never sees real credentials. It gets a per-session token that only works only with the session bound localhost proxy. The proxy validates the token (constant-time), strips it, injects the real credential, and forwards upstream over TLS. If the agent is fully compromised, there's nothing worth stealing.

Real credentials live in the system keystore (macOS Keychain / Linux Secret Service), memory is zeroized on drop, and DNS resolution is pinned to prevent rebinding attacks. It works transparently with OpenAI, Anthropic, and Gemini SDKs — they just follow the *_BASE_URL env vars to the proxy.

Blog post walks through the architecture, the token swap flow, and how to set it up. Would love feedback from anyone thinking about agent credential security.

https://nono.sh/blog/blog-credential-injection

We also have other features we have shipped, such as atomic rollbacks, Sigstore based SKILL attestation.

https://github.com/always-further/nono
decodebytes
·5 tháng trước·discuss
Hey HN

Luke here.

I wanted to introduce a project I have building for the past few weeks in response to events such as openclaw and the glaring security issues at hand. Prior to nono, I created Sigstore , a project used for software supply chain security now used by pypi, npm, brew and GitHub for release attestation and provence.

The problem: Protecting the host from the agent is largely solved, microVMs (kata, firecracker), containers , nono is more focused on protecting the environment or workspace itself - having said that, the isolation controls from the host are pretty solid as we use landlock and seatbelt.

nono uses OS-level isolation, atomic snapshots, and command auditing, secret / token protections (using keychain on linux and the secure enclave chip on apple)

Linux: Landlock LSM (kernel 5.13+) macOS: Seatbelt (sandbox_init) After sandbox + exec(), there's no syscall to expand permissions. The kernel says no.

Filesystem: read/write/allow per directory or file Network: block entirely (per-host filtering planned)

Atomic Rollbacks: Content-addressable storage — Files are stored by SHA-256 hash. Identical content is never duplicated, keeping storage efficient even across long sessions with many reverts — Every snapshot is committed to a Merkle tree. Tampering or corruption becomes more easily detectable

Audit trail of commands: nono automatically generates a cryptographically verifiable audit trail of every file change made by a sandboxed AI agent.

SDKs. We have two SDKs releasing soon using FFI bindings, python and typescript to allow uses to easily implement nono features into their own code base.

Technical details:

Written in Rust. Uses the landlock crate on Linux, raw FFI to sandbox_init() on macOS. Secrets via keyring crate. All paths canonicalized at grant time to prevent symlink escapes.

Landlock ABI v4+ gives us TCP port filtering. Older kernels fall back to full network allow/deny. macOS Seatbelt profiles are generated dynamically as Scheme-like DSL strings.

Limitations:

Network is binary, on or off - plans are in place to introduce IP filtering.

GitHub: https://github.com/always-further/nono Docs: https://docs.nono.dev Site: https://noto.sh

Apache 2.0. Would love feedback!
decodebytes
·5 tháng trước·discuss
This is why I started https://nono.sh , agents start with zero trust in a kernel isolated sandbox.
decodebytes
·5 tháng trước·discuss
Good question - and the answer is no, they cannot escape. nono uses Landlock (Linux) and Seatbelt (macOS) - these are kernel-level security mechanisms. When a sandbox is created:

All child processes inherit the restrictions - if the agent spawns Python, Bash, or compiles and runs a binary, that process is equally sandboxed There is no API to remove or expand the sandbox - once restrict_self() (Landlock) or sandbox_init() (Seatbelt) is called, the restrictions are permanent for that process tree.
decodebytes
·5 tháng trước·discuss
Hmm, I don't know about better, more convenient I guess. But if it floats your boat you could write out everything in the sb format and call sandbox_exec()!
decodebytes
·5 tháng trước·discuss
lol thanks! seriously, I have been running the tool over and over while testing and I kept typing 'nano' and opening binaries in the text editor. Next minute I swearing my head off trying to close nano (and not vim!)
decodebytes
·5 tháng trước·discuss
I rushed out nono.sh (the opposite of yolo!) in response to this and its already negated a few gateway attacks.

It uses kernel-level security primitives (Landlock on Linux, Seatbelt on macOS) to create sandboxes where unauthorized operations are structurally impossible. API keys are also stored in apples secure enclave (or the kernel keyring in linux) , and injected at run time and zeroized from memory after use. There is also some blocking of destructive actions (rm -rf ~/)

its as simple to run as: nono run --profile openclaw -- openclaw gateway

You can also use it to sandbox things like npm install:

nono run --allow node_modules --allow-file package.json package.lock npm install pkg

Its early in, there will be bugs! PR's welcome and all that!

https://nono.sh
decodebytes
·6 tháng trước·discuss
DeepFabric - Generate High-Quality Synthetics, Fine-Tune, Measure, and Evaluate models in a Single Pipeline

Recently used the project to train a 4B model to outperform Claude Sonnet 4.5 and Gemini Pro 2.5 at Tool Calling. Colab here to run a free T4 GPU:

https://colab.research.google.com/drive/1EG1V40v5xkJKLf6Ra6W...

What sets DeepFabric apart from other dataset generation tools is its ability to ensure high diversity yet domain-anchored relevance through unique topic graph generation algorithms. This guides sample creation to cover all necessary subtopics while avoiding redundancy, which is where other tools often fall short, resulting in model overfit.

Constrained decoding and response validation, along with real tool executions within isolated webassembly environments, ensure that generated samples strictly adhere to structured schema, variable constraints, and execution correctness, ensuring datasets have exact syntax and structure for use in model training pipelines. Tool definitions can be directly imported from MCP server schemas and then mocked, or rans as real life tool functions. Using real tools means the model has to adapt and correct when it makes the wrong choice or hallucinationates which makes for much better training data.

Once your dataset is generated, it can be automatically uploaded to Hugging Face and directly imported into popular training frameworks like TRL, Unsloth, and Axolotl.

Post-training, DeepFabric's built-in evaluation engine assesses model performance, whereby models prove their capabilities on unseen tasks derived from training splits—covering evaluation-only questions, answers, and tool traces.

https://github.com/always-further/deepfabric
decodebytes
·10 tháng trước·discuss
I think it was gpt4-mini, but local models do surprisingly well too.
decodebytes
·10 tháng trước·discuss
You can now generate reasoning with Tool calling or format pre-existing datasets to the OpenAI harmony format used for gpt-oss with DeepFabric:

https://github.com/lukehinds/deepfabric/discussions/334
decodebytes
·10 tháng trước·discuss
Hey There, this thread is getting derailed. Could you please create a separate post for your project and we let this one be for discussion of deepfabric, thanks!
decodebytes
·10 tháng trước·discuss
I would love to learn more and have a try, I figure you can dump out to txt or csv -

you can raise and issue and I will certainly give it a go - or also reach me via the discord link on the main repo. Let's see what we can do.