Nono: A secure, kernel-enforced capability sandbox for AI agents github.com 2 points by decodebytes 3 hours ago