Practical Integration Roadmap: TapPass + nono + OpenFang + SIM
Date: February 26, 2026
Principle: Incremental. Each step ships standalone value. No big bang.
Current State
Section titled “Current State”| Product | What it is | LOC | Status |
|---|---|---|---|
| TapPass | Conversation governance proxy. multi-step governance pipeline, React dashboard, SDK, SIEM export, compliance evidence. | ~15K Python + ~3K TS | Phase 1 complete. Production-quality detection. |
| nono | OS-level process sandbox. Landlock (Linux) + Seatbelt (macOS), network filtering, capability tokens. | ~39K Rust | Open source, Apache 2.0. Mature. |
| OpenFang | AI agent runtime. Loop guards, circuit breakers, taint tracking, provider health, metering. | ~141K Rust | We already ported the best 10 ideas into TapPass pipeline steps. |
| SIM Studio | Low-code agent builder. Visual workflows, blocks, guardrails, executor. | ~900K TypeScript | Separate product. Don’t fork. |
Key insight: Each product sits at a different layer. They don’t compete: they stack.
┌─────────────────────────────────────────┐│ SIM Studio (agent builder UI) │ ← builds agents├─────────────────────────────────────────┤│ TapPass (conversation governance) │ ← governs what goes to/from LLMs├─────────────────────────────────────────┤│ nono (execution sandbox) │ ← governs what agents do on the OS└─────────────────────────────────────────┘OpenFang’s best ideas are already inside TapPass (loop guard, circuit breaker, taint tracking, shell bleed, dedup, cost tracking, filter groups). We don’t need to integrate OpenFang as a product.
The Plan: 8 Steps
Section titled “The Plan: 8 Steps”Step 1: SIM → TapPass proxy integration (1-2 days)
Section titled “Step 1: SIM → TapPass proxy integration (1-2 days)”What: SIM already makes LLM calls through an executor. Point those calls at TapPass instead of directly at OpenAI/Anthropic.
How:
- SIM’s
executor.tscalls LLM providers via HTTP - Change the base URL to
http://tappass:9620/gateway/openai/v1(or whatever the agent’s gateway endpoint is) - Register a SIM agent in TapPass, get an API key
- Set
Authorization: Bearer tp_<key>on SIM’s outgoing calls
What you get: Every SIM agent workflow is now governed. PII redaction, injection detection, secret scanning, cost tracking, audit trail. Zero code changes in SIM beyond a config change.
Deliverable: A docker-compose.yml with TapPass + SIM, SIM pointed at TapPass gateway.
Exit criteria: Run a SIM workflow → see it in TapPass audit trail with detections.
Step 2: SIM guardrails → TapPass pipeline mapping (2-3 days)
Section titled “Step 2: SIM guardrails → TapPass pipeline mapping (2-3 days)”What: SIM has its own guardrails system (apps/sim/lib/guardrails/). Map SIM’s guardrail config to TapPass pipeline config so CISOs manage one policy.
How:
- SIM guardrails: content filter, PII check, prompt injection, topic restriction
- TapPass pipeline:
detect_pii,detect_injection,detect_business,constrain_output, etc. - Build a small adapter: read SIM’s guardrail JSON → generate TapPass pipeline config
- Or: just disable SIM’s built-in guardrails entirely, let TapPass handle everything (simpler)
What you get: Single pane of glass for security policy. SIM users don’t need to configure guardrails twice.
Deliverable: Documentation: “If you use TapPass, disable SIM guardrails. TapPass is your guardrail layer.”
Exit criteria: SIM workflow with TapPass-only guardrails. SIM’s own guardrails off.
Step 3: nono proof-of-concept. sandbox a local agent (3-5 days)
Section titled “Step 3: nono proof-of-concept. sandbox a local agent (3-5 days)”What: Run a simple Python agent (CrewAI or plain script) inside a nono sandbox. No TapPass integration yet. just prove the sandbox works.
How:
- Install nono CLI (
cargo install nono-clior build from source) - Write a nono policy that allows:
- Network: only
api.openai.com:443andlocalhost:9620(TapPass) - Filesystem: read-only except
/tmp/agent_workspace - No access to
~/.ssh,~/.aws,~/.config
- Network: only
- Run:
nono run --policy agent.json -- python agent.py - Verify: agent runs, LLM calls succeed,
~/.sshaccess is denied
What you get: Proof that nono can sandbox AI agents on macOS and Linux without root.
Deliverable: examples/sandbox/ with policy file + example agent + README.
Exit criteria: Agent runs inside sandbox. cat ~/.ssh/id_rsa from inside agent fails. curl api.openai.com works. curl evil.com fails.
Step 4: nono + TapPass. sandboxed agent with governance (3-5 days)
Section titled “Step 4: nono + TapPass. sandboxed agent with governance (3-5 days)”What: Combine Step 1 (TapPass proxy) and Step 3 (nono sandbox). The agent runs inside nono, and all LLM calls route through TapPass.
How:
- nono policy: network allow
localhost:9620only (force all traffic through TapPass) - Agent configured to use TapPass gateway as OpenAI base URL
- TapPass pipeline governs conversation content
- nono policy governs OS-level actions
What you get: Two-surface governance. conversation + execution. working together.
Deliverable: examples/governed-agent/ with nono policy + TapPass config + agent script.
Exit criteria: Agent talks to LLM through TapPass (audited). Agent can’t access filesystem outside workspace (nono enforced). Agent can’t make arbitrary network calls (nono enforced).
Step 5: Policy sync. TapPass dashboard controls nono policy (1-2 weeks)
Section titled “Step 5: Policy sync. TapPass dashboard controls nono policy (1-2 weeks)”What: When a CISO changes tool permissions in TapPass dashboard, generate an updated nono policy file.
How:
- New module:
tappass/sandbox/policy_gen.py - Maps TapPass concepts to nono policy:
filter_toolsblocked tools → nono network deny rules (block tool API endpoints)tool_permissions→ nono filesystem/network rules- Agent-level settings → per-agent nono policy files
- API endpoint:
GET /agents/{id}/sandbox-policy→ returns nono-compatible JSON - The sandboxed agent fetches its policy from TapPass on startup
What you get: Single dashboard controls both conversation and execution governance.
Deliverable: Policy generator module + API endpoint + example showing policy refresh.
Exit criteria: Block a tool in TapPass UI → agent inside nono can no longer reach that tool’s API.
Step 6: tappass-agent binary. packaging for distribution (2-3 weeks)
Section titled “Step 6: tappass-agent binary. packaging for distribution (2-3 weeks)”What: A single binary (tappass-agent) that:
- Registers with a TapPass server
- Downloads its nono policy
- Launches the agent process inside a nono sandbox
- Reports tool executions back to TapPass
How:
- Rust binary (small. just orchestration, not reimplementing TapPass)
- Embeds nono as a library crate (not a subprocess)
- Config:
tappass-agent --server https://tappass.corp.com --key tp_xxx -- python my_agent.py - On startup: fetch policy, start sandbox, launch agent
- Sidecar: forward tool execution audit events to TapPass
What you get: One-line deployment for governed agents. IT can distribute via Homebrew/apt/Chocolatey.
Deliverable: tappass-agent Rust crate. CI builds for Linux x86/arm64 + macOS x86/arm64.
Exit criteria: tappass-agent -- python agent.py works end-to-end. Events visible in dashboard. Sandbox enforced.
Note: This is the step that requires a Rust engineer. Everything before this is Python/config work.
Step 7: SIM + tappass-agent. governed SIM workflows with sandbox (1 week)
Section titled “Step 7: SIM + tappass-agent. governed SIM workflows with sandbox (1 week)”What: SIM workflows that execute tools run inside tappass-agent sandbox.
How:
- SIM’s executor spawns tool execution processes
- Instead of direct execution, SIM calls
tappass-agentto run the tool - Or: SIM’s entire server process runs inside
tappass-agent - TapPass governs conversation (proxy), nono governs execution (sandbox)
What you get: Full three-layer governance for SIM-built agents.
Deliverable: Docker Compose with SIM + TapPass + tappass-agent. Demo workflow.
Exit criteria: SIM workflow → TapPass governs LLM calls → nono sandboxes tool execution → everything in one dashboard.
Step 8: Credential injection via nono capability tokens (1-2 weeks)
Section titled “Step 8: Credential injection via nono capability tokens (1-2 weeks)”What: Agents never see real API keys. TapPass issues scoped capability tokens, nono’s proxy injects real credentials at the network layer.
How:
- TapPass stores credentials in vault (already exists:
tappass/infra/vault.py) - When agent needs to call an API, TapPass issues a short-lived capability token
- nono’s network proxy intercepts outgoing requests, replaces the token with the real credential
- Agent code never contains real secrets. even if prompt-injected to exfiltrate, there’s nothing to steal
What you get: Third surface. credential governance. The “crown jewel” security argument.
Deliverable: Credential injection flow working end-to-end.
Exit criteria: Agent calls external API with capability token. nono injects real credential. Agent process never has access to real secret. Credential rotation in TapPass propagates automatically.
Timeline Summary
Section titled “Timeline Summary”| Step | What | Effort | Depends on | Rust needed? |
|---|---|---|---|---|
| 1 | SIM → TapPass proxy | 1-2 days | Nothing | No |
| 2 | SIM guardrails → TapPass | 2-3 days | Step 1 | No |
| 3 | nono PoC (standalone) | 3-5 days | Nothing | No (just config) |
| 4 | nono + TapPass together | 3-5 days | Steps 1+3 | No |
| 5 | Policy sync (dashboard → nono) | 1-2 weeks | Step 4 | No |
| 6 | tappass-agent binary | 2-3 weeks | Step 5 | Yes |
| 7 | SIM + tappass-agent | 1 week | Steps 2+6 | No |
| 8 | Credential injection | 1-2 weeks | Step 6 | Yes |
Steps 1-5 = ~4-5 weeks, Python/config only, no Rust engineer needed.
Steps 6-8 = ~5-6 weeks, requires Rust engineer.
Steps 1 and 3 can run in parallel (no dependency). Steps 2 and 4 can overlap.
What We’re NOT Doing
Section titled “What We’re NOT Doing”| Rejected approach | Why |
|---|---|
| Fork SIM | 900K LOC, unmaintainable. We integrate as a proxy consumer. |
| Merge products into monolith | Identity crisis. Each product stays independent. |
| Build our own sandbox | nono exists, is Apache 2.0, and is purpose-built for this. |
| Integrate OpenFang as a runtime | We already ported the 10 best ideas. OpenFang is a different product. |
| Build all 8 steps before shipping | Each step ships standalone value. Step 1 alone is useful. |
| Require partnership with nono | Apache 2.0 dependency first. Partnership is nice-to-have. |
Value at Each Step
Section titled “Value at Each Step”| After step | What a CISO gets |
|---|---|
| 1 | ”All my SIM workflows are governed: PII redacted, injections blocked, audit trail.” |
| 2 | ”One policy dashboard for all agent security: not two config systems.” |
| 3 | ”Proof that we can sandbox agents at the OS level.” |
| 4 | ”Two-surface governance: conversation AND execution. working together.” |
| 5 | ”I click a button in the dashboard, the sandbox policy updates. Single pane of glass.” |
| 6 | ”One-line deployment: tappass-agent -- python agent.py. IT loves it.” |
| 7 | ”Our SIM-built agents run in a governed sandbox. Full stack.” |
| 8 | ”Agents never see real secrets. Even a compromised agent can’t steal credentials.” |
Decision Points
Section titled “Decision Points”- After Step 2: Is SIM integration worth pursuing further, or do we focus on other agent frameworks (CrewAI, LangChain, etc.)?
- After Step 5: Do we build
tappass-agentourselves, or hire a Rust contractor? This is the biggest investment. - After Step 6: Do we open-source
tappass-agentto drive adoption, or keep it proprietary? - After Step 8: Do we pursue SOC 2 certification for the full three-surface platform?
Starting Monday
Section titled “Starting Monday”Week 1: Steps 1 + 3 in parallel.
- Day 1-2: Docker Compose with SIM + TapPass, SIM pointed at gateway (Step 1)
- Day 1-3: nono sandbox PoC with a CrewAI agent (Step 3)
- Day 3-5: Combine into governed + sandboxed agent (Step 4)
Five days of work. Two surfaces governed. Demoable.