Native macOS sandboxing for Agents

Successfully contained agents clunkers

All major agents work perfectly inside Safehouse. They just can't touch anything outside it.

Claude Code

Codex

OpenCode

Amp

Cursor

Aider

Gemini CLI

Cline

Augment Code

Droid

Pi

+yours

Why Safehouse?

Coding agents run as your user. They inherit every permission you have — read your SSH keys, browse your credentials, write anywhere on disk. The built-in permission prompts help, but skipping them (which most people do) means the agent has the same access as sudo -u $USER. Safehouse uses macOS sandbox-exec to enforce kernel-level restrictions that the agent process cannot bypass, even if it tries.

• Kernel-level enforcement — sandbox-exec runs in the macOS kernel. The agent can't escape it, disable it, or write around it. A denied operation returns EPERM, period.
• Deny-first, allow-list model — the policy starts with (deny default). File reads, writes, network, IPC — everything is blocked unless a rule explicitly permits it.
• Scoped to your project — the current working directory gets read/write. Toolchains (~/.cargo, ~/.npm, etc.) get their own scoped access. Everything else — SSH keys, cloud credentials, other repos — is invisible.
• Zero friction — no permission prompts, no babysitting. Safehouse enforces boundaries silently. You just type safehouse -- claude --dangerously-skip-permissions and work.

What's allowed vs. denied

Necessary evils

Access that looks scary but is genuinely required. Narrowest scope possible.

• Keychain & Security framework — most agents store login tokens in macOS Keychain and cannot authenticate without it. We allow read/write to Keychain files and Security mach services (com.apple.SecurityServer, trustd) because agents fail to start without them. This also covers TLS certificate validation.
• Device nodes — agents need /dev/null, /dev/urandom, /dev/tty*, and /dev/ptmx for basic I/O, randomness, and pseudo-terminal allocation. We allow these specific safe nodes but deny raw disk access (/dev/disk*), packet capture (/dev/bpf*), and audit devices.
• Full network access Configurable — agents need package registries, LLM APIs, MCP servers, git remotes, and localhost dev servers. The default policy is fully open, but profiles/20-network.sb includes commented alternatives for outbound-only or localhost-only modes.
• Mach services & IPC — macOS frameworks probe dozens of mach services during process init — notification center, logd, diagnosticd, CoreServices, and more. Without these, even basic CLI tools like git and node crash on startup.
• Full process exec & fork — agents orchestrate deep subprocess trees: shell → git → ssh → credential-helper. Restricting process-exec or process-fork would break every agent immediately. Instead, we constrain what those processes can access via filesystem rules.
• 1Password & credential helpers Configurable — git credential helpers, SSH agent forwarding, and CLI tools like gh and glab often rely on 1Password or the macOS SSH agent socket. The SSH profile still denies private key files — only the agent socket and 1Password CLI integration are allowed.

Getting started

Clone the repo, add an alias, and wrap your agent command. That's it — no build step, no dependencies.

# 1. Clone the repo
git clone https://github.com/eugene1g/agent-safehouse.git ~/.local/share/agent-safehouse

# 2. Add an alias (add this to ~/.zshrc or ~/.bashrc)
alias safehouse="$HOME/.local/share/agent-safehouse/bin/safehouse"

# 3. Run any agent inside Safehouse
cd ~/projects/my-app
safehouse -- claude --dangerously-skip-permissions

Safehouse automatically grants read/write access to the current working directory and read access to your installed toolchains. Everything else — home directory, SSH keys, cloud credentials, other repos — is denied by the kernel.

Use aliases to be safe by default

Add these aliases to your shell config and every agent runs inside Safehouse automatically — you don't have to remember. To run an agent without the sandbox, you deliberately type command claude to bypass the alias and invoke the real binary. This inverts the default: safety is automatic, and running unprotected requires a conscious choice.

# ~/.zshrc or ~/.bashrc
# Point this to your clone location
export SAFEHOUSE="$HOME/.local/share/agent-safehouse/bin/safehouse"

# Sandboxed — the default. Just type the command name.
alias claude='$SAFEHOUSE -- claude --dangerously-skip-permissions'
alias codex='$SAFEHOUSE -- codex --dangerously-bypass-approvals-and-sandbox'
alias amp='$SAFEHOUSE -- amp --dangerously-allow-all'
alias gemini='NO_BROWSER=true $SAFEHOUSE -- gemini --yolo'
alias aider='$SAFEHOUSE -- aider --yes-always'
alias cursor='$SAFEHOUSE -- cursor-agent --force'

# Unsandboxed — use `command` to bypass the alias and run the real binary.
# command claude              — plain interactive session
# command claude <flags>      — pass any flags directly

# Extras — Docker, read-only reference paths, etc.
alias claude-docker='$SAFEHOUSE --enable=docker -- claude --dangerously-skip-permissions'

Usage

# Run Claude in the current repo (CWD always gets read/write)
cd ~/projects/my-app
safehouse -- claude --dangerously-skip-permissions

# Grant extra writable directories
safehouse --add-dirs=/tmp/scratch:/data/shared -- claude

# Grant read-only access to reference code
safehouse --add-dirs-ro=/repos/shared-lib -- aider

# Enable Docker socket access (off by default)
safehouse --enable=docker -- docker ps

# Inspect the generated policy without running anything
safehouse --dry-run -- claude

Just grab the policy file

All profiles flattened into a single .sb file. Run directly with sandbox-exec.

# After saving the file locally, replace the template paths
sed -i '' 's|/private/tmp/agent-safehouse-static-template/home|'$HOME'|g' agent-safehouse-policy.sb
sed -i '' 's|/private/tmp/agent-safehouse-static-template/workspace|'$PWD'|g' agent-safehouse-policy.sb

# Run any agent under the policy
sandbox-exec -f agent-safehouse-policy.sb claude --dangerously-skip-permissions