Agent Safehouse – macOS-native sandboxing for local agents

Mar 8, 2026•atombender•View Original

TL;DR Highlight

You can sandbox Claude Code, Codex, and other local AI agents on macOS using sandbox-exec to restrict filesystem and network access.

Who Should Read

Security-conscious developers running AI coding agents locally who want to limit what those agents can actually touch on their machine.

Core Mechanics

macOS has a built-in sandboxing mechanism called sandbox-exec (based on the SBPL profile language) that can restrict what processes can read/write and what network connections they can make.
Claude Code and similar agents run as regular processes — wrapping them in sandbox-exec profiles limits blast radius if the agent does something unexpected or is manipulated.
Example restrictions: read-only access to the codebase directory, no write access to ~/.ssh or credentials, no outbound network to non-allowed hosts.
This is security defense-in-depth — it doesn't prevent all attacks but significantly limits what a compromised or manipulated agent can do.
The technique is macOS-specific but the approach generalizes: Linux has seccomp/AppArmor, containers provide similar isolation on any platform.

Evidence

The author shared working SBPL profiles for constraining Claude Code, with examples of what access patterns to allow vs. block.
HN commenters with security backgrounds validated the approach, noting sandbox-exec is underused and genuinely effective for this use case.
Some noted that Claude Code itself now has some built-in permissions prompting, reducing but not eliminating the need for OS-level sandboxing.
Others pointed out that Docker-based development environments provide similar isolation with more portability — but have higher setup overhead.

How to Apply

Create a sandbox-exec profile for your AI agent that allows: read/write to project directory, read to /usr/lib and system directories, network to your allowed API endpoints. Block: ~/.ssh, ~/.aws, ~/.config, and broad filesystem writes.
Test your SBPL profile by running the agent against a dummy project and verifying it can't write outside the project dir or make unexpected network calls.
For CI environments running AI agents: use container isolation (Docker with --network=limited) rather than sandbox-exec for cross-platform portability.
Review Claude Code's built-in permission prompts — understand what it asks for and why before granting blanket permissions.

Code Example

snippet

# 1. Installation
brew install eugene1g/safehouse/agent-safehouse

# 2. Run agent inside sandbox
cd ~/projects/my-app
safehouse claude --dangerously-skip-permissions

# 3. Register auto-apply function in zshrc
safe() { safehouse --add-dirs-ro=~/mywork "$@"; }
claude() { safe claude --dangerously-skip-permissions "$@"; }
codex() { safe codex --dangerously-bypass-approvals-and-sandbox "$@"; }

# 4. Sandbox test (verify SSH key access is blocked)
safehouse cat ~/.ssh/id_ed25519
# cat: /Users/you/.ssh/id_ed25519: Operation not permitted

Terminology

sandbox-execA macOS command-line tool for running processes under a sandbox policy defined in SBPL (Sandbox Profile Language), restricting what the process can access.

SBPLSandbox Profile Language — the policy language used to define macOS sandbox restrictions (file access, network, process spawning, etc.).

SeccompSecure Computing Mode — Linux kernel feature for restricting system calls a process can make, similar in purpose to macOS sandbox-exec.

Defense-in-depthA security strategy using multiple independent layers of protection so that if one layer fails, others still limit the damage.