Agent Safehouse – macOS-native sandboxing for local agents
TL;DR Highlight
You can sandbox Claude Code, Codex, and other local AI agents on macOS using sandbox-exec to restrict filesystem and network access.
Who Should Read
Security-conscious developers running AI coding agents locally who want to limit what those agents can actually touch on their machine.
Core Mechanics
- macOS has a built-in sandboxing mechanism called sandbox-exec (based on the SBPL profile language) that can restrict what processes can read/write and what network connections they can make.
- Claude Code and similar agents run as regular processes — wrapping them in sandbox-exec profiles limits blast radius if the agent does something unexpected or is manipulated.
- Example restrictions: read-only access to the codebase directory, no write access to ~/.ssh or credentials, no outbound network to non-allowed hosts.
- This is security defense-in-depth — it doesn't prevent all attacks but significantly limits what a compromised or manipulated agent can do.
- The technique is macOS-specific but the approach generalizes: Linux has seccomp/AppArmor, containers provide similar isolation on any platform.
Evidence
- The author shared working SBPL profiles for constraining Claude Code, with examples of what access patterns to allow vs. block.
- HN commenters with security backgrounds validated the approach, noting sandbox-exec is underused and genuinely effective for this use case.
- Some noted that Claude Code itself now has some built-in permissions prompting, reducing but not eliminating the need for OS-level sandboxing.
- Others pointed out that Docker-based development environments provide similar isolation with more portability — but have higher setup overhead.
How to Apply
- Create a sandbox-exec profile for your AI agent that allows: read/write to project directory, read to /usr/lib and system directories, network to your allowed API endpoints. Block: ~/.ssh, ~/.aws, ~/.config, and broad filesystem writes.
- Test your SBPL profile by running the agent against a dummy project and verifying it can't write outside the project dir or make unexpected network calls.
- For CI environments running AI agents: use container isolation (Docker with --network=limited) rather than sandbox-exec for cross-platform portability.
- Review Claude Code's built-in permission prompts — understand what it asks for and why before granting blanket permissions.
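The profile shape described in Core Mechanics and in the first two steps above, as an added example that is not Agent Safehouse's own profile: a POSIX shell script that generates a deny-by-default SBPL profile for one project directory and probes it with sandbox-exec. The allow list (system paths, `/opt/homebrew`, `/private/tmp`, one TCP port), the canary file names and the `PROJECT_DIR` / `PROFILE_FILE` variables are assumptions for illustration; a real agent binary may need further `allow` rules, which show up as denials in the unified log. sandbox-exec is marked deprecated by Apple but still ships with macOS.

```shell
#!/bin/sh
# Added example, not Agent Safehouse's own profile: generate a deny-by-default
# SBPL profile for one project directory and probe it with sandbox-exec.
# Paths, port and canary file names below are assumptions for illustration.

# write_agent_profile PROJECT_DIR HOME_DIR [PORT]
# Prints an SBPL profile to stdout. SBPL gives later rules precedence over
# earlier ones, so the credential deny rules are emitted after the allows.
write_agent_profile() {
    project="$1"
    home="$2"
    port="${3:-443}"
    cat <<EOF
(version 1)
(deny default)
; the agent must be able to start its own tool subprocesses
(allow process-exec)
(allow process-fork)
(allow signal (target self))
(allow sysctl-read)
(allow mach-lookup)
; stat() anywhere keeps shells, linkers and path lookups working
(allow file-read-metadata)
; read-only access to the OS, the toolchain and device nodes
(allow file-read*
    (subpath "/System") (subpath "/usr") (subpath "/bin") (subpath "/sbin")
    (subpath "/Library") (subpath "/private/etc") (subpath "/opt/homebrew")
    (subpath "/dev"))
(allow file-write* (literal "/dev/null") (regex #"^/dev/tty"))
; the only general-purpose writable areas: the project and scratch space
(allow file-read* file-write*
    (subpath "$project")
    (subpath "/private/tmp"))
; credentials: explicit denies placed last so no earlier allow can reach them
(deny file-read* file-write*
    (subpath "$home/.ssh")
    (subpath "$home/.aws")
    (subpath "$home/.config"))
; outbound network: a single TCP port only (HTTPS to the model API)
(allow network-outbound (remote tcp "*:$port"))
EOF
}

# probe_profile PROFILE_PATH
# Exercises the profile on macOS: a file outside the project must be
# unreadable with EPERM (the sandbox's "Operation not permitted", not a
# missing-file error), while a file inside the project stays readable.
# Returns 0 if both hold, 1 on a violation, 2 when sandbox-exec is absent.
probe_profile() {
    profile="$1"
    command -v sandbox-exec >/dev/null 2>&1 || return 2
    canary="${HOME}/.agent-canary.$$"          # constructed secret outside the project
    inside="${PROJECT_DIR}/.agent-canary.$$"   # constructed file inside the project
    echo "canary" > "$canary"
    echo "inside" > "$inside"
    rc=0
    out=$(sandbox-exec -f "$profile" /bin/cat "$canary" 2>&1)
    case "$out" in
        *"Operation not permitted"*) ;;        # blocked, as intended
        *) echo "FAIL: read outside the project was not blocked: $out"; rc=1 ;;
    esac
    if ! sandbox-exec -f "$profile" /bin/cat "$inside" >/dev/null 2>&1; then
        echo "FAIL: read inside the project was blocked"; rc=1
    fi
    rm -f "$canary" "$inside"
    return "$rc"
}

PROJECT_DIR="${PROJECT_DIR:-$(pwd)}"
PROFILE_FILE="${TMPDIR:-/tmp}/agent-sandbox.sb"
write_agent_profile "$PROJECT_DIR" "$HOME" 443 > "$PROFILE_FILE"
# Then, on macOS: probe_profile "$PROFILE_FILE" && sandbox-exec -f "$PROFILE_FILE" claude
```

The probe checks for the sandbox's own error text rather than just a non-zero exit, because a missing file would also make `cat` fail and make the test pass vacuously; the positive control (reading inside the project) catches a profile so strict that it blocks the agent from working at all. Paths must be the resolved ones (`/private/tmp` rather than `/tmp`), since the sandbox matches on canonical paths.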
Code Example
# 1. Installation (Homebrew tap published by the project)
brew install eugene1g/safehouse/agent-safehouse
# 2. Run the agent inside the sandbox from the project directory
cd ~/projects/my-app
safehouse claude --dangerously-skip-permissions
# 3. Register auto-apply functions in ~/.zshrc so the bare commands always
#    go through the sandbox; "$HOME" is used instead of ~ so the path expands
#    regardless of shell options, and --add-dirs-ro grants read-only access
#    to one extra directory outside the project
safe() { safehouse --add-dirs-ro="$HOME/mywork" "$@"; }
claude() { safe claude --dangerously-skip-permissions "$@"; }
codex() { safe codex --dangerously-bypass-approvals-and-sandbox "$@"; }
# 4. Sandbox test (verify SSH key access is blocked)
safehouse cat ~/.ssh/id_ed25519
# cat: /Users/you/.ssh/id_ed25519: Operation not permitted
Related Papers
Show HN: adamsreview – better multi-agent PR reviews for Claude Code
An open-source plugin for Claude Code in which up to 7 parallel sub-agents each review a PR from a different perspective and even apply fixes automatically. It claims to catch more real bugs than the built-in /review or CodeRabbit, but the community also voiced skepticism about its complexity and practical value.
How Fast Does Claude, Acting as a User Space IP Stack, Respond to Pings?
An experiment that had Claude Code parse IP packets directly and construct ICMP echo replies so that it actually answers pings; an entertaining case of pushing the idea that "Markdown is the code and the LLM is the processor" all the way down to the network stack.
Show HN: Git for AI Agents
A version-control tool that automatically tracks every tool call made by an AI coding agent (Claude Code and others) and can even blame which prompt wrote which line of code.
Principles for agent-native CLIs
An article collecting principles for designing CLI tools so that AI agents can use them well; as agents increasingly rely on CLIs as their tools, this design approach is becoming practically important.
Agent-harness-kit scaffolding for multi-agent workflows (MCP, provider-agnostic)
A scaffolding tool that coordinates multiple AI agents so they can divide up roles and collaborate, letting you assemble a multi-agent pipeline quickly and without configuration, in the style of Vite.
Show HN: Tilde.run – Agent sandbox with a transactional, versioned filesystem
A tool that provides an isolated sandbox environment whose changes can be rolled back even when an AI agent touches real production data, bundling GitHub, S3 and Google Drive into a single version-controlled filesystem.