Sandbox your LLM coding agents on macOS so they can only access the files and integrations they actually need.
Agent Safehouse uses sandbox-exec with composable policy profiles and a deny-first model. It supports major coding agents and app-hosted agent workflows while keeping normal development usage practical.
Agent Safehouse is designed around practical least privilege:
- Start from deny-all.
- Allow only what the agent needs to do useful work.
- Keep developer workflows productive.
- Make risk reduction easy by default.
It is a hardening layer, not a perfect security boundary against a determined attacker.
- Website: agent-safehouse.dev
- Docs: agent-safehouse.dev/docs
- Policy Builder: agent-safehouse.dev/policy-builder
If you keep shared repos, caches, or team folders in machine-specific locations, keep those settings out of project config and put them in a shell wrapper plus a local appended profile.
This lets you define your own sane defaults once and reuse them from claude, codex, amp, or app launchers:
POSIX shells (zsh / bash):

```bash
# ~/.zshrc or ~/.bashrc
export SAFEHOUSE_APPEND_PROFILE="$HOME/.config/agent-safehouse/local-overrides.sb"

safe() {
  safehouse \
    --add-dirs-ro="$HOME/server" \
    --append-profile="$SAFEHOUSE_APPEND_PROFILE" \
    "$@"
}

# The ';' before the closing '}' is required by bash on a one-line body (zsh tolerates omitting it).
safe-claude() { safe claude --dangerously-skip-permissions "$@"; }
```

fish:
```fish
# ~/.config/fish/config.fish
set -gx SAFEHOUSE_APPEND_PROFILE "$HOME/.config/agent-safehouse/local-overrides.sb"

function safe
    safehouse \
        --add-dirs-ro="$HOME/server" \
        --append-profile="$SAFEHOUSE_APPEND_PROFILE" \
        $argv
end

function safe-claude
    safe claude --dangerously-skip-permissions $argv
end
```

Example machine-local policy file:
```scheme
;; ~/.config/agent-safehouse/local-overrides.sb
;; Host-specific exceptions that should not live in shared repo config.
(allow file-read*
  (home-literal "/.gitignore_global")
  (home-subpath "/Library/Application Support/CleanShot/media")
  (subpath "/Volumes/Shared/Engineering")
)
```

Use --add-dirs-ro or --add-dirs for normal shared-folder access, and keep --append-profile for machine-local policy exceptions or final deny/allow overrides. That pattern is useful when the repo is shared but each developer machine has different local mount points.
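To make the composition model concrete, here is an added, hand-rolled equivalent using sandbox-exec directly (illustration only; this is not Agent Safehouse's own code): a base profile that denies everything, allows the OS toolchain read-only and the project checkout read/write, and concatenates a machine-local append file last so its rules act as the final overrides. The function names `gen_profile` and `run_sandboxed` and the exact rule set are assumptions.

```shell
#!/usr/bin/env bash
# Hand-rolled deny-first wrapper around sandbox-exec (illustration only; not the
# Agent Safehouse implementation). Function names and the rule set are assumptions.

# Print a profile: deny everything, allow only the OS toolchain read-only and the
# project checkout read/write. An optional append file is concatenated LAST, so
# its rules act as the final deny/allow overrides (later rules win in SBPL).
gen_profile() {
  local project_dir="$1" append_file="${2:-}"
  [ -d "$project_dir" ] || { echo "not a directory: $project_dir" >&2; return 1; }
  cat <<'EOF'
(version 1)
(deny default)
;; Process basics the toolchain needs; nothing under $HOME is readable by default.
(allow process-fork)
(allow process-exec)
(allow sysctl-read)
(allow file-read*
  (subpath "/usr") (subpath "/bin") (subpath "/sbin")
  (subpath "/System") (subpath "/Library") (subpath "/private/etc")
  (literal "/dev/null") (literal "/dev/urandom"))
;; Read/write only inside the project and a scratch area. PROJECT_DIR is
;; injected with `sandbox-exec -D`, so no host path is hard-coded here.
(allow file-read* file-write*
  (subpath (param "PROJECT_DIR"))
  (subpath "/private/tmp")
  (literal "/dev/null") (literal "/dev/tty"))
;; Network is denied first; integrations that need it are re-allowed in the append file.
(deny network*)
EOF
  if [ -n "$append_file" ]; then
    [ -r "$append_file" ] || { echo "cannot read append profile: $append_file" >&2; return 1; }
    printf ';; ---- appended from %s ----\n' "$append_file"
    cat "$append_file"
  fi
}

# Run a command under the generated profile (macOS only; sandbox-exec does not
# exist elsewhere). Denied operations appear as "Sandbox: ... deny" log messages
# and are the starting point for widening the profile one rule at a time.
run_sandboxed() {
  local project_dir="$1" append_file="$2"; shift 2
  local profile; profile="$(mktemp "${TMPDIR:-/tmp}/safehouse-profile.XXXXXX")"
  gen_profile "$project_dir" "$append_file" > "$profile"
  sandbox-exec -f "$profile" -D "PROJECT_DIR=$(cd "$project_dir" && pwd -P)" "$@"
}
```

Typical use is `run_sandboxed "$PWD" "$SAFEHOUSE_APPEND_PROFILE" claude`, with the append file holding the same kind of host-specific exceptions shown above.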
All detailed documentation (setup, usage, options, architecture, testing, debugging, and investigations) lives in the VitePress docs site.