Agent Safehouse
Summary
Agent Safehouse is a zero-dependency Bash wrapper around macOS’s sandbox-exec that enforces kernel-level filesystem isolation for AI coding agents (Claude Code, Codex, Gemini CLI, Amp). It gives agents read/write access only to the current project directory while blocking access to SSH keys, other repos, and personal files — letting you run agents in full-auto “yolo” mode without risking your system.
Key Insight
- The core value is not the script itself but the curated sandbox-exec profiles — the creator spent significant time identifying minimum required permissions for each agent CLI to work (auto-updates, keychain, clipboard, etc.)
- Two distinct threat models that people conflate: (1) accidental destructive actions like rm -rf, which filesystem sandboxing solves completely, and (2) prompt injection via files the agent reads, which sandboxing does NOT solve because the agent already has credentials in memory
- sandbox-exec has been deprecated by Apple since macOS Sierra (2016), but it still works and is used by Chrome, Claude Code, and OpenAI Codex internally — unlikely to be removed
- The Policy Builder (web UI) can generate a standalone sandbox-exec profile without installing anything, making it zero-trust
- Key limitation: no overlay/copy-on-write filesystem on macOS. Agent writes outside CWD are blocked, not captured. On Linux you’d use namespaces; macOS lacks this primitive
- Alternatives mentioned in discussion: Matchlock (microVMs with secret injection via MITM proxy — secrets never enter the VM), yoloai (Docker/Seatbelt/Tart backends with commit review), Treebeard (sandbox-exec + worktrees + COW overlay), Apple Containers (the container CLI via Homebrew), Lima VMs
- Claude Code’s built-in sandbox gives read-only access to everything by default, which is weaker — Safehouse is deny-by-default
- Docker on macOS runs a Linux VM, adding ~0.5% continuous CPU overhead vs zero for sandbox-exec
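A minimal illustration of the deny-by-default approach described above, added here as an example and not one of Agent Safehouse's curated profiles: the shell function generates an SBPL profile that allows read/write only under one project directory (plus read-only system paths a CLI needs to start) and hands it to sandbox-exec. Function names are assumptions, and a real agent CLI needs further allowances (keychain, clipboard, auto-update paths) that this skeleton deliberately omits.

```shell
#!/usr/bin/env bash
# Added example (not Agent Safehouse's own profile): build a deny-by-default
# SBPL profile confined to one project directory, then run a command under it
# with macOS sandbox-exec. Function names are hypothetical.
set -euo pipefail

# Print an SBPL profile for the absolute project path given in $1.
# Pass the physical path (pwd -P): on macOS /tmp is a symlink to /private/tmp
# and (subpath ...) matches the resolved path, not the symlink.
make_profile() {
  local project="$1"
  case "$project" in
    /*) ;;
    *) echo "make_profile: project path must be absolute" >&2; return 1 ;;
  esac
  cat <<EOF
(version 1)
(deny default)
; Toolchain and system files the agent CLI needs, read-only
(allow file-read*
  (subpath "/usr") (subpath "/bin") (subpath "/sbin")
  (subpath "/System") (subpath "/Library") (subpath "/private/etc")
  (subpath "/dev") (subpath "/opt/homebrew"))
(allow process-exec* process-fork sysctl-read)
(allow network*)
; The only writable location: the project directory itself
(allow file-read* file-write* (subpath "$project"))
; Belt and braces: credentials stay unreadable even if a rule above is widened
(deny file-read* (subpath "$HOME/.ssh") (subpath "$HOME/.aws") (subpath "$HOME/.gnupg"))
EOF
}

# Usage: run_sandboxed PROJECT_DIR cmd [args...]
run_sandboxed() {
  local project profile status=0
  project=$(cd "$1" && pwd -P); shift
  profile=$(mktemp "${TMPDIR:-/tmp}/safehouse-profile.XXXXXX")
  make_profile "$project" > "$profile"
  # -f loads the profile; the command and its children inherit the sandbox.
  sandbox-exec -f "$profile" "$@" || status=$?
  rm -f "$profile"
  return "$status"
}

if [ "$#" -ge 2 ]; then
  run_sandboxed "$@"
fi
```

Writes outside the project directory fail with EPERM rather than being captured, which is the overlay limitation noted above.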