# Agent Safehouse: Kernel-Level Sandbox for AI Coding Agents on macOS

> Agent Safehouse enforces kernel-level filesystem isolation for AI coding agents on macOS, letting you run them in full-auto mode safely.

Published: 2026-03-12
URL: https://daniliants.com/insights/agent-safehouse/
Tags: macos-sandbox, agent-security, sandbox-exec, claude-code, local-agents, devtools, llm-safety

---

## Summary

Agent Safehouse is a zero-dependency Bash wrapper around macOS's sandbox-exec that enforces kernel-level filesystem isolation for AI coding agents (Claude Code, Codex, Gemini CLI, Amp). It gives agents read/write access only to the current project directory while blocking access to SSH keys, other repos, and personal files -- letting you run agents in full-auto "yolo" mode without risking your system.

## Key Insight

- The core value is not the script itself but the curated sandbox-exec profiles -- the creator spent significant time identifying minimum required permissions for each agent CLI to work (auto-updates, keychain, clipboard, etc.)
- Two distinct threat models that people conflate: (1) accidental destructive actions like `rm -rf` which filesystem sandboxing solves completely, and (2) prompt injection via files the agent reads, which sandboxing does NOT solve because the agent already has credentials in memory
- sandbox-exec has been deprecated by Apple since macOS Sierra (2016), but it still works and is used by Chrome, Claude Code, and OpenAI Codex internally -- unlikely to be removed
- The Policy Builder (web UI) can generate a standalone sandbox-exec profile without installing anything, making it zero-trust
- Key limitation: no overlay/copy-on-write filesystem on macOS. Agent writes outside CWD are blocked, not captured. On Linux you'd use namespaces; macOS lacks this primitive
- Alternatives mentioned in discussion: Matchlock (microVMs with secret injection via MITM proxy -- secrets never enter the VM), yoloai (Docker/Seatbelt/Tart backends with commit review), Treebeard (sandbox-exec + worktrees + COW overlay), Apple Containers (`container` CLI via Homebrew), Lima VMs
- Claude Code's built-in sandbox gives read-only access to everything by default, which is weaker -- Safehouse is deny-by-default
- Docker on macOS runs a Linux VM, adding ~0.5% continuous CPU overhead vs zero for sandbox-exec
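
As an added illustration (not Safehouse's own script or its curated per-agent profiles), the following constructed generator shows the deny-by-default SBPL profile pattern the summary describes: read/write only inside the project directory, read-only system paths, explicit denies for secret directories. The specific allow rules are assumptions and deliberately omit the keychain, clipboard and auto-update permissions the real profiles grant.

```shell
#!/bin/sh
# Constructed example of a deny-by-default sandbox-exec (Seatbelt/SBPL)
# profile in the spirit of Agent Safehouse. The rule set is an assumption
# for illustration, not the project's curated profiles.

# Print an SBPL profile that confines writes to PROJECT_DIR (argument 1).
safehouse_profile() {
  # Resolve symlinks: on macOS /tmp -> /private/tmp, and Seatbelt matches
  # on the resolved path, so an unresolved path would silently not match.
  proj=$(cd "$1" && pwd -P) || return 1
  home=${HOME:-/nonexistent}
  cat <<EOF
(version 1)
(deny default)
;; In SBPL the last matching rule wins, so ordering below matters.
(allow process-fork)
(allow process-exec)
(allow sysctl-read)
;; Read-only access to the OS and toolchains the agent CLI needs to run.
(allow file-read* (subpath "/usr") (subpath "/bin") (subpath "/sbin")
                  (subpath "/System") (subpath "/Library")
                  (subpath "/opt/homebrew") (subpath "/private/etc"))
;; The only writable location: the current project directory.
(allow file-read* file-write* (subpath "$proj"))
;; Defence in depth: even if PROJECT_DIR were \$HOME, keep secrets out.
(deny file-read* file-write* (subpath "$home/.ssh")
                             (subpath "$home/.aws")
                             (subpath "$home/.gnupg"))
EOF
}

# Write the profile and run CMD under it when sandbox-exec exists; on
# other platforms report the profile path so the script still runs.
run_safehoused() {
  dir=$1; shift
  prof=$(mktemp) || return 1
  safehouse_profile "$dir" > "$prof" || return 1
  if command -v sandbox-exec >/dev/null 2>&1; then
    (cd "$dir" && sandbox-exec -f "$prof" "$@")
  else
    echo "sandbox-exec unavailable; profile written to $prof" >&2
    return 2
  fi
}
```

Writes the agent attempts outside the project directory fail with EPERM rather than being captured, which is the overlay limitation noted above.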