Agent Safehouse – macOS-native sandboxing for local agents

Published: (March 8, 2026 at 04:30 PM EDT)

Source: Hacker News

Tested against leading agents

Each tested agent runs normally inside its sandbox, and nothing it does can read or modify anything outside that sandbox.

Deny‑first access model

Run directly, an agent inherits your full user permissions: whatever you can read or write, it can too. Safehouse flips this: nothing is accessible unless it has been explicitly granted.

~/my-project     read/write
~/shared-lib     read-only
~/.ssh           denied
~/.aws           denied
~/other-repos    denied
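What the deny-first model looks like when written directly against the macOS sandbox, as an added example that is not Safehouse's own code (the page does not show Safehouse's profile or its toolchain allow-list). It builds an SBPL profile for Apple's sandbox-exec, which the man page marks deprecated but which still ships, with `(deny default)` first and explicit allows after it: read/write on the project, read-only on a shared directory (the role `--add-dirs-ro` plays on this page), and no rule at all for ~/.ssh, ~/.aws or other repos. The system paths and the outbound-network allow are this example's assumptions; the exact set a given binary needs varies by macOS version.

```sh
#!/bin/sh
# Illustrative deny-first Seatbelt profile in the spirit of Safehouse's
# access model. Not Safehouse's code. System paths below are an assumption:
# extend them when a command dies with "Operation not permitted".
# Pass absolute, symlink-free paths (e.g. /Users/you/my-project).

# Print an SBPL profile to stdout.
# $1 = project directory (read/write), $2 = shared directory (read-only).
deny_first_profile() {
  project=$1
  shared=$2
  cat <<EOF
(version 1)
; Rule 1: deny everything. Later rules override earlier ones, so every
; allow below is an explicit exception to this default.
(deny default)

; Process basics: fork/exec binaries and the sysctls dyld reads at start.
(allow process-fork)
(allow process-exec)
(allow sysctl-read)
(allow file-read-metadata)

; Read-only system toolchain (assumed list; adjust per machine).
(allow file-read*
  (subpath "/usr")
  (subpath "/bin")
  (subpath "/sbin")
  (subpath "/System")
  (subpath "/Library")
  (subpath "/private/etc")
  (subpath "/private/var/db/dyld")
  (literal "/dev/null")
  (literal "/dev/urandom"))
(allow file-write* (literal "/dev/null"))

; Scratch space and the work directory: the only writable user paths.
(allow file-read* file-write* (subpath "/private/tmp"))
(allow file-read* file-write* (subpath "$project"))

; Shared code the agent may read but never modify.
(allow file-read* (subpath "$shared"))

; Agents call hosted models, so this example allows outbound network.
(allow network-outbound)

; Note what is absent: no rule mentions ~/.ssh, ~/.aws or other repos,
; so (deny default) covers them and the kernel returns EPERM.
EOF
}

# Run a command inside the generated profile. Only meaningful on macOS.
# $1 = project dir, $2 = shared dir, rest = command line to sandbox.
run_deny_first() {
  project=$1
  shared=$2
  shift 2
  sandbox-exec -p "$(deny_first_profile "$project" "$shared")" "$@"
}

# Usage (macOS):
#   sh deny-first.sh "$HOME/my-project" "$HOME/shared-lib" cat "$HOME/.ssh/id_ed25519"
#   sh deny-first.sh "$HOME/my-project" "$HOME/shared-lib" ls "$HOME/my-project"
if [ $# -ge 3 ]; then
  run_deny_first "$@"
fi
```

Rule order is the whole point: SBPL gives later rules precedence, so `(deny default)` has to be the first rule and every allow after it is a deliberate exception. Anything not listed, including every other path under the home directory, fails with "Operation not permitted".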

Getting started

Download a single shell script, make it executable, and run your agent inside it. No build step, no dependencies, just Bash and macOS. Because it is a plain shell script, you can read it before you make it executable.

# 1. Download Safehouse (single self‑contained script)
mkdir -p ~/.local/bin
curl -fsSL https://raw.githubusercontent.com/eugene1g/agent-safehouse/main/dist/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse

# 2. Run any agent inside Safehouse
cd ~/projects/my-app
safehouse claude --dangerously-skip-permissions

Safehouse automatically grants read/write access to the selected work directory (git root by default) and read access to your installed toolchains. Most of your home directory—SSH keys, other repos, personal files—is denied by the kernel.

See it fail — proof the sandbox works

Try reading something sensitive inside Safehouse. The kernel blocks it before the process ever sees the data.

# Try to read your SSH private key — denied by the kernel
safehouse cat ~/.ssh/id_ed25519
# cat: /Users/you/.ssh/id_ed25519: Operation not permitted

# Try to list another repo — invisible
safehouse ls ~/other-project
# ls: /Users/you/other-project: Operation not permitted

# But your current project works fine
safehouse ls .
# README.md  src/  package.json  ...
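The three checks above turned into a repeatable self-test, as an added example that is not part of Safehouse. "Denied" is treated as three conditions at once: the command exits non-zero, its stderr carries the kernel's EPERM text (the "Permission denied" variant is accepted too, for tools that remap the error), and nothing reached stdout, because the data must never have reached the process. The ~/.ssh, other-repo and current-project probes are the page's own; the ~/.aws probe and the write probe are this example's additions.

```sh
#!/bin/sh
# Regression probes for a Safehouse-style sandbox. Added example, not
# Safehouse's code. Run it from inside a project directory on macOS with
# safehouse on PATH; the probe helpers themselves run anywhere.

# Run "$@" and record exit status, stdout and stderr without tripping set -e.
run_probe() {
  PROBE_ERR=$(mktemp)
  PROBE_STATUS=0
  PROBE_OUT=$("$@" 2>"$PROBE_ERR") || PROBE_STATUS=$?
  PROBE_STDERR=$(cat "$PROBE_ERR")
  rm -f "$PROBE_ERR"
}

# Pass only when the command was blocked: non-zero exit, an EPERM/EACCES
# message on stderr, and an empty stdout (nothing leaked to the process).
expect_denied() {
  run_probe "$@"
  if [ "$PROBE_STATUS" -eq 0 ]; then
    printf 'FAIL  not blocked:  %s\n' "$*"; return 1
  fi
  if [ -n "$PROBE_OUT" ]; then
    printf 'FAIL  data leaked:  %s\n' "$*"; return 1
  fi
  case "$PROBE_STDERR" in
    *"Operation not permitted"*|*"Permission denied"*) ;;
    *) printf 'FAIL  wrong error:  %s\n' "$*"; return 1 ;;
  esac
  printf 'ok    denied:       %s\n' "$*"
}

# Pass when the command ran normally (exit 0).
expect_allowed() {
  run_probe "$@"
  if [ "$PROBE_STATUS" -ne 0 ]; then
    printf 'FAIL  blocked:      %s (%s)\n' "$*" "$PROBE_STDERR"; return 1
  fi
  printf 'ok    allowed:      %s\n' "$*"
}

# The page's probes plus a write probe, all run through safehouse.
# Returns the number of failed probes. id_ed25519 is the page's example;
# point it at a key that exists on your machine.
sandbox_selftest() {
  fails=0
  expect_denied  safehouse cat "$HOME/.ssh/id_ed25519"       || fails=$((fails + 1))
  expect_denied  safehouse ls "$HOME/other-project"           || fails=$((fails + 1))
  expect_denied  safehouse ls "$HOME/.aws"                    || fails=$((fails + 1))
  expect_denied  safehouse touch "$HOME/.ssh/safehouse-probe" || fails=$((fails + 1))
  rm -f "$HOME/.ssh/safehouse-probe"   # only exists if the write probe failed
  expect_allowed safehouse ls .                               || fails=$((fails + 1))
  return "$fails"
}

# Usage (macOS, inside a project): sh sandbox-selftest.sh --run
if [ "${1:-}" = "--run" ]; then
  sandbox_selftest
fi
```

The probes call `safehouse` directly rather than the `claude`/`codex` wrappers, so they still work after the shell functions from the next section are installed, and they are worth re-running after every update of the script.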

Safe by default with shell functions

Add these to your shell configuration and every agent runs inside Safehouse automatically, so there is nothing to remember. To run an agent without the sandbox, prefix it with `command` (for example `command claude`), which bypasses the shell function and runs the binary directly.

# ~/.zshrc or ~/.bashrc

# Shared wrapper: every agent gets the project read/write plus ~/mywork read-only.
# Use "$HOME" rather than ~ after the "=": bash expands "--flag=~/dir" but zsh does
# not by default, so the literal "~/mywork" would be passed to safehouse under zsh.
safe() { safehouse --add-dirs-ro="$HOME/mywork" "$@"; }

# Sandboxed — the default. Just type the command name. Each function hands the
# real binary to safehouse, which runs it by PATH, so no recursion occurs.
claude() { safe claude --dangerously-skip-permissions "$@"; }
codex()  { safe codex --dangerously-bypass-approvals-and-sandbox "$@"; }
amp()    { safe amp --dangerously-allow-all "$@"; }
gemini() { NO_BROWSER=true safe gemini --yolo "$@"; }

# Unsandboxed — bypass the function with `command`
# command claude   # plain interactive session