Agent Safehouse: macOS-native sandboxing for local AI coding agents

OpenClawRadar · Published: March 9, 2026 · Source

Agent Safehouse is a macOS-native sandboxing solution for local AI coding agents that enforces file access restrictions at the kernel level. The tool addresses the probabilistic nature of LLMs by preventing agents from making destructive changes outside designated project directories.

How it works

Safehouse implements a deny-first access model where agents inherit no permissions by default. The kernel blocks system calls before any files are touched, preventing operations like rm -rf ~ from succeeding. When an agent attempts to access restricted areas, the kernel returns "Operation not permitted."

Access control model

  • Project directory: read/write access (git root by default)
  • Shared libraries: read-only access if explicitly granted
  • Denied by default: SSH keys (~/.ssh/), AWS credentials (~/.aws/), other repositories, personal files
  • Toolchains: read access to installed toolchains

Getting started

# 1. Download safehouse (single self-contained script)
mkdir -p ~/.local/bin
curl -fsSL https://raw.githubusercontent.com/eugene1g/agent-safehouse/main/dist/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse

# 2. Run any agent inside Safehouse
cd ~/projects/my-app
safehouse claude --dangerously-skip-permissions

Testing the sandbox

# Try to read your SSH private key — denied by the kernel
safehouse cat ~/.ssh/id_ed25519
# cat: /Users/you/.ssh/id_ed25519: Operation not permitted

# Try to list another repo — invisible
safehouse ls ~/other-project
# ls: /Users/you/other-project: Operation not permitted

# But your current project works fine
safehouse ls .
# README.md src/ package.json ...

Shell integration

Add these functions to your shell config (~/.zshrc or ~/.bashrc) to run agents sandboxed by default:

safe () { safehouse --add-dirs-ro=~/mywork "$@"; }

# Sandboxed — the default. Just type the command name.
claude () { safe claude --dangerously-skip-permissions "$@"; }
codex () { safe codex --dangerously-bypass-approvals-and-sandbox "$@"; }
amp () { safe amp --dangerously-allow-all "$@"; }
gemini () { NO_BROWSER=true safe gemini --yolo "$@"; }

# Unsandboxed — bypass the function with command
command claude   # plain interactive session

LLM-assisted profile generation

The project includes a prompt that instructs LLMs (Claude, Codex, Gemini, etc.) to inspect Safehouse profile templates, ask about your home directory and toolchain setup, and generate a least-privilege sandbox-exec profile. The prompt guides the LLM to ask about global dotfiles, suggest a durable profile path like ~/.config/sandbox-exec.profile, create a wrapper that grants access to the current working directory, and add shell shortcuts for preferred agents.
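The access control model, the shell integration and the profile-generation prompt above all come down to one artifact: a deny-first sandbox-exec profile (Apple's SBPL, the Scheme-like language `sandbox-exec -f` reads) that is generated for the current project and then used to launch the agent. The script below is an added illustration of that pattern; it is not Safehouse's own `safehouse.sh`, and the exact rule set Safehouse ships, the function names `gen_profile` and `run_sandboxed`, the `SAFE_RO_DIRS` variable and the sample paths (`/Users/you/...`) are all assumptions made for the example. It writes a profile where everything is denied unless explicitly allowed, the git root is the only writable tree, caller-supplied directories are read-only (the `--add-dirs-ro` idea), toolchains are readable, and `~/.ssh` and `~/.aws` carry an explicit deny placed last so that an over-broad allow rule added later cannot expose them.

```shell
#!/bin/sh
# Added example: build a deny-first sandbox-exec (SBPL) profile for a coding
# agent. Illustrative code, not Agent Safehouse's own script; the rule set
# and helper names are assumptions.

# gen_profile PROJECT_DIR [READ_ONLY_DIR ...]  -> prints an SBPL profile
gen_profile() {
    project="$1"; shift
    home="${HOME:-/Users/you}"        # constructed fallback for illustration
    printf '%s\n' '(version 1)'
    # Deny-first: nothing is permitted unless a later rule allows it.
    printf '%s\n' '(deny default)'
    # Process plumbing every agent needs to spawn its tools (git, node, ...).
    printf '%s\n' '(allow process-exec process-fork signal sysctl-read)'
    printf '%s\n' '(allow mach-lookup)'
    printf '%s\n' '(allow network*)'
    # Toolchains and system libraries: read-only.
    for d in /usr /bin /sbin /System /Library /private/etc /dev /opt/homebrew; do
        printf '(allow file-read* (subpath "%s"))\n' "$d"
    done
    printf '%s\n' '(allow file-read* file-write* (subpath "/private/tmp"))'
    printf '%s\n' '(allow file-read* file-write* (literal "/dev/null"))'
    # The project directory is the only user-owned tree the agent may write.
    printf '(allow file-read* file-write* (subpath "%s"))\n' "$project"
    # Extra directories the caller opted in to, read-only.
    for d in "$@"; do
        printf '(allow file-read* (subpath "%s"))\n' "$d"
    done
    # Secrets: already covered by (deny default), but an explicit deny placed
    # last wins over any earlier allow that was drawn too widely.
    for d in "$home/.ssh" "$home/.aws"; do
        printf '(deny file-read* file-write* (subpath "%s"))\n' "$d"
    done
}

# run_sandboxed CMD [ARGS...]: confine CMD to the git root (or the current
# directory when not in a repo) plus any directories listed, space-separated,
# in $SAFE_RO_DIRS as read-only. Requires macOS sandbox-exec.
run_sandboxed() {
    root=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
    profile=$(mktemp) || return 1
    gen_profile "$root" ${SAFE_RO_DIRS:-} > "$profile"
    sandbox-exec -f "$profile" "$@"
    status=$?
    rm -f "$profile"
    return $status
}

# Shell shortcut in the style of the page, e.g. in ~/.zshrc:
#   claude () { SAFE_RO_DIRS="$HOME/mywork" run_sandboxed claude --dangerously-skip-permissions "$@"; }
```

Two points worth checking before relying on a profile like this: `subpath` rules match on the path the kernel sees, so symlinked locations (notably `/tmp` vs `/private/tmp`) need the resolved path, and `sandbox-exec` is marked deprecated in its own man page even though it still ships and works; a sandbox that silently stops applying is worse than none, so keep the "Operation not permitted" smoke tests from the section above as a routine check after OS updates.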

Supported agents

Tested against: Claude Code, Codex, OpenCode, Amp, Gemini CLI, Aider, Goose, Auggie, Pi, Cursor Agent, Cline, Kilo, Code Droid, and custom agents.

Read the full source: HN AI Agents