Workflows · May 13, 2026 · 3 min read

Agent Safehouse — Sandbox macOS Coding Agents

Agent Safehouse sandboxes local coding agents on macOS using sandbox-exec deny-first profiles, limiting access to only approved files and integrations.

Agent-ready

This asset can be read and installed directly by agents.

TokRepo exposes a universal CLI command, an install contract, JSON metadata, a per-adapter plan and the raw content so that agents can evaluate compatibility, risk and next steps.

  • Assessment: Needs Confirmation · 62/100 · Policy: confirm
  • Agent surface: any MCP/CLI agent
  • Type: Workflow
  • Installation: Brew | Curl
  • Trust: Established
  • Input: brew install eugene1g/safehouse/agent-safehouse
  • Universal CLI command: npx tokrepo install d13c739b-0477-5978-a0df-8d9be7368988
Introducción

Agent Safehouse sandboxes local LLM coding agents on macOS so they can only access the files and integrations you allow. It uses sandbox-exec with deny-first profiles and is GitHub-verified at 1,753★.

Best for: running autonomous coding modes on macOS while restricting filesystem/integration access to least privilege

Works with: macOS; sandbox-exec; composable deny-first profiles; wraps common coding agents

Setup time: 10–25 minutes

Key facts (verified)

  • README provides Homebrew install: brew install eugene1g/safehouse/agent-safehouse.
  • README shows a standalone script install path via safehouse.sh for ~/.local/bin.
  • README explains deny-first and that HOME metadata traversal does not imply recursive reads by default.
  • GitHub: 1,753 stars · 65 forks; pushed 2026-05-07 (GitHub API verified).

Main

A practical rollout for Safehouse:

  1. Start with a single agent integration and a single repo/workdir.
  2. Add only the directories the agent truly needs via CLI options (read-only where possible).
  3. Keep machine-specific exceptions in an appended local profile so team repos stay clean.

Safehouse is not a perfect boundary, but it materially reduces blast radius when experimenting with more autonomous modes.

README excerpt (verbatim)

Agent Safehouse

Badges: Tests (macOS) · E2E TUI Tests (macOS) · License: Apache 2.0

Sandbox your LLM coding agents on macOS so they can only access the files and integrations they actually need.

Agent Safehouse uses sandbox-exec with composable policy profiles and a deny-first model. It includes profiles for major coding agents and app-hosted agent workflows while keeping normal development usage practical.

Install

Homebrew:

brew install eugene1g/safehouse/agent-safehouse

Standalone script:

mkdir -p ~/.local/bin
curl -fsSL https://github.com/eugene1g/agent-safehouse/releases/latest/download/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse

Philosophy

Agent Safehouse is designed around practical least privilege:

  • Start from deny-all.
  • Allow only what the agent needs to do useful work.
  • Keep developer workflows productive.
  • Make risk reduction easy by default.

It is a hardening layer, not a perfect security boundary against a determined attacker.

HOME access by default

HOME_DIR is used to render precise home-relative rules in the assembled policy. By itself, it does not grant recursive read access to your home directory.

Default Safehouse behavior is narrower:

  • metadata-only traversal on /, the path to $HOME, and $HOME itself so runtimes can probe explicitly allowed home-scoped paths
  • directory-root reads for ~/.config and ~/.cache so tools can discover XDG locations
  • a few explicit home-scoped files/directories from always-on profiles, such as git/ssh metadata and shared agent instruction folders

In practice, stat "$HOME" can succeed while ls "$HOME" and cat ~/secret.txt still fail unless a more specific rule grants that path.

If you want to remove even the default home exceptions, use --append-profile; appended profiles load last, so their deny rules can narrow earlier defaults.
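The following is an illustrative sandbox-exec profile written for this page to show the HOME behaviour described above and the narrowing effect of a trailing (appended) fragment; it is not a Safehouse profile and not taken from the project. It assumes $HOME lives under /Users, that the work directory is passed as a WORKDIR parameter alongside HOME_DIR, and that the small set of system paths allowed at the top is enough for /bin/sh to start on the macOS version in use.

```scheme
;; Illustrative deny-first sandbox-exec profile (added example, not a Safehouse
;; profile). Run it as (usage is part of this example, not a Safehouse command):
;;   sandbox-exec -D HOME_DIR="$HOME" -D WORKDIR="$PWD" -f demo.sb \
;;     /bin/sh -c 'stat "$HOME"; ls "$HOME"; cat ~/secret.txt'
;; Expected: stat succeeds, ls and cat fail with "Operation not permitted".
(version 1)
(deny default)

;; Minimal allowances so /bin/sh and the probes can execute. This set is an
;; assumption and varies by macOS version; a real profile would load it from
;; shared modules rather than inline.
(allow process-fork)
(allow process-exec (subpath "/bin") (subpath "/usr/bin"))
(allow file-read*
  (subpath "/bin")
  (subpath "/usr/bin")
  (subpath "/usr/lib")
  (subpath "/usr/share")
  (subpath "/System/Library")
  (subpath "/private/var/db/dyld")
  (literal "/dev/null"))
(allow sysctl-read)

;; macOS compatibility paths: /etc is a symlink to /private/etc, so the link
;; needs metadata while the two resolved files need data.
(allow file-read-metadata (literal "/etc"))
(allow file-read*
  (literal "/private/etc/resolv.conf")
  (literal "/private/etc/localtime"))

;; HOME handling: metadata only on "/", the path to $HOME and $HOME itself.
;; stat() needs file-read-metadata, which is granted; opendir()/open() need
;; file-read-data, which nothing below grants for $HOME, so ls and cat fail.
;; "/Users" is assumed to be the parent of HOME_DIR.
(allow file-read-metadata
  (literal "/")
  (literal "/Users")
  (literal (param "HOME_DIR")))

;; Directory-root reads use (literal ...), not (subpath ...): a tool can see
;; that ~/.config and ~/.cache exist and list them, but files underneath stay
;; denied unless a more specific rule allows them.
(allow file-read*
  (literal (string-append (param "HOME_DIR") "/.config"))
  (literal (string-append (param "HOME_DIR") "/.cache")))

;; The only tree the agent may read and write: the repo or workdir it is
;; working in (WORKDIR is an assumed parameter name).
(allow file-read* file-write* (subpath (param "WORKDIR")))

;; What an appended fragment does: later rules take precedence over earlier
;; ones, so this trailing deny removes the ~/.cache root read granted above
;; without editing the earlier defaults.
(deny file-read* (literal (string-append (param "HOME_DIR") "/.cache")))
```

The point of the last rule is the ordering: because the sandbox language resolves conflicts in favour of the later rule, a machine-local fragment loaded after the shared defaults can only be narrower or wider depending on whether it contains deny or allow rules, which is why keeping exceptions in an appended local profile leaves the team's shared profile untouched. Apple marks sandbox-exec as deprecated, but it is still present and usable on current macOS releases.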

Built-In System Path Resolution

Safehouse's built-in profiles/* modules may include macOS compatibility paths such as /etc, /private/etc/resolv.conf, or /private/etc/localtime.

FAQ

Q: What does Safehouse sandbox? A: It uses macOS sandbox-exec profiles to restrict what the agent process can access (per README).

Q: Is it deny-first by default? A: Yes—README describes a deny-first model with composable profiles.

Q: How do I install it? A: Use brew install eugene1g/safehouse/agent-safehouse or the standalone script path from the README.


Source and acknowledgements

Source: https://github.com/eugene1g/agent-safehouse · License: Apache-2.0 · GitHub stars: 1,753 · forks: 65
