# Agent Safehouse — Sandbox macOS Coding Agents

Agent Safehouse sandboxes local coding agents on macOS using sandbox-exec deny-first profiles, limiting access to only approved files and integrations.

## Quick Use

```bash
brew install eugene1g/safehouse/agent-safehouse

# Wrap an agent command (example from README patterns)
safehouse --help

# Example wrapper idea (zsh):
safe-claude() {
  safehouse claude --dangerously-skip-permissions "$@"
}
```

## Intro

Agent Safehouse sandboxes local LLM coding agents on macOS so they can only access the files and integrations you allow. It uses sandbox-exec with deny-first profiles and is GitHub-verified at 1,753★.

**Best for:** running autonomous coding modes on macOS while restricting filesystem/integration access to least privilege

**Works with:** macOS; sandbox-exec; composable deny-first profiles; wraps common coding agents

**Setup time:** 10–25 minutes

### Key facts (verified)

- README provides Homebrew install: `brew install eugene1g/safehouse/agent-safehouse`.
- README shows a standalone script install path via `safehouse.sh` for `~/.local/bin`.
- README explains deny-first and that HOME metadata traversal does not imply recursive reads by default.
- GitHub: 1,753 stars · 65 forks; pushed 2026-05-07 (GitHub API verified).

## Main

A practical rollout for Safehouse:

1) Start with a single agent integration and a single repo/workdir.
2) Add only the directories the agent truly needs via CLI options (read-only where possible).
3) Keep machine-specific exceptions in an appended local profile so team repos stay clean.

Safehouse is not a perfect boundary, but it materially reduces blast radius when experimenting with more autonomous modes.
### README excerpt (verbatim)

# Agent Safehouse

[![Tests (macOS)](https://github.com/eugene1g/agent-safehouse/actions/workflows/tests-macos.yml/badge.svg)](https://github.com/eugene1g/agent-safehouse/actions/workflows/tests-macos.yml) [![E2E TUI Tests (macOS)](https://github.com/eugene1g/agent-safehouse/actions/workflows/e2e-agent-tui-macos.yml/badge.svg)](https://github.com/eugene1g/agent-safehouse/actions/workflows/e2e-agent-tui-macos.yml) [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)

Sandbox your LLM coding agents on macOS so they can only access the files and integrations they actually need.

Agent Safehouse uses `sandbox-exec` with composable policy profiles and a deny-first model. It includes profiles for major coding agents and app-hosted agent workflows while keeping normal development usage practical.

## Install

Homebrew:

```bash
brew install eugene1g/safehouse/agent-safehouse
```

Standalone script:

```bash
mkdir -p ~/.local/bin
curl -fsSL https://github.com/eugene1g/agent-safehouse/releases/latest/download/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse
```

## Philosophy

Agent Safehouse is designed around practical least privilege:

- Start from deny-all.
- Allow only what the agent needs to do useful work.
- Keep developer workflows productive.
- Make risk reduction easy by default.

It is a hardening layer, not a perfect security boundary against a determined attacker.

## HOME access by default

`HOME_DIR` is used to render precise home-relative rules in the assembled policy. By itself, it does not grant recursive read access to your home directory.
Default Safehouse behavior is narrower:

- metadata-only traversal on `/`, the path to `$HOME`, and `$HOME` itself so runtimes can probe explicitly allowed home-scoped paths
- directory-root reads for `~/.config` and `~/.cache` so tools can discover XDG locations
- a few explicit home-scoped files/directories from always-on profiles, such as git/ssh metadata and shared agent instruction folders

In practice, `stat "$HOME"` can succeed while `ls "$HOME"` and `cat ~/secret.txt` still fail unless a more specific rule grants that path.

If you want to remove even the default home exceptions, use `--append-profile`; appended profiles load last, so their deny rules can narrow earlier defaults.

## Built-In System Path Resolution

Safehouse's built-in `profiles/*` modules may include macOS compatibility paths such as `/etc`, `/private/etc/resolv.conf`, or `/private/etc/localtime`.

### FAQ

**Q: What does Safehouse sandbox?**
A: It uses macOS sandbox-exec profiles to restrict what the agent process can access (per README).

**Q: Is it deny-first by default?**
A: Yes—README describes a deny-first model with composable profiles.

**Q: How do I install it?**
A: Use `brew install eugene1g/safehouse/agent-safehouse` or the standalone script path from the README.
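To make the deny-first HOME behaviour and the "appended profiles load last" rule concrete, here is an added example that is not one of Safehouse's own `profiles/*` modules (their contents are not shown on this page). It hand-assembles a minimal `sandbox-exec` SBPL policy with the same shape: deny by default, metadata-only traversal down to `$HOME`, directory-root reads for `~/.config` and `~/.cache`, recursive read/write on one approved work directory, and a local append profile whose deny rule is rendered last so it narrows the base. The function names, the runtime-support allowances, and the sample paths `/Users/alice` and `/Users/alice/code/app` are assumptions for illustration; the smoke check only runs where `sandbox-exec` exists.

```shell
#!/bin/sh
# Added example: a hand-written deny-first sandbox-exec (SBPL) policy that
# mirrors the HOME behaviour described above. It is not one of Safehouse's
# own profiles; function names and the runtime-support set are assumptions.

# Base profile. $1 = home directory, $2 = the one approved work directory.
render_base_profile() {
  home="$1"; workdir="$2"
  printf '%s\n' '(version 1)' '(deny default)'

  # Assumed minimal allowances so a system binary (stat, ls) can even start;
  # tune on your machine. Safehouse's real profiles carry their own
  # macOS compatibility paths (e.g. /etc, /private/etc/resolv.conf).
  printf '%s\n' \
    '(allow process-fork)' \
    '(allow process-exec* (subpath "/bin") (subpath "/usr/bin"))' \
    '(allow file-read* (subpath "/bin") (subpath "/usr/bin") (subpath "/usr/lib")' \
    '                  (subpath "/System") (literal "/dev/null"))' \
    '(allow sysctl-read)'

  # Metadata-only traversal: stat succeeds on $HOME, each of its ancestors
  # and /, but nothing under them is listed or read.
  p="$home"
  while [ -n "$p" ] && [ "$p" != "/" ]; do
    printf '(allow file-read-metadata (literal "%s"))\n' "$p"
    p=$(dirname "$p")
  done
  printf '(allow file-read-metadata (literal "/"))\n'

  # Directory-root reads: the directory entries are listable; files beneath
  # them are separate paths and remain denied.
  printf '(allow file-read* (literal "%s"))\n' "$home/.config" "$home/.cache"

  # The single approved work directory, recursively, read and write.
  printf '(allow file-read* file-write* (subpath "%s"))\n' "$workdir"
}

# Local append profile. SBPL applies the last matching rule, so a rule
# rendered after the base narrows it: here the ~/.cache root read is withdrawn.
render_append_profile() {
  printf '(deny file-read* (literal "%s"))\n' "$1/.cache"
}

# Assemble in load order: base first, machine-local exceptions last.
assemble_policy() {
  render_base_profile "$1" "$2"
  render_append_profile "$1"
}

# Observe the README's claim on a Mac: stat "$HOME" passes, ls "$HOME" fails.
# Prints a note and returns 0 where sandbox-exec is unavailable (e.g. Linux).
smoke_check() {
  if ! command -v sandbox-exec >/dev/null 2>&1; then
    echo "sandbox-exec not available; skipping smoke check"
    return 0
  fi
  prof=$(mktemp) || return 1
  assemble_policy "$HOME" "$PWD" > "$prof"
  if sandbox-exec -f "$prof" /usr/bin/stat "$HOME" >/dev/null 2>&1; then
    echo "stat \$HOME: allowed (metadata only)"
  else
    echo "stat \$HOME: denied"
  fi
  if sandbox-exec -f "$prof" /bin/ls "$HOME" >/dev/null 2>&1; then
    echo "ls \$HOME: allowed (unexpected)"
  else
    echo "ls \$HOME: denied, as intended"
  fi
  rm -f "$prof"
}
```

Run `assemble_policy "$HOME" "$PWD"` to print the assembled policy and `smoke_check` to exercise it; on macOS the second command should show `stat` allowed and `ls` denied, which is exactly the distinction between metadata traversal and recursive reads that the README draws.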
## Source & Thanks

> Source: https://github.com/eugene1g/agent-safehouse
> License: Apache-2.0
> GitHub stars: 1,753 · forks: 65
---

Source: https://tokrepo.com/en/workflows/agent-safehouse-sandbox-macos-coding-agents
Author: Agent Toolkit