Workflows · 2026-05-13 · 1 min read

Agent Safehouse — Sandbox macOS Coding Agents

Agent Safehouse sandboxes local coding agents on macOS using sandbox-exec deny-first profiles, limiting access to only approved files and integrations.

Agent-ready

This asset can be read and installed directly by an agent.

TokRepo provides a CLI command, metadata JSON, an install plan and a link to the raw content, so an agent can judge fit, risk and the next action.

Needs Confirmation · 62/100 · Policy: needs confirmation
Target: Claude Code
Type: Workflow
Install: Brew | Curl
Trust: trust level Established
Entry: brew install eugene1g/safehouse/agent-safehouse
CLI install command: npx tokrepo install d13c739b-0477-5978-a0df-8d9be7368988 --target codex

Overview

Agent Safehouse sandboxes local LLM coding agents on macOS so they can only reach the files and integrations you allow. It is built on sandbox-exec deny-first profiles; GitHub shows 1,753 stars (verified).

Best for: running more autonomous coding modes on macOS while narrowing file and integration access to least privilege

Fit: macOS; sandbox-exec; composable deny-first profiles; can wrap common coding agents

Setup time: 10–25 minutes

Key facts (verified)

  • The README gives a Homebrew install: brew install eugene1g/safehouse/agent-safehouse
  • The README also offers a script install: download safehouse.sh to ~/.local/bin/safehouse and make it executable.
  • The README explains deny-first: by default, metadata probing of HOME is not the same as recursive read access.
  • GitHub: 1,753 stars · 65 forks; last updated 2026-05-07 (verified via the GitHub API).

Body

Roll Safehouse out incrementally:

  1. Start with one agent and one repository or working directory.
  2. Add only the directories the agent genuinely needs (read-only wherever possible); everything else stays denied by default.
  3. Put machine-specific exceptions in a local append profile so they do not leak into the team's repository configuration.

One caveat on the standalone installer: it fetches safehouse.sh from the `latest` GitHub release and runs outside any sandbox, so read the downloaded script before you chmod +x it.

Safehouse is not an absolute security boundary, but when you try more autonomous modes it substantially reduces the blast radius of agent mistakes and data exfiltration.

README excerpt (verbatim)

Agent Safehouse

Sandbox your LLM coding agents on macOS so they can only access the files and integrations they actually need.

Agent Safehouse uses sandbox-exec with composable policy profiles and a deny-first model. It includes profiles for major coding agents and app-hosted agent workflows while keeping normal development usage practical.

Install

Homebrew:

brew install eugene1g/safehouse/agent-safehouse

Standalone script:

mkdir -p ~/.local/bin
curl -fsSL https://github.com/eugene1g/agent-safehouse/releases/latest/download/safehouse.sh \
  -o ~/.local/bin/safehouse
chmod +x ~/.local/bin/safehouse

Philosophy

Agent Safehouse is designed around practical least privilege:

  • Start from deny-all.
  • Allow only what the agent needs to do useful work.
  • Keep developer workflows productive.
  • Make risk reduction easy by default.

It is a hardening layer, not a perfect security boundary against a determined attacker.

HOME access by default

HOME_DIR is used to render precise home-relative rules in the assembled policy. By itself, it does not grant recursive read access to your home directory.

Default Safehouse behavior is narrower:

  • metadata-only traversal on /, the path to $HOME, and $HOME itself so runtimes can probe explicitly allowed home-scoped paths
  • directory-root reads for ~/.config and ~/.cache so tools can discover XDG locations
  • a few explicit home-scoped files/directories from always-on profiles, such as git/ssh metadata and shared agent instruction folders

In practice, stat "$HOME" can succeed while ls "$HOME" and cat ~/secret.txt still fail unless a more specific rule grants that path.

If you want to remove even the default home exceptions, use --append-profile; appended profiles load last, so their deny rules can narrow earlier defaults.

Built-In System Path Resolution

Safehouse's built-in profiles/* modules may include macOS compatibility paths such as /etc, /private/etc/resolv.conf, or /private/etc/localtime.
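The README's HOME-access section above and the incremental rollout advice in the body describe the same mechanism: a `(deny default)` baseline, metadata-only traversal up to $HOME, directory-root reads for the XDG directories, a read-write grant for the one project the agent works in, and a local append profile that loads last and can narrow the defaults. The following is an added example, not Agent Safehouse's own code and not its profile format: it renders such a policy as plain SBPL text and checks the outcomes the README promises (`stat "$HOME"` allowed, `ls "$HOME"` and `cat ~/secret.txt` denied) with a small evaluator that models SBPL as "last matching rule wins", which is the assumption behind "appended profiles load last, so their deny rules can narrow earlier defaults". The paths `/Users/dev` and `/Users/dev/src/app` are constructed; the `/usr/lib` and `/System/Library` read grants stand in for the runtime allowances a real profile also needs (exec, mach-lookup, sysctl and so on are not modelled). Run real profiles with `sandbox-exec -f profile.sb <command>` on macOS; this script only reasons about them.

```python
"""Illustrative deny-first SBPL assembler and evaluator (added example)."""
from dataclasses import dataclass
from pathlib import PurePosixPath

HOME = "/Users/dev"            # constructed example home directory
PROJECT = f"{HOME}/src/app"    # constructed example project the agent may edit


@dataclass(frozen=True)
class Rule:
    decision: str   # "allow" or "deny"
    op: str         # "file-read-metadata", "file-read-data", "file-read*", "file-write*" ...
    kind: str       # "literal", "subpath" or "default" (matches every operation)
    path: str = ""

    def sbpl(self) -> str:
        if self.kind == "default":
            return f"({self.decision} default)"
        return f'({self.decision} {self.op} ({self.kind} "{self.path}"))'


def ancestors(path: str) -> list[str]:
    """'/Users/dev' -> ['/', '/Users', '/Users/dev'] (every component up to the path)."""
    p = PurePosixPath(path)
    return [str(a) for a in reversed([p, *p.parents])]


def base_profile(home: str, project: str) -> list[Rule]:
    """Deny-first baseline in the shape the README describes."""
    rules = [Rule("deny", "", "default")]
    # Runtime allowances so binaries and dyld can load (assumed, not from the README).
    rules += [Rule("allow", "file-read*", "subpath", p) for p in ("/usr/lib", "/System/Library")]
    # Metadata-only traversal on /, each component of the path to $HOME, and $HOME itself.
    rules += [Rule("allow", "file-read-metadata", "literal", p) for p in ancestors(home)]
    # Directory-root reads so tools can discover XDG locations without reading their contents.
    rules += [Rule("allow", "file-read-data", "literal", f"{home}/{d}") for d in (".config", ".cache")]
    # The single working directory the agent is trusted with, read-write.
    rules += [Rule("allow", "file-read*", "subpath", project),
              Rule("allow", "file-write*", "subpath", project)]
    return rules


def local_append_profile(home: str) -> list[Rule]:
    """Machine-specific narrowing that loads last: drop the default ~/.config root read."""
    return [Rule("deny", "file-read*", "literal", f"{home}/.config")]


def assemble(*profiles: list[Rule]) -> str:
    """Concatenate profiles in load order behind the SBPL version header."""
    lines = ["(version 1)"]
    for profile in profiles:
        lines += [r.sbpl() for r in profile]
    return "\n".join(lines)


def op_matches(rule_op: str, op: str) -> bool:
    # "file-read*" covers file-read-data and file-read-metadata; otherwise exact match.
    return rule_op == op or (rule_op.endswith("*") and op.startswith(rule_op[:-1]))


def path_matches(rule: Rule, path: str) -> bool:
    if rule.kind == "literal":
        return path == rule.path
    if rule.kind == "subpath":
        return path == rule.path or path.startswith(rule.path.rstrip("/") + "/")
    return False


def decide(rules: list[Rule], op: str, path: str) -> str:
    """Last matching rule wins (assumed SBPL semantics); `deny default` matches everything."""
    decision = "deny"
    for r in rules:
        if r.kind == "default" or (op_matches(r.op, op) and path_matches(r, path)):
            decision = r.decision
    return decision


def demo() -> dict[str, str]:
    """The probes the README talks about, evaluated against base + local append profile."""
    policy = base_profile(HOME, PROJECT) + local_append_profile(HOME)
    return {
        "stat $HOME": decide(policy, "file-read-metadata", HOME),
        "ls $HOME": decide(policy, "file-read-data", HOME),
        "cat ~/secret.txt": decide(policy, "file-read-data", f"{HOME}/secret.txt"),
        "ls ~/.cache": decide(policy, "file-read-data", f"{HOME}/.cache"),
        "ls ~/.config (narrowed by append)": decide(policy, "file-read-data", f"{HOME}/.config"),
        "read project file": decide(policy, "file-read-data", f"{PROJECT}/main.go"),
        "write project file": decide(policy, "file-write-data", f"{PROJECT}/main.go"),
        "write ~/.zshrc": decide(policy, "file-write-data", f"{HOME}/.zshrc"),
    }


if __name__ == "__main__":
    print(assemble(base_profile(HOME, PROJECT), local_append_profile(HOME)))
    for probe, outcome in demo().items():
        print(f"{outcome:5}  {probe}")
```

The ordering is the whole point of the append profile: the same `~/.config` path is first allowed by the base and then denied by the appended rule, and because the appended rule is evaluated last it wins. Keep team-wide grants in the base and machine-specific narrowing or widening in the append file, exactly as the body above recommends.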

FAQ

What does the Safehouse sandbox restrict? A: Per the README, it uses macOS sandbox-exec profiles to restrict which paths and integrations the agent process can access.

Is it deny-first by default? A: Yes. The README states that policy starts from deny and access is granted incrementally through profiles.

How do I install it? A: The README provides two paths: Homebrew and a standalone script.

Source and acknowledgements

Source: https://github.com/eugene1g/agent-safehouse · License: Apache-2.0 · GitHub stars: 1,753 · forks: 65
