Overview & Philosophy

Agent Safehouse sandboxes LLM coding agents on macOS so they can only access paths they need.

It uses macOS sandbox-exec with composable policy profiles. The default posture is strict: start from deny-all, then allow specific system/runtime/toolchain paths plus explicitly granted project paths.

Why

LLM coding agents run shell commands with your user privileges. A prompt injection, confused deputy flow, or a bad command can otherwise touch SSH keys, cloud credentials, unrelated repos, and personal files.

Safehouse reduces that blast radius without requiring major workflow changes.

Guiding Philosophy

Agent productivity is prioritized over paranoid lockdown. The goal is practical damage reduction and stronger defaults, not perfect isolation against a determined attacker.

Each policy rule should answer one question:

Does the agent need this to do its job?

What Safehouse Allows

• Filesystem reads for core macOS/system/toolchain paths needed for shells, compilers, and package managers.
• Curated Apple Command Line Tools paths for common shimmed developer tools such as git, make, and clang.
• Process execution/forking so normal dev subprocess trees work.
• Host process enumeration/signalling only when --enable=process-control or --enable=lldb is selected.
• LLDB/debugger toolchain access only when --enable=lldb is selected.
• Xcode developer roots and per-user build/simulator state only when --enable=xcode is selected.
• Agent/app-specific config grants scoped to the wrapped command.
• Keychain/security integration when --enable=keychain is selected or selected profiles declare keychain dependency metadata.
• Core SCM integration profiles and related defaults for tools such as git, gh, and glab.
• Sanitized runtime environment by default, with explicit opt-in controls for env pass-through and SDKROOT preserved when set.
• Network access by default for registries, APIs, remotes, and MCP servers.
• Temporary directories and runtime IPC services required by common CLI workflows.

What Is Denied By Default

• SSH private keys under ~/.ssh.
• Shell startup files unless --enable=shell-init is used.
• Sensitive browser profile data such as cookies, login data, history, and bookmarks.
• Clipboard access unless --enable=clipboard is used.
• Host process enumeration/control unless --enable=process-control or --enable=lldb is used.
• LLDB/debugger toolchain and task-port access unless --enable=lldb is used.
• Full Xcode developer roots, DerivedData, and CoreSimulator state unless --enable=xcode is used.
• Broad raw device access under /dev.

--enable=browser-native-messaging opens native-messaging manifest registration paths and extension-manifest reads. It does not grant browsing data.

Important Limitations

Safehouse does not fully protect against:

• Data exfiltration over network from files the sandbox is allowed to read.
• Sandbox escapes (it is not a VM/hypervisor boundary).
• Abuse through already-allowed IPC/credential channels.
• Leakage of data from explicitly allowed paths.

For practical hardening guidance, continue with Getting Started and Usage.

Isolation Model Comparison

Safehouse is a host-level macOS policy wrapper, not a VM boundary. It is optimized for day-to-day local agent workflows where low overhead and native compatibility matter.

For a detailed comparison with VMs and containers, see Isolation Models.

Default Assumptions

Safehouse defaults prioritize usability plus constrained blast radius:

• keep common coding workflows working
• require explicit opt-in for sensitive integrations
• keep final user overrides possible

For the full allow/disable matrix, see Default Assumptions.