
Agent Safehouse

Practical Security for AI Coding Agents

Agent Safehouse uses macOS sandbox-exec with composable policy profiles to reduce the blast radius when LLM coding agents run on your machine. It follows a deny-first model: start from deny-all, then allow only what the agent needs to do useful work.

Quick Start

Get up and running in 5 minutes with basic sandboxing

Installation

Install the CLI and set up shell functions

CLI Options

Explore all available commands and flags

Agent Compatibility

Check compatibility with 14+ coding agents

Key Features

Deny-First Security Model

Start from deny-all and explicitly allow only what agents need. Reduces blast radius from prompt injection and confused deputy flows.

Composable Policy Profiles

Modular .sb profiles for toolchains, integrations, and agents. Mix and match capabilities with --enable flags.

14+ Agent Profiles

Pre-built profiles for Claude, Cursor, Aider, Goose, OpenCode, and more. Agent-specific grants applied automatically.

Optional Integrations

Docker, kubectl, SSH, clipboard, 1Password, and more. Enable only what you need with fine-grained controls.

Machine-Local Overrides

Append custom policy files for host-specific paths. Keep shared repo config separate from local exceptions.

Workdir-Based Config

Drop a .safehouse file in your repo to define project-specific policies. Trust and load with --trust-workdir-config.

What Gets Protected

Agent Safehouse denies access to sensitive paths by default. Agents cannot read SSH keys, shell startup files, browser profiles, or arbitrary home directory files unless explicitly granted.

SSH Keys

~/.ssh private keys blocked by default

Shell Init Files

.zshrc, .bashrc require --enable=shell-init

Browser Profiles

Profile data requires --enable=browser-native-messaging

Clipboard Access

Clipboard requires --enable=clipboard

Process Control

Host process enumeration requires --enable=process-control

Debugger Access

LLDB and task-port require --enable=lldb

Philosophy

Agent Safehouse is designed around practical least privilege:

  • Start from deny-all
  • Allow only what the agent needs to do useful work
  • Keep developer workflows productive
  • Make risk reduction easy by default

It is a hardening layer, not a perfect security boundary against a determined attacker.

For a detailed comparison with VMs and containers, see Isolation Models.

Getting Started

1. Install the CLI

Download and install the safehouse CLI to your local bin directory.

  mkdir -p ~/.local/bin
  curl -fsSL https://raw.githubusercontent.com/eugene1g/agent-safehouse/main/dist/safehouse.sh \
    -o ~/.local/bin/safehouse
  chmod +x ~/.local/bin/safehouse

2. Set up shell functions

Add wrapper functions to your shell config (~/.zshrc) for easy invocation.

  safe() { safehouse --add-dirs-ro=~/mywork "$@"; }
  claude() { safe claude --dangerously-skip-permissions "$@"; }

3. Run your first sandboxed agent

Run an agent with automatic policy generation and sandboxing.

  claude "Check the project structure"
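A smoke test for a fresh install, added here as an example and not part of Agent Safehouse: it performs reads inside the sandbox and checks that the deny-by-default claims above hold, and that the documented --enable=shell-init and --add-dirs-ro grants lift exactly the restriction they name. It assumes safehouse runs the trailing command inside the sandbox and passes its exit status through (as the wrapper functions above imply), and uses ~/.ssh/id_ed25519 and ~/mywork as constructed placeholder paths.

```shell
#!/bin/sh
# Added smoke test for a fresh install; not part of Agent Safehouse itself.
# Assumes `safehouse [flags] <cmd> [args]` runs <cmd> inside the sandbox and
# passes its exit status through, so a denied read makes cat/ls fail. Flags
# are the ones documented on this page; the key file name and ~/mywork are
# constructed placeholders, adjust them to your machine.

# check_outcome EXPECT STATUS: EXPECT is "deny" (read must fail) or "allow"
# (read must succeed), STATUS is the exit status. Prints PASS or FAIL.
check_outcome() {
    case "$1:$2" in
        deny:0)  echo FAIL ;;   # read succeeded where the sandbox should deny it
        deny:*)  echo PASS ;;
        allow:0) echo PASS ;;
        *)       echo FAIL ;;   # read failed where the grant should allow it
    esac
}

# probe EXPECT DESCRIPTION TARGET [safehouse flags...]
# Reads TARGET inside the sandbox (cat for files, ls for directories) with the
# given flags and compares the outcome with EXPECT. Missing targets are
# skipped so a non-existent file is never mistaken for a sandbox denial.
probe() {
    expect="$1"; desc="$2"; target="$3"; shift 3
    if [ ! -e "$target" ]; then
        printf 'SKIP  %s (%s does not exist)\n' "$desc" "$target"; return 0
    fi
    if [ -d "$target" ]; then reader=ls; else reader=cat; fi
    status=0
    safehouse "$@" "$reader" "$target" >/dev/null 2>&1 || status=$?
    result=$(check_outcome "$expect" "$status")
    printf '%s  %s\n' "$result" "$desc"
    [ "$result" = PASS ]
}

# Each deny probe is paired with the grant this page documents for lifting it.
run_smoke() {
    failures=0
    probe deny  "SSH private key blocked by default" "$HOME/.ssh/id_ed25519" || failures=$((failures + 1))
    probe deny  "~/.zshrc blocked without --enable=shell-init" "$HOME/.zshrc" || failures=$((failures + 1))
    probe allow "~/.zshrc readable with --enable=shell-init" "$HOME/.zshrc" --enable=shell-init || failures=$((failures + 1))
    probe deny  "~/mywork blocked without a grant" "$HOME/mywork" || failures=$((failures + 1))
    probe allow "~/mywork readable with --add-dirs-ro" "$HOME/mywork" "--add-dirs-ro=$HOME/mywork" || failures=$((failures + 1))
    echo "failures: $failures"
    return "$failures"
}

# The probes only run when explicitly requested, so sourcing this file is safe.
if [ "${SAFEHOUSE_SMOKE:-0}" = 1 ]; then run_smoke; fi
```

Run it on the Mac where safehouse is installed with `SAFEHOUSE_SMOKE=1 sh smoke.sh`; any FAIL line means a documented restriction or grant is not behaving as described and is worth checking with the Debugging guide before trusting the sandbox with an agent.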

Learn More

Core Concepts

Understand the sandbox model, policy architecture, and design philosophy

Usage Guide

Learn how to use CLI options, shell functions, and workdir config

Policy Architecture

Deep dive into policy assembly, profile layers, and customization

Debugging

Debug sandbox denials with logs and policy inspection
