sandbox-exec (Seatbelt) framework.
## Supported Agents

- Aider: Python CLI assistant with terminal UI
- Amp: Clipboard-aware coding agent
- Auggie: Augment Code CLI agent
- Claude Code: Anthropic's CLI/TUI agent
- Cline: VS Code extension agent
- Codex: OpenAI Codex CLI (Rust)
- Copilot CLI: GitHub Copilot command line
- Cursor Agent: Cursor IDE agent mode
- Droid: Factory CLI coding agent
- Gemini CLI: Google's Gemini CLI agent
- Goose: Block's open-source agent
- Kilo Code: VS Code extension (Cline fork)
- OpenCode: Open-source CLI/TUI agent
- Pi: Minimal CLI coding agent
## How Agent Profiles Work

Each agent has a dedicated sandbox profile in `profiles/60-agents/<agent>.sb` that grants:

- Binary paths: where the agent CLI is installed (`~/.local/bin/`, brew, npm global, etc.)
- Config directories: agent settings, sessions, logs (`~/.agent-name/`)
- State/cache: session data, model caches, MCP configurations
- Integrations: Keychain access (when needed), MCP paths, hooks directories
## Shell Wrapper Functions

Safehouse provides shell functions for each agent. Add to your `~/.zshrc` or `~/.bashrc`:

`safehouse --` to apply the sandbox policy.
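As an added illustration of the wrapper pattern (this is example code written for this page, not Safehouse's own wrapper functions), the following POSIX shell file defines one function per agent that routes the call through `safehouse --`. It assumes only what the page states: `safehouse` is on `PATH` and `safehouse -- <agent> [args...]` runs the agent under its profile. The `SAFEHOUSE_BIN` override and the `_sh_find` PATH scan are additions of this example; the scan exists because `command -v aider` inside a function named `aider` reports the function itself, not the binary.

```shell
# Added example, not Safehouse's own wrapper code. Assumptions: `safehouse` is
# on PATH and `safehouse -- <agent> [args...]` runs <agent> under its sandbox
# profile, as the page describes. Source this file from ~/.zshrc or ~/.bashrc.

# SAFEHOUSE_BIN can be overridden (e.g. to `echo`) for a dry run.
: "${SAFEHOUSE_BIN:=safehouse}"

# _sh_find NAME: locate NAME by scanning PATH directly. `command -v` would
# report the wrapper function of the same name, not the real binary.
_sh_find() (
    IFS=:
    for d in $PATH; do
        if [ -x "$d/$1" ] && [ ! -d "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    return 1
)

# _sh_run AGENT [ARGS...]: launch AGENT through safehouse. Refusing to run when
# the binary is missing keeps a typo from silently doing nothing and tempting
# the user to run the agent unsandboxed by hand.
_sh_run() {
    agent=$1
    shift
    _sh_find "$agent" >/dev/null || {
        echo "safehouse wrapper: '$agent' not found on PATH" >&2
        return 127
    }
    "$SAFEHOUSE_BIN" -- "$agent" "$@"
}

# One wrapper per agent. The agent starts as a child process of safehouse, so
# the shell function of the same name cannot recurse into itself.
aider()  { _sh_run aider  "$@"; }
claude() { _sh_run claude "$@"; }
codex()  { _sh_run codex  "$@"; }
goose()  { _sh_run goose  "$@"; }
```

With `SAFEHOUSE_BIN=echo` exported, `aider --model foo` prints the exact command line that would be handed to safehouse, which is a quick way to confirm the wrapper is the one being called rather than a bare binary earlier on `PATH`.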
## Sandbox Policy Examples

### Read-Only Workspace (Default)

### Workspace Write Access

### Network Isolation
By default, agents have no network access in the sandbox. Network access is enabled selectively, per profile.
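To make the three policy tiers above concrete, here is an added example (not a Safehouse profile or script) that emits a minimal Seatbelt profile in SBPL for one workspace directory: `ro` (read-only workspace, no network, the default), `rw` (workspace writable, no network) and `net` (workspace writable, outbound TCP 443 only). The baseline allow rules for `/usr/lib`, `/bin/zsh` and friends are a constructed minimum so a shell can start at all; a real agent profile grants considerably more, which is exactly what the per-agent `.sb` files exist for. Later rules override earlier ones in SBPL, which is why the selective network rule follows the blanket deny.

```shell
# Added example (not Safehouse's own code): emit a minimal Seatbelt (SBPL)
# profile for one workspace in one of three tiers.
#   ro  - read-only workspace (default), no network
#   rw  - workspace write access, no network
#   net - workspace write access plus outbound TCP 443 only
# The /usr/lib etc. allow rules are a constructed baseline only.

# sb_header: the deny-default preamble shared by every tier.
sb_header() {
    printf '%s\n' '(version 1)' '(deny default)'
    # Constructed baseline so a shell can even exec; real profiles need more.
    printf '%s\n' \
        '(allow process-fork)' \
        '(allow process-exec (literal "/bin/zsh") (literal "/bin/sh"))' \
        '(allow file-read* (subpath "/usr/lib") (subpath "/usr/share") (subpath "/System/Library"))' \
        '(allow sysctl-read)'
}

# gen_policy WORKSPACE TIER -> profile text on stdout
gen_policy() {
    ws=$1
    tier=$2
    sb_header
    # Every tier may read the workspace.
    printf '(allow file-read* (subpath "%s"))\n' "$ws"
    case "$tier" in
        ro)
            # Explicit deny so the intent survives if someone later adds an
            # allow rule above it in the file.
            printf '(deny file-write* (subpath "%s"))\n' "$ws"
            printf '%s\n' '(deny network*)'
            ;;
        rw)
            printf '(allow file-write* (subpath "%s"))\n' "$ws"
            printf '%s\n' '(deny network*)'
            ;;
        net)
            printf '(allow file-write* (subpath "%s"))\n' "$ws"
            # Network is opt-in: deny everything, then open only TCP 443 out.
            printf '%s\n' '(deny network*)' \
                          '(allow network-outbound (remote tcp "*:443"))'
            ;;
        *)
            echo "gen_policy: unknown tier '$tier' (use ro|rw|net)" >&2
            return 2
            ;;
    esac
}

# Usage on macOS (not executed here):
#   gen_policy "$PWD" ro > /tmp/agent.sb && sandbox-exec -f /tmp/agent.sb /bin/zsh
```

The useful check when adapting this is to run the `ro` profile first and watch what the agent complains about: every denied write or connection it needs is a deliberate decision to move to `rw` or `net`, rather than a permission granted by default.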
### Custom Integrations

Some agents require additional integrations:

## Agent Investigation Reports
Each agent has a detailed investigation report analyzing:

- UI architecture (TUI framework, Electron, web UI)
- Authentication mechanisms (API keys, OAuth, keychain)
- Filesystem access patterns (config, state, temp files)
- Network endpoints (LLM APIs, telemetry, update checks)
- Subprocess execution (shell commands, git, npm, docker)
- Known vulnerabilities and CVEs
## Adding New Agents

To add support for a new agent:

- Create profile: `profiles/60-agents/new-agent.sb` with binary and config paths
- Test access: use `--explain` to verify granted paths match agent needs
- Add dependencies: use `$$require=path/to/integration.sb$$` for keychain, clipboard, etc.
- Regenerate dist: run `./scripts/generate-dist.sh` to update packaged artifacts
- Test sandbox: verify agent works with minimal policy
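The steps above produce one small file, and the first two are where mistakes hide (a relative path, a misspelled `$$require$$` target). The following added example, written for this page rather than taken from Safehouse, generates a new-agent fragment and runs two cheap sanity checks on it before you reach for `--explain`. It assumes that an agent profile in `profiles/60-agents/` is a fragment of SBPL allow rules (the deny-default base living in lower-numbered layers) and that `$$require=...$$` lines pull in shared integration profiles; the path `profiles/50-integrations/keychain.sb` is a constructed placeholder, not a path from the project.

```shell
# Added example, not Safehouse's own tooling. Assumptions: an agent profile in
# profiles/60-agents/ is a fragment of SBPL allow rules (base policy in lower
# layers), and `$$require=...$$` lines include shared integration profiles.

# gen_agent_profile NAME BIN_DIR CONFIG_DIR [INTEGRATION.sb ...]
# Emits the fragment for profiles/60-agents/NAME.sb on stdout.
gen_agent_profile() {
    name=$1; bin=$2; cfg=$3
    shift 3
    printf ';; %s agent profile (generated fragment)\n' "$name"
    # Dependencies first, e.g. profiles/50-integrations/keychain.sb (constructed).
    for inc in "$@"; do
        printf '$$require=%s$$\n' "$inc"
    done
    # Binary directory: readable and executable, never writable.
    printf '(allow file-read* (subpath "%s"))\n' "$bin"
    printf '(allow process-exec (subpath "%s"))\n' "$bin"
    # Config/state directory: the one place outside the workspace the agent
    # may write (sessions, logs, caches).
    printf '(allow file-read* file-write* (subpath "%s"))\n' "$cfg"
}

# check_profile FILE: sanity checks to run before `--explain`:
#  - every (subpath "...") / (literal "...") path must be absolute, since
#    Seatbelt matches the absolute path of what the process opens
#  - every $$require=...$$ must name a .sb file
# Returns 1 and lists the offending lines on stderr if anything is off.
check_profile() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *'(subpath "/'*|*'(literal "/'*) ;;           # absolute path, fine
            *'(subpath "'*|*'(literal "'*)                 # relative path
                echo "relative path: $line" >&2; bad=1 ;;
            '$$require='*.sb'$$') ;;                        # well-formed require
            '$$require='*)
                echo "bad require: $line" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Usage (not executed at load time):
#   gen_agent_profile newagent /opt/newagent/bin "$HOME/.newagent" \
#       profiles/50-integrations/keychain.sb > profiles/60-agents/newagent.sb
#   check_profile profiles/60-agents/newagent.sb
```

Keeping the config directory and the binary directory as two separate grants matters: a single broad `file-write*` over the agent's install location would let a compromised agent session rewrite its own executable, which the split rules above prevent.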
## Comparison Matrix

| Agent | Language | Keychain | Network Default | Subprocess | UI |
|---|---|---|---|---|---|
| Aider | Python | No | Denied | Shell | Terminal |
| Amp | Bun | No | Denied | Shell | TUI |
| Auggie | Node.js | No | Denied | Shell | TUI |
| Claude Code | Rust | Yes | Denied | Sandboxed | TUI |
| Cline | TypeScript | Yes | Denied | VS Code Terminal | Webview |
| Codex | Rust | Yes | Denied | Sandboxed | TUI |
| Copilot CLI | Node.js | Yes | Denied | Shell | Terminal |
| Cursor Agent | Electron | Yes | Denied | Shell | Electron |
| Droid | Bun | No | Denied | Shell | TUI |
| Gemini CLI | Node.js | Yes | Denied | Shell | TUI |
| Goose | Rust | Yes | Denied | Shell | TUI |
| Kilo Code | TypeScript | Yes | Denied | VS Code Terminal | Webview |
| OpenCode | Node.js | No | Denied | Shell | TUI |
| Pi | Node.js | No | Denied | Shell | Custom TUI |
## Special Integration Notes

### VS Code Extensions (Cline, Kilo Code)

VS Code extensions run in the Extension Host process, inheriting VS Code's sandbox. Safehouse cannot directly sandbox VS Code extensions. Instead:

- Use `--add-dirs` to restrict workspace access via VS Code's file watchers
- Extensions inherit VS Code's network policy
- Terminal commands spawn through VS Code's Terminal API
### Electron Apps (Cursor)

Electron apps have their own Chromium sandbox. Safehouse profiles grant access to:

- App bundle (`/Applications/Cursor.app`)
- Application Support directories
- Temp directories for IPC
### Rust Agents (Codex, Goose)

Rust agents (Codex, Goose) have built-in sandboxing:

- Codex uses `sandbox-exec` (macOS Seatbelt) for its own tool calls
- Goose has no built-in sandbox but is compiled native code