Agent Safehouse builds on the macOS sandbox ecosystem and draws inspiration from other sandbox and AI agent security projects.

Anthropic Sandbox Runtime

Official Anthropic sandbox reference implementation with TypeScript/Node and cross-platform network proxy support.

Claude Code Sandbox

Restrictive read policy experiments and ancestor literal grant insights.

trace.sh

Automated deny-to-allow profile iteration and rule minimization scripts.

Sandboxes for AI

Overview of sandboxing patterns for AI agents by Luis Cardoso.

macOS Sandbox Documentation

Apple’s sandbox-exec and Sandbox Profile Language documentation is limited. The best learning resources are example profiles and experimentation.

Built-in Profile Examples

Your macOS system includes reference profiles:
# System profile examples
ls /System/Library/Sandbox/Profiles/

# Additional sandbox profiles
ls /usr/share/sandbox/

Agent Safehouse Source

The project’s own profiles serve as practical examples:
  • Authored profiles: profiles/ directory (source of truth)
  • Assembled examples: dist/profiles/safehouse.generated.sb and dist/profiles/safehouse-for-apps.generated.sb

Learning Resources

Policy Architecture

Understand how Agent Safehouse assembles modular policy profiles.

Debugging Guide

Learn to debug sandbox denials and build profiles from scratch.

Contributing Guide

Read the contributing guide for .sb authoring expectations and patterns.

Profile Language Reference

Common Matchers

literal

Matches an exact file or directory path.
(allow file-read*
  (literal "/Users/alice/.gitconfig")
)
Narrowest option, preferred when possible.

subpath

Matches a directory and all its contents recursively.
(allow file-read*
  (subpath "/Users/alice/projects/reference-repo")
)
Broader grant; use only when required.

prefix

Matches any path starting with the given string prefix (no path-separator boundary).
(allow file-read*
  (prefix "/tmp/agent-")
)
Useful for dynamic path patterns.

regex

Matches paths using regular expressions. Inside an SBPL #"..." regex literal, a metacharacter such as the dot is escaped with a single backslash.
(allow file-read*
  (regex #"^/Users/[^/]+/\.npmrc$")
)
Most flexible but hardest to audit.
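To make the breadth differences between the four matchers concrete, here is an added example (not part of Agent Safehouse or the macOS sandbox) that models them in Python and evaluates the rules above against constructed paths. It is a simplified illustration of the matching semantics, not the kernel's evaluator, and the READ_RULES list and path samples are constructed for this example.

```python
import re
from typing import Callable

# Simplified model (added example, not the sandbox kernel's evaluator) of the
# four SBPL path matchers shown above, to illustrate their relative breadth.
Matcher = Callable[[str], bool]

def literal(target: str) -> Matcher:
    # Exact path only; "/x/.gitconfig.bak" is not "/x/.gitconfig".
    return lambda path: path == target

def subpath(root: str) -> Matcher:
    # The directory itself or anything under it. The boundary is a path
    # separator, so "/a/repo" does not cover "/a/repo-private".
    root = root.rstrip("/")
    return lambda path: path == root or path.startswith(root + "/")

def prefix(pre: str) -> Matcher:
    # Raw string prefix with no separator boundary, so "/tmp/agent-" also
    # covers "/tmp/agent-anything/elsewhere".
    return lambda path: path.startswith(pre)

def regex(pattern: str) -> Matcher:
    # Regular-expression search, mirroring the #"..." literal above.
    compiled = re.compile(pattern)
    return lambda path: compiled.search(path) is not None

# Constructed rule set: the four matchers from the reference section.
READ_RULES: list[tuple[str, Matcher]] = [
    ("literal", literal("/Users/alice/.gitconfig")),
    ("subpath", subpath("/Users/alice/projects/reference-repo")),
    ("prefix", prefix("/tmp/agent-")),
    ("regex", regex(r"^/Users/[^/]+/\.npmrc$")),
]

def matching_rules(path: str, rules=READ_RULES) -> list[str]:
    """Names of the rules that would grant file-read* on `path`."""
    return [name for name, matcher in rules if matcher(path)]

def is_allowed(path: str, rules=READ_RULES) -> bool:
    """True if at least one allow rule matches (simplified allow model)."""
    return bool(matching_rules(path, rules))
```

Comparing subpath and prefix on the same root shows why subpath is the safer choice for directory grants: prefix also matches sibling directories that merely share the leading characters.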

Common Operations

File Operations

(allow file-read*)
(allow file-write*)
(allow file-read-metadata)

Network Operations

(allow network-outbound)
(allow network-inbound)
(allow network-bind)

Mach Services

(allow mach-lookup
  (global-name "com.apple.service")
)

System Calls

(allow sysctl-read
  (sysctl-name "kern.osversion")
)

Community

Agent Safehouse is an open-source project. Contributions, bug reports, and documentation improvements are welcome.

GitHub Repository

View source, report issues, and contribute.

Issue Tracker

Report bugs or request features.
