Agent Sandbox For Mac
Ash is a macOS sandbox that uses kernel-level security to restrict AI coding agents. It limits access to files, networks, processes, and environment variables. It runs in userspace, no VM necessary.
$ ash run -- claude --dangerously-skip-permissions▋Problem
Coding agents access your files, network, and shell to be useful. This access creates risk. An agent may accidentally or maliciously destroy sensitive documents, exfiltrate data, or execute unexpected commands.
Solution
Ash sandboxes agents via macOS Endpoint Security and Network Extension frameworks. You define the files, sites, processes, and arguments an agent can use. Ash keeps the agent, and all its subprocesses, out of everything else.
Fine-Grained Security Controls
Filesystem
Restrict files and directories that an agent can read, write, create, delete, or rename
Network
Allow or deny network connections by host, port, transport protocol, and direction
Process Execution
Limit the processes that agents can run, and the arguments they are called with
ENV Variables
Control environment variables that are passed to sandboxed processes
How It Works
Define a Policy
Write a YAML policy file specifying what the agent can access.
Launch with Ash
Run your AI agent through Ash using a simple CLI command.
Enforce Boundaries
Ash monitors and enforces your policy at the kernel level using macOS security frameworks.
Example Policy
# policy.yml
schema_version: 1
files:
rules:
- path: ./**
- path: ~/.config/**
operations: [read]
network:
rules:
- host: api.goodagent.ai
- host: "**.github.com"
exec:
rules:
- path: git
- path: /usr/bin/**