Agent Sandbox
For Mac
Ash is a macOS sandbox that restricts AI coding agents with system-level security. It limits access to files, networks, processes, IO devices, and environment variables.
$ ash run -- claude --dangerously-skip-permissions▌Problem
Coding agents access your files, network, and shell to be useful. This access creates risk. An agent may accidentally or maliciously destroy sensitive documents, exfiltrate data, or execute unexpected commands.
Solution
Ash sandboxes agents via macOS Endpoint Security and Network Extension frameworks. You define the resources an agent can use. Ash keeps the agent, and all its subprocesses, out of everything else.
Fine-Grained
Security Controls
Filesystem
Restrict files and directories that an agent can read, write, create, delete, or rename.
Network
Allow or deny network connections by host and port.
Processes
Limit the processes that agents can run, and the arguments they are called with.
IO Devices
Block the agent's access to USB ports, camera, microphone, and other devices.
Environment
Control environment variables that are passed into the sandbox.
How It Works
Create Your Policy
Initalize a policy file in your project
$ ash init
Created policy.ymlEdit Your Policy
Add rules and dependencies to your policy
schema_version: 1
dependencies:
base-macos: ^0
xcode-dev: ^0
files:
rules:
- path: ./**
network:
rules: []
exec:
rules: []
io_devices:
rules: []Run the Sandbox
Launch your agent inside the sandbox
$ ash run -- claude --dangerously-skip-permissions
Claude Code v2.1.42
Opus 4.6 · Claude Max
~/projects/chowderbot
────────────────────────────────────────────────────────
❯ ▌
────────────────────────────────────────────────────────
⏵⏵ bypass permissions onCreate Your Policy
Initalize a policy file in your project
$ ▌