Comment by ca_tech

2 days ago

If you are running macOS, I would recommend Agent Safehouse. It is well maintained and is built on the existing sandbox-exec, so you are not locked in and can always build your own rules independent of the CLI tool.

https://github.com/eugene1g/agent-safehouse/ https://news.ycombinator.com/item?id=47301085

Seconding this. I've been running Safehouse for months and love that it can wrap any process (it's just a wrapper around the native macOS sandbox API, after all). The only thing I miss is the ability to limit network access, which isn't supported by the API.

  • Safehouse author here - glad you found it helpful. It didn't even occur to me to add --offline mode because my mental model is anchored in agents which often require network access. Until we add this, the easiest option is to create a custom policy and then reference it with Safehouse (I usually set up shell aliases/functions for this):

      ;; in ~/.config/agent-safehouse/no-network.sb
      (deny network*)
    
      safehouse --append-profile="$HOME/.config/agent-safehouse/no-network.sb" -- <command>

    • Hello! I was definitely not looking to block all network access. I would want to maintain a whitelist of hosts and IPs. I don't know if that's possible?
