[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74899":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":33,"readmeContent":34,"aiSummary":35,"trendingCount":16,"starSnapshotCount":16,"syncStatus":36,"lastSyncTime":37,"discoverSource":38},74899,"agent-safehouse","eugene1g\u002Fagent-safehouse","eugene1g","Sandbox your local AI agents so they can read\u002Fwrite only what they need","https:\u002F\u002Fagent-safehouse.dev",null,"Shell",1850,73,3,16,0,9,24,105,27,93.61,"Apache License 2.0",false,"main",true,[27,28,29,30,31,32],"ai-agents","claude-code","llm","macos","sandbox","security","2026-06-12 04:01:16","# Agent Safehouse\n\n[![Tests (macOS)](https:\u002F\u002Fgithub.com\u002Feugene1g\u002Fagent-safehouse\u002Factions\u002Fworkflows\u002Ftests-macos.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Feugene1g\u002Fagent-safehouse\u002Factions\u002Fworkflows\u002Ftests-macos.yml)\n[![E2E TUI Tests (macOS)](https:\u002F\u002Fgithub.com\u002Feugene1g\u002Fagent-safehouse\u002Factions\u002Fworkflows\u002Fe2e-agent-tui-macos.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Feugene1g\u002Fagent-safehouse\u002Factions\u002Fworkflows\u002Fe2e-agent-tui-macos.yml)\n[![License: Apache 2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache_2.0-blue.svg)](LICENSE)\n\nSandbox your LLM coding agents on macOS so they can only access the files and integrations they actually need.\n\nAgent Safehouse uses `sandbox-exec` with composable policy profiles and a deny-first 
model. It includes profiles for major coding agents and app-hosted agent workflows while keeping normal development usage practical.\n\n## Install\n\nHomebrew:\n\n```bash\nbrew install eugene1g\u002Fsafehouse\u002Fagent-safehouse\n```\n\nStandalone script:\n\n```bash\nmkdir -p ~\u002F.local\u002Fbin\ncurl -fsSL https:\u002F\u002Fgithub.com\u002Feugene1g\u002Fagent-safehouse\u002Freleases\u002Flatest\u002Fdownload\u002Fsafehouse.sh \\\n  -o ~\u002F.local\u002Fbin\u002Fsafehouse\nchmod +x ~\u002F.local\u002Fbin\u002Fsafehouse\n```\n\n## Philosophy\n\nAgent Safehouse is designed around practical least privilege:\n\n- Start from deny-all.\n- Allow only what the agent needs to do useful work.\n- Keep developer workflows productive.\n- Make risk reduction easy by default.\n\nIt is a hardening layer, not a perfect security boundary against a determined attacker.\n\n## HOME access by default\n\n`HOME_DIR` is used to render precise home-relative rules in the assembled policy. By itself, it does not grant recursive read access to your home directory.\n\nDefault Safehouse behavior is narrower:\n\n- metadata-only traversal on `\u002F`, the path to `$HOME`, and `$HOME` itself so runtimes can probe explicitly allowed home-scoped paths\n- directory-root reads for `~\u002F.config` and `~\u002F.cache` so tools can discover XDG locations\n- a few explicit home-scoped files\u002Fdirectories from always-on profiles, such as git\u002Fssh metadata and shared agent instruction folders\n\nIn practice, `stat \"$HOME\"` can succeed while `ls \"$HOME\"` and `cat ~\u002Fsecret.txt` still fail unless a more specific rule grants that path.\n\nIf you want to remove even the default home exceptions, use `--append-profile`; appended profiles load last, so their deny rules can narrow earlier defaults.\n\n## Built-In System Path Resolution\n\nSafehouse's built-in `profiles\u002F*` modules may include macOS compatibility paths such as `\u002Fetc`, `\u002Fprivate\u002Fetc\u002Fresolv.conf`, or 
`\u002Fprivate\u002Fetc\u002Flocaltime`.\n\nAt policy render time, Safehouse resolves built-in absolute paths from `allow file-read*` rules and emits matching grants for the real target path when the authored path is a symlink. That keeps host-specific system files working without broadening the source profiles to recursive `\u002Fprivate\u002Fetc` access.\n\nCurrent scope is intentionally limited to built-in absolute `literal` and `subpath` read grants. User-provided path grants still normalize separately, and writable or metadata-only built-in rules are not auto-expanded by this mechanism today.\n\n## Documentation\n\n- Website: [agent-safehouse.dev](https:\u002F\u002Fagent-safehouse.dev)\n- Docs: [agent-safehouse.dev\u002Fdocs](https:\u002F\u002Fagent-safehouse.dev\u002Fdocs\u002F)\n- Policy Builder: [agent-safehouse.dev\u002Fpolicy-builder](https:\u002F\u002Fagent-safehouse.dev\u002Fpolicy-builder)\n\n## Machine-Specific Defaults\n\nIf you keep shared repos, caches, or team folders in machine-specific locations, keep those settings out of project config and put them in a shell wrapper plus a local appended profile.\n\nThis lets you define your own sane defaults once and reuse them from `claude`, `codex`, `amp`, or app launchers:\n\nPOSIX shells (`zsh` \u002F `bash`):\n\n```bash\n# ~\u002F.zshrc or ~\u002F.bashrc\nexport SAFEHOUSE_APPEND_PROFILE=\"$HOME\u002F.config\u002Fagent-safehouse\u002Flocal-overrides.sb\"\n\nsafe() {\n  safehouse \\\n    --add-dirs-ro=\"$HOME\u002Fserver\" \\\n    --append-profile=\"$SAFEHOUSE_APPEND_PROFILE\" \\\n    \"$@\"\n}\n\n# The trailing ';' is required by bash for a one-line function body (zsh accepts it without).\nsafe-claude() { safe claude --dangerously-skip-permissions \"$@\"; }\n```\n\n`fish`:\n\n```fish\n# ~\u002F.config\u002Ffish\u002Fconfig.fish\nset -gx SAFEHOUSE_APPEND_PROFILE \"$HOME\u002F.config\u002Fagent-safehouse\u002Flocal-overrides.sb\"\n\nfunction safe\n    safehouse \\\n      --add-dirs-ro=\"$HOME\u002Fserver\" \\\n      --append-profile=\"$SAFEHOUSE_APPEND_PROFILE\" \\\n      $argv\nend\n\nfunction 
safe-claude\n    safe claude --dangerously-skip-permissions $argv\nend\n```\n\nExample machine-local policy file:\n\n```scheme\n;; ~\u002F.config\u002Fagent-safehouse\u002Flocal-overrides.sb\n;; Host-specific exceptions that should not live in shared repo config.\n(allow file-read*\n  (home-literal \"\u002F.gitignore_global\")\n  (home-subpath \"\u002FLibrary\u002FApplication Support\u002FCleanShot\u002Fmedia\")\n  (subpath \"\u002FVolumes\u002FShared\u002FEngineering\")\n)\n```\n\nUse `--add-dirs-ro` or `--add-dirs` for normal shared-folder access, and keep `--append-profile` for machine-local policy exceptions or final deny\u002Fallow overrides. That pattern is useful when the repo is shared but each developer machine has different local mount points.\n\nGit worktrees are auto-detected at launch when the selected workdir itself is a Git worktree root: that worktree gets the shared Git metadata access it needs when its common dir lives outside the selected workdir, and the other existing linked worktrees for that repo become readable by default for cross-tree inspection. That snapshot does not update for already-running processes, so if you create worktrees under a stable parent such as `~\u002Fworktrees`, prefer adding that root explicitly with `--add-dirs-ro`.\n\nAll detailed documentation (setup, usage, options, architecture, testing, debugging, and investigations) lives in the VitePress docs site.\n","Agent Safehouse is a tool for creating sandboxed environments for local AI agents on macOS, ensuring that those agents can only access the files and integrations they actually need. The project builds on `sandbox-exec` and uses composable policy profiles with a deny-by-default model, designed around the principle of least privilege, so it improves security without hurting development efficiency. It ships built-in support for major coding agents and app-hosted agent workflows, and can be installed via Homebrew or as a standalone script. It suits developers who want to run AI agents more safely without sacrificing productivity.",2,"2026-06-11 03:51:21","high_star"]