March 8, 2026
Bash cage match: Docker fans vs Safehouse stans
Agent Safehouse – macOS-native sandboxing for local agents
Fans love the tiny safety script, Docker diehards say “just give us the real thing”
TLDR: Safehouse is a tiny macOS script that cages AI agents, allowing your current project while blocking your home folder and SSH keys. Comments split between loving the no‑deps approach and demanding 'real Mac Docker,' with side debates about autonomy and how agents should ask for approval.
Safehouse drops like a mic: a tiny macOS script that runs your AI helpers in a locked room, letting them touch your current project while the rest of your home folder—yes, even your SSH keys—stays off-limits. It’s basically Apple’s built‑in sandbox tool (aka sandbox‑exec) with training wheels, and the demo flexes hard: try to read your private key? Denied.
Cue the comment fireworks. The creator (e1g) proudly says it’s just a policy generator because “no dependencies” and “local, full‑auto agents” are the dream. A big chunk of the crowd cheers the minimalism, with one fan quipping that the hard part of using sandbox‑exec is… sandbox‑exec itself. But the other camp rolls its eyes: garganzol argues this is a band‑aid and that a proper, native Docker for Mac—no Linux virtual machine—would solve this and “1001 other problems,” lighting up a classic Docker vs. native brawl.
Then comes the practical skepticism. gozucito asks if this is basically Claude Code’s sandbox, just tool‑agnostic. And naomi_kynes pokes the “full‑auto” bear: what happens when the bot needs your approval mid‑mission? The thread turns punchy, with jokes about typing --yolo inside a cage and memes dubbing blocked SSH keys “in witness protection.” The vibe: clever safety trick, but the fight over the “right” Mac sandbox lives on.
Key Points
- Agent Safehouse is a macOS-native shell script that uses sandbox-exec to run local agents with least-privilege access.
- By default, it grants read/write to a selected workdir (the git root by default) and read access to installed toolchains, while denying most access to the home directory.
- Demonstrations show the kernel blocking sensitive reads (e.g., SSH keys) and access to other repos, while operations inside the current project still succeed.
- Shell configuration examples let users run agents (e.g., Claude, Codex, Gemini) inside Safehouse automatically, with the shell builtin 'command' as the way to bypass the wrapper.
- A ready-made prompt helps LLMs generate tailored sandbox-exec policies, choose a durable profile path, create wrappers, and add shell shortcuts.
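To make the policy-generator idea concrete, here is an added example (not the Safehouse project's own script) of a POSIX sh function that emits a sandbox-exec profile granting read/write to one workdir and read-only access to a couple of toolchain directories while hiding the rest of the home directory, plus a wrapper that picks the git root as the workdir. The toolchain paths (.nvm, .cargo) and the rule that a later Seatbelt rule overrides an earlier one are assumptions; the wrapper itself only runs where sandbox-exec exists (macOS).

```shell
#!/bin/sh
# Added example, not Safehouse's code. Emits a Seatbelt (sandbox-exec)
# profile: the whole home dir is hidden, a few toolchain dirs are
# readable, the workdir is read/write, and key material stays denied.
# Assumption: in Seatbelt, a later rule overrides an earlier one.

# safehouse_profile HOME WORKDIR  -> prints the profile on stdout
safehouse_profile() {
  home=$1
  workdir=$2
  # Paths are embedded as SBPL string literals; refuse a stray quote.
  case "$home$workdir" in
    *\"*) echo "safehouse: paths must not contain double quotes" >&2; return 1 ;;
  esac
  cat <<EOF
(version 1)
; Pragmatic base: allow everything, then carve the home directory out.
; A (deny default) base is stricter but needs many more allow rules.
(allow default)
; Hide the whole home directory for both reading and writing.
(deny file-read* file-write* (subpath "$home"))
; Toolchains the agent needs, read-only (assumed locations; adjust).
(allow file-read* (subpath "$home/.nvm"))
(allow file-read* (subpath "$home/.cargo"))
; The current project is the only writable place under the home dir.
(allow file-read* file-write* (subpath "$workdir"))
; Listed last so secrets stay denied even if the workdir rule matched.
(deny file-read* file-write* (subpath "$home/.ssh"))
(deny file-read* file-write* (subpath "$home/.aws"))
EOF
}

# safehouse_run CMD...  -> runs CMD inside the sandbox, workdir = git root
safehouse_run() {
  workdir=$(git rev-parse --show-toplevel 2>/dev/null) || workdir=$(pwd)
  profile=$(mktemp) || return 1
  safehouse_profile "$HOME" "$workdir" > "$profile" || { rm -f "$profile"; return 1; }
  sandbox-exec -f "$profile" "$@"
  status=$?
  rm -f "$profile"
  return $status
}
```

The generator is plain sh and can be inspected anywhere; only `safehouse_run` needs macOS, where sandbox-exec still ships even though its man page marks it deprecated.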