Ash, an Agent Sandbox for Mac

Name: Ash, an Agent Sandbox for Mac
Availability: InStock
Author: amsha

by amsha·Mar 10, 2026·16 points·15 comments

Visit Project View on HN

AI Analysis

●●●BangerWizardrySolve My Problem

macOS Endpoint Security frameworks beat sandbox-exec for AI agent isolation.

Strengths

•Observation sessions capture agent behavior to auto-generate policy files instead of manual config.
•Endpoint Security and Network Extension frameworks are more powerful than sandbox-exec.
•GUI audit viewer shows denied actions with one-click policy updates.

Weaknesses

•macOS-only limits audience; no Linux or Windows support mentioned.
•Policy files are YAML—steep learning curve for non-security-minded developers.

Post Description

Ash is a macOS sandbox that restricts AI coding agents. It limits access to files, networks, processes, IO devices, and environment variables. You can use Ash with any CLI coding agent by wrapping it in a single command: `ash run -- <agent>`. I typically use it with Claude to stay safe while avoiding repetitive prompts: `ash run -- claude --dangerously-skip-permissions`.

Ash restricts resources via the Endpoint Security and Network Extension frameworks. These frameworks are significantly more powerful than the sandbox-exec tool.

Each session is driven by a policy file. Any out-of-policy action is denied by default. You can audit denials in the GUI app, which lets you view out-of-policy actions and retroactively add them to your policy file.

Ash also comes with tools for building policies. You can use an "observation session" to watch the typical behavior of a coding agent and capture that behavior in a policy file for future sandbox sessions. Linting, formatting, and rule merging are all built into the Ash CLI to keep your policy files concise and maintainable.

Download Ash at https://ashell.dev