Show HN: Ash, an Agent Sandbox for Mac
4 days ago
- #macOS
- #Sandbox
- #Security
- Ash is a macOS sandbox tool designed to restrict AI coding agents with system-level security.
- It limits access to files, networks, processes, IO devices, and environment variables to mitigate risks like data destruction or exfiltration.
- Ash uses macOS Endpoint Security and Network Extension frameworks to enforce fine-grained security controls.
- Users can define policies to specify allowed resources, including filesystem access, network connections, process execution, and IO device usage.
- The tool allows initialization of a policy file (`policy.yml`) where rules and dependencies are specified.
- Agents can be run within the sandbox using the command `ash run`, with options to skip permissions if necessary.