Show HN: Ash, an Agent Sandbox for Mac

Posted by amsha 13 hours ago

Counter7Comment7OpenOriginal

Ash is a macOS sandbox that restricts AI coding agents. It limits access to files, networks, processes, IO devices, and environment variables. You can use Ash with any CLI coding agent by wrapping it in a single command: `ash run -- <agent>`. I typically use it with Claude to stay safe while avoiding repetitive prompts: `ash run -- claude --dangerously-skip-permissions`.

Ash restricts resources via the Endpoint Security and Network Extension frameworks. These frameworks are significantly more powerful than the sandbox-exec tool.

Each session is driven by a policy file. Any out-of-policy action is denied by default. You can audit denials in the GUI app, which lets you view out-of-policy actions and retroactively add them to your policy file.

Ash also comes with tools for building policies. You can use an "observation session" to watch the typical behavior of a coding agent and capture that behavior in a policy file for future sandbox sessions. Linting, formatting, and rule merging are all built into the Ash CLI to keep your policy files concise and maintainable.

Download Ash at https://ashell.dev

Comments

Comment by nxtfari 32 minutes ago

I believe you’re late to the “ash shell” name by about 36 years

https://en.wikipedia.org/wiki/Almquist_shell

Comment by s3anw3 1 hour ago

Great tool! I've witnessed numerous cases where novice users lost critical data assets by recklessly granting proxies/AI agents excessive permissions without understanding the security implications.

Comment by socialinteldev 44 minutes ago

the network restriction question is the interesting one for agent sandboxing — the real risk isn't the agent reading files it shouldn't, it's exfiltrating data through api calls to attacker-controlled endpoints. for agent-to-agent payment protocols like x402 the question gets weird: the agent needs outbound to pay for data, but you want to allowlist which endpoints it can call. per-process network policy + endpoint allowlisting seems like the right primitive here

Comment by ThroneCreator 6 hours ago

One thing that comes to mind is whether the sandbox can restrict outbound network access per process or per command. That could be useful for preventing agents from silently exfiltrating data while still allowing limited API calls.

Comment by Muhammad523 6 hours ago

There's a shell with the exact same name for Unix

Comment by matthewsinclair 3 hours ago

And there’s also the Ash framework for Elixir.

Comment by jakejmnz 5 hours ago

Looks cool, I'll give it a shot. Is this any different from /sandbox command?