Ash is a macOS sandbox that restricts AI coding agents with system-level security. It limits access to files, networks, processes, IO devices, and environment variables.
$ ash run -- claude --dangerously-skip-permissions▌Problem
Coding agents access your files, network, and shell to be useful. This access creates risk. An agent may accidentally or maliciously destroy sensitive documents, exfiltrate data, or execute unexpected commands.
Solution
Ash sandboxes agents via macOS Endpoint Security and Network Extension frameworks. You define the resources an agent can use. Ash keeps the agent, and all its subprocesses, out of everything else.
Fine-Grained
Security Controls
Filesystem
Restrict files and directories that an agent can read, write, create, delete, or rename.
Network
Allow or deny network connections by host and port.
Processes
Limit the processes that agents can run, and the arguments they are called with.
IO Devices
Block the agent's access to USB ports, camera, microphone, and other devices.
Environment
Control environment variables that are passed into the sandbox.
How It Works
$ ash init
Created policy.ymlschema_version: 1
dependencies:
base-macos: ^0
xcode-dev: ^0
files:
rules:
- path: ./**
network:
rules: []
exec:
rules: []
io_devices:
rules: []$ ash run -- claude --dangerously-skip-permissions
Claude Code v2.1.42
Opus 4.6 · Claude Max
~/projects/chowderbot
────────────────────────────────────────────────────────
❯ ▌
────────────────────────────────────────────────────────
⏵⏵ bypass permissions on