Readit News logoReadit News
Posted by u/amsha 3 days ago
Show HN: Ash, an Agent Sandbox for Macashell.dev...
Ash is a macOS sandbox that restricts AI coding agents. It limits access to files, networks, processes, IO devices, and environment variables. You can use Ash with any CLI coding agent by wrapping it in a single command: `ash run -- <agent>`. I typically use it with Claude to stay safe while avoiding repetitive prompts: `ash run -- claude --dangerously-skip-permissions`.

Ash restricts resources via the Endpoint Security and Network Extension frameworks. These frameworks are significantly more powerful than the sandbox-exec tool.

Each session is driven by a policy file. Any out-of-policy action is denied by default. You can audit denials in the GUI app, which lets you view out-of-policy actions and retroactively add them to your policy file.

Ash also comes with tools for building policies. You can use an "observation session" to watch the typical behavior of a coding agent and capture that behavior in a policy file for future sandbox sessions. Linting, formatting, and rule merging are all built into the Ash CLI to keep your policy files concise and maintainable.

Download Ash at https://ashell.dev

Mooshux · 14 hours ago
Sandboxing agent execution on the host is table stakes now. The bigger gap is external blast radius: even a perfectly sandboxed agent with full API keys can still nuke prod if compromised. Scoped credentials limit what it can actually touch.

Example from a recent plugin incident: agent had DB admin rights because it inherited the deployer's token. Scoped per-tool keys + blast radius audit fixes that. https://www.apistronghold.com/blog/chatgpt-plugin-database-a...

dhblumenfeld1 · 2 days ago
this is great. The environment variable control is particularly interesting to me. I've been working on a related problem but different approach: encrypting/decrypting secrets using the Mac's secure enclave (https://github.com/keypo-us/keypo-wallet/tree/main/keypo-sig...). The two approaches seem complementary: Ash controls the perimeter, encrypted vaults protect the values themselves.
miltieIV2 · 2 days ago
No way to submit bug reports other than email - I'll forward this. How about at least a GitHub stub repo for Issue reports? Lot's of permissions (but missing "Full Disk Access" in the UI setup flow) I didn't know it also needed FDA until I did "ash status". Why is there a Login? GitHub login broken - 404.

No Source - This is a security tool that can't be audited. You had your 5 minutes on HN, but you'll need the community for Linux and Windows.

Yeah, overloaded name - how about AgSh.app / agsh? It's not too late to fix it.

amsha · 2 days ago
Good idea about the GitHub stub repo, I've added it here: https://github.com/Ash-Sandbox/bugs.

Your feedback about permissions is something I'm working on fixing now. Apple requires multiple permissions for Endpoint Security and Network Extension APIs and the current setup process doesn't walk users through that process as elegantly as I would like it to.

nxtfari · 2 days ago
I believe you’re late to the “ash shell” name by about 36 years

https://en.wikipedia.org/wiki/Almquist_shell

s3anw3 · 2 days ago
Great tool! I've witnessed numerous cases where novice users lost critical data assets by recklessly granting proxies/AI agents excessive permissions without understanding the security implications.
ThroneCreator · 2 days ago
One thing that comes to mind is whether the sandbox can restrict outbound network access per process or per command. That could be useful for preventing agents from silently exfiltrating data while still allowing limited API calls.
amsha · 2 days ago
Yeah I like the idea of allowing the sandbox to restrict network connections to specific processes. I'll put it on the roadmap: https://github.com/Ash-Sandbox/bugs/issues/1
breadcat · a day ago
love the tool but the name is used by a lot of folks. I'll try it regardless though. was just talking to someone about this very thing today during a meeting
jakejmnz · 2 days ago
Looks cool, I'll give it a shot. Is this any different from /sandbox command?
amsha · 2 days ago
Yeah, the underlying sandbox technology between Ash and CC is fundamentally different.

Ash is built on the Endpoint Security and Network Extension APIs. Together, they cover the full gamut of potential sandbox escapes, and it's a simple process to update sandbox rules while the sandboxed process is running.

Claude Code sandbox is built mainly on sandbox-exec, an older macOS sandbox technology. It works for filesystem and IO device control, but it can only filter network requests by IP address. CC uses an application-level network proxy as a workaround, but not every network client respects the HTTP_PROXY env variable it requires. There are other workarounds in CC sandbox for complex use cases (e.g. dangerouslyDisableSandbox) that Ash does not need.