Running a local LLM coding agent in fully autonomous mode is a calculated bet. Most sessions go fine. Occasionally they don't, and the failure mode isn't a crashed terminal — it's an agent that's read your AWS credentials, nuked a config directory, or done something else you can't undo. Agent Safehouse changes the terms of that bet.

Built by eugene1g and released under Apache 2.0, it wraps macOS's own `sandbox-exec` around any local agent process. The model is deny-first: the agent gets nothing by default. The project directory — found automatically from git root — gets read/write access. Toolchains get read-only. `~/.ssh`, `~/.aws`, and similar paths are blocked at the syscall level. The agent never sees those files, not because it was told to stay away, but because the kernel won't hand them over.

Claude Code, Codex, Gemini CLI, Aider, Cursor Agent, Cline, and about a dozen others all run normally inside the sandbox. That matters: the constraint is structural, not behavioral. Agent-level guardrails are instructions. Kernel enforcement is a wall.

Installation is a Homebrew tap or a one-liner shell script — no build tools, no dependencies beyond Bash and macOS. Shell function wrappers make sandboxed execution the default for every invocation, with the original binary still reachable via `command <agentname>` for trusted sessions. A Policy Builder and LLM-assisted profile generator let power users push the privilege surface well past the defaults.
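To make the deny-first layout from the opening description and the shell-wrapper convention concrete, here is an added sketch that is not Agent Safehouse's own profile or wrapper: `make_profile` emits a minimal SBPL profile for a project root and `safehouse_run` launches an agent under it. The specific allow rules, the `/opt/homebrew` prefix and the demo paths are assumptions; a real agent profile needs more allowances (network for the model API, mach services) than this shows.

```shell
# Added sketch of a deny-first sandbox-exec profile in the spirit of Agent Safehouse.
# Not the project's own profile or wrapper; the rule set is an assumption and kept
# minimal. SBPL evaluates rules in order and the LAST matching rule wins, so the
# credential-directory denies are emitted after the broad allows.
# Emit an SBPL profile: read/write on $1 (project root), read-only on toolchain
# prefixes, explicit denies on credential directories under $2 (defaults to $HOME).
make_profile() {
  project="$1"
  home="${2:-$HOME}"
  cat <<EOF
(version 1)
(deny default)
(allow process-fork)
(allow process-exec)
(allow sysctl-read)
(allow file-read-metadata)
; toolchains and system libraries: read-only (these prefixes are an assumption)
(allow file-read* (subpath "/usr") (subpath "/bin") (subpath "/opt/homebrew") (subpath "/System/Library"))
; the project itself: read/write
(allow file-read* file-write* (subpath "$project"))
; secrets: listed last so they override any earlier allow that might cover them
(deny file-read* file-write* (subpath "$home/.ssh") (subpath "$home/.aws") (subpath "$home/.gnupg"))
EOF
}
# Resolve the project root from git (falling back to the cwd), write the profile
# to a temp file and run the agent under it, e.g.: safehouse_run codex --help
safehouse_run() {
  root="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
  profile="$(mktemp -t safehouse.XXXXXX)"
  make_profile "$root" > "$profile"
  if sandbox-exec -f "$profile" "$@"; then status=0; else status=$?; fi
  rm -f "$profile"
  return "$status"
}
# Offline self-check on constructed paths: the profile must be deny-first, must
# name the secret directory, and the deny must follow the project allow. 0 = ok.
check_profile() {
  p="$(make_profile /tmp/demo-project /Users/demo)"
  printf '%s\n' "$p" | sed -n 2p | grep -q '^(deny default)$' || return 1
  allow_ln="$(printf '%s\n' "$p" | grep -n '"/tmp/demo-project"' | cut -d: -f1)"
  deny_ln="$(printf '%s\n' "$p" | grep -n '"/Users/demo/.ssh"' | cut -d: -f1)"
  [ -n "$allow_ln" ] && [ -n "$deny_ln" ] && [ "$deny_ln" -gt "$allow_ln" ]
}
# Launch only when given an agent command on a Mac; otherwise just define the helpers.
if [ "$#" -gt 0 ] && command -v sandbox-exec >/dev/null 2>&1; then
  safehouse_run "$@"
fi
```

Apple's man page marks `sandbox-exec` as deprecated, but it still ships on current macOS and still enforces the profile, which is why the project can rely on it.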

The local agent ecosystem is growing fast and the security model is mostly improvised. Agent Safehouse uses infrastructure Apple already ships on every Mac, which means you don't have to place much trust in the tool itself. That's a sensible property for anything standing between your agents and your SSH keys.