AI coding agents can now read, write, and execute across an entire developer filesystem. The question of what stops them from doing something they shouldn't has mostly gone unanswered — at least at the OS level. Ash is a macOS sandbox that tries to close that gap.

Built on Apple's Endpoint Security and Network Extension frameworks, Ash operates below the application layer, at the kernel and network stack. That distinction matters: most agent permission systems are implemented in software the agent itself can influence. Ash isn't.

The tool's workflow starts with `ash init`, which generates a `policy.yml` in the project directory. From there, developers specify rules across five dimensions: filesystem access (per-path read, write, create, delete, and rename permissions), network connections (host and port allowlists), process execution (permitted binaries and argument patterns), IO devices (USB, camera, microphone), and environment variables. The default posture is deny-all — anything not explicitly permitted is blocked. Subprocesses spawned by the agent inherit the same policy, which closes an obvious escape route.
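To make the deny-all posture and policy inheritance concrete, here is an added example (not Ash's code, and not its `policy.yml` schema, which the article does not reproduce): a small Python evaluator over a constructed allowlist in the same five dimensions. The dictionary keys, the sample paths and hosts, the `Sandbox` class and its `spawn_child` method are all assumptions made for illustration; a real enforcement point sits at the OS level, not in the agent's process as this toy does.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample policy. The key names are a hypothetical stand-in for the
# kind of allowlist a project policy expresses; they are NOT Ash's real schema.
SAMPLE_POLICY = {
    "filesystem": [
        {"path": "src", "allow": ["read", "write", "create", "rename"]},
        {"path": "node_modules", "allow": ["read"]},
    ],
    "network": [
        {"host": "api.anthropic.com", "ports": [443]},
        {"host": "registry.npmjs.org", "ports": [443]},
    ],
    "exec": [
        {"binary": "/usr/bin/git", "args": r"(status|diff|log)(\s.*)?"},
        {"binary": "/usr/local/bin/node", "args": r".*"},
    ],
    "devices": ["usb"],
    "env": ["PATH", "HOME", "LANG"],
}

FS_OPS = {"read", "write", "create", "delete", "rename"}


def _under(rule_path: str, request_path: str) -> bool:
    """True when request_path is rule_path itself or lies inside it.
    Both sides are normalised first so 'src/../.env' is judged as '.env'."""
    rule, req = os.path.normpath(rule_path), os.path.normpath(request_path)
    return req == rule or req.startswith(rule + os.sep)


@dataclass
class Sandbox:
    policy: dict
    audit: List[str] = field(default_factory=list)

    def _decide(self, allowed: bool, what: str) -> bool:
        # Every decision is logged; nothing is permitted unless a rule said so.
        self.audit.append(("ALLOW " if allowed else "DENY  ") + what)
        return allowed

    def check_file(self, path: str, op: str) -> bool:
        if op not in FS_OPS:
            raise ValueError(f"unknown filesystem op {op!r}")
        allowed = any(
            _under(r["path"], path) and op in r["allow"]
            for r in self.policy.get("filesystem", [])
        )
        return self._decide(allowed, f"fs {op} {path}")

    def check_network(self, host: str, port: int) -> bool:
        allowed = any(
            r["host"] == host and port in r["ports"]
            for r in self.policy.get("network", [])
        )
        return self._decide(allowed, f"net {host}:{port}")

    def check_exec(self, binary: str, argv: List[str]) -> bool:
        # The whole argument string must match the rule's pattern (fullmatch),
        # so a permissive pattern has to be written deliberately.
        args = " ".join(argv)
        allowed = any(
            r["binary"] == binary and re.fullmatch(r["args"], args) is not None
            for r in self.policy.get("exec", [])
        )
        return self._decide(allowed, f"exec {binary} {args}")

    def check_device(self, device: str) -> bool:
        return self._decide(device in self.policy.get("devices", []), f"device {device}")

    def filtered_env(self, env: Dict[str, str]) -> Dict[str, str]:
        """Only allowlisted variable names reach the agent."""
        allowed = set(self.policy.get("env", []))
        return {k: v for k, v in env.items() if k in allowed}

    def spawn_child(self) -> "Sandbox":
        """Children share the parent's policy and audit log, so spawning a
        subprocess cannot widen what is permitted."""
        return Sandbox(self.policy, self.audit)


if __name__ == "__main__":
    sb = Sandbox(SAMPLE_POLICY)
    sb.check_file("src/app.py", "write")          # allowed by the src rule
    sb.check_file("src/../.env", "read")          # denied: normalises to .env
    sb.check_network("api.anthropic.com", 443)    # allowed
    sb.check_network("example.net", 443)          # denied: host not listed
    child = sb.spawn_child()
    child.check_exec("/usr/bin/git", ["status"])               # allowed
    child.check_exec("/usr/bin/git", ["push", "origin", "main"])  # denied
    print("\n".join(sb.audit))
```

The two details worth carrying over to any real policy are the path normalisation before prefix matching, without which a `..` segment walks out of an allowed directory, and the `fullmatch` on argument patterns, which forces an author to opt in to wildcards rather than getting them by accident.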

The project's demo workflow shows `ash run -- claude --dangerously-skip-permissions` — a deliberate provocation. That flag normally disables Claude Code's own permission prompts; the demo's argument is that stripping them is fine when the OS-level sandbox is doing real enforcement underneath.

Ash launched in 2026 and is distributed as a direct download for macOS. It also ships a Policy Hub for sharing reusable configurations — useful for teams that don't want to author policies from scratch. Neither the major agent vendors nor Apple have shipped anything comparable natively.