Ash is a new macOS-native sandbox tool aimed at developers running AI coding agents like Anthropic's Claude Code, using Apple's Endpoint Security and Network Extension frameworks to enforce system-level restrictions at runtime. Developers define a policy.yml file that specifies exactly what the agent can do: which files and directories it may read, write, create, delete, or rename; which network hosts and ports it may reach; which processes it may spawn and with what arguments; which I/O devices like USB, camera, or microphone it may access; and which environment variables it receives. These restrictions apply to the agent and all its child processes, closing a common escape vector where subprocesses inherit unrestricted permissions. The canonical use case shown in Ash's documentation is wrapping Claude Code via the command "ash run -- claude --dangerously-skip-permissions."
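A sketch of how a deny-by-default policy with those five categories is evaluated, added here as an illustration and not code from Ash; the schema, paths, hostname and command list are assumptions, not Ash's actual policy.yml format.

```python
import fnmatch
import os

# Constructed policy in the shape the page describes (filesystem ops, network
# host/port, process + first argument, devices, environment variables). The
# schema is an assumption for illustration, not Ash's real policy.yml format.
POLICY = {
    "filesystem": {
        "read": ["/Users/dev/project/*", "/usr/lib/*"],
        "write": ["/Users/dev/project/src/*"],
        "create": ["/Users/dev/project/src/*"],
        "delete": [],          # nothing may be deleted or renamed
        "rename": [],
    },
    "network": [{"host": "api.anthropic.com", "port": 443}],
    "processes": [{"cmd": "git", "args": ["status", "diff"]},
                  {"cmd": "npm", "args": ["test"]}],
    "devices": [],             # camera, microphone, USB all denied
    "env": ["PATH", "HOME", "LANG"],
}

def allows_file(policy, op, path):
    """Deny by default: the op must be listed and the path must match a glob."""
    return any(fnmatch.fnmatch(path, g) for g in policy["filesystem"].get(op, []))

def allows_network(policy, host, port):
    """Only exact host/port pairs on the allow-list are reachable."""
    return any(r["host"] == host and r["port"] == port for r in policy["network"])

def allows_exec(policy, argv):
    """Process allow-list keyed on the command basename and its first argument."""
    if len(argv) < 2:
        return False
    cmd = os.path.basename(argv[0])
    return any(r["cmd"] == cmd and argv[1] in r["args"] for r in policy["processes"])

def allows_device(policy, device):
    return device in policy["devices"]

def filtered_env(policy, env):
    """Only listed variables reach the agent; unlisted secrets are dropped."""
    return {k: v for k, v in env.items() if k in policy["env"]}

def audit(policy, events):
    """Apply the same policy to every event, whether raised by the agent or by
    a child it spawned, so no subprocess gets broader rights than its parent."""
    checks = {"file": allows_file, "net": allows_network,
              "exec": allows_exec, "device": allows_device}
    return [(event, checks[event[0]](policy, *event[1:])) for event in events]
```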
The Hacker News discussion surfaced a key architectural limitation: Ash addresses what one commenter called the "internal blast radius" — what a rogue agent can do to your local machine — but leaves the "external blast radius" largely untouched. That second threat surface encompasses what an agent can do via its cloud API credentials to databases, third-party services, and cloud infrastructure, which requires complementary mitigations like scoped per-tool credentials. A separate commenter noted that Ash's environment variable controls pair naturally with Secure Enclave-based secret managers like Keypo Wallet, where Ash controls the perimeter and encrypted vaults protect the secret values themselves.
Community feedback also raised concerns about the tool's maturity and trustworthiness for a security product. Ash is closed-source, which prevents independent auditing — a trust deficit for a tool asking developers to grant it deep system access at a moment when <a href="/news/2026-03-14-anthropic-ab-testing-claude-code-plan-mode-without-disclosure">Claude Code adoption is surging</a>. Reviewers flagged that the GitHub login flow returns a 404 error, that the required macOS Full Disk Access permission is not surfaced during setup (only discoverable via "ash status"), and that there is no public issue tracker. These are real onboarding and transparency gaps. The GitHub 404 is still live.