Best For
macOS developers who want kernel-level security boundaries for AI agents (Claude Code, Goose, etc.) running in autonomous mode. Specifically those who want to understand "how to restrict agent network access at the OS level." This is not a finished product to fork — it's an elegantly designed proof of concept.
How I Actually Use It
Not formally adopted, but I documented three key technical points as reference for future sandbox work: Seatbelt profile syntax for agent containment, the NODE_OPTIONS="--use-env-proxy" trick to force Node.js fetch through a proxy, and the local HTTP proxy + live domain blocking architecture pattern.
Where It Is Strong
- macOS Seatbelt denies
connect()at the syscall level. Child processes inherit the sandbox and cannot escape through any application-level trick. Orders of magnitude more secure than environment variables or hooks - Fail-safe: tools that don't respect proxy environment variables receive EPERM and fail outright, rather than silently bypassing the security layer
- Dynamic egress control via LaunchDarkly feature flags lets you toggle domain allow/block in real time without restarting the agent
- Pure Python standard library. No Docker, VMs, or cloud services required
Where It Fails
sandbox-execis deprecated by Apple. The underlying Seatbelt kernel mechanism is still active (Cursor uses it commercially), but future macOS versions could remove the CLI interface- Only 4 commits, 15 stars, last updated 2026-02-11, no signs of ongoing maintenance. Treat as educational material, not production dependency
- No TLS MitM means POST-based data exfiltration through allowed domains cannot be detected
- Zero Linux support. Cross-platform teams cannot standardize on this approach
Pricing, Difficulty, and Risk
Completely free, zero external dependencies. Installation is just git clone and running a shell script. But the real barrier is understanding Seatbelt profile syntax, proxy mechanisms, and kernel-level security concepts.
Primary risk: sandbox-exec deprecation means Apple could remove it anytime (though realistically unlikely in the short term given commercial products like Cursor depending on the same mechanism). Acceptable risk as a POC reference; unacceptable as a production dependency.
Verdict
Textbook-quality proof of concept that clearly demonstrates how to build kernel-level security boundaries for AI agents using native macOS mechanisms. If you care about agent safety on macOS, read the source code. But don't fork it as a production tool. Study the architecture, then build your own implementation tailored to your needs.