Skip to main content
Lab Grimoire
TW EN
Coffee
ai-tools

agent-seatbelt-sandbox

A proof-of-concept using macOS native Apple Seatbelt to create kernel-level network sandboxing for AI agents. Elegant dual-layer design (kernel blocking + proxy auditing), but only 4 commits and sandbox-exec is deprecated. Best as inspiration for building your own agent sandbox, not a production dependency.

Best For

macOS developers who want kernel-level security boundaries for AI agents (Claude Code, Goose, etc.) running in autonomous mode. Specifically those who want to understand "how to restrict agent network access at the OS level." This is not a finished product to fork — it's an elegantly designed proof of concept.

How I Actually Use It

Not formally adopted, but I documented three key technical points as reference for future sandbox work: Seatbelt profile syntax for agent containment, the NODE_OPTIONS="--use-env-proxy" trick to force Node.js fetch through a proxy, and the local HTTP proxy + live domain blocking architecture pattern.

Where It Is Strong

  • macOS Seatbelt denies connect() at the syscall level. Child processes inherit the sandbox and cannot escape through any application-level trick. Orders of magnitude more secure than environment variables or hooks
  • Fail-safe: tools that don't respect proxy environment variables receive EPERM and fail outright, rather than silently bypassing the security layer
  • Dynamic egress control via LaunchDarkly feature flags lets you toggle domain allow/block in real time without restarting the agent
  • Pure Python standard library. No Docker, VMs, or cloud services required

Where It Fails

  • sandbox-exec is deprecated by Apple. The underlying Seatbelt kernel mechanism is still active (Cursor uses it commercially), but future macOS versions could remove the CLI interface
  • Only 4 commits, 15 stars, last updated 2026-02-11, no signs of ongoing maintenance. Treat as educational material, not production dependency
  • No TLS MitM means POST-based data exfiltration through allowed domains cannot be detected
  • Zero Linux support. Cross-platform teams cannot standardize on this approach

Pricing, Difficulty, and Risk

Completely free, zero external dependencies. Installation is just git clone and running a shell script. But the real barrier is understanding Seatbelt profile syntax, proxy mechanisms, and kernel-level security concepts.

Primary risk: sandbox-exec deprecation means Apple could remove it anytime (though realistically unlikely in the short term given commercial products like Cursor depending on the same mechanism). Acceptable risk as a POC reference; unacceptable as a production dependency.

Verdict

Textbook-quality proof of concept that clearly demonstrates how to build kernel-level security boundaries for AI agents using native macOS mechanisms. If you care about agent safety on macOS, read the source code. But don't fork it as a production tool. Study the architecture, then build your own implementation tailored to your needs.

Source

https://github.com/michaelneale/agent-seatbelt-sandbox