AI UNDERDOGS
Back
0:00 / 1:00
#127

sandfence

github.com/sheremetyev/sandfence
securitymacOSAI codingCLI tool
140 views💬 0 comments🔗 0 visits

A fence for Claude Code

WHAT IT SOLVES

AI coding agents run with full access to your filesystem — SSH keys, .env files, personal docs, everything's in range

WHY IT'S INTERESTING

Product taste

Real problem, restrained solution

Everyone's running Claude Code with full filesystem access. Author thought that was wrong. But instead of Docker or VMs, he went with a shell script — small enough you can actually read it before trusting it

Real craft

Uses macOS's own sandbox primitives, zero dependencies

Wraps macOS's built-in sandbox-exec (deprecated by Apple but still functional). Ships presets for Rust, Node, and Python toolchains. No Docker, no VM — just the OS's own security primitives doing the heavy lifting

"Minimal native macOS sandbox for Claude Code and Codex" — Minimal is the whole philosophy

sheremetyev

TECH GUESS

Shell script wrapping macOS sandbox-exec, with a DESIGN.md explaining internals

DEEP DIVE

A Minimalist's Sandbox for AI Coding Assistants

The excitement around integrating AI coding agents like Claude Code and Codex into development workflows often overshadows a fundamental security concern: by default, these tools operate with permissions nearly equivalent to your own user account. Your SSH keys, .env files, and personal documents are all within their potential read/write scope. Developer sheremetyev found this unsettling and created sandfence, a project whose entire philosophy is encapsulated in its title: "Minimal native macOS sandbox for Claude Code and Codex."

The "Bare-Running" Risk is Real

AI coding assistants need to read and write code and execute commands to function. However, their default configurations rarely restrict their activity to the project directory alone. This creates a tangible risk. A session compromised by prompt injection, or an AI misled into executing a destructive command like rm -rf, can have far greater impact than a traditional script because it may have already silently traversed your entire filesystem. This is not a theoretical threat but a practical one that grows as AI agent capabilities increase. Sheremetyev's concern addresses a widespread security blind spot in current AI toolchains.

The Solution: No Rockets, Just Bricks at Hand

The community's typical response to such sandboxing needs involves heavy containers (Docker) or virtual machines. Sandfence takes a radically different path: a shell script under 200 lines. Its core is a direct call to macOS's built-in sandbox-exec command. While Apple has officially marked this API as "deprecated," it remains functional and fully capable.

The script's operation is transparent. It creates a restricted "sandbox" environment for Claude Code or Codex, with the core rule being: allow read/write access only to the project directory you explicitly specify (e.g., ~/projects/my-app), while strictly prohibiting access to the rest of the system (like ~/.ssh or ~/Documents). It even includes preset rule files for different toolchains (Rust, Node.js, Python) within sandfence.sh, solving the dependency problem for compiling and running code inside the sandbox. The entire solution has zero external dependencies—no Docker, no VM—just the OS's native capabilities. This is the "Minimal" philosophy in action: using the simplest, most direct mechanism to solve the most critical security boundary issue.

Who Is It For? And Its Honest Limitations

Sandfence is ideal for macOS-based developers, especially independents or small teams, who are security-conscious and averse to introducing complex infrastructure. If you routinely use Claude Code on projects involving sensitive configurations, it offers an immediate "safety belt." The project is fully open-source, and the DESIGN.md clearly explains its workings, allowing you to audit every line before trusting it.

However, its limitations are equally clear. First, it is deeply tied to macOS and the sandbox-exec "deprecated" API; future macOS updates could break it, and it is not portable to Linux or Windows. Second, it only addresses filesystem access control, offering no defense against network-level threats (e.g., an AI being tricked into making network requests). Third, its Hacker News traction is currently very low (only 2 points, 0 comments), indicating it's still a very early-stage, niche tool polished by an individual developer for personal use, with virtually no community validation or ecosystem support. Finally, configuring sandbox rules requires some technical understanding, posing a barrier for newcomers.

Conclusion: A Restrained Approach Worth Noting

In the wave of increasingly "all-powerful" AI tools, sandfence serves as a sobering reminder: greater capability demands clearer constraints. It doesn't attempt to build an all-encompassing security fortress but precisely draws a clear line around the most dangerous aspect: filesystem access. While it may only be a transitional solution, the underlying philosophy of "leveraging native OS capabilities for minimal protection" offers valuable insight for thinking about how to safely integrate ever-more-powerful AI agents. For macOS developers who fit its use case, spending half an hour reading its code might grant you significantly more peace of mind when using AI assistants.

📍 Source: hn📅 2026-07-15Original post →Visit site →
Ad
Ad slot (AdSense unit renders here once connected)

Discussion (0)

Sign in with GitHub to post
  • No comments yet — be the first.

Related