A macOS sandbox for AI coding agents. Run your agents in --yolo mode without worrying about what they're doing to your machine.
AgentWall sits between your coding agent and your system. Every file access and network connection goes through it. Nothing reaches the outside world without your approval.
```mermaid
flowchart LR
    A["Claude / Codex / any agent"] --> B["AgentWall"]
    B -- allow --> C["Internet / Filesystem"]
    B -- deny --> D["Blocked"]
    B -- prompt --> E["User approval"]
    E -- allow / deny --> B
```
File enforcement — wraps the agent process with macOS sandbox-exec. Reads, writes, and deletes inside the project are individually controllable. Everything outside the project is denied by default.
Network enforcement — all traffic is routed through a local HTTPS proxy. Only explicitly allowed hosts get through. Unknown hosts trigger a real-time approval prompt or are denied.
No kernel extensions. No SIP bypass. No Endpoint Security entitlements. Just sandbox-exec + a local proxy — tools that ship with every Mac.
```bash
# Build
cargo build --release

# Run Claude inside the sandbox
agentwall claude

# Run Codex inside the sandbox
agentwall codex

# Run any binary
agentwall run -- /path/to/any-agent
```

That's it. The agent launches normally. AgentWall enforces policy in the background.
Every project gets its own policy. Defaults are locked down:
| Capability | Default | What it means |
|---|---|---|
| Read project | allow | Agent can read files in the project |
| Write project | deny | Agent can create/modify files |
| Delete project | deny | Agent can delete files |
| Local network | deny | Agent can use local sockets |
| Outbound network | deny | Agent can reach the internet |
| Allowed hosts | [] | Specific hosts to allow |
```bash
# Open up writes for a project
agentwall policy set ./my-project --write-project allow

# Allow a specific host
agentwall host allow ./my-project api.openai.com

# Check what's configured
agentwall policy show ./my-project
```

Network policy changes take effect immediately — no restart needed. The agent keeps running.
When the macOS app is running and an agent tries to reach an unknown host, you get a floating prompt:
- Deny — block this request (Esc)
- Allow Once — let it through this time
- Allow Always — add the host to the project's allowlist (Enter)
If you don't respond in 30 seconds, the request is denied automatically.
AgentWall ships with built-in profiles for popular agents:
| Agent | Auto-allowed hosts | What it grants |
|---|---|---|
| Claude Code | api.anthropic.com | Read/write ~/.claude, macOS keychain access |
| Codex | chatgpt.com, registry.npmjs.org | Read/write ~/.codex, disk arbitration |
These are convenience defaults — your project policy always wins. Specs only cover what the agent needs to boot, not what it can do in your project.
Custom specs — drop a JSON file in ~/Library/Application Support/AgentWall/specs/:
```json
{
  "id": "my-agent",
  "name": "My Agent",
  "match": {
    "executable_names": ["myagent"],
    "executable_contains": ["/myagent/"]
  },
  "service_hosts": ["api.myagent.com"],
  "runtime": {
    "read_paths": ["~/.myagent"],
    "write_paths": ["~/.myagent"]
  }
}
```

Every action is logged — what was allowed, what was blocked, and why.
```bash
# Recent events
agentwall events --last 5m

# Live stream
agentwall tail
```

Each event carries a reason:

```
allow  net.connect  api.anthropic.com:443  app_spec.service_host_match
deny   net.connect  evil.example.com:443   project_policy.host_not_allowed
deny   file.read    /etc/passwd            sandbox.sandbox_default_deny
```
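The per-request host check and the approval prompt described above, as an added example that is not AgentWall's own proxy code. The type names, the order of the checks, and every reason string other than `app_spec.service_host_match` and `project_policy.host_not_allowed` are assumptions; hosts are canonicalised and compared exactly, so a lookalike that merely starts with an allowed name does not match.

```rust
// Added illustration. Type names and reasons marked "hypothetical" are assumptions.
#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, Deny }
pub enum Prompt { AllowOnce, AllowAlways, Deny, TimedOut }

/// Split a CONNECT authority ("Host:443") into a canonical host and a port.
pub fn parse_authority(authority: &str) -> Option<(String, u16)> {
    let (host, port) = authority.rsplit_once(':')?;
    let port: u16 = port.parse().ok()?;
    // Lowercase and drop the trailing root dot so spelling variants compare equal.
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() || port == 0 { return None; }
    Some((host, port))
}

/// Decide one connection; `ask` stands in for the floating approval prompt.
pub fn decide(
    authority: &str,
    spec_hosts: &[&str],
    allowlist: &mut Vec<String>,
    ask: impl FnOnce(&str) -> Prompt,
) -> (Verdict, &'static str) {
    let host = match parse_authority(authority) {
        Some((host, _port)) => host,
        None => return (Verdict::Deny, "proxy.malformed_authority"), // hypothetical
    };
    // Exact match only: "api.openai.com.example.net" is not "api.openai.com".
    if spec_hosts.iter().any(|h| *h == host) {
        return (Verdict::Allow, "app_spec.service_host_match");
    }
    if allowlist.iter().any(|h| *h == host) {
        return (Verdict::Allow, "project_policy.host_allowed"); // hypothetical
    }
    match ask(&host) {
        Prompt::AllowOnce => (Verdict::Allow, "prompt.allow_once"), // hypothetical
        Prompt::AllowAlways => {
            allowlist.push(host); // later requests skip the prompt
            (Verdict::Allow, "prompt.allow_always") // hypothetical
        }
        // A refusal and an unanswered prompt both fail closed.
        Prompt::Deny | Prompt::TimedOut => (Verdict::Deny, "project_policy.host_not_allowed"),
    }
}

fn main() {
    let mut allow = vec!["api.openai.com".to_string()];
    let d = decide("evil.example.com:443", &["api.anthropic.com"], &mut allow, |_| Prompt::TimedOut);
    println!("{:?}", d);
}
```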
The companion SwiftUI app gives you a dashboard and real-time notifications:
- Menu bar — status icon with live block count
- Dashboard — per-project overview with top hosts, top processes, allow/block stats
- Floating prompts — approve or deny unknown network connections in real time
- Notifications — macOS alerts for blocked events
```bash
cd apps/AgentWallMac
swift build
```

```bash
# Launch agents
agentwall claude [args...]        # Run Claude sandboxed
agentwall codex [args...]         # Run Codex sandboxed
agentwall run [--project <path>] -- <cmd> [args...]

# Policy
agentwall policy show <path>
agentwall policy set <path> [--read-project allow|deny] [--write-project allow|deny]
                            [--delete-project allow|deny] [--outbound-network allow|deny]

# Host allowlist
agentwall host list <path>
agentwall host allow <path> <host>
agentwall host remove <path> <host>

# Projects & sessions
agentwall project list
agentwall project remove <path>
agentwall sessions list [--project <path>]

# Events
agentwall events [--project <path>] [--last <duration>] [--limit <n>]
agentwall tail [--project <path>]

# Agent specs
agentwall spec list
agentwall spec show <id>

# Diagnostics
agentwall doctor
```

```
crates/
  agentwall-core/    Rust library — sandbox, proxy, policy store, event log
  agentwall-cli/     CLI binary + IPC daemon
apps/
  AgentWallMac/      SwiftUI macOS app (bundles the Rust binary)
```
Sandbox — generates Apple sandbox profiles (.sb Scheme DSL) on the fly. Starts with (deny default), carves out exactly what's needed.
Proxy — Hyper-based HTTPS proxy on 127.0.0.1. The sandbox only allows outbound to localhost:<proxy-port>. The proxy checks project policy on every request.
Store — single SQLite database at ~/Library/Application Support/AgentWall/agentwall.db.
Daemon — Unix socket IPC server. The macOS app connects here for real-time events and interactive approval prompts.
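How the file capabilities from the policy table and the proxy-only network rule could be rendered as an SBPL profile, as an added example that is not AgentWall's own generator. `ProjectPolicy`, `render_profile`, the mapping of write and delete to `file-write-create`/`file-write-data` and `file-write-unlink`, and port 8877 are assumptions; a project path that could break out of the quoted string is rejected instead of being embedded.

```rust
// Added illustration: maps a per-project policy to SBPL text. Names are hypothetical.
#[derive(Clone, Copy)]
pub struct ProjectPolicy {
    pub read_project: bool,
    pub write_project: bool,
    pub delete_project: bool,
}

/// Quote a path for the profile, refusing anything that could end the string early.
fn sbpl_literal(path: &str) -> Result<String, String> {
    let unsafe_char = |c: char| c == '"' || c == '\\' || c.is_control();
    if !path.starts_with('/') || path.chars().any(unsafe_char) {
        return Err(format!("refusing to embed path in profile: {:?}", path));
    }
    Ok(format!("\"{}\"", path))
}

/// Deny everything, then add one allow rule per capability the policy grants.
pub fn render_profile(project: &str, policy: ProjectPolicy, proxy_port: u16) -> Result<String, String> {
    let root = sbpl_literal(project)?;
    let mut rules = vec!["(version 1)".to_string(), "(deny default)".to_string()];
    if policy.read_project {
        rules.push(format!("(allow file-read* (subpath {}))", root));
    }
    if policy.write_project {
        // Create/modify only; unlink is a separate rule so deletes stay independent.
        rules.push(format!("(allow file-write-create file-write-data (subpath {}))", root));
    }
    if policy.delete_project {
        rules.push(format!("(allow file-write-unlink (subpath {}))", root));
    }
    // The only egress is the local proxy, which applies the host allowlist.
    rules.push(format!("(allow network-outbound (remote ip \"localhost:{}\"))", proxy_port));
    Ok(rules.join("\n"))
}

fn main() {
    // The documented defaults: read allowed, write and delete denied.
    let defaults = ProjectPolicy { read_project: true, write_project: false, delete_project: false };
    match render_profile("/Users/dev/my-project", defaults, 8877) {
        Ok(profile) => println!("{}", profile),
        Err(e) => eprintln!("{}", e),
    }
}
```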
- Enforcement covers the wrapped process tree only — it's not a system-wide firewall
- Network enforcement depends on the agent honoring proxy env vars (`HTTP_PROXY`, `HTTPS_PROXY`, `NODE_OPTIONS=--use-env-proxy`). If an agent ignores them, outbound fails closed (sandbox blocks direct network)
- File policy is baked at launch — toggling read/write mid-session requires a restart
- Network granularity is `host:port`, not full URL paths
- macOS 15+ required
MIT
