
sandvault
Run AI agents without giving away the keys
sandvault runs AI agents in an isolated macOS user account with additional protection from sandbox-exec, limiting what agents can access on your machine and protecting your critical files and credentials.
Running AI coding agents is a leap of faith: they can read your files, use your credentials and browser login cookies, access other computers with your SSH keys, and modify anything on your computer. sandvault eliminates that risk by running agents in a separate macOS user account. It adds a layer of protection with Apple's Seatbelt (sandbox-exec) to apply additional restrictions. Your home directory, browser profile, and personal files stay completely off-limits.
sandvault is pre-configured to run Claude Code, OpenAI Codex, Google Gemini, and OpenCode, enabling them to write and execute code in an isolated environment while you share only the files you choose. There's no VM boot time or Docker overhead — just instant user switching with native macOS performance.
sandvault supports headless Chrome for browser automation and iOS Simulator for app testing, all from within the sandbox. Agents can navigate websites, fill out forms, scrape content, and test iOS apps without ever touching your personal files.
Why I created sandvault
I'm not worried about AI taking my job. I'm worried about it taking my SSH keys.
After exploring Docker containers, Podman, sandbox-exec, and full macOS virtualization, I needed something that works natively on macOS without the overhead, provides meaningful isolation without too much complexity, and lets AI agents run with their full-auto-approve flags — --dangerously-skip-permissions, --dangerously-bypass-approvals-and-sandbox, --yolo — without actually being dangerous.
sandvault uses macOS's Unix heritage and user account system to create a simple but effective sandbox. It's the tool I wished existed when I started giving AI agents the ability to run arbitrary code on my machine.
Related
- No sandbox for your AI agent? Are you crazy? — why I built sandvault in the first place
- Mike McQuaid on SandVault and git worktrees — the Homebrew project leader on using sandvault
- Sandboxing all the way down — iOS Simulator support and the full sandbox story
brew install sandvault
Features
AI Agent Ready
Pre-configured for Claude Code, OpenAI Codex, Google Gemini, and OpenCode. Run any agent in the sandbox with a single command like sv claude or sv codex.
Defense in Depth
Two layers of isolation: a limited macOS user account plus sandbox-exec restrictions. Agents can't access your home directory, browser profile, credentials, or mounted drives.
Zero VM Overhead
No virtual machine boot time, no Docker daemon, no Linux emulation. sandvault uses native macOS user switching for instant startup and full native performance.
iOS Simulator Testing
Expose iOS Simulator to sandboxed agents via an HTTP bridge. Agents can install apps, tap UI elements, read accessibility trees, and capture screenshots.
Browser Automation
Headless Chrome runs on the host and connects via Chrome DevTools Protocol. Agents can automate web interactions without exposing your real browser profile or cookies.
Git Repository Workflows
Clone local or remote Git repos into the sandbox with automatic wiring, so you can fetch commits back to your original repo with git fetch.
