Desktop AI tools with real boundaries
Use macOS-native sandboxing to constrain MCP servers on managed machines. Explicit file, process, and network limits — not broad default trust.
Sandbox launch config
Use absolute paths in the launch config: the MCP host starts the command directly, without a shell, so a leading ~ is never expanded, and the program path must match what the profile's process-exec rule allows.
{
  "mcpServers": {
    "native-container": {
      "command": "/usr/bin/sandbox-exec",
      "args": [
        "-f", "/Users/yourname/.mcp/config/mcp.sb",
        "/usr/local/bin/node", "/Users/yourname/.mcp/server/server.js"
      ]
    }
  }
}
Local agents need boundaries too
Real sandbox, no Docker
macOS sandbox-exec constrains file, network, and process access.
Explicit permissions
Declare paths and endpoints the MCP server can reach. Everything else is denied.
Pairs with the control plane
Local tool isolation plus cloud-side policy enforcement.
How the sandbox wraps MCP execution
Execution flow
Deny by default
The sandbox profile starts from deny-all and adds explicit grants. Cloud execution needs IAM and VPC controls. Desktop execution needs filesystem and process controls. Same discipline.
Filesystem
Scoped to declared project paths.
Network
Outbound constrained or blocked for local tools.
Lifecycle
Supervisor-managed launch and logging.
(version 1)
(deny default)
(allow file-read* (subpath "/Users/yourname/projects"))
(allow process-exec (literal "/usr/local/bin/node"))
The profile above is the skeleton. Under deny default the runtime also needs read access to its own binary, its shared libraries and the server script, so add those as further explicit subpath grants rather than widening the project grant.
Same discipline as cloud. Applied locally.
Clear permissions, predictable lifecycle, observable execution — for the AI tools that run on your developers' machines.
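The launch config and profile above are easy to get subtly wrong: a server entry that skips the wrapper, a path that relies on shell expansion, a profile that is not deny-by-default, an unscoped network grant, or a server script that the profile never lets the runtime read. The following pre-flight checker is an added example, not the page's or any product's own code. It reads a launch config in the shape shown on the page together with the profiles it points to and reports those mistakes before anything is launched. The config, the profiles and all paths in it are constructed placeholders, and the rule parser understands only the rule shapes used on the page plus bare allows.

```python
"""Pre-flight checker for sandbox-exec-wrapped MCP servers (added example).

Reads an MCP launch config and the SBPL profile each server points to and
reports configuration mistakes that weaken or break the sandbox. The sample
config and profiles below are constructed; the paths are placeholders.
"""
import json
import re

SANDBOX_EXEC = "/usr/bin/sandbox-exec"

# Constructed launch config: a wrapped server whose profile is too narrow to
# read its own script, a fully scoped server, and one launched unwrapped.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "native-container": {
      "command": "/usr/bin/sandbox-exec",
      "args": ["-f", "/Users/yourname/.mcp/config/mcp.sb",
               "/usr/local/bin/node", "/Users/yourname/.mcp/server/server.js"]},
    "scoped": {
      "command": "/usr/bin/sandbox-exec",
      "args": ["-f", "/Users/yourname/.mcp/config/scoped.sb",
               "/usr/local/bin/node", "/Users/yourname/.mcp/server/server.js"]},
    "unwrapped": {"command": "node", "args": ["~/tools/server.js"]}
  }
}""")

# Constructed profiles keyed by path, standing in for the files on disk.
SAMPLE_PROFILES = {
    "/Users/yourname/.mcp/config/mcp.sb": (
        '(version 1)\n(deny default)\n'
        '(allow file-read* (subpath "/Users/yourname/projects"))\n'
        '(allow process-exec (literal "/usr/local/bin/node"))\n'),
    "/Users/yourname/.mcp/config/scoped.sb": (
        '(version 1)\n(deny default)\n'
        '(allow file-read* (subpath "/Users/yourname/projects"))\n'
        '(allow file-read* (subpath "/Users/yourname/.mcp/server"))\n'
        '(allow process-exec (literal "/usr/local/bin/node"))\n'),
}

# (allow|deny OP) optionally followed by one (subpath|literal|regex "...")
# filter. Rules using other filter forms are ignored rather than misread.
RULE_RE = re.compile(
    r'\((allow|deny)\s+([\w*-]+)(?:\s+\((subpath|literal|regex)\s+"([^"]*)"\))?\)')


def parse_profile(text):
    """Return (rules, findings) for one profile; rules are 4-tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    if not lines or lines[0] != "(version 1)":
        findings.append("profile must start with (version 1)")
    if len(lines) < 2 or lines[1] != "(deny default)":
        findings.append("profile must declare (deny default) before any allow")
    return [m.groups() for m in RULE_RE.finditer(text)], findings


def under(path, root):
    """True if path is root itself or lies below it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def check_server(name, spec, profiles):
    """Findings for one mcpServers entry; an empty list means it passes."""
    cmd, args = spec.get("command", ""), spec.get("args", [])
    if cmd != SANDBOX_EXEC:
        return [f"{name}: command {cmd!r} is not the sandbox-exec wrapper"]
    if len(args) < 3 or args[0] != "-f":
        return [f"{name}: expected args of the form -f <profile> <program> ..."]
    # No shell sits between the MCP host and sandbox-exec, so ~ stays literal.
    findings = [f"{name}: {a!r} relies on ~ expansion; use an absolute path"
                for a in args[1:] if a.startswith("~")]
    profile = profiles.get(args[1])
    if profile is None:
        return findings + [f"{name}: profile {args[1]!r} not found"]
    rules, profile_findings = parse_profile(profile)
    findings += [f"{name}: {f}" for f in profile_findings]
    read_roots = [t for v, op, k, t in rules
                  if v == "allow" and op.startswith("file-read") and k == "subpath"]
    for v, op, k, _ in rules:
        if v == "allow" and op.startswith("network") and k is None:
            findings.append(f"{name}: unscoped {op} grant; constrain or drop it")
    # Every absolute path handed to the program must be readable under a grant,
    # otherwise deny-default fails the launch itself.
    for path in args[3:]:
        if path.startswith("/") and not any(under(path, r) for r in read_roots):
            findings.append(f"{name}: {path!r} is outside every file-read* subpath grant")
    return findings


def check_config(config, profiles):
    """Run check_server over every entry and concatenate the findings."""
    return [f for name, spec in config.get("mcpServers", {}).items()
            for f in check_server(name, spec, profiles)]


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, SAMPLE_PROFILES):
        print(finding)
```

Run against the constructed input it reports two findings: the page-style profile does not cover the server script it launches, and the unwrapped entry bypasses sandbox-exec entirely; the fully scoped entry passes. In practice the profile map would be built by reading the files named in each entry's -f argument.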