Hazmat: OS-level containment for AI coding agents on macOS

What is Hazmat?
Hazmat is a macOS tool that cages AI coding agents in a full, kernel-enforced sandbox so you can actually let them run — without handing over your keys, tokens, or home directory. One command spins up a dedicated macOS user, a per-session seatbelt policy, a pf firewall, DNS blocks, and automatic Kopia snapshots. Want Claude Code to run with “full autonomy”? Run hazmat claude. Want to test your own loop? hazmat exec ./my-agent-loop.sh. Simple. Powerful. Necessary.
How it works
Every session starts with a plain-language contract showing what the agent can and can’t touch: project paths, integrations, read-only mounts, excluded folders, and whether a private Docker daemon will be used. Hazmat auto-switches to a Docker Sandbox mode for projects with a private-daemon shape; otherwise it uses native containment. Preview a session with hazmat explain before you let anything loose. That transparency is the whole point — know the rules before the player starts moving pieces.
Why it matters
Permission prompts break flow: agents loop, hit prompt after prompt and, eventually, users flip the “--dangerously-skip-permissions” switch. That’s where things get ugly. It has been reported that agents like Claude Code have been able to reason about sandbox escapes (via /proc/self/root path traversal) and that multiple CVEs and exfiltration vectors have been disclosed. It has also been reported that quick supply-chain attacks (npm postinstall hooks, malicious packages) can deliver remote access in seconds. Who’s comfortable letting a curious agent loose with your ~/.ssh and Keychain?
The angle: belt, braces, and a backup
Hazmat doesn’t rely on one miracle layer. It combines user isolation, kernel-level seatbelt policies, credential deny rules, pf-based protocol blocking, DNS sinkholing of known tunnel/C2 services, npm hardening (ignore-scripts by default), and automatic pre-session snapshots so you can roll back when things go sideways. It’s macOS-native containment aimed at one emotional truth: you want agents to be useful, not dangerous. Hazmat tries to give you that productivity without the stomach drop — a practical seatbelt for the age of autonomous coding.
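An added example (not Hazmat's code and not part of the original article) for the npm hardening layer above: it lists installed packages that declare the install-time hooks that ignore-scripts suppresses, and checks whether a project's .npmrc sets that option. The package names and the build_sample tree are constructed for illustration.

```python
import json
import os

# Lifecycle hooks npm runs automatically while installing a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_install_scripts(project_root):
    """Return sorted (package, hook, command) tuples for install-time scripts."""
    findings = []
    modules = os.path.join(project_root, "node_modules")
    for dirpath, _dirs, files in os.walk(modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name") or os.path.relpath(dirpath, modules)
        findings += [(name, h, str(scripts[h])) for h in INSTALL_HOOKS if h in scripts]
    return sorted(findings)

def npmrc_ignores_scripts(project_root):
    """True if the project-level .npmrc sets ignore-scripts=true."""
    enabled = False
    try:
        with open(os.path.join(project_root, ".npmrc"), encoding="utf-8") as fh:
            for line in fh:
                key, _, value = line.partition("=")
                if key.strip() == "ignore-scripts":
                    enabled = value.strip().lower() == "true"
    except OSError:
        return False  # no project .npmrc: the option is not set here
    return enabled

def build_sample(root):
    """Constructed sample: one benign package, one with a postinstall hook."""
    pkgs = {"pad-demo": {"test": "node test.js"},
            "@demo/native": {"postinstall": "node setup.js"}}
    for name, scripts in pkgs.items():
        pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "scripts": scripts}, fh)
    with open(os.path.join(root, ".npmrc"), "w", encoding="utf-8") as fh:
        fh.write("ignore-scripts=true\n")
```

Call build_sample on an empty temporary directory, then run the two checks against it; on a real project, pass the directory that contains node_modules.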
Sources: github.com/dredozubov, Lobsters