HeadlinesBriefing.com

AI Coding Agents Face Security Sandbox Challenge

Hacker News: Front Page

Modern coding agents wield enormous power through unrestricted bash access, yet this expressiveness creates dangerous security gaps. Giving an AI the ability to run arbitrary commands is like handing a new intern the keys to production servers. While virtualization offers the safest path forward, most developers skip proper isolation and rely on dangerously permissive modes.

The article explores how Codex CLI attempts to solve this through macOS native sandboxing APIs rather than Docker containers. It operates in three permission tiers: read-only, auto (workspace-limited), and full access. The auto mode uses Seatbelt—Apple's older but still active sandboxing framework—to restrict filesystem and network access without requiring constant human approval.

However, OS-level sandboxes face inherent limitations. Linux offers Landlock, seccomp-BPF, and namespaces, while macOS provides fewer such primitives. Seatbelt struggles with the needs of package managers and with granular network controls.

Custom policies are notoriously difficult to write correctly, often leaving dangerous gaps in home directory protection. The piece suggests command whitelists in tools like Cursor feel brittle and impractical for real workflows. As AI agents become standard development partners, balancing security with usability remains an unsolved engineering challenge across the industry.
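To make the workspace-limited tier and the home-directory gap concrete, here is an added illustration (not code from the article or from the Codex project): a POSIX shell script that emits two Seatbelt (SBPL) profiles for `sandbox-exec`, a permissive one that grants writes across all of `$HOME` and a workspace-limited one with no network, plus a small lint that flags the permissive pattern. The rule set, the `WORKSPACE` parameter name and the lint heuristics are assumptions for this example; real tooling needs further allow rules.

```shell
#!/bin/sh
# Added example: Seatbelt profiles for `sandbox-exec` (deprecated on macOS but
# still shipped). Rules are illustrative; compilers and package managers need
# more allow rules, which is where hand-written policies become error-prone.

# Weak policy: writes anywhere under HOME. A workspace-limited agent still
# reaches ~/.zshrc, ~/.ssh/config or ~/.gitconfig from any project.
weak_profile() {
  cat <<'EOF'
(version 1)
(deny default)
(allow process-exec process-fork)
(allow file-read*)
(allow file-write* (subpath (param "HOME")))
(allow network*)
EOF
}

# Hardened policy: writes only below the WORKSPACE parameter, network denied.
# `(deny default)` rejects every operation not listed explicitly.
strict_profile() {
  cat <<'EOF'
(version 1)
(deny default)
(allow process-exec process-fork)
(allow file-read*)
(allow file-write* (subpath (param "WORKSPACE")))
(allow file-write* (literal "/dev/null"))
(deny network*)
EOF
}

# Lint a profile text: flag home-wide writes or any network allow rule.
# Prints "ok" and returns 0 when clean; prints the finding and returns 1.
lint_profile() {
  if echo "$1" | grep -q 'file-write\* (subpath (param "HOME"))'; then
    echo "FINDING: write access to entire HOME"; return 1
  fi
  if echo "$1" | grep -q '(allow network'; then
    echo "FINDING: network allowed"; return 1
  fi
  echo ok
}

# Run a command under the strict profile (macOS only). -D binds WORKSPACE.
run_sandboxed() {
  ws=$1; shift
  strict_profile > /tmp/agent.sb
  sandbox-exec -D WORKSPACE="$ws" -f /tmp/agent.sb "$@"
}
```

On macOS, `run_sandboxed "$PWD" sh -c 'touch ok.txt; touch ~/.zshrc'` creates the first file and gets "Operation not permitted" on the second.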