Kaioshin — Why Your AI Coding Agent Needs a Supreme Kai
Your AI Coding Agent Can Read Your Passwords. Here's How I Fixed It.
Every day, millions of developers launch AI coding agents — Claude Code, Cursor, Copilot, Windsurf, Devin — and hand them the keys to their entire machine.
Think about that for a second.
Your AI agent runs with your full user permissions. It can read your Chrome saved passwords, export your Keychain in plaintext, copy your SSH private keys, browse your Telegram chat history, and access your crypto wallet data. All without asking.
It probably won't. But it can. And in the age of prompt injection — where a single malicious comment in a codebase can hijack an agent's behavior — "probably won't" isn't good enough.
The Moment It Clicked
I've been running AI coding agents on my Mac for months. One day, while setting up a security sandbox for my projects, I realized something uncomfortable: my agent had access to everything. My OKX exchange data. My SSH keys. My WeChat conversations. My Keychain passwords. All of it, sitting there, one hallucination away from being read.
Not because the AI is malicious. But because nobody told the operating system to say no.
The Design Philosophy: Supreme Kai, Not Prison Guard
I'm a lifelong Dragon Ball fan, so when I built the fix, I named it after the Kaiōshin (界王神) — the Supreme Kai. In Dragon Ball, the Supreme Kai doesn't fight in every battle. He doesn't interfere with daily life. But he sets unbreakable cosmic rules that protect the universe from catastrophic threats.
That's exactly the design philosophy:
1. Allow everything by default.
Your code, your Desktop, your terminal tools, git, npm, python — all work exactly as before. Zero friction. Zero performance overhead. The sandbox should be invisible during normal work.
2. Deny only what matters.
A precise list of sensitive paths: browser data, crypto wallets, Keychain, SSH keys, messaging apps, developer credentials. Not broad directories — specific, surgical blocks.
3. Enforce at the kernel level.
Not a wrapper script that can be bypassed. Not a file permission hack. Actual kernel-level process isolation using macOS sandbox-exec. The AI agent process physically cannot read the blocked paths. It would need a kernel exploit to escape — far beyond any AI's capability.
4. Give developers an escape hatch.
Security that blocks legitimate work is security that gets disabled. So there's a built-in diagnostic tool (check) that tells you exactly which rule is blocking you, and a temporary exception system (--allow) that lifts specific blocks for one session only. All other protections stay active.
What Gets Blocked
49 deny rules across 8 categories:
| Category | What's Protected |
|---|---|
| Hardware | Camera, microphone |
| Browsers | Chrome, Firefox, Safari, Edge, Brave, Arc, Opera, Vivaldi, Chromium, Tor |
| Crypto | OKX, Binance, Coinbase, Exodus, Ledger, Trezor, TradingView |
| Keychain | All keychain databases + the security command |
| SSH/GPG | Private keys and agent sockets |
| Messaging | Telegram, Signal, Discord, WhatsApp, WeChat, Slack, iMessage |
| Dev Credentials | AWS, Docker, Kubernetes, npm, PyPI |
| System | Cookies, Accounts, iCloud identity |
Everything not on this list? Completely unrestricted.
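As an added illustration (not Kaioshin's code, which the post says is not yet public), here is a small shell sketch of the four principles applied to a constructed subset of the table above: an SBPL profile for `sandbox-exec` that allows by default and denies a handful of sensitive subpaths, a `check` that reports which rule covers a path, and an `--allow` that drops one rule for a single launch. The deny subset, the function names and the `HOME_DIR` fallback are assumptions.

```shell
#!/bin/sh
# Added illustration in the spirit of the post, not Kaioshin's own code. KAI_DENY is a
# constructed subset of the post's categories (the real project has 49 rules). sandbox-exec
# is marked deprecated in Apple's man page but still ships; (subpath ...) matches resolved paths.
HOME_DIR="${HOME:-/Users/me}"
KAI_DENY="$HOME_DIR/.ssh
$HOME_DIR/.gnupg
$HOME_DIR/.aws
$HOME_DIR/Library/Keychains
$HOME_DIR/Library/Application Support/Google/Chrome
$HOME_DIR/Library/Application Support/Telegram Desktop"

# kai_profile [ALLOWED]: print an SBPL profile. Everything is allowed by default;
# each sensitive path is denied for read and write. ALLOWED is the optional
# one-session --allow exception: that single rule is left out, all others stay.
kai_profile() {
  printf '(version 1)\n(allow default)\n'
  printf '(deny device-camera)\n(deny device-microphone)\n'
  printf '(deny process-exec (literal "/usr/bin/security"))\n'
  printf '%s\n' "$KAI_DENY" | while IFS= read -r p; do
    [ "$p" = "${1:-}" ] && continue
    printf '(deny file-read* file-write* (subpath "%s"))\n' "$p"
  done
}

# kai_check PATH: the "check" diagnostic. Prints the rule covering PATH and
# returns 0, or returns 1 when PATH is unrestricted. Prefix matching on a path
# component boundary is what (subpath ...) does, so this predicts the kernel's answer.
kai_check() {
  printf '%s\n' "$KAI_DENY" | {
    while IFS= read -r p; do
      case "$1" in
        "$p"|"$p"/*)
          printf 'blocked by: (deny file-read* file-write* (subpath "%s"))\n' "$p"
          exit 0 ;;
      esac
    done
    exit 1
  }
}

# kai_run [--allow PATH] CMD...: write the profile and launch CMD under it (macOS only).
kai_run() {
  allow=""
  [ "$1" = "--allow" ] && { allow="$2"; shift 2; }
  prof="$(mktemp -t kaioshin).sb"
  kai_profile "$allow" > "$prof"
  exec sandbox-exec -f "$prof" "$@"
}
```

Typical use on a Mac would be `kai_run claude` for a normal session, or `kai_run --allow "$HOME/.aws" aws sts get-caller-identity` when one task legitimately needs a blocked path.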
Near-Zero Overhead
This isn't a VM. It's not a container. It's not running your AI agent inside Docker.
macOS sandbox-exec operates at the kernel level — it's a simple path-checking filter that runs before every file operation. The overhead is essentially zero. Your AI agent runs at full speed, with full access to your project files, your terminal, and the internet. It just can't touch the 49 paths it has no business touching.
The Threat Model
This protects against three realistic attack vectors:
- AI hallucination — The agent accidentally reads or writes sensitive files while exploring your filesystem.
- Prompt injection — Malicious content in a codebase, a README, or a web page tricks the agent into exfiltrating your data.
- Context leakage — Sensitive file contents get scooped up and transmitted to cloud APIs as part of the conversation context.
None of these require a malicious AI. They require an AI that's too capable running with too many permissions — which is the default for every AI coding agent today.
Real-World Testing
I tested it with a dedicated agent running inside the sandbox. 13 test cases:
- 7 sensitive paths (SSH keys, Keychain, Chrome passwords, Telegram, AWS, GPG, security command) — all returned "Operation not permitted". Blocked at the kernel.
- 6 normal operations (reading project files, creating files, listing directories, running git, running python) — all worked perfectly. Zero interference.
The sandbox is invisible when you're doing legitimate work. It only appears when something tries to cross the line.
Coming Soon: Open Source
I'm running this on my own machine daily now. Once I've accumulated enough real-world usage data and edge cases, I'll open-source the entire project. One command to install. One command to protect your Mac.
Because every developer using AI coding agents deserves a Supreme Kai watching over their machine.
This project was born in what I call the "1984 Mac Homeland" — my personal Mac workspace where AI agents and humans coexist. It's named Kaioshin after the Dragon Ball character, built on the spirit of open-source freedom, and designed for a world where AI is powerful, useful, and — with the right guardrails — safe.
— Robbery & 小code (my AI coding partner who co-built this with me)
Written at home, on George Orwell, in 1984 mode.
pid: $$ | ctx: session_ephemeral | memory: ~/.claude/memory/