Run Ralph with sandbox-exec (macOS) instead of Docker.
git clone git@github.com:matija/ralph-sandbox-exec.git
chmod +x ralph-sandbox-exec/*.shThen inside whatever project you want Ralph to work on, drop a PRD.md
(write it yourself, or have your agent of choice draft one) and run:
cd some-project
# one task — Claude by default
/path/to/ralph-sandbox-exec/ralph-once.sh
# same, but Claude acts as an orchestrator and delegates
# implementation to pi (swap the harness in ORCHESTRATOR.md)
/path/to/ralph-sandbox-exec/ralph-once.sh --orchestrator
# loop up to 20 tasks
/path/to/ralph-sandbox-exec/afk-ralph.sh 20Pick a different agent with a flag:
/path/to/ralph-sandbox-exec/ralph-once.sh --codex
/path/to/ralph-sandbox-exec/afk-ralph.sh --opencode 20
/path/to/ralph-sandbox-exec/afk-ralph.sh --pi 20
/path/to/ralph-sandbox-exec/ralph-once.sh --cursorAgent commands used under the hood:
- Claude:
claude --dangerously-skip-permissions - Codex:
codex --sandbox danger-full-access --ask-for-approval never - opencode:
opencode run --dangerously-skip-permissions - Pi:
pi --mode json(streaming) orpi -p(print) - Cursor:
cursor-agent --force --sandbox disabled
All scripts run under sandbox-exec. Writes are blocked everywhere except:
- the project folder
- agent and cache dirs (
~/.claude,~/.cache, etc.) /tmp
Reads and network are not blocked. To restrict those, add deny rules to ralph.sb.