Show HN: Tilde.run – Agent Sandbox with a Transactional, Versioned Filesystem

~tilde.run

Let AI agents loose on production. Without the risk.

Tilde turns every agent run into a transaction you can roll back. Code from GitHub, data from S3, and documents from Drive show up as a single versioned filesystem. Every outbound call is checked and logged. Autonomous code, finally safe to use against real data.

Start Now → Read the Docs →

Free to start · Join the private preview

my-team/documents | main LIVE AGENTS 2 running analyst python:3.12 64% doc-writer node:22 41% FILESYSTEM @ a1b2c3d4 · HEAD · 4 mounts /code github acme/ml-pipeline /data s3 847 objects · 12 GB /docs gdrive team-wiki /output local +4~1 5 files staged all versioned · any commit revertible $ curl -fsSL https://tilde.run/install | shcopy Reversible by default Roll back any agent run with one command One filesystem, all your data GitHub, S3, and Drive as a single ~/sandbox Contained by default Isolated runs, every network call audited You stay in control Per-action policies and human approval gates

Plugs into the stack you already use

Hugging Face Claude AWS S3 LangGraph Google Drive Hugging Face Claude AWS S3 LangGraph Google Drive

## Features

Three guarantees that make autonomous code safe to run on real data: reversibility, isolation, and audit. Useful on their own. Decisive together.

Versioned Composable Filesystem

A real POSIX filesystem - any tool, any language, no SDKs. Mount code from GitHub, training data from S3, and documents from Google Drive as a single ~/sandbox. Every file is versioned from the first commit, and any agent run can be rolled back instantly.

compose filesystem 4 mounts SOURCES ~/sandbox github acme/ml-pipeline s3 acme-data/training gdrive team-wiki local output/ ├─code ├─data ├─docs └─output all versioned · all reversible

Safe Serverless Sandboxes

Stop fearing the rogue-agent outcome. Each run is a transaction in a fresh, isolated container - on a clean exit, changes commit atomically; on failure, nothing changes. No backups to restore, no manual cleanup, no infrastructure to manage.

sandbox sb-7f3a9c01 running network filesystem compute my-agent.py python:3.12 512MB 2 CPU ✓commit ↺rollback

Network Isolation

Stop data exfiltration, credential abuse, and prompt-injected callouts before they leave the box. Cloud metadata, private networks, and unauthorized hosts are blocked by default. Every outbound request is policy-checked and logged against the agent that made it.

sandbox egress policy: default-deny 12:04:01 GET api.openai.com/v1/completions ALLOW 12:04:03 POST api.anthropic.com/v1/messages ALLOW 12:04:05 GET pypi.org/simple/pandas ALLOW 12:04:07 POST evil-exfil.io/upload DENY 12:04:08 GET 169.254.169.254/metadata DENY 12:04:09 PUT registry.npmjs.org/my-pkg DENY 3 allowed 3 blocked

Time Travel & Audit Trail

Know exactly what happened, who did it, and why - down to the file. Browse the full timeline, inspect diffs, and revert any commit instantly. Every change is tied to the human, process, or agent that produced it.

timeline scrubber last 6 commits a1b2 c3d4 e5f6 7890 ab12 cd34 2d ago now @ 7890a1b2 rogue-agent · 4h ago − secrets/prod-keys.yaml + exfil/dump.tar.gz ~ config/network.json ↺revert this commit

Agent-first RBAC

Agents are first-class citizens, with their own scoped permissions - never your full user access. Allow, deny, or require human approval per agent, per repository, per action. Granular policies in a simple, readable DSL.

policy evaluation 3 requests A analyst-agent READ /data/*.csv ALLOW WRITE /reports/q1.md APPROVE WRITE /secrets/keys DENY analyst-policy GetObject(path:"/data/*") ?PutObject(path:"/reports/*") # require human approval! !PutObject(path:"/secrets/*")

## Quickstart

CLI Python Claude Code

Run commands and interactive shells in sandboxes from your terminal. Built for CI/CD and agentic automation.

Run agents in interactive shells or one-shot sandboxes, stream output, and commit. Done in a few lines of Python.

Tell Claude to spin up a sandbox, run your agent, and atomically commit the results. In plain English.

CLI copy 1 # Install in one line 2 $ curl -fsSL https://tilde.run/install | sh 3 4 # Run an agent in a sandbox 5 $ tilde exec my-team/documents \ 6 --image python:3.12 \ 7 -- /sandbox/code/agent.py --input /sandbox/data/reports 8 sandbox running... 9 sandbox completed. exit code: 0, commit id: c9d0e1f2 10 11 # Or start an interactive shell 12 $ tilde shell my-team/documents --image python:3.12 13 root@sb-7f3a9c01:/sandbox$ _ 1 import tilde 2 3 repo = tilde.repository("my-team/documents") 4 5 # Run an agent in an interactive sandbox 6 with repo.shell(image="python:3.12") as sh: 7 sh.run("pip install pandas") 8 result = sh.run("python agent.py --input /sandbox/data") 9 print(result.stdout.text()) 10 11 # Or one-shot execution 12 result = repo.execute("python agent.py", image="python:3.12") 13 print(result.stdout.text()) 14 15 # Full audit trail 16 for commit in repo.timeline(): 17 print(commit.id[:8], commit.message) You Analyze the CSV files in our S3 data bucket and write a report to /sandbox/reports Agent I'll run the analysis on /sandbox/data/inputs/s3/, and commit the results. tilde exec my-team/documents \ --image analyst:latest \ -- ./code/agent.py --input ./data/inputs/s3 --output ./reports Analysis complete. 3 reports generated. Agent Sandbox execution complete, approval required Waiting for approval to commit sandbox results CLI Documentation → Agent Sandbox Guide → Python SDK Reference → REST API Documentation → Agent Sandbox Guide → Agent Skill Guide →

## How It Works

Every agent run is a transaction. Compose your filesystem, run your code, then decide: commit the changes or roll back like it never happened.

sandbox sb-7f3a9c01

Generate compliance reports from uploaded contracts

analyst-agent · 2 minutes ago + reports/q1-summary.md + reports/q1-metrics.json + charts/revenue-trend.png - staging/raw-export.csv e5f6a7b8

Code review sandbox: fix auth middleware

code-review-agent · 1 hour ago c9d0e1f2

Import customer documents from S3

sarah@acme.ai · 3 hours ago 01 setup

Compose Filesystem

Build a versioned repository from GitHub, S3, Drive, and more. Spin up an isolated sandbox with everything your agent needs.

github s3 drive ~/sandbox 02 execute

Run Agent

Your agent runs in isolation. Every file write is staged. The entire run is captured as a transaction -- committed atomically or discarded entirely.

$ tilde exec agent.py 03 decide

Commit or Rollback

Review the results. Approve and commit – or roll back and discard. One command, zero risk.

✓commit or ↺rollback >

Built by the team behind lakeFS

We built lakeFS - the open-source data versioning layer trusted by some of the world's largest organizations to manage billions of objects. Tilde is built on that same battle-tested versioning foundation, reimagined as the filesystem platform the autonomous AI agent era demands.

~/workspace | my-team/documents ready $tilde exec acme/docs -- python agent.py ● completed · committed a1b2c3d4 $_

Make agents safe.

Your first transactional, reversible agent run in 60 seconds. Join the private preview.

Get Started → Read the Docs →