
Show HN: Tilde.run – Agent Sandbox with a Transactional, Versioned Filesystem

Hacker News · ozkatz · 1 view · 16 min read
~tilde.run

Let AI agents loose on production. Without the risk.

Tilde turns every agent run into a transaction you can roll back. Code from GitHub, data from S3, and documents from Drive show up as a single versioned filesystem. Every outbound call is checked and logged. Autonomous code, finally safe to use against real data.

Free to start · Join the private preview

```
my-team/documents | main · LIVE

AGENTS · 2 running
  analyst      python:3.12   64%
  doc-writer   node:22       41%

FILESYSTEM @ a1b2c3d4 · HEAD · 4 mounts
  /code     github   acme/ml-pipeline
  /data     s3       847 objects · 12 GB
  /docs     gdrive   team-wiki
  /output   local    +4 ~1 · 5 files staged

all versioned · any commit revertible
```

```sh
$ curl -fsSL https://tilde.run/install | sh
```

- Reversible by default: Roll back any agent run with one command
- One filesystem, all your data: GitHub, S3, and Drive as a single ~/sandbox
- Contained by default: Isolated runs, every network call audited
- You stay in control: Per-action policies and human approval gates

Plugs into the stack you already use

Hugging Face · Claude · AWS S3 · LangGraph · Google Drive

## Features

Three guarantees that make autonomous code safe to run on real data: reversibility, isolation, and audit. Useful on their own. Decisive together.

### Versioned Composable Filesystem

A real POSIX filesystem - any tool, any language, no SDKs. Mount code from GitHub, training data from S3, and documents from Google Drive as a single ~/sandbox. Every file is versioned from the first commit, and any agent run can be rolled back instantly.

```
compose filesystem · 4 mounts

SOURCES                        ~/sandbox
github   acme/ml-pipeline      ├─ code
s3       acme-data/training    ├─ data
gdrive   team-wiki             ├─ docs
local    output/               └─ output

all versioned · all reversible
```

### Safe Serverless Sandboxes

Stop fearing the rogue-agent outcome. Each run is a transaction in a fresh, isolated container - on a clean exit, changes commit atomically; on failure, nothing changes. No backups to restore, no manual cleanup, no infrastructure to manage.

```
sandbox sb-7f3a9c01 · running
network · filesystem · compute
my-agent.py · python:3.12 · 512MB · 2 CPU
✓ commit   ↺ rollback
```

### Network Isolation

Stop data exfiltration, credential abuse, and prompt-injected callouts before they leave the box. Cloud metadata, private networks, and unauthorized hosts are blocked by default. Every outbound request is policy-checked and logged against the agent that made it.

```
sandbox egress · policy: default-deny

12:04:01  GET   api.openai.com/v1/completions   ALLOW
12:04:03  POST  api.anthropic.com/v1/messages   ALLOW
12:04:05  GET   pypi.org/simple/pandas          ALLOW
12:04:07  POST  evil-exfil.io/upload            DENY
12:04:08  GET   169.254.169.254/metadata        DENY
12:04:09  PUT   registry.npmjs.org/my-pkg       DENY

3 allowed · 3 blocked
```
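A minimal default-deny egress check that reproduces the six verdicts in the sample log above. This is an added example, not Tilde's code or policy format: the `(method, host)` allowlist, the function names and the rule that internal addresses are rejected before the allowlist is consulted are all assumptions.

```python
import ipaddress

# Assumed allowlist of (method, host) pairs, chosen to match the sample log;
# not Tilde's real policy format.
ALLOW = {
    ("GET", "api.openai.com"),
    ("POST", "api.anthropic.com"),
    ("GET", "pypi.org"),
}

# Constructed requests mirroring the sample egress log.
SAMPLE = [
    ("GET", "api.openai.com/v1/completions"),
    ("POST", "api.anthropic.com/v1/messages"),
    ("GET", "pypi.org/simple/pandas"),
    ("POST", "evil-exfil.io/upload"),
    ("GET", "169.254.169.254/metadata"),
    ("PUT", "registry.npmjs.org/my-pkg"),
]


def is_internal(host):
    """True for IP literals in loopback, link-local (cloud metadata) or private ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_loopback or ip.is_link_local or ip.is_private


def decide(method, target, allow=ALLOW):
    """Return (verdict, reason) for one outbound request under default-deny."""
    host = target.split("/", 1)[0].lower().rstrip(".")
    if is_internal(host):
        # Checked first so that no allowlist entry can re-open internal ranges.
        return "DENY", "internal address"
    if (method.upper(), host) in allow:
        return "ALLOW", "allowlisted"
    return "DENY", "default-deny"


def audit(agent, requests):
    """Evaluate every request and return log records tied to the agent."""
    return [(agent, m, t) + decide(m, t) for m, t in requests]
```

This sketch only inspects IP literals; an enforcing proxy would also apply `is_internal` to the addresses an allowlisted hostname resolves to at connect time.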

### Time Travel & Audit Trail

Know exactly what happened, who did it, and why - down to the file. Browse the full timeline, inspect diffs, and revert any commit instantly. Every change is tied to the human, process, or agent that produced it.

```
timeline scrubber · last 6 commits
a1b2 · c3d4 · e5f6 · 7890 · ab12 · cd34    (2d ago ... now)

@ 7890a1b2 · rogue-agent · 4h ago
  − secrets/prod-keys.yaml
  + exfil/dump.tar.gz
  ~ config/network.json
↺ revert this commit
```

### Agent-first RBAC

Agents are first-class citizens, with their own scoped permissions - never your full user access. Allow, deny, or require human approval per agent, per repository, per action. Granular policies in a simple, readable DSL.

```
policy evaluation · 3 requests

analyst-agent
  READ   /data/*.csv      ALLOW
  WRITE  /reports/q1.md   APPROVE
  WRITE  /secrets/keys    DENY

analyst-policy
  GetObject(path:"/data/*")
  ?PutObject(path:"/reports/*")   # require human approval!
  !PutObject(path:"/secrets/*")
```
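A small evaluator for the three-rule sample policy above, showing how the `?` and `!` prefixes could map to APPROVE and DENY with everything else denied. This is an added example, not Tilde's implementation: the prefix semantics are inferred from the sample panel, and the READ/WRITE mapping, strictest-match precedence and path normalisation are assumptions.

```python
import posixpath
import re
from fnmatch import fnmatchcase

# Rule text copied from the sample policy panel.
POLICY = '''
GetObject(path:"/data/*")
?PutObject(path:"/reports/*")  # require human approval!
!PutObject(path:"/secrets/*")
'''

RULE = re.compile(r'^([?!]?)(\w+)\(path:"([^"]+)"\)$')
EFFECT = {"": "ALLOW", "?": "APPROVE", "!": "DENY"}   # assumed prefix meanings
RANK = {"DENY": 0, "APPROVE": 1, "ALLOW": 2}          # assumed: strictest match wins
ACTION = {"READ": "GetObject", "WRITE": "PutObject"}  # assumed verb mapping


def parse(text):
    """Parse rule lines into (effect, action, path_glob) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            # Fail closed: a typo must not silently drop a deny rule.
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((EFFECT[m.group(1)], m.group(2), m.group(3)))
    return rules


def evaluate(rules, verb, path):
    """Return ALLOW, APPROVE or DENY; anything unmatched is denied."""
    action = ACTION.get(verb)
    # Normalise first so "/data/../secrets/keys" is judged as "/secrets/keys".
    path = posixpath.normpath(path)
    hits = [eff for eff, act, glob in rules
            if act == action and fnmatchcase(path, glob)]
    return min(hits, key=RANK.__getitem__) if hits else "DENY"
```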

## Quickstart

### CLI

Run commands and interactive shells in sandboxes from your terminal. Built for CI/CD and agentic automation.

```sh
# Install in one line
$ curl -fsSL https://tilde.run/install | sh

# Run an agent in a sandbox
$ tilde exec my-team/documents \
    --image python:3.12 \
    -- /sandbox/code/agent.py --input /sandbox/data/reports
sandbox running...
sandbox completed. exit code: 0, commit id: c9d0e1f2

# Or start an interactive shell
$ tilde shell my-team/documents --image python:3.12
root@sb-7f3a9c01:/sandbox$ _
```

### Python

Run agents in interactive shells or one-shot sandboxes, stream output, and commit. Done in a few lines of Python.

```python
import tilde

repo = tilde.repository("my-team/documents")

# Run an agent in an interactive sandbox
with repo.shell(image="python:3.12") as sh:
    sh.run("pip install pandas")
    result = sh.run("python agent.py --input /sandbox/data")
    print(result.stdout.text())

# Or one-shot execution
result = repo.execute("python agent.py", image="python:3.12")
print(result.stdout.text())

# Full audit trail
for commit in repo.timeline():
    print(commit.id[:8], commit.message)
```

### Claude Code

Tell Claude to spin up a sandbox, run your agent, and atomically commit the results. In plain English.

**You:** Analyze the CSV files in our S3 data bucket and write a report to /sandbox/reports

**Agent:** I'll run the analysis on /sandbox/data/inputs/s3/, and commit the results.

```sh
tilde exec my-team/documents \
    --image analyst:latest \
    -- ./code/agent.py --input ./data/inputs/s3 --output ./reports
```

Analysis complete. 3 reports generated.

**Agent:** Sandbox execution complete, approval required

Waiting for approval to commit sandbox results

## How It Works

Every agent run is a transaction. Compose your filesystem, run your code, then decide: commit the changes or roll back like it never happened.

```
sandbox sb-7f3a9c01 · Generate compliance reports from uploaded contracts
  analyst-agent · 2 minutes ago
  + reports/q1-summary.md
  + reports/q1-metrics.json
  + charts/revenue-trend.png
  - staging/raw-export.csv

e5f6a7b8 · Code review sandbox: fix auth middleware
  code-review-agent · 1 hour ago

c9d0e1f2 · Import customer documents from S3
  sarah@acme.ai · 3 hours ago
```

### 01 setup: Compose Filesystem

Build a versioned repository from GitHub, S3, Drive, and more. Spin up an isolated sandbox with everything your agent needs.

github · s3 · drive · ~/sandbox

### 02 execute: Run Agent

Your agent runs in isolation. Every file write is staged. The entire run is captured as a transaction -- committed atomically or discarded entirely.

```sh
$ tilde exec agent.py
```

### 03 decide: Commit or Rollback

Review the results. Approve and commit – or roll back and discard. One command, zero risk.

✓ commit or ↺ rollback

Built by the team behind lakeFS

We built lakeFS - the open-source data versioning layer trusted by some of the world's largest organizations to manage billions of objects. Tilde is built on that same battle-tested versioning foundation, reimagined as the filesystem platform the autonomous AI agent era demands.

```
~/workspace | my-team/documents · ready
$ tilde exec acme/docs -- python agent.py
● completed · committed a1b2c3d4
$ _
```

Make agents safe.

Your first transactional, reversible agent run in 60 seconds. Join the private preview.
