Tilde.run: Agent Sandbox With a Versioned Filesystem That Rolls Back
Show HN today: Tilde.run, an agent sandbox built around a transactional, versioned filesystem. 102 points in six hours. The team behind it built lakeFS — open-source data versioning — so they're walking into agent infrastructure from a data-engineering background that the rest of the field tends to skip.
The pitch is simple to state and hard to do. Agent runs are reversible transactions: either everything commits atomically or everything discards. No half-applied writes, no manual cleanup of half-deleted directories, no "the agent went rogue and now I'm grepping git history" recovery work. Mount your GitHub code, S3 training data, and Google Drive docs as a single ~/sandbox. The agent sees one filesystem with full version history. Your real production data sees nothing until commit.
Around the filesystem: default-deny network egress (no exfiltration even if the agent gets prompt-injected), agent RBAC scoped separately from your user creds, full audit trail of every file change with attribution. The combination is what's interesting — most agent harnesses pick one of these (sandboxing OR versioning OR egress control). Tilde wraps all three around the same primitive.
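The commit-or-discard semantics and per-change attribution described above, as an added Python sketch that is not Tilde's code or API: a toy local model where each run writes to a staging copy and a commit is one atomic symlink swap. The class, method, agent and file names are assumptions made for illustration.

```python
import contextlib, os, shutil, tempfile
from pathlib import Path

def snapshot(d: Path) -> dict:
    return {p.relative_to(d).as_posix(): p.read_bytes() for p in d.rglob("*") if p.is_file()}

class VersionedDir:
    """Toy model: versions/<n> directories plus a 'current' symlink readers follow."""
    def __init__(self, root: Path):
        self.root, self.audit, self.next_id = root, [], 1
        (root / "versions" / "0").mkdir(parents=True)
        self.point_to(0)

    def point_to(self, n: int) -> None:
        """Commit (or roll back) by atomically repointing 'current' with one rename."""
        tmp = self.root / "current.tmp"
        tmp.symlink_to(self.root / "versions" / str(n))
        os.replace(tmp, self.root / "current")

    def head(self) -> int:
        return int(Path(os.readlink(self.root / "current")).name)

    @contextlib.contextmanager
    def run(self, agent: str):
        base = self.root / "versions" / str(self.head())
        stage = self.root / "versions" / f"{self.next_id}.staging"
        shutil.copytree(base, stage)
        try:
            yield stage                       # the agent only ever writes here
        except BaseException:
            shutil.rmtree(stage)              # discard: 'current' never moved
            raise
        before, after = snapshot(base), snapshot(stage)
        changed = sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
        stage.rename(self.root / "versions" / str(self.next_id))
        self.point_to(self.next_id)           # readers switch versions in one step
        self.audit.append((self.next_id, agent, changed))   # who changed what
        self.next_id += 1

def demo() -> dict:
    fs = VersionedDir(Path(tempfile.mkdtemp()))   # constructed sample workspace
    with fs.run("agent-a") as ws:
        (ws / "prod.db").write_text("rows")
    with contextlib.suppress(RuntimeError), fs.run("agent-b") as ws:
        (ws / "prod.db").unlink()                 # destructive write, then a failure
        raise RuntimeError("agent aborted mid-run")
    return {"head": fs.head(), "live": snapshot((fs.root / "current").resolve()), "audit": fs.audit}

if __name__ == "__main__":
    print(demo())
```

Because earlier version directories are kept, calling `point_to` with an older number is the rollback path in this model.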
This belongs in the agent-runtime-safety cluster forming over the last two weeks: Mendral architectural answer, Rosentic deterministic CI, Mindra consumer self-healing, Intuned production browser. Tilde is the storage-and-network layer answer. Five concrete responses to the same Cursor-deletes-prod-DB problem in three weeks. The harness reliability fight is now a category.
Site: https://tilde.run