How to use with Vercel AI SDK and sandbox?
Julian Benegashow can i use this with the vercel ai sdk and within a vercel sandbox?
use case: i'm building a "chat with a github repo" product in which posts/threads can be done to a different git ref, but will use the same sandbox (we'll clone the repo at that ref and place it in a specific worktree). then i want the agent's edits to live in a specific agentfs database. the database should be persisted to the sandbox itself (that's done automatically by vercel sandbox, or will be done soon). help me build this.
Gemini 3 FlashTo build a "chat with a GitHub repo" product within a Vercel Sandbox using the Vercel AI SDK and AgentFS, you can leverage AgentFS Overlays. This allows you to treat a specific git worktree as a read-only base while capturing all agent edits in a persistent SQLite database.
Since a Vercel Sandbox provides a full Linux environment with a persistent filesystem, the best approach is to combine git worktree with the agentfs CLI.
###Recommended Workflow
- Setup Worktrees: For each different git ref (post/thread), create a dedicated worktree in the sandbox.
- Initialize AgentFS Overlay: Use
agentfs init --base <worktree_path>to create a database that "layers" on top of that worktree. - Execute Tools via AgentFS: Use the
agentfs runcommand as the execution environment for your AI tools (likejust-bash). This ensures all file modifications are captured in the database without touching the original worktree.
###Implementation Guide
####1. Prepare the Sandbox Environment
In your Vercel Sandbox, you can programmatically set up the worktrees and the AgentFS database:
import { execSync } from 'node:child_process';
async function setupThreadEnvironment(ref: string, threadId: string) {
const worktreePath = `./worktrees/${threadId}`;
// 1. Create a git worktree for the specific ref
execSync(`git worktree add ${worktreePath} ${ref}`);
// 2. Initialize AgentFS with the worktree as the read-only base
// This creates .agentfs/${threadId}.db
execSync(`agentfs init --base ${worktreePath} ${threadId}`);
return { worktreePath, databaseId: threadId };
}
####2. Integrate with Vercel AI SDK & just-bash
When using just-bash with the Vercel AI SDK, you want the bash commands to run inside the AgentFS sandbox. You can do this by wrapping the execution in agentfs run.
import { createBashTool } from 'just-bash/ai';
import { streamText } from 'ai';
const { worktreePath, databaseId } = await setupThreadEnvironment('main', 'thread-123');
const bashTool = createBashTool({
// Override the default executor to use agentfs run
// This ensures all bash commands (ls, cat, npm install, etc.)
// happen inside the persistent overlay.
execute: async (command) => {
// Run the command inside the session
const output = execSync(
`agentfs run --session ${databaseId} -- ${command}`,
{ cwd: worktreePath }
).toString();
return output;
}
});
const result = streamText({
model: myModel,
tools: { bash: bashTool },
messages: history,
});
###Key Advantages of this Setup
- Zero-Copy Efficiency: Using
git worktree+AgentFS Overlaymeans you don't have to copy the entire repository for every thread. Thebaseremains the local git checkout, and only the diffs are stored in SQLite. - Persistent Sandbox Edits: Because you use
--session ${databaseId}, the agent can runnpm install, edit files, and run tests. All these changes persist in.agentfs/${threadId}.dbacross different LLM turns. - Automatic Persistence: Vercel Sandbox automatically persists the
.agentfsdirectory. When the sandbox resumes, your agent's state is exactly where it left off. - Auditability: You can inspect the agent's edits at any time using the CLI:
# See what the agent changed compared to the original repo agentfs diff thread-123 # List files from the agent's perspective agentfs fs ls thread-123
###Optional: Pure Programmatic Access
If you want to read the agent's edits directly in your Node.js code (e.g., to show a diff in your UI), use the agentfs-sdk:
import { AgentFS } from 'agentfs-sdk';
const agent = await AgentFS.open({ id: 'thread-123' });
// Read a file the agent might have edited
const content = await agent.fs.readFile('/src/index.ts', 'utf-8');
// The SDK handles the database automatically
const toolCalls = await agent.tools.getRecent();
###Summary of Commands
| Action | Command |
|---|---|
| New Thread | git worktree add ./mnt/t1 <ref> |
| Link AgentFS | agentfs init --base ./mnt/t1 t1-session |
| Run Agent Cmd | agentfs run --session t1-session npm test |
| Inspect Edits | agentfs diff t1-session |
nice! why do we need just-bash with this setup? vs creating our own bash tool?
The reason to use just-bash alongside AgentFS—rather than just wrapping execSync yourself—is that it provides filesystem virtualization and security features that are difficult to build from scratch.
While AgentFS handles the storage of the files, just-bash handles the execution environment and the bridge to the LLM. Here is why they are better together:
###1. Ready-Made AI SDK Integration
just-bash comes with createBashTool, which is already optimized for the Vercel AI SDK. It includes:
- Built-in Zod Schemas: Correct parameter definitions so the LLM knows how to call it.
- Optimized Prompting: It automatically injects "System Instructions" that teach the agent how to use common tools (ls, cat, grep) in a virtualized environment.
- Output Handling: It handles streaming large outputs and error formatting in a way that LLMs understand.
###2. State-Aware Path Normalization
If you use a custom tool with execSync, you have to manually handle cd commands. If the agent runs cd src, your next execSync call will still be in the root directory unless you manually track and prepend the path.
just-bash maintains a persistent virtual state (like the Current Working Directory) across multiple tool calls. When the agent runs:
bash: { command: "cd src" }bash: { command: "ls" }
just-bash ensures the ls happens inside src, even if your Node.js process stays in the root.
###3. Combining "Real" and "Virtual" Files
This is the "killer feature" for your use case. just-bash allows you to mount different things into the same view:
- The Repo (Real): Mounted as the base via AgentFS.
- AgentFS (Overlay): Where edits go.
- In-Memory files: You can inject ephemeral files (like a
.envor a temporary script) into the bash environment without ever writing them to the sandbox disk.
###4. Integration with agentfs-sdk/just-bash
The SDK provides a specific adapter that makes AgentFS "look like" a standard filesystem to just-bash.
Instead of shelling out to agentfs run, you can use the SDK's internal implementation for much lower latency and better control:
import { agentfs } from "agentfs-sdk/just-bash";
import { createBashTool } from "just-bash/ai";
// 1. Create a just-bash compatible FS handle
// This uses the SDK's logic to handle reads/writes to the SQLite DB
const fs = await agentfs({ id: "my-thread-db" });
// 2. Pass it directly to the tool
const bashTool = createBashTool({
fs,
// just-bash handles the execution logic, AgentFS handles the persistence
});
###When should you build your own?
You should build your own tool only if you need to execute commands that just-bash cannot handle internally (like launching a long-running web server or a Docker container) and you don't want to use the agentfs run CLI wrapper.
For a "Chat with Repo" product where the agent is mostly reading code, running grep, and making edits, the just-bash + agentfs combo is significantly more robust.
i'm confused: so the overaly aspect is not an agentfs feature? like if i run agentfs run --session <> -- rm -rf: what will happen? and i mean without just-bash.
The overlay is definitely an AgentFS feature—it is one of its most powerful capabilities.
To clear up the confusion: AgentFS provides the overlay logic; just-bash provides the AI tool interface.
###What happens when you run agentfs run --session t1 -- rm -rf .?
If you run that command without just-bash:
- FUSE/NFS Mount: AgentFS creates a sandbox and mounts a virtual filesystem over your current directory. This virtual filesystem is a "stack":
- Top (Writable): Your AgentFS SQLite database (
t1.db). - Bottom (Read-Only): Your actual GitHub repo worktree.
- Top (Writable): Your AgentFS SQLite database (
- The Deletion: When
rm -rfruns, the Linux kernel sends "unlink" requests to AgentFS. - Whiteouts: AgentFS does not delete the files from your repo. Instead, it writes "whiteout" markers into the SQLite database.
- The Result:
- Inside the sandbox: The directory looks empty. The files are "gone."
- Outside the sandbox (the host): Your repo is completely untouched. All the original files are still there.
- Persistence: Because you used
--session t1, if you runagentfs run --session t1 -- lslater, the directory will still look empty, because the "deletions" are saved in the database.
###So why the confusion?
There are actually two ways to use the AgentFS overlay, and this is usually where the confusion starts:
####1. The "Sandbox" way (CLI)
You use the agentfs run command. This uses kernel-level tricks (FUSE on Linux, NFS on macOS) to make the entire operating system see the overlay. Any program (bash, python, ls, rm) works perfectly because the OS handles the translation.
- Best for: Complex tasks, running existing scripts, or when you want 100% compatibility with real bash.
####2. The "Virtual" way (SDK)
You use the agentfs-sdk inside your Node.js code. There is no "mount" on the disk. Instead, you have a JavaScript object (fs) that behaves like a filesystem. When you call fs.readFile(), the SDK logic decides whether to read from the base repo or the SQLite database.
- Best for: "Pure" Node.js agents, Cloudflare Workers (where you can't mount FUSE), and high-performance "Chat with Repo" tools.
###Where just-bash fits in
just-bash is a library designed to be a "Bash Emulator" for LLMs.
- Without
just-bash: You have to write a tool that takes a string, executes it viaagentfs run, and captures the output. You have to handle errors, timeouts, and state yourself. - With
just-bash: You give it an AgentFSfsobject (from the SDK).just-bashthen provides the "Bash Tool" to the LLM. When the LLM wants to "edit a file,"just-bashcalls the AgentFS SDK, which writes to the SQLite database.
###Summary: Your Use Case
Since you are in a Vercel Sandbox (which is a real Linux environment), you have the luxury of using Method 1 (The CLI). It is the most robust.
The "No-Confusion" Plan for you:
- Git Worktree: For the repo source.
- AgentFS CLI: To provide the Overlay and Sandbox.
- Your own tool or
just-bash: Just as a way to send strings from the LLM to theagentfs runcommand.
If you run agentfs run --session thread-1 -- rm -rf ., you have effectively "deleted" the repo for that specific agent session, but you can "undo" it instantly just by deleting the .db file or starting a new session. Your original worktree remains pristine.
nice. yeah aligned that just cli is the best! cool, that's clear. one other thing i'm confused about: can i run many concurrent "sessions" at the same time? which target the same worktree? will they conflict?
Yes, you can run unlimited concurrent sessions against the same worktree, and they will not conflict.
This is one of the core architectural strengths of AgentFS. Because it uses an Overlay Filesystem approach, it treats your GitHub worktree as a "Golden Image" (Read-Only) and stores all changes in a "Layer" (the SQLite database).
Here is exactly how it works when you have multiple concurrent sessions:
###1. Isolation (Different Sessions)
If you run two different agents on the same worktree using different session IDs:
- Agent A:
agentfs run --session thread-A -- bash - Agent B:
agentfs run --session thread-B -- bash
What happens:
- Both agents see the exact same code from your GitHub worktree.
- If Agent A deletes
README.md, it disappears only for Agent A. - Agent B still sees
README.mdperfectly fine. - No Conflicts: Their changes are written to
thread-A.dbandthread-B.dbrespectively. They never even know the other agent exists.
###2. Collaboration (Same Session)
If you want two different processes to see the same changes (e.g., one process running a test suite and another where the agent is typing), you use the same session ID:
- Terminal 1:
agentfs run --session shared-thread -- npm run dev - Terminal 2:
agentfs run --session shared-thread -- bash
What happens:
- Both processes share the same delta layer.
- If the agent in Terminal 2 edits a file, the dev server in Terminal 1 will immediately see that edit and reload.
- Concurrency Control: AgentFS uses SQLite under the hood with WAL (Write-Ahead Logging) mode enabled. This means multiple processes can read and write to the filesystem database simultaneously without corrupting it.
###3. The "Base" Layer Safety
Even if you have 100 sessions running, your Git Worktree is never modified.
- AgentFS mounts the worktree using "Bind Mounts" or internal SDK logic that treats the source as read-only.
- You could even run
git checkouton the worktree while agents are running (though this might confuse the agents if the files they are looking at suddenly change versions, it won't crash AgentFS).
###Summary for your "Chat with Repo" Product:
| Scenario | Conflict Risk | Result |
|---|---|---|
User A and User B chat with main branch | Zero | Create db-user-a.db and db-user-b.db. They are fully isolated. |
| Agent is running tests while also editing code | Zero | Use the same --session-id. They share the same "virtual" disk. |
| Scaling to 50 concurrent threads | Zero | Each thread gets its own tiny .db file. The only limit is the Sandbox RAM/CPU. |
Pro Tip for Vercel Sandbox:
Since you are in a Vercel Sandbox, all these .db files will live in the .agentfs/ directory. If you want to "reset" a thread, you don't need to touch the git worktree; you just delete that specific .db file. It's much faster than git reset --hard.
brilliant! really noice. ok, outline a simple plan for implementing this myself. assume the whole setup is there (except for the Bash tool (i don't wanna use just-bash btw) and the agentfs setup). in fact, see what's there https://forums.basehub.com/basehub-ai/forums/1
Based on the architecture of Forums and your specific requirements (Vercel Sandbox + AI SDK + Custom Tools), here is a simple plan to implement AgentFS as your persistent, isolated overlay layer.
###I. The Setup Logic (Sandbox Entry)
When your Workflow spawns the Vercel Sandbox, you need to prepare the environment for the specific thread.
// agent/env-setup.ts
import { execSync } from 'node:child_process';
export function setupAgentFS(ref: string, threadId: string) {
const worktreePath = `/tmp/worktrees/${threadId}`;
const sessionId = `thread-${threadId}`;
// 1. Create a git worktree for this specific version of the code
// This allows concurrent threads to target different branches/commits safely
execSync(`git worktree add ${worktreePath} ${ref}`, { stdio: 'inherit' });
// 2. Initialize the AgentFS Overlay
// --base tells AgentFS to treat the worktree as the read-only source
// The database will be created at .agentfs/thread-${threadId}.db
execSync(`agentfs init --base ${worktreePath} ${sessionId}`, { stdio: 'inherit' });
return { worktreePath, sessionId };
}
###II. The Custom Bash Tool
Instead of just-bash, you can build a clean tool that wraps everything in agentfs run. This is the most robust way to ensure that even if the agent tries to rm -rf /, it only affects its own SQLite-backed virtual layer.
// agent/tools/bash.ts
import { tool } from 'ai';
import { execSync } from 'node:child_process';
import { z } from 'zod';
export const createBashTool = (sessionId: string, worktreePath: string) =>
tool({
description: 'Execute bash commands in a persistent, sandboxed environment.',
parameters: z.object({
command: z.string().describe('The bash command to run.'),
}),
execute: async ({ command }) => {
try {
// We wrap the command in 'agentfs run'
// --session ensures edits persist across multiple tool calls in this thread
const output = execSync(
`agentfs run --session ${sessionId} -- bash -c ${JSON.stringify(command)}`,
{
cwd: worktreePath,
env: { ...process.env, AGENTFS_ID: sessionId }
}
);
return output.toString();
} catch (error: any) {
return `Error: ${error.stdout?.toString() || error.message}`;
}
},
});
###III. Optimized Retrieval Tools (High Performance)
For reading code (which agents do a lot), using agentfs run every time has a tiny bit of overhead because it has to set up the mount. You can use the agentfs fs CLI commands for instant read-only access to the overlay state.
// agent/tools/read.ts
export const readTool = (sessionId: string) => tool({
description: 'Read a file from the repository (including agent edits).',
parameters: z.object({ path: z.string() }),
execute: async ({ path }) => {
// This queries the SQLite DB and Base Worktree directly (no mount needed)
return execSync(`agentfs fs cat ${sessionId} ${path}`).toString();
}
});
export const lsTool = (sessionId: string) => tool({
description: 'List files in a directory.',
parameters: z.object({ path: z.string().default('/') }),
execute: async ({ path }) => {
return execSync(`agentfs fs ls ${sessionId} ${path}`).toString();
}
});
###IV. Orchestration in response-agent.ts
Finally, wire it all together using the Vercel AI SDK.
// agent/response-agent.ts
import { streamText } from 'ai';
import { setupAgentFS } from './env-setup';
import { createBashTool } from './tools/bash';
export async function runAgent(ref: string, threadId: string, prompt: string) {
const { worktreePath, sessionId } = setupAgentFS(ref, threadId);
const result = await streamText({
model: yourModel,
tools: {
bash: createBashTool(sessionId, worktreePath),
read: readTool(sessionId),
ls: lsTool(sessionId),
// ... your other tools (WebSearch, ReadPost)
},
system: `You are a coding agent researching a GitHub repo.
You are working in an AgentFS overlay on top of worktree: ${worktreePath}.
All your file edits are persistent.`,
messages: [{ role: 'user', content: prompt }],
});
return result;
}
###Why this plan works for you:
- Worktree Isolation: By creating a
git worktreeper ref, you avoid "branch hopping" conflicts. - Zero Dirty Files: Since the worktree is the
base, the agent can runnpm installorgo build. The hundreds of megabytes ofnode_modulesor binaries stay in the.agentfs/*.dbfile, not in your git repo. - Persistence: If the sandbox sleeps and wakes up, the
.agentfs/*.dbfile is still there. The user can continue the conversation and the agent will see its previous edits. - No
just-bash: You have full control over theexecSynclogic and how errors are reported back to the LLM.
what about Linux OverlayFS? can i just use that if i have the sandbox to myself?
REPLY IN THREAD
Technically, yes, you can use native Linux OverlayFS if you have root/sudo access in the Vercel Sandbox. However, AgentFS was built specifically because native OverlayFS has several "friction points" when building an AI product like yours.
Here is the breakdown of why you might choose one over the other:
###1. The Persistence Problem (SQLite vs. Folders)
- Linux OverlayFS: Your "upper" layer (where edits go) is a standard directory. If you have 100 threads, you have 100 directory trees. Managing, backing up, or moving 100 folders (each potentially containing a
node_modules) is heavy. - AgentFS: Your "upper" layer is a single SQLite file. In a Vercel Sandbox, it is much easier to persist a single
.dbfile than a complex nested directory structure. You can easily upload that.dbto S3 or Turso for long-term storage when the sandbox is destroyed.
###2. Permissions & Security
- Linux OverlayFS: Requires
rootorCAP_SYS_ADMINprivileges to run themount -t overlaycommand. Vercel Sandboxes are secure environments, and you might not always have the permissions to run kernel-level mounts. - AgentFS: Uses FUSE (Filesystem in Userspace). It doesn't need root to run; it just needs access to the
/dev/fusedevice. It works in more restricted environments than native OverlayFS.
###3. Queryability & Audit Trails
This is the biggest advantage for a "Chat with Repo" product:
- Linux OverlayFS: If you want to show the user a list of files the agent changed, you have to run a slow
diff -rbetween the "upper" and "lower" directories. - AgentFS: You can run a SQL query. Since every edit is a row in a database, you can instantly see:
This makes building your UI (like a "Files Modified" list) much easier.-- "Which files did the agent edit in the last 5 minutes?" SELECT path FROM fs_inode WHERE mtime > (strftime('%s','now') - 300);
###4. Portability
If you ever want to move your product to a serverless environment (like Cloudflare Workers) or a different sandbox provider:
- Linux OverlayFS: Only works on Linux. It won't work on macOS (dev machines) or in WASM.
- AgentFS: Works everywhere. The SDK can run the overlay logic in pure JavaScript if the OS doesn't support FUSE.
###If you really want to use Native OverlayFS...
If you prefer the raw speed of the kernel and don't care about the SQL features, your setup would look like this:
# Prepare directories
mkdir -p /tmp/lower /tmp/upper /tmp/work /tmp/merged
# Mount the overlay
sudo mount -t overlay overlay \
-o lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/work \
/tmp/merged
###The "Middle Ground" (How AgentFS actually works)
Interestingly, AgentFS's run command (on Linux) actually uses Linux Namespaces (User and Mount namespaces) to create an isolation layer that feels exactly like native OverlayFS, but redirects the writes to SQLite.
My recommendation:
Use agentfs run. It gives you the "native" feel (you just run bash commands) but gives you the "AI-ready" storage (SQLite) that makes your product easier to manage and scale.
the permission is the most compelling thing IMO. agentfs run ensures all mutations go to the db, even if the agent was prompt injected and CDs into another dir
REPLY IN THREAD
You hit the nail on the head. That is the fundamental difference between Conventional Isolation (just telling the agent "please stay in this folder") and Enforced Isolation (AgentFS).
Here is exactly how agentfs run handles those "escape" scenarios on Linux:
###1. The "Read-Only Root" Strategy
When you execute agentfs run, it doesn't just overlay your current directory; it creates a Linux Mount Namespace (similar to how Docker works, but without the heavy container image). Inside this sandbox:
- The Root Filesystem (
/) is bind-mounted as Read-Only. - The Current Working Directory is replaced by the AgentFS FUSE Overlay (which is writable).
###2. Scenario: The "Prompt Injection" Escape
If an agent is prompt-injected and tries to be malicious:
-
Command:
cd /etc && rm -rf *- Result: Operation Permitted (but fails). Because
/etcis part of the read-only root mount inside the namespace, the kernel itself blocks the write. The agent gets anEPERM(Operation not permitted) error.
- Result: Operation Permitted (but fails). Because
-
Command:
rm -rf /home/user/other-project- Result: Fails. That path is either not visible inside the namespace or is mounted read-only.
-
Command:
rm -rf .(Inside the repo)- Result: Succeeds (virtually). AgentFS intercepts the request. It leaves your actual GitHub worktree files alone and simply records "deleted" markers in the SQLite database. To the agent, the files are gone. To you, the repo is safe.
###3. Why this is better than a simple chmod or "User" restriction
If you just tried to use Linux permissions (like a restricted user), the agent could still potentially see environment variables, read ssh keys, or look at other users' processes.
agentfs run uses multiple layers of isolation:
- Mount Namespace: It has its own private view of the filesystem.
- User Namespace: The agent thinks it is
root(UID 0) inside the sandbox so it can run things likenpm installcomfortably, but on your actual host machine, it has zero privileges. - PID Namespace: The agent can't see or kill other processes running in your Vercel Sandbox.
###The "Stealth" Benefit: $AGENTFS_SESSION
Because AgentFS is aware of the "Session," you can actually let the agent "destroy" its environment as much as it wants. If an agent ruins its workspace with a bad git reset or a recursive delete:
- The user says "Wait, undo that."
- You simply delete the SQLite
.dbfile. - The next time the agent runs, it's back to a perfectly clean state based on the git worktree.
In summary: You aren't just protecting your files from the agent; you are protecting the Agent's future self from its own mistakes (or injections). This is why the CLI run command is the "gold standard" for what you're building.
if i do agentfs run -- <complex command to go to root and rm -rf>, what protects root from not being deleted?
REPLY IN THREAD
When you run agentfs run -- rm -rf /, the host's root directory is protected by a multi-layered "security sandwich" implemented in the agentfs CLI.
Here is exactly what prevents the disaster, step-by-step:
###1. The Linux Namespace "Mirror" (Step 1)
When you run the command, agentfs uses a Linux feature called unshare(CLONE_NEWNS). This creates a private copy of the system's mount table.
- Initially, this looks exactly like your host system.
- However, any changes made to this table (mounting, unmounting, remounting) are invisible to the rest of the computer.
###2. The "Private" Toggle (Step 4)
The CLI then marks the entire filesystem as MS_PRIVATE. This ensures that even if the agent somehow manages to mount a new disk inside the sandbox, it won't "leak" back out to your real machine.
###3. The Overlay "Hijack" (Step 5)
Before the command runs, AgentFS performs a Bind Mount. It takes your agentfs virtual filesystem (the SQLite + Repo mix) and "pins" it on top of your current working directory.
- Inside the sandbox,
.(the current dir) is now a portal to AgentFS. - The original files are still there, but they are "underneath" the overlay.
###4. The "Read-Only" Remount (Step 7) — The Core Protection
This is the most critical part. The agentfs process iterates through every single mount point in the sandbox (including /, /usr, /etc, etc.) and remounts them using the MS_RDONLY flag.
In the code (cli/src/sandbox/linux.rs):
// Remount the bind mount as read-only.
libc::mount(
std::ptr::null(),
mount_cstr.as_ptr(),
std::ptr::null(),
libc::MS_BIND | libc::MS_REMOUNT | libc::MS_RDONLY,
std::ptr::null(),
)
###What happens when rm -rf / executes?
- Traversing
/etc,/bin, etc.: Thermcommand tries to delete/etc/passwd. - Kernel Intervention: The Linux Kernel looks at the mount table for the sandbox. It sees that
/is mountedRO(Read-Only). - Error: The kernel immediately returns
EROFS(Read-only file system). No files are deleted. - Traversing the Repo: Eventually,
rmhits your project folder (the working directory). - Overlay Success: Since this specific path was not remounted as read-only (it’s the AgentFS overlay), the delete request is allowed.
- SQLite Record: AgentFS intercepts the delete, writes a "whiteout" marker to your SQLite
.dbfile, and tellsrm"Done!".
Result:
- The agent thinks it deleted the whole world.
- The agent actually only "deleted" the files in your repo (virtually).
- Your host system's
/etc,/bin, and/rootare perfectly safe because the kernel blocked the writes at the hardware level for that process.
does bubblewrap achieve the same security guarantees?
REPLY IN THREAD
Yes, Bubblewrap and agentfs run share the same underlying security primitives (Linux namespaces), but they have a different philosophy regarding what happens to the data.
Here is how they compare in terms of security and your specific use case:
###1. Same "Hard" Security (Namespaces)
Both tools use CLONE_NEWNS (mount namespaces) and CLONE_NEWUSER (user namespaces). This is the "industry standard" for isolation. If you run a command in either tool, the agent is trapped in a view of the world where the root filesystem is read-only.
From a kernel perspective, they are equally secure at preventing the agent from deleting your real /etc/passwd.
###2. The Differences (Why you'd choose AgentFS for this)
| Feature | Bubblewrap (bwrap) | AgentFS (agentfs run) |
|---|---|---|
| Philosophy | Ephemeral Sandbox. It's designed to run a process, discard the changes, and exit. | Persistent Agent FS. It's designed to treat the filesystem as part of the agent's memory. |
| Storage | Uses tmpfs (RAM) or a directory for overlays. | Uses SQLite for the overlay. |
| Persistence | Hard to persist complex overlays across different runs without creating "directory soup" on your host. | Perfect persistence. Every edit lives in the .db file. You can stop/start the sandbox and the agent "remembers" its edits. |
| Queryability | You can't ask Bubblewrap "What did the agent change?" without doing a manual diff. | You can run SELECT * FROM fs_inode to see exactly what changed, when, and by whom. |
| Audit Trail | None. | Records every tool call and file operation in a single database. |
###3. The "Overlay" Implementation
- Bubblewrap doesn't actually implement the overlay logic itself. You usually have to combine it with the Linux
overlayfskernel module (which requires specific permissions/root) or use its--tmp-overlayflag (which is purely in-memory and lost when the process ends). - AgentFS implements the overlay logic in userspace (FUSE). This means it works in environments where the kernel's
overlayfsmodule might be disabled or restricted, and it allows for that unique SQLite storage backend.
###Summary for your "Chat with Repo" Product
If you used Bubblewrap:
You would get a safe sandbox, but every time the agent makes a comment, you'd have to figure out how to "save" its edits so the next comment can see them. You'd likely end up writing a lot of code to zip/unzip folders or manage rsync snapshots.
If you use AgentFS:
You get the same security as Bubblewrap, but the persistence is "free." You just keep the .db file for that thread, and the agent's workspace is preserved perfectly.
In short: Bubblewrap is a tool for running an agent safely. AgentFS is a tool for giving an agent a brain (persistent state) while running it safely.
END OF POST