The adjacent problem I’ve been focused on is what happens after the agent finishes in its isolated environment: how do you review what it actually changed before accepting the result?
I’m interested in diff/commit/rollback at the filesystem level, so you can selectively keep some changes and discard others.
I kept running AI coding agents with full filesystem and network access,
and no way to review what they did before it hit my system. Docker isolates
but doesn't govern. So I built envpod.
Every agent runs in a pod with a copy-on-write overlay. Your host is never
touched until you explicitly commit:
$ sudo envpod init my-agent --preset claude-code
$ sudo envpod run my-agent -- claude
$ sudo envpod diff my-agent # review every change
$ sudo envpod commit my-agent # apply to host, or rollback
Also: encrypted credential vault (agent never sees raw API keys), per-pod
DNS filtering (whitelist which domains the agent can reach), action queue
(irreversible ops wait for approval), and append-only audit trail.
Single 13 MB static Rust binary. No daemon, no container runtime, no
dependencies. Warm start in 32ms. 50 pod clones in 408ms. Tested on 9
Linux distros.
41 example configs for Claude Code, Codex, Aider, SWE-agent, browser-use,
and more.
The adjacent problem I’ve been focused on is what happens after the agent finishes in its isolated environment: how do you review what it actually changed before accepting the result?
I’m interested in diff/commit/rollback at the filesystem level, so you can selectively keep some changes and discard others.
Different problem, but they compose naturally.