Turso
AgentFS
Get Started
From the creators of Turso

Let AI Agents Use Real Tools Safely

AgentFS provides isolated filesystem access backed by a SQLite file so agents can safely run the CLI tools they were trained on.

Get Started
Host Filesystem
~/project
main.rsunchanged
lib.rsunchanged
config.tomlunchanged
Session A
Agent #1abc123
delta.db
No changes yet
Session B
Agent #2def456
delta.db
No changes yet
$
📋Copy-on-Write

Power vs. Safety

AI agents need filesystem access to be useful, but giving them full access is risky

Agents Need Power

  • Access CLI tools and binaries
  • Read and modify project files
  • Run complex development workflows
  • Interact with tools and scripts
  • Resume execution from saved state

But Access is Risky

  • Agents are inherently unpredictable
  • Accidental file deletion or corruption
  • No audit trail of what changed
  • Difficult to test and debug safely
  • Sessions are not resumable

AgentFS bridges this gap by providing resumable, isolated, auditable filesystem access that keeps your files safe while giving agents the tools they need

Built on Three Core Principles

AgentFS provides enterprise-grade safety for AI agents

Isolation
Copy-on-write overlay keeps original files untouched

AgentFS creates an isolated filesystem layer where all changes happen. Your original files remain completely safe and unchanged until you decide to apply the modifications.

Auditability
Every operation logged to a portable SQLite file

Complete visibility into what the agent did. Every file read, write, and modification is tracked in a SQLite file that you can inspect, share, and archive.

Portability
Entire agent session in a single file you can share

The entire agent session is contained in one portable SQLite file. Share it with teammates, archive it for compliance, or replay it later.

How It Works

Three simple steps to safe AI agent execution

01

Initialize

Set up AgentFS by mounting an isolated filesystem or using the SDK directly. Copy-on-write keeps your project safe.

02

Run

Your agent operates normally, unaware it's sandboxed. It can use any CLI tool and make any changes. All safely contained.

03

Audit

Review all changes in the SQLite file before committing to your real filesystem. Accept, reject, or modify as needed.

Real-World Use Cases

From development to production, AgentFS protects your filesystem

AI Code Assistants
Use Claude Code or Cursor without worrying about file damage

Let your AI assistant refactor code, generate files, and run tools—all in a safe sandbox.

Browser-Based Agents
Run CLI tools entirely in the browser with OPFS

Build web-based development environments where agents can access and modify files without server-side infrastructure.

Agent Development
Test and debug agents in safe, reproducible environments

Develop and test your own AI agents with full filesystem access, knowing you can reset to a clean state anytime.

Compliance & Security
Maintain complete audit logs of all AI operations

Track every file access and modification for security reviews, compliance reporting, and debugging production issues.

Cross-Platform Support

Platform-specific implementations for optimal performance

Browser
OPFS-based
  • Isomorphic-git support
  • Privacy-first design
  • No server required
  • Works in any modern browser
Linux
FUSE-based mounting
  • Production-ready
  • Native filesystem integration
  • High performance
  • Battle-tested in production
macOS
NFS-based serving
  • Built-in sandboxing
  • Native macOS integration
  • Developer-friendly
  • Easy installation via Homebrew

Early Feedback from Developers

See what developers are saying about AgentFS

Jarred Sumner
Jarred Sumner
@jarredsumner
Creator of Bun

agentfs is very interesting. SQLite seems like a better upper fs for this. I think one can probably get claude to do an updated and simpler port of fuse for macOS that exclusively supports FSKit as the backend & avoids the third-party dependency.

Jerry Liu
Jerry Liu
@jerryjliu0
CEO, LlamaIndex

AgentFS by @tursodatabase is a nice example of how you can give the agent access to a copy of all your files without messing up your raw data. This is needed to implement 'RAG 2.0': Just make Claude Code run over your filesystem.

Anthony Morris
Anthony Morris
@amorriscode
Claude Code Team, Anthropic

not seeing enough hype about agentfs tbh

Clélia Milhau
Clélia Milhau
@itsclelia
AI Engineer

I love the concept of sandbox. Especially if it means that my coding agent gets to play with a virtual file system while all my files are safe from the next `rm -rf /`. That's why I decided to integrate AgentFS by @tursodatabase within my workflows-acp agent.

Garrison
Garrison
@HeyGarrison
Founder, Compute-SDK

what @tursodatabase is doing w/ AgentFS is pretty amazing when you stop and think about it.

Darren Shepherd
Darren Shepherd
@ibuildthecloud
Founder, Acorn Labs

I'm really excited about agentfs from the folks at @tursodatabase. It's super early but it's pretty amazing how quickly @penberg can write this super complicated stuff.

Getting Started

Install AgentFS and start running agents safely in minutes

Installation
curl -fsSL https://agentfs.ai/install | bash
Basic Usage
# Run your agent in the sandbox
$ agentfs run claude-code "refactor the auth system"

# Review changes in the SQLite file
$ agentfs diff
View Full Documentation

Build Custom Agents

Also available as SDKs for building your own AI agents with built-in filesystem isolation

TypeScript

Python

Rust

View SDK Documentation →