Recently, I was testing an autonomous AI agent in a local directory. I gave it a multi-step coding task and a terminal tool so it could run its own tests.

Everything looked fine for the first three steps. I thought to myself, this is way easier than I expected. But I was wrong. The agent hit an error, hallucinated a strange fix, and then tried to fix that but executing a command that nuked my workspace filesystem. Everything was corrupted, without warning.

If you are building with LLMs right now, you already know that giving an agent raw shell access feels like giving the summer intern prod credentials on their first day. But the real problem isn't just that agents break things. It's that when they do, we don't have a standard way to hit undo.

The Missing Primitive

Right now, the standard answer to this problem would be: "Why don't you just use a sandbox?"