Sandboxed runner for AI coding agents. No more permission fatigue. Your files stay untouched until you say otherwise.
AI coding agents want to edit your files and run commands, so you must choose between them constantly asking your permission, or bypassing permissions and risking a catastrophe.
Until now.
Let your agent live dangerously in a sandbox, then review the changes and decide what to keep.
```
You                           Sandbox                       Your project
│                             │                             │
├─ yoloai new fix-bug .       ├─ sandbox copy of project    │
│                             │                             │
├─ << your prompt(s) >>       ├─ agent works freely         │
│                             │  (no permission prompts)    │
│                             │                             │
├─ yoloai diff fix-bug        ├─ shows what changed         │
│                             │                             │
├─ yoloai apply fix-bug       │                             ├─ patches applied
│  (you choose which ones)    │                             │
│                             │                             │
├─ yoloai destroy fix-bug     ├─ destroys sandbox           │
```
Permission fatigue is real. After a hundred approve/deny prompts you stop reading and just hit "yes" — or you reach for --dangerously-skip-permissions and hope for the best. Neither is great.
Disabling permissions is dangerous! ... Unless you've sandboxed your agent, that is!
yoloAI takes a different approach: let the agent do whatever it wants inside a disposable container. Your original files are never modified. When the agent is done, review the diff and choose what to keep.
- Your files are untouchable. The agent works on an isolated copy. Originals never change until you say so.
- Git-powered review. `diff` shows exactly what changed. `apply` patches your project cleanly, preserving individual commits.
- No permission prompts. The container is disposable — agents run with full access inside the sandbox.
- Persistent agent state. Session history and config survive stops and restarts.
- Easy retry. `yoloai reset` re-copies your original for a fresh attempt.
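The copy, diff and apply model described above can be sketched with plain git. This is an added example, not yoloAI's code: the function names and `SANDBOX_ROOT` are hypothetical, it applies one combined patch rather than preserving individual commits, and the copy lives on the host, so it shows only the review workflow and provides none of the container or VM isolation.

```bash
#!/usr/bin/env bash
# Added sketch of the copy / diff / apply pattern with plain git.
# Function names and SANDBOX_ROOT are hypothetical, not yoloAI's.
set -eu

SANDBOX_ROOT="${SANDBOX_ROOT:-$(mktemp -d)}"
# git with a throwaway identity so commits work on an unconfigured host
g() { git -c user.name=sandbox -c user.email=sandbox@example.invalid "$@"; }

# Copy the project and record a baseline commit to diff against.
sandbox_new() {   # usage: sandbox_new NAME PROJECT_DIR
  local box="$SANDBOX_ROOT/$1"
  mkdir -p "$box"
  cp -R "$2"/. "$box"/
  rm -rf "$box/.git"   # the copy gets its own history
  ( cd "$box" && g init -q && g add -A \
      && g commit -q --allow-empty -m baseline && g tag baseline )
}

# Everything changed in the copy since the baseline, as one patch.
sandbox_diff() {  # usage: sandbox_diff NAME
  ( cd "$SANDBOX_ROOT/$1" && g add -A && g diff --cached --binary baseline )
}

# Dry-run the patch against the real project; apply only if it fits.
sandbox_apply() { # usage: sandbox_apply NAME PROJECT_DIR
  local patch rc=0
  patch="$(mktemp)"
  sandbox_diff "$1" > "$patch"
  if [ -s "$patch" ]; then
    ( cd "$2" && git apply --check "$patch" && git apply "$patch" ) || rc=$?
  fi
  rm -f "$patch"
  return "$rc"
}
```

The real project is written to only inside `sandbox_apply`, and only after `git apply --check` confirms the whole patch fits.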
```bash
# Latest release
go install github.com/kstenerud/yoloai/cmd/yoloai@latest
# Latest development version (unstable)
go install github.com/kstenerud/yoloai/cmd/yoloai@main
```

Requires Go 1.26+. The binary is placed in `$GOPATH/bin` (typically `~/go/bin`).
```bash
git clone https://github.com/kstenerud/yoloai.git
cd yoloai
git tag
# then git checkout your chosen tag
make build
sudo mv yoloai /usr/local/bin/ # or add to PATH
```

It's a single Go binary, with no runtime dependencies beyond your chosen backend. On first run, yoloAI builds its base image and creates `~/.yoloai/`.
```bash
# Authenticate (yoloAI picks up existing credentials automatically)
export ANTHROPIC_API_KEY=sk-ant-... # Claude Code
export GEMINI_API_KEY=... # Gemini CLI
# Or just let it pick up your already authenticated session

# 1. Spin up a sandbox. Agent starts working immediately when you supply a prompt here
yoloai new fix-bug ./my-project --prompt "fix the failing tests"
# 2. See what the agent changed
yoloai diff fix-bug
# 3. Apply the good parts to your real project
yoloai apply fix-bug
# 4. Toss the container
yoloai destroy fix-bug
```

```bash
yoloai new exploration ./my-project -a
# You're inside the agent, running in tmux in the sandbox.
# Ctrl-B, D to detach.
# yoloai attach exploration to reconnect.
```

For longer tasks, work in a commit-by-commit loop. Keep two terminals open — one for yoloAI, one for your normal shell.
```
┌─ YOLO shell ──────────────────────┬─ Outer shell ─────────────────────┐
│                                   │                                   │
│ yoloai new myproject . -a         │                                   │
│                                   │                                   │
│ # Tell the agent what to do,      │                                   │
│ # have it commit when done.       │                                   │
│                                   │ yoloai apply myproject            │
│                                   │ # Review and accept the commits.  │
│                                   │                                   │
│ # ... next task, next commit ...  │                                   │
│                                   │ yoloai apply myproject            │
│                                   │                                   │
│                                   │ # When you have a good set of     │
│                                   │ # commits, push:                  │
│                                   │ git push                          │
│                                   │                                   │
│                                   │ # Done? Tear it down:             │
│                                   │ yoloai destroy myproject          │
└───────────────────────────────────┴───────────────────────────────────┘
```
The agent works on an isolated copy, so you can keep iterating without risk. Each apply patches the real project with only the new commits since the last apply.
| Backend | Supported Hosts | Dependencies |
|---|---|---|
| docker | Linux, macOS, Windows (WSL2) | Docker Engine, Docker Desktop, or OrbStack |
| podman | Linux, macOS | Podman (brew install podman on macOS) |
| containerd | Linux | Kata Containers |
| apple | macOS (Apple Silicon) | Apple Container |
| tart | macOS (Apple Silicon) | Tart (brew install cirruslabs/cli/tart) |
| seatbelt | macOS (any) | None (uses built-in sandbox-exec) |
Optionally upgrade the OCI runtime for stronger isolation:
| Mode | Description |
|---|---|
| `container` | Default runc — standard Linux namespaces and cgroups |
| `container-enhanced` | Userspace kernel (gVisor/runsc) — syscall interception, no KVM needed |
| `container-privileged` | All capabilities, seccomp/AppArmor unconfined — use for Docker-in-Docker and Compose |
| `vm` | Kata Containers (QEMU) — hardware VM isolation |
| `vm-enhanced` | Kata + Firecracker microVM — lightweight VM isolation |
```bash
# Use gVisor for all new sandboxes
yoloai config set isolation container-enhanced
# Or per sandbox
yoloai new task . --isolation container-enhanced
```

`vm` and `vm-enhanced` require Kata Containers to be installed.
| Mode | Description |
|---|---|
| `claude` | Runs Claude Code via API key or subscription credentials (default) |
| `codex` | Runs Codex via API key or subscription credentials |
| `gemini` | Runs Gemini via API key or subscription credentials |
| `aider` | Runs Aider (your config is copied in) |
| `opencode` | Runs OpenCode (your config is copied in) |
| `shell` | Runs a tmux shell with all agents' credentials seeded |
| `idle` | Runs an idle process to allow MCP proxying |
Use `yoloai system agents` to list available agents.
- Usage Guide — commands, flags, workdir modes, configuration, security
- Roadmap — upcoming features
- Architecture — code navigation for contributors
Early access. Core workflow works, rough edges expected. Feedback welcome.