Sandbox

An isolated computer for every run

Each agent works on its own cloud machine: your repos cloned in, credentials scoped below any developer, and nothing left behind at teardown. Give it exactly the tools and access the job needs, and no more.

Sandboxrun #314
bootisolated container · 1 vCPU · 4 GiB
clonesplitshift-web, splitshift-api · gh authenticated
run158 steps · 4m02s · PR #314 opened
teardownfilesystem destroyed · credentials revoked
Nothing this run installed, wrote, or broke reaches the next one

Isolation

A fresh machine for every run

Every run starts in its own Linux container with the repos already cloned and gh authenticated, and the container is destroyed when the run ends. Size it up to 16 vCPU, 64 GiB of memory, and 24 hours when the job needs it.
agent sandbox · splitshift-apiGitHub App token
$ git push --force origin main
remote: error: GH006: Protected branch update failed
! [remote rejected] main -> main (protected branch hook declined)
$ gh pr create --fill
https://github.com/splitshift-hq/splitshift-api/pull/1842
No admin permissions, so an agent can never change the rules it works under

Less than a developer

Agents can open PRs, not rewrite history

Agents never hold a developer's identity. They act through the Ellipsis GitHub App with the repos and permissions you granted at install, and repo administration is not one of them. Your branch protections apply with no bypass, and an agent cannot edit protections, settings, or collaborators, no matter what its prompt says.
agents/oncall-assistant.yamlread-only IAM user
sandbox:  variables:    - name: AWS_ACCESS_KEY_ID    - name: AWS_SECRET_ACCESS_KEY
$ aws logs tail /aws/lambda/trade-engine --since 1h
2026-07-03T09:14:22 ERROR TradeExpiryWorker: lock not released
$ aws rds delete-db-instance --db-instance-identifier prod-db
An error occurred (AccessDenied) when calling the DeleteDBInstance operation

Scoped credentials

Hand agents exactly the access they need

Sandbox variables inject credentials you mint, so you choose the blast radius: give a debugging agent read-only AWS keys and it can tail production logs but never touch a resource. Values are stored write-only. Nothing lands in the config file, and nothing can be read back out.
agents/issue-to-pr.yamlruns at image build
sandbox:  image:    setup: |      poetry install      pnpm install --frozen-lockfile
first run · builds the image3m40s
every run after · boots the snapshot8s

Your toolchain

Bake your environment into the image

A setup script runs once at image build, after your repos are checked out, and the result is snapshotted. Dependency installs happen on the first run; every run after boots the warm image. Per-run lifecycle hooks cover whatever should not be cached.

Explore the platform