AI agent sandboxes

Point an AI coding agent at your production database safely — scoped, observed, and reversible.

AI agent sandboxes are available in the alpha. The keon sandbox commands (cli-v0.1.31+) and the console Sandboxes view described here are live; capabilities are still maturing, so expect rough edges and tell us what breaks.

Kisenon lets you hand a coding agent (Claude Code, Cursor, your own) a database it can change freely — without risking production. A sandbox is a per-run fork of your branch with a scoped credential, a live action log, and a server-side promote step.

Why it's safe

Two guarantees, both deterministic — no LLM sits in the trust path:

The agent can't touch production. It connects with a scoped, non-superuser credential to a fork. It never holds a credential that can write main. Promotion runs server-side and only applies changes that already passed in the sandbox.
You see exactly what it did. Every statement is attributed and streamed to a read-only console — the real SQL, not a summary.

The loop

keon sandbox run \
  --migrate "alembic upgrade head" \
  --verify  "pytest tests/db"
# → green/red verdict + schema diff + a sandbox you can inspect

keon sandbox promote <id>   # cp applies the validated changes to main

The agent stays in control of the loop; the bound is what makes it safe.

Promote: self-serve or human-approved

Each project chooses a promote_mode:

Mode	Who commits to `main`
`self` (default)	The agent promotes once its checks pass — within its bounds.
`human`	The agent proposes; an owner/admin reviews the diff + action log and clicks Approve.

What a sandbox is not

Not a code sandbox — it scopes your database, not the agent's process.
Not an LLM judge — capture, replay, and review are byte-deterministic.

Try it

Try the alpha at kisenon.com and see the quickstart.