Open source SDK · Works with any LLM

Purpose-built runtime for
AI agent execution

Run agent code and tools inside an isolated environment with deterministic replay. Move from “it worked on my machine” to “we can prove what happened.”

See How It Works Book a Demo

Agent BrainLLM / Reasoning

→

↓

Hardened RuntimeSaph Runtime

CapabilitiesLimitsReplay

→

↓

External WorldTools + Systems

Sub-msSandbox isolation

Spin up isolated environments in microseconds for every agent run.

100%Deterministic replay

Every execution is reproducible. Same inputs, same outputs, always.

10,000+Parallel branches

Run thousands of workflow variations cheaply for evals and search.

HOW IT WORKS

Three parts, one contract

Virtual Filesystem├── /workspace ✓├── /tmp ✓├── /home ✗└── /secrets ✗

Sandboxed Runtime

Isolated execution
environment

Agent code runs in a minimal, isolated environment with a virtual filesystem and controlled time.

Sandbox

fs.read()

→

Host

policy ✓

creds

Host-Controlled Tools

Sandbox requests,
host decides

Side effects happen through host operations you define. Credentials and policy stay outside.

Execution Timeline

init→fs.read→llm.call→done

↻ replaySame output hash ✓

Replayable Execution

Deterministic replay
for every run

Every run produces a compact record. Reproduce what happened exactly.

Tool Permissions

Read filesAllowed

Write filesScoped

Allowed

NetworkBlocked

PaymentsBlocked

⚠ tool_call('network.fetch') → rejected

SECURITY MODEL

Nothing is allowed
unless you grant it

Tool access is explicit and validated at runtime. Define what your agent can touch, scope parameters, and block everything else by default.

Explicit tool allowlists with parameter validation

Scoped permissions for sensitive operations

Blocked calls with detailed rejection logs

AUDIT ARTIFACTS

Every run produces
an audit artifact

Structured records of inputs, tool calls, outputs, and replay bundles. Export incident reports for audits or customers.

Execution Receipt{ "receipt_id": "rx_a3f7c2e91d", "inputs": { "prompt": "...", "files": 3 }, "capabilities": ["fs.read", "fs.write"], "tool_calls": 4, "outputs": { "files": 2, "stdout": "..." }, "replay_link": "saph://replay/rx_a3f7"}

USE CASES

What you can do with it

Agent Debugging

Reproduce failures exactly. Diff runs. Debug without guesswork.

Safe Tool Use

Let agents use shell utilities and file workflows without ambient access.

Parallel Evals

Run many variations of a workflow cheaply for evals, search, or testing.

Enterprise Isolation

A safer way to run agent workloads without heavy per-run infrastructure.

Security that doesn't rely on “please behave”

Most agent security today is prompts and policies. Saph assumes the agent will eventually do something weird and designs around that.

Isolation

Limits blast radius. Every agent runs in its own sandbox.

Capabilities

Prevents ambient authority. Nothing runs unless explicitly granted.

Replay

Makes incidents understandable. Replay any execution exactly.

Runtime now, control later

Start with the runtime. Add enforcement when your automation gets serious.

Saph RuntimeSandbox + Replay

Start here →

Saph ControlAuthorization + Approvals

Add when high-stakes

Ship agents that can
execute safely

Try the sandbox or talk to us about your use case.

Book a Demo Try the Sandbox

Purpose-built runtime forAI agent execution