Design and implementation

A. Five requirements.

The two gaps from the study imply five requirements for any agent-native filesystem:

Visibility into the current state of all changes.
Auditability of the full session history.
Preventive control before an access takes effect.
Corrective control afterwards — revocability for users, recoverability for agents.
Transparency in both directions: no agent changes, and any POSIX-compliant filesystem suffices, even without native CoW snapshots or extended attributes.

And, of course, performance — every access sits on the critical path of an agent session.

B. Architecture.

YoloFS is a Linux stackable filesystem that interposes between the agent and the underlying filesystem. The user mounts YoloFS with a project-local config file, then runs an agent either inside or through it. To the agent, file operations look normal. To the user, the session is no longer a stream of opaque commands.

                User process / AI agent
                          │
                          ▼  VFS syscall
   ┌──────────────────────────────────────────────┐
   │                   YoloFS                       │
   │   ┌────────────────┐    ┌──────────────────┐ │
   │   │  Permission    │ →  │     Staging      │ │
   │   │     gating     │    │     layer        │ │
   │   └────────────────┘    └──────────────────┘ │
   └──────────────────────────────────────────────┘
                          │  vfs_*() on lower FS
                          ▼
              Lower filesystem (ext4 / xfs / …)

For every VFS operation the permission gating layer runs first: it resolves the effective rule for the path. If the rule is ask, the thread sleeps until the userspace daemon answers. If the rule is allow or read-only, the staging layer then routes the operation: reads come from the staged inode if the file has been modified, otherwise from base; writes go to staged inodes. Final I/O is delegated to the lower filesystem via vfs_*().

YoloFS is a kernel module + userspace CLI. The kernel handles the critical path; the CLI handles higher-level operations (diff, snapshot management, commit) by reading shared on-disk state and issuing ioctls. The mount sits on top of the entire root filesystem to ensure completeness.

C. Staging — fast, revocable mutations.

The problem with naïve staging

Mirroring the base directory tree in an upper layer (à la OverlayFS) is too expensive: creating a file in a nested directory requires creating all its parent directories in the upper layer; renaming a file triggers a full copy even without content change; renaming a directory recursively copies the entire subtree. YoloFS sits on the critical path of every agent operation — it cannot pay this cost.

Decoupling contents from paths

YoloFS uses three structures, kept independent on purpose:

Flat file store. When an existing file is first opened for writing, its contents are copied into a staged file indexed by an integer ino. New files and truncating writes (O_TRUNC) skip the copy and allocate empty. After this initial allocation, file I/O passes through to the lower filesystem with no further indirection.
In-memory override tree. For each path, a node records where its content resolves to. Three states: StagedFile(ino, gen) → a file in the store; BasePath(src) → a path in the lower filesystem (enables zero-copy renames); Tombstone → marks the path as deleted. A path not in the tree is implicitly BasePath(self).
Append-only directory journal. Every change to the override tree appends a record. Three action records: S p ino (stage), R src dst (rename), D p (delete). The kernel only writes; the CLI reads the journal to audit, diff, or commit.

What this buys you

Zero-copy rename. Renaming a file or even a 100k-file directory just rewires a few override-tree pointers and appends one journal record.
Zero-copy truncating write. echo > file doesn't read the original; it allocates an empty staged inode directly.
Single lookup. Path resolution checks the override tree once, then falls through to base — versus OverlayFS's per-component upper+lower lookup.
Works on any base FS. No whiteout support needed; staged data is just regular files in a hidden directory.

Audit and commit are user-driven. The journal and file store are ordinary files on the base filesystem; the CLI parses the journal to build a diff at any point. Commit replays journal actions onto the base; abort drops the staged file store and clears the override tree.

D. Snapshots and travel — non-destructive history.

Why conventional rollback is wrong for agents

ZFS, Btrfs, and WAFL support rollback by restoring a snapshot and discarding everything after. For an agent, that erases the evidence of the mistake: the user can no longer inspect the abandoned actions, and the agent cannot return to them later if the rollback itself was wrong.

Generation-based snapshots

YoloFS keeps a single global generation counter incremented on every snapshot or travel. Each StagedFile records the generation it was created in. When a staged file is opened for writing and its generation is stale, YoloFS performs copy-on-write — allocating a fresh file rather than overwriting the old one. Old generations stay alive as travel targets while the active branch grows.

Markers, segments, and liveness

Snapshots and travels are markers in the same append-only journal: P name for snapshot, T name g for a travel to generation g. Markers partition the journal into segments. A travel makes the segments between target and current state dead: they remain in the journal for audit and as future travel targets, but no longer contribute to the staged view. Liveness is itself dynamic — traveling can resurrect dead segments.

Rebuild past state in userspace; keep the kernel lean

When the agent travels, the CLI computes segment liveness, replays the live journal segments in order to rebuild the override tree at the target generation, serializes the result, and hands it to the kernel via an ioctl. The kernel atomically swaps in the new override tree. Common operations like lookup and readdir stay O(1) regardless of how many snapshots exist — the kernel only ever sees the current tree.

E. Progressive permission.

Why conventional models don't fit

Unix DAC can't help — the agent runs as the user. Landlock, AppArmor, and SELinux are monotonically restricting: tighten only. Mount namespaces are monotonically expanding: expose only. In practice, broad policies allow harmful accesses; narrow policies block legitimate work and push users to disable safety entirely.

Rule tree

Each path can be one of five states:

allow — full access in the subtree.
read-only — reads OK, all writes denied.
deny — blocked, but path remains visible in readdir.
hidden — invisible: readdir skips it, stat/open behave as if absent.
ask — default; blocks the thread until the user decides.

Top-down resolution, bottom-up revalidation

The effective permission is computed during path lookup: walk root → target, carrying the current state and replacing it whenever a more specific rule is encountered. The result is cached on the in-memory inode (where VFS's inode_permission check fires).

A global version number guards the cache. When a rule is added or removed, YoloFS bumps the version — no subtree traversal. On the next access, a stale inode walks up the dentry chain until it finds the nearest ancestor with a rule. Revalidation cost is proportional to path depth, not subtree size.

Ask protocol

When access hits an ask state, the kernel blocks the thread and enqueues a request — path, operation, process name — for the userspace daemon. The daemon answers with allow/deny and may install a rule for future accesses, at any path (not just the one that triggered). Common pattern: install on a parent so the next 100 accesses to the subtree don't ask again.

Why this matters for friction. Codex's "don't ask again for sed -i" rule is either too broad (allow any in-place edit) or too narrow (a 300-char one-liner that won't recur). YoloFS's rule sits on the file path the agent actually touched — so it generalizes correctly, regardless of which command issued the syscall.

F. Implementation.

2.5k

LoC of C in the kernel module

6.2k

LoC of Rust in the userspace CLI

Linux 6.8

stackable VFS interposition

Override tree and rule tree are maintained on VFS dentries — staged entries are pinned, so the dcache stays correct and rename chains resolve naturally.
Staged data lives under .yolofs/ in the project. File contents go in files/, sharded into subdirectories to avoid huge flat directories. The journal is at .yolofs/journal.
Configuration is a yolofs.toml in the project root: rules, mount options, ask defaults, timeouts, checkpoint policy.
Unprivileged mounting via user namespaces — no root needed.
Composable: staging and permission gating are independent layers, either can be disabled at mount time.
Claude Code integration uses Claude's PreToolUse hook for Bash to route shell commands through the YoloFS CLI, so every command runs inside the staged sandbox.

For an end-to-end CLI walkthrough — init, rules, ask prompts, diff, travel, and commit — see the demo on the home page.

G. How YoloFS differs from existing systems.

vs. OverlayFS (staging model)

Aspect	YoloFS	OverlayFS
Model	Explicit commit / abort with checkpoints	Live union — upper is the state
Truncating write	Zero-copy (empty inode)	Full copy-up, then truncate
Rename	Zero-copy via dirent metadata	`vfs_rename()` with copy-up
Lookup	One lookup (override tree → base)	Two lookups (upper + lower)
On-disk format	Flat inode store + journal — any base FS	Requires whiteout support (ext4/xfs)

vs. Landlock (permission model)

Aspect	YoloFS	Landlock
Default policy	Ask (block + prompt)	Deny (handled rights only)
Overlapping rules	Nearest-ancestor wins (both directions)	Additive only — can't deny child of allowed parent
Dynamic rules	Add / remove / change at runtime	Immutable after enforce
Steady-state cost	O(1) via inode cache + version counter	O(depth × log n) per ancestor
Scope	Per-mount	Per-process (cred-attached)

vs. ZFS / Btrfs snapshots

Native CoW snapshots cover predefined namespaces and target archival or backup workloads. They do not adapt to changes made by an interactive agent (granularity is fixed) and they support only destructive rollback. YoloFS snapshots adapt to the agent's actual changes, work on any base filesystem, and preserve the full branching history so the user can audit abandoned branches and the agent can travel forward again.

vs. version-control systems (git, etc.)

Git handles text-based source files inside one repository. Agents operate on the version history itself (git reset --hard, git clean) and routinely destroy uncommitted work that git alone cannot recover. YoloFS treats git commands as ordinary file operations — so the user can recover even if the version history itself is corrupted by the agent.

H. Performance, briefly.

Single-file I/O matches bare ext4. Metadata operations are typically faster than OverlayFS — sometimes faster than ext4 for files that are already staged. Snapshots scale to hundreds without slowing reads or writes. On a real kernel-development workflow (build, edit, rebuild, commit, across 100k files) YoloFS adds ~3.5 s of commit overhead to a workload that's otherwise as fast as ext4; OverlayFS is 18% slower; BranchFS (a recent FUSE-based research filesystem) adds 2 minutes to a 20-second build. Full numbers are in §6 of the paper.

See the performance evaluation →