Blog

Your agent loses 90% of its workspace over and over

· 7 min read

Git versions the code, the agent harness saves its conversation, but the deps, build cache, and tool configs are gone. Bento packages your full workspace as OCI artifacts so nothing gets lost.

by George Fahmy
agentsworkspacememoryopen-sourceconfigurationssandbox

Git versions the code. The agent harness saves its conversation. But the other 90% is gone when the session ends. The 200MB of installed packages, the build cache that took 3 minutes to warm up, the .env file you assembled by hand, the MCP configs, the tool settings.

Next session, the agent starts reinstalling deps, skills, rebuilding caches, and asking you questions it already asked yesterday. I keep running into this with every agent I use (Claude Code, Codex, Amp, Stakpak, OpenClaw).

This isn’t a niche complaint. There are GitHub issues with hundreds of reactions asking for persistent memory across sessions. Developers report spending 10-20 minutes per session just rebuilding lost context. An entire ecosystem of workaround tools has emerged: session bookending skills, external memory MCP servers, manual context dump scripts.

The sandbox fragmentation problem

Every sandbox platform is building their own snapshot format to fix this. E2B has pause/resume with Firecracker microVM snapshots. Fly.io Sprites has copy-on-write checkpoints backed by object storage. Daytona is building snapshots into their sandbox platform. None of them speak the same language. (I wrote about the landscape of agent sandboxes recently, the fragmentation is real.)

Meanwhile we have OCI, the open standard behind Docker images. Every cloud provider and registry already speaks it. Helm uses it for Kubernetes charts. Flux uses it for GitOps manifests. Docker Agent uses it for sharing agent team configs. The infrastructure is sitting right there and nobody has used it for agent workspace state -yet-.

Agent bento

Bento is a Go CLI that decomposes your agent workspace into layers. Deps at the bottom (big, rarely changes), agent state in the middle (memory, plans, skills), project files on top (code, tests, everything else). Pack it into a standard OCI artifact. Push to any registry. Pull it down somewhere else and pick up where you left off.

bento init
bento save -m "auth refactor halfway done"
bento open cp-3
bento fork cp-3 -m "trying a different approach"
bento push ghcr.io/myorg/workspaces/my-project

What I’m happy with so far

It auto-detects your agent(s), and keeps detecting. Bento uses composable extensions that auto-detect agents, languages, and tools on every save and diff. Drop into a project with .claude/ and it knows it’s Claude Code. Start using Codex mid-project? It picks that up automatically on the next save. Currently supports Claude Code, Codex, OpenCode, OpenClaw, and Cursor, each with detailed support for session capture, credential exclusion, and post-restore hooks.

It captures session history from outside the workspace. Claude Code stores sessions in ~/.claude/projects/, Codex in ~/.codex/sessions/, OpenCode in ~/.local/share/opencode/. Bento follows those paths and pulls the relevant session files into the checkpoint. When you restore, the agent gets its full conversation state back.

Checkpoints are self-describing. Each checkpoint stores workspace metadata: the git repos it depends on (branch, sha, remote for each), active extensions, and the OS/arch it was created on. So bento open on a new machine knows what the workspace needs without you telling it.

Watch mode. bento watch runs a background filesystem watcher that auto-checkpoints as you work. Project files are detected instantly via fsnotify, deps and agent state are checked periodically to avoid file descriptor exhaustion on large directories. Old checkpoints are pruned automatically with tiered retention (full granularity for the last hour, hourly for 24h, daily for 7d).

bento watch                          # start watching (Ctrl-C to stop)
bento watch --debounce 5 -m "wip"   # 5s quiet period, custom message

Lifecycle hooks. You can attach shell commands to save, restore, and push. Pre-hooks abort on failure, post-hooks warn but continue. Useful for running make clean-temp before save or make setup after restore.

Standard OCI layers, not custom formats. Every layer is a plain OCI image layer, the same format Docker uses. COPY --from=<bento-ref> works in Dockerfiles. docker pull works. No special tooling needed to inspect what’s inside.

Secrets never touch the registry. Env vars can be plain values or references to env vars, files and in the near future AWS Param Store, Vault, 1Password CLI. The new bento env CLI makes managing these easy: bento env set, bento env show, bento env export -o .env. Bento stores the refs, not the values. A pre-save scan catches credentials before they’re packed.

Why an open standard matters

There’s no business model here. I built bento because I need it for my own work and I think the format should be an open standard (Apache 2.0).

The pattern has worked before. The community standardized container images through OCI. Helm standardized Kubernetes package distribution by adopting OCI artifacts. KitOps and ModelPack are doing the same for ML model packaging. Agent workspaces need the same treatment, a shared format so you can save a checkpoint in one environment and open it in a completely different one.

Right now every platform is reinventing this wheel. The longer that continues, the harder it gets to move your work between tools. Bento is my attempt to prevent that lock-in before it hardens.

It’s early. Feedback on the spec welcome. Extension contributions for more agents very welcome.

github.com/kajogo777/bento

Appendix: the state of agent workspace tooling

I did extensive research before building bento. Here’s a summary of what exists and where the gaps are.

What agents lose between sessions. Every major agent (Claude Code, Codex, Cursor, OpenCode, OpenClaw) stores its state differently. Claude Code uses .claude/ with JSONL session files and CLAUDE.md for instructions. Codex uses .codex/ with TOML config and AGENTS.md. Cursor uses .cursor/rules/ in MDC format. OpenCode uses .opencode/ and opencode.json. OpenClaw uses SOUL.md and IDENTITY.md. None of these are portable across agents, and most of the valuable state (session transcripts, accumulated memory) lives in the user’s home directory, not the workspace.

The cost of environment rebuilds. Node.js node_modules typically consumes 200MB-1GB per project. Rust target/ directories run 5-10GB. Python virtual environments average 400MB+. Rebuilding from scratch takes seconds to minutes depending on project size. Codex Cloud caches containers to reduce cold starts from 48s to 5s. SWE-bench optimized their Docker layer hierarchy to reduce total storage from 3,129GB to 67GB through better layer sharing. These numbers validate the semantic layer approach: shared base layers get deduplicated across checkpoints.

Git worktrees won code isolation, lost environment isolation. Every multi-agent tool (Codex Desktop, Claude Squad, Worktrunk) converged on git worktrees for parallel agent work. But worktrees only isolate code, not environment. Two worktrees both running npm run dev on port 3000 will conflict. Each needs its own node_modules. .env files and database state don’t exist in new worktrees.

Container checkpointing exists but misses the point. CRIU captures raw process memory for container migration. Podman can push CRIU checkpoints as OCI images. GKE Pod Snapshots does the same for Kubernetes with gVisor. These produce opaque binary blobs that are architecture-dependent, uninspectable, and can’t be partially restored. Bento captures semantic file layers you can inspect, diff, and compose.

OCI is ready for this. OCI Image Spec v1.1 (GA since February 2024) added the artifactType field and the Referrers API, making it trivial to store non-container artifacts in any registry. GHCR, Docker Hub, ECR, Artifact Registry, Harbor, and Zot all support it. ORAS (a CNCF Sandbox project) provides the Go library that Helm, Flux, and now bento use for OCI operations.