website/src/content/docs/agent-os/security.mdx
For the isolation model and trust boundaries, see Security Model.
Restrict CPU and memory per actor to prevent runaway agents.
```typescript
import { agentOs } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";
import pi from "@rivet-dev/agent-os-pi";

const vm = agentOs({
  options: {
    software: [common, pi],
    // Per-actor resource caps: a runaway agent is throttled instead of
    // starving neighbouring actors.
    maxMemoryMb: 512,
    maxCpuPercent: 50,
  },
});

export const registry = setup({ use: { vm } });
registry.start();
```
Control which ports and hosts the VM can access.
```typescript
import { agentOs } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";

const vm = agentOs({
  options: {
    software: [common],
    // Only these loopback ports are exempt from the default restriction;
    // everything else stays blocked.
    loopbackExemptPorts: [8080, 3000],
  },
});

export const registry = setup({ use: { vm } });
registry.start();
```
Use the onBeforeConnect hook to validate clients before they access the agent.
```typescript
import { agentOs } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";
import pi from "@rivet-dev/agent-os-pi";

const vm = agentOs({
  // Runs before a client is connected to the agent; throwing rejects the connection.
  onBeforeConnect: async (c, params) => {
    const isValid = await verifyToken(params.token);
    if (!isValid) {
      throw new Error("Unauthorized");
    }
  },
  options: { software: [common, pi] },
});

export const registry = setup({ use: { vm } });
registry.start();

async function verifyToken(token: string): Promise<boolean> {
  // Placeholder: replace with your real authentication logic
  return token === "valid-token";
}
```
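As an added example (not agent-os or rivetkit code), here is a `verifyToken` that checks an HMAC-signed, expiring token in constant time, plus a hook body in the same shape as the `onBeforeConnect` above. The token format, the signing secret and the `issueToken` helper are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed secret for the example; load it from a secret store in practice.
const SIGNING_SECRET = "example-secret-do-not-use";

// Hypothetical token format: base64url(JSON payload) + "." + base64url(HMAC-SHA256)
interface TokenPayload {
  sub: string; // client identity
  exp: number; // expiry as unix seconds
}

function sign(data: string): Buffer {
  return createHmac("sha256", SIGNING_SECRET).update(data).digest();
}

export function issueToken(payload: TokenPayload): string {
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${sign(body).toString("base64url")}`;
}

export function verifyToken(token: unknown, now = Math.floor(Date.now() / 1000)): boolean {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 2) return false;
  const [body, sig] = parts;
  const expected = sign(body);
  const given = Buffer.from(sig, "base64url");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  try {
    const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as TokenPayload;
    return typeof payload.exp === "number" && payload.exp > now;
  } catch {
    return false; // malformed payload
  }
}

// Hook body in the shape of the page's onBeforeConnect: reject before the client reaches the agent.
export async function onBeforeConnect(_c: unknown, params: { token?: unknown }): Promise<void> {
  if (!verifyToken(params.token)) {
    throw new Error("Unauthorized");
  }
}
```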
Agents request permission before using tools. See Permissions for auto-approve, selective approval, and human-in-the-loop patterns.
Preview URLs use randomly generated 32-character alphanumeric tokens with configurable expiration. See Networking & Previews for token management.
- `expireSignedPreviewUrl` to immediately revoke a token

Each VM has its own virtual filesystem. Files are isolated per actor instance.

- `/home/user` is persistent and survives sleep/wake