website/src/content/cookbook/ai-agent-workspace.mdx
Patterns for giving every AI agent its own computer with agentOS: one Rivet Actor per agent that owns a portable, lightweight in-process OS running on Wasm and V8. Use it for code interpreters that keep state between runs, agents that ship artifacts behind shareable preview URLs, per-user dev environments, and scheduled maintenance agents. agentOS is in preview and the API is subject to change.
This entry is about giving an agent a workspace. For conversation memory, message queues, and streaming chat patterns, see AI Agent.
The agent-os collection is reference code, one sub-example per capability; treat it as patterns to copy into your project rather than a turnkey app. The agent-os-e2e example is the complete end-to-end walkthrough.
| Example | Starter Code | Use When |
|---|---|---|
| Hello World | GitHub | You want the minimal loop: boot a VM lazily on the first action, write a file, read it back. |
| Filesystem | GitHub | The agent needs the full file surface: recursive listing, stat, move, delete, and custom mounts. |
| Git | GitHub | The agent works with real git repos inside the workspace: init, commit, branch, and clone via exec. |
| Processes | GitHub | The agent runs shell commands with pipes and long-lived spawned programs. |
| Network | GitHub | The agent serves HTTP inside the VM and you need vmFetch or signed preview URLs. |
| Cron | GitHub | The workspace runs scheduled commands or recurring agent work. |
| Tools | GitHub | You want your backend functions exposed as CLI commands inside the workspace. |
| Agent Session | GitHub | You drive a Pi coding agent session inside the workspace. Requires ANTHROPIC_API_KEY. |
| Sandbox Mounting | GitHub | The agent needs native binaries or a real OS, mounted into the VM from a Docker-backed sandbox. Requires Docker. |
| End-to-End Walkthrough | GitHub | You want one runnable script covering files, processes, preview URLs, and a streaming Pi agent session. |
The whole backend is one registry with one agentOs() actor:
import { agentOs } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";
import pi from "@rivet-dev/agent-os-pi";
const vm = agentOs({
options: { software: [common, pi] },
});
export const registry = setup({ use: { vm } });
registry.start();
See the Quickstart for the client side and project layout.
client.vm.getOrCreate(["my-agent"]) gives each agent its own workspace; key by user id for per-user dev environments. Each workspace has its own filesystem, processes, and networking with no shared state and no cross-contamination (see the overview).software option installs packages such as @rivet-dev/agent-os-common (a meta-package of Wasm command-line tools: coreutils, sed, grep, gawk, findutils, diffutils, tar, and gzip), @rivet-dev/agent-os-git (git), and @rivet-dev/agent-os-pi (the Pi coding agent). See Software.vmBooted event); when nothing is active, the actor sleeps and broadcasts vmShutdown, then wakes on the next action.What survives a sleep/wake cycle (see Persistence):
| Data | Across sleep/wake |
|---|---|
| Session transcripts and event history | Persist in actor SQLite as events stream. listPersistedSessions and getSessionEvents read them back without booting the VM, and resumeSession picks a session back up in a rebooted VM. |
| Signed preview URL tokens | Persist in actor SQLite. Requests are validated against the stored token and the VM reboots lazily to serve them, so preview URLs keep working after sleep. |
| Files | Persist when the mount is backed by a persistent driver (database-backed, S3, or a sandbox mount). In-memory mounts come back empty on wake. |
| Processes, shells, and cron jobs | Do not persist. Restart long-running processes and reschedule cron jobs on wake (recommended extension). |
The actor holds itself awake while sessions, processes, shells, or hooks are active, then sleeps after a grace period.
| Area | Use It For | Key Actions | Docs | Example |
|---|---|---|---|---|
| Filesystem | Give the agent a file tree to read and write | readFile, writeFile, mkdir, readdir, move | Filesystem | GitHub |
| Processes | Run commands and long-lived programs | exec, spawn, waitProcess, killProcess | Processes | GitHub |
| Shells | Interactive terminals with streamed output | openShell, writeShell, resizeShell, closeShell | Processes | No standalone example |
| Networking and preview URLs | Reach services inside the VM and share them externally | vmFetch, createSignedPreviewUrl, expireSignedPreviewUrl | Networking | GitHub |
| Cron | Scheduled commands and recurring agent sessions | scheduleCron, listCronJobs, cancelCronJob | Cron | GitHub |
| Agent sessions | Drive a coding agent inside the workspace | createSession, sendPrompt, resumeSession, closeSession | Sessions | GitHub |
Two details worth knowing up front:
createSignedPreviewUrl returns a relative path plus the token and expiry. Build the full URL with the client handle's getGatewayUrl() method; it is a client method, not an actor action.exec and session action types only. Callback cron actions are defined in server code and do not serialize through listCronJobs.Only the Pi agent (@rivet-dev/agent-os-pi) is currently supported as a session agent; Amp, Claude Code, Codex, and OpenCode are coming soon. See Sessions.
createSession("pi", { env: { ANTHROPIC_API_KEY } }) returns a sessionId. The VM does not inherit the host process.env, so API keys are passed explicitly per session or kept server-side through the LLM gateway.sessionEvent to stream the agent's output, such as message chunks, as it works.sendPrompt(sessionId, ...) starts a turn; cancelPrompt stops one in flight.permissionRequest event and answer with respondPermission, or the server auto-approves with the onPermissionRequest config hook (see Permissions).resumeSession continues a session in the rebooted VM, and listPersistedSessions plus getSessionEvents read history without booting the VM at all.Expose your backend functions to the agent as CLI commands inside the workspace. Define a toolkit with toolKit() and hostTool() (Zod-schema'd JavaScript functions on the host), pass it via agentOs({ options: { toolKits: [...] } }), and it is installed as a command such as agentos-weather forecast --city Paris --days 3 and injected into the agent's system prompt. The agent calls your backend with no HTTP endpoints or MCP servers to stand up, and CLI-shaped tools are code mode compatible for large token savings. See Tools and the tools example.
agentOS is not a replacement for sandboxes; it is designed to work alongside them. When a workspace needs native binaries, browsers, compilation, or desktop automation, use sandbox mounting: start a Docker-backed sandbox with SandboxAgent.start({ sandbox: docker() }), project its filesystem into the VM as a native directory (for example /sandbox) with createSandboxFs, and expose sandbox process control as host tools with createSandboxToolkit. Filesystem actions like writeFile and readFile project transparently through the mount while heavy workloads run in the container.
See Sandbox Mounting for the hybrid model and agentOS vs Sandboxes for when each side wins: the lightweight VM has a near-zero cold start (~6 ms) and installs with npm install, while sandboxes are full Linux environments billed per second of uptime.
| Topic | Summary |
|---|---|
| Topology | One vm[workspaceId] actor per agent or per user; the actor key is the workspace identity. |
| Ingress | Actor actions for files, processes, networking, cron, and sessions; a realtime connection for streamed events. |
| Streaming | sessionEvent per agent event, processOutput and processExit for spawned processes, shellData for interactive shells. |
| Persistence | Session transcripts, event history, and preview tokens in actor SQLite; files persist through persistent mounts. |
Actors
<AccordionGroup> <Accordion title='vm[workspaceId]'>vm[workspaceId], for example client.vm.getOrCreate(["my-agent"])readFile, writeFile, mkdir, readdir, readdirRecursive, stat, exists, move, deleteFileexec, spawn, writeProcessStdin, waitProcess, listProcesses, killProcessopenShell, writeShell, resizeShell, closeShellvmFetch, createSignedPreviewUrl, expireSignedPreviewUrlscheduleCron, listCronJobs, cancelCronJobcreateSession, sendPrompt, cancelPrompt, respondPermission, resumeSession, closeSession, destroySession, listPersistedSessions, getSessionEventsvmBootedvmShutdownsessionEventpermissionRequestprocessOutputprocessExitshellDatacronEventagent_os_sessions and agent_os_session_events (session metadata plus seq-ordered transcript events)agent_os_preview_tokens (signed preview URL tokens with expiry)agent_os_fs_entries (file content for database-backed mounts)Lifecycle
sequenceDiagram
participant C as Client
participant A as vm actor
participant V as agentOS VM
participant P as Pi session
C->>A: getOrCreate(["my-agent"])
C->>A: writeFile("/tmp/hello.txt", ...)
Note over A,V: first action boots the VM
A-->>C: vmBooted
C->>A: exec("echo hello | tr a-z A-Z")
A->>V: run command
V-->>A: {exitCode: 0, stdout}
C->>A: spawn("node", ["/tmp/server.mjs"])
C->>A: createSignedPreviewUrl(8080, 60)
A-->>C: {path, token, expiresAt}
C->>A: fetch(gatewayUrl + path)
Note over A: token checked in SQLite, request proxied into the VM network
C->>A: createSession("pi", {env})
A->>P: start session
C->>A: sendPrompt(sessionId, ...)
loop streamed agent output
P-->>A: agent event
A-->>C: sessionEvent
end
Note over A: idle, sleeps after grace period (vmShutdown)
C->>A: resumeSession(sessionId)
Note over A,V: wake reboots the VM, restoring transcripts, preview tokens, and persistent mounts
onBeforeConnect hook in the agentOs() config so only authorized callers reach a workspace. Signed preview URL requests deliberately skip it because the token is the credential; browsers navigating a preview URL cannot supply actor connection params.permissionRequest events for human-in-the-loop approval via respondPermission, or run a server-side onPermissionRequest policy for automated pipelines. See Permissions.expireSignedPreviewUrl. Preview responses carry permissive CORS headers, so do not serve private data on a preview port without app-level auth.createSession env, or keep keys entirely server-side with the LLM gateway. Session keys are injected into the session environment inside the VM and are never stored in actor config or SQLite.maxMemoryMb, maxCpuPercent, see Security). Active sessions, processes, and shells hold the actor awake, so add per-workspace session caps and token budgets as a recommended extension.