website/src/content/posts/2026-04-04-introducing-agentos/page.mdx
Unix gave humans a common language to control machines. Today we're releasing agentOS to give agents the same power.
agentOS is a lightweight VM powered by WebAssembly and V8 isolates. Each agent gets its own POSIX-compliant filesystem, processes, and networking. The same isolation technology trusted by every Chrome tab on the planet, now purpose-built for AI agents. Fully open-source under Apache 2.0.
npm install.Boot a VM, create an agent session, and interact with the agent's filesystem.
<CodeGroup> ```ts @nocheck server.ts import { agentOs } from "rivetkit/agent-os"; import { setup } from "rivetkit"; import common from "@rivet-dev/agent-os-common"; import pi from "@rivet-dev/agent-os-pi";const vm = agentOs({ options: { software: [common, pi] }, });
export const registry = setup({ use: { vm } }); registry.start();
```ts @nocheck client.ts
import { createClient } from "rivetkit/client";
import type { registry } from "./server";
const client = createClient<typeof registry>("http://localhost:6420");
const agent = client.vm.getOrCreate(["my-agent"]);
// Stream events as they arrive
agent.on("sessionEvent", (data) => {
console.log(data.event);
});
// Create a session and send a prompt
const session = await agent.createSession("pi", {
env: { ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY! },
});
const response = await agent.sendPrompt(
session.sessionId,
"Write a hello world script to /home/user/hello.js",
);
console.log(response);
// Read the file the agent created
const content = await agent.readFile("/home/user/hello.js");
console.log(new TextDecoder().decode(content));
Traditional sandboxes spin up a full Linux container for each agent. That means seconds of cold start, gigabytes of memory, and a network hop back to your backend for every tool call.
agentOS takes a different approach. The VM runs inside your Node.js process using V8 isolates and WebAssembly. Agents get a full POSIX environment without the overhead of a container. Your backend functions are exposed directly as CLI commands inside the VM, so there's no network round-trip, no API keys to inject, and no auth to configure.
| agentOS VM | Full Sandbox | |
|---|---|---|
| Cold start | ~6 ms | Seconds |
| Cost | Runs in your process | Pay per second of uptime |
| Backend integration | Direct via host tools | Network calls |
| API keys | Stay on the server | Injected into sandbox |
| Permissions | Granular, deny-by-default | Coarse-grained (container-level) |
| Infrastructure | npm install | Vendor account + API keys |
When you need a real Linux kernel for browsers, compilation, or desktop automation, agentOS can spin up a full sandbox on demand and mount it into the VM as a native filesystem directory. The agent reads and writes sandbox files the same way it reads local files.
Host tools let you expose your backend directly to agents. Define a JavaScript function with a Zod schema, and it becomes a CLI command the agent can call from inside the VM.
import { agentOs, hostToolkit } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";
import pi from "@rivet-dev/agent-os-pi";
import { z } from "zod";
const tools = hostToolkit("project", {
listIssues: {
description: "List open issues from the project tracker",
args: z.object({
status: z.enum(["open", "closed", "all"]).default("open"),
}),
handler: async (c, args) => {
const issues = await fetchIssues(args.status);
return issues.map((i) => `#${i.id}: ${i.title}`).join("\n");
},
},
createPr: {
description: "Create a pull request",
args: z.object({
title: z.string(),
branch: z.string(),
}),
handler: async (c, args) => {
const pr = await createPullRequest(args.title, args.branch);
return `Created PR #${pr.number}: ${pr.url}`;
},
},
});
async function fetchIssues(status: string) {
return [{ id: 1, title: "Fix login bug" }];
}
async function createPullRequest(title: string, branch: string) {
return { number: 42, url: "https://github.com/example/repo/pull/42" };
}
const vm = agentOs({
options: {
software: [common, pi],
toolkits: [tools],
},
});
export const registry = setup({ use: { vm } });
registry.start();
The agent sees these as shell commands: agentos-project list-issues --status open. No MCP configuration, no auth handshake. Tool handlers run on the host with full access to your databases and services. The agent never sees the credentials, only the tool's input/output. Because tool calls are shell commands, agents can use code mode, reducing token usage by up to 80%.
agentOS is deny-by-default. No syscalls are bound until you explicitly configure them. Network access, filesystem mounts, and process spawning are all opt-in.
maxMemoryMb and maxCpuPercent per agent.Schedule agents on cron, process work through durable queues, and coordinate multi-agent pipelines with workflows.
agentOS is Apache 2.0 licensed and free to self-host. It's just an npm package. Run it on your laptop, Railway, Vercel, Kubernetes, or on-prem. No vendor lock-in. For managed infrastructure, Rivet Cloud handles deployment and scaling.