Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Agent OS is the agent-facing wrapper around secure-exec. It provides ACP session
- Local development therefore needs no mode flip: clone/keep a sibling `../secure-exec` checkout, `pnpm install` there once (or cargo panics in `v8-runtime/build.rs` with "missing Node dependencies at .../packages/build-tools/node_modules"), and build its registry packages (`just registry-native` + `just registry-build` there) for the shell/software links. `just secure-exec-status` inspects; `node scripts/secure-exec-dep.mjs release-revert` restores the file-dep state if a swap leaked.
- **The ref (`.github/refs/secure-exec`)** is the ONLY committed secure-exec version state: one full 40-char sha that CI materializes `../secure-exec` at, publishes derive the preview identity from, and the sibling build cache keys on. Bump it with `just secure-exec-bump [sha]` (defaults to the sibling checkout's current commit) — never hand-edit. Bump WHEN: (a) agent-os work needs a secure-exec change — merge that change to secure-exec main first, then bump to the merge sha; (b) before cutting a release-preview/release that must carry newer secure-exec. The sha must stay reachable in rivet-dev/secure-exec (main-merged shas always are; squash-merges orphan branch heads). Each new sha's first CI run rebuilds the sibling from scratch (slow, then cached). See "Publishing against secure-exec" and the `bump-secure-exec` skill.
- Keep generic runtime, kernel, VFS, language execution, generic registry software, and packaged agent definitions/adapters in secure-exec.
- Agent OS owns ACP, sessions, toolkit semantics, quickstarts, docs, and the AgentOs facade.
- Agent OS owns ACP, sessions, binding group semantics, quickstarts, docs, and the AgentOs facade.
- Call OS instances VMs, never sandboxes.
- Keep root `package.json` scripts limited to Turbo orchestration; put repo-specific commands in `justfile` recipes.
- The protocol has no backwards compatibility. Clients and the sidecar ship in same-version lockstep, so never add protocol or config versioning, runtime negotiation, fallbacks, or converters. Configs such as `CreateVmConfig` carry no `version` field; the single same-version wire handshake is the only version check. Change the protocol freely and update both sides together.
Expand Down Expand Up @@ -72,11 +72,11 @@ Trust model (decide which side of the boundary something is on before judging wh

## Limits, Bounds & Observability

Every limit, timeout, bounded queue/buffer, and per-entity collection MUST be bounded by default, warn as it approaches, and fail clearly. This applies to both the secure-exec limits agent-os forwards AND agent-os-owned bounds (ACP/session/frame timeouts, the sidecar event buffer, session/shell-id retention, host-tool registration caps, in-VM adapter log buffers). The canonical statement lives in secure-exec root `CLAUDE.md` → "Limits, Bounds & Observability"; agent-os adds:
Every limit, timeout, bounded queue/buffer, and per-entity collection MUST be bounded by default, warn as it approaches, and fail clearly. This applies to both the secure-exec limits agent-os forwards AND agent-os-owned bounds (ACP/session/frame timeouts, the sidecar event buffer, session/shell-id retention, host-binding registration caps, in-VM adapter log buffers). The canonical statement lives in secure-exec root `CLAUDE.md` → "Limits, Bounds & Observability"; agent-os adds:

- **Forward, don't reimplement.** Resource limits (`limits.resources/jsRuntime/python/wasm/acp/tools/...`) are secure-exec's; agent-os forwards them on the wire and surfaces them in `AgentOsOptions.limits` — never duplicate the enforcement or the defaults TS-side. Agent-os owns only the ACP/session/client-layer bounds.
- **Warn-on-approach + typed error for agent-os-owned bounds.** ACP method timeouts (`initialize`/`session/new`/`session/prompt`/default — `acp_extension.rs`), the native-sidecar frame timeout, and the event buffer must emit a structured near-threshold signal (default ≥80%) and fail with a typed error that names the limit and how to raise it. ACP timeout errors already carry `data.kind === "acp_timeout"` (keep using `isAcpTimeoutErrorData`); extend the rest to match. The default 120s ACP method timeout is the adapter-stall failure mode — make it observable, not a silent 120s hang.
- **No unbounded per-entity collections.** Anything that grows per session / process / shell / toolkit (`_sessions`, tracked-process maps, socket-lookup caches, toolkit registries) must be a bounded collection that warns on eviction, or carry an explicit, documented cap. Enforce registration caps (`maxRegisteredToolkits`, etc.) at registration time, not silently at use time. Silent LRU eviction without a log is a footgun.
- **No unbounded per-entity collections.** Anything that grows per session / process / shell / binding group (`_sessions`, tracked-process maps, socket-lookup caches, binding group registries) must be a bounded collection that warns on eviction, or carry an explicit, documented cap. Enforce registration caps (`maxRegisteredBindingGroups`, etc.) at registration time, not silently at use time. Silent LRU eviction without a log is a footgun.
- **Host-visible.** A limit warning/error that fires inside the VM or sidecar is useless if it never reaches the host — route it through the agent-process log channel (`onAgentStderr` / the ACP-extension forward) and a structured trace channel, the same path that makes adapter stderr observable.

## Agent Sessions
Expand Down
2 changes: 1 addition & 1 deletion crates/CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ These are hard rules with no exceptions:
- **`RequestPayload::PermissionRequest` is not the kernel permission system.** Kernel permissions route through `PermissionBridge`; the protocol payload is an unsupported legacy host-callback-shaped frame and should be dropped with the ACP core-removal work.
- **Rust permission globs are segment-scoped by default.** In kernel/sidecar permission rules, single `*` and `?` match within one path segment and stop at `/`; use `**` when a rule needs to authorize nested paths or resources across separators.
- **Inspection RPC permissions are separate from runtime setup permissions.** `FindListener` / `FindBoundUdp` require `network.inspect`, and `GetProcessSnapshot` requires `process.inspect`; test fixtures that exercise those handlers still need `child_process.spawn` and `network.listen` allowed so the guest process and listener can start before the inspection request runs.
- **Toolkit registration bootstrap and toolkit invocation use different permission paths.** In `crates/sidecar/src/tools.rs`, sidecar-owned `register_host_callbacks(...)` work should temporarily swap the bridge policy to `PermissionsPolicy::allow_all()` while it refreshes `/bin/agentos*` command stubs, then restore the VM policy; actual guest host-tool execution is separately gated by `binding.invoke` against `<toolkit>:<tool>` resources.
- **Toolkit registration bootstrap and binding group invocation use different permission paths.** In `crates/sidecar/src/tools.rs`, sidecar-owned `register_host_callbacks(...)` work should temporarily swap the bridge policy to `PermissionsPolicy::allow_all()` while it refreshes `/bin/agentos*` command stubs, then restore the VM policy; actual guest host-binding execution is separately gated by `binding.invoke` against `<binding group>:<tool>` resources.
- **Sidecar request handlers that need rollback must keep fallible mutations inside a `Result`-returning closure.** In handlers like `register_host_callbacks(...)`, a bare block with `?` returns from the whole request handler before rollback runs; wrap the mutation block in `(|| -> Result<_, SidecarError> { ... })()` so restore/fail-closed cleanup still executes on errors.
- **Native-sidecar VM bootstrap must keep a temporary static policy installed.** During `create_vm` and `configure_vm`, swap in `PermissionsPolicy::allow_all()` for sidecar-owned `/bin`/command-path reconciliation instead of clearing the stored policy entirely, or the `LocalBridge` fallback will deny internal filesystem checks before the guest-visible policy is restored.
- **Filesystem-side teardown races must fail closed too.** In `crates/sidecar/src/filesystem.rs`, guest filesystem and Python VFS handlers should treat missing VMs or active processes as stale teardown races: log and return a rejection/`Ok(())` instead of `expect(...)`, because dispose can win after a request is queued but before the response is emitted.
Expand Down
10 changes: 5 additions & 5 deletions crates/agentos-sidecar/src/AGENTOS_SYSTEM_PROMPT.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,11 @@ Known limitations:

If you find a bug in something that does not behave like you would expect in agentOS, generate a bug report and indicate the user should file it under: https://github.com/rivet-dev/rivet/issues (This repository holds agentOS inside of it.)

## Tools CLI
## Bindings CLI

Tools are available as CLI commands:
Bindings are available as CLI commands:

- `agentos list-tools` — list all available toolkits and tools
- `agentos-{toolkit} {tool} --help` — show usage for a specific tool
- `agentos-{toolkit} {tool} --flag value` — invoke a tool
- `agentos list-bindings` — list all available binding groups and bindings
- `agentos-{binding_group} {binding} --help` — show usage for a specific binding
- `agentos-{binding_group} {binding} --flag value` — invoke a binding

Loading
Loading