Title: WASM shell tools cannot read files from agentOS VFS, including files created by the shell itself
Summary
Using @rivet-dev/agent-os-core with @rivet-dev/agent-os-common, WASM shell tools like cat, grep, and sha256sum fail with Permission denied when reading:
- files written via
vm.writeFile(...), and
- files created by the WASM shell itself.
This reproduces without Pi, LLM credentials, or any app-specific code.
Repro
Standalone repro gist:
Files in the gist:
Package versions:
@rivet-dev/agent-os-core@0.1.1@rivet-dev/agent-os-common@0.0.260331072558
Run:
npm install
npm run repro
Node version used locally:
Expected
cat, grep, and sha256sum should be able to read files in the VM filesystem.- This should work both for host-written files (
vm.writeFile) and shell-created files.
Actual
All of these return nonzero with Permission denied, for example:
WARN could not retrieve pid for child process
grep: /mnt/scratch/input/host-written.txt: Permission denied (os error 2)
WARN could not retrieve pid for child process
cat: /tmp/wasm-shell-cat.txt: Permission denied
WARN could not retrieve pid for child process
sha256sum: /tmp/wasm-shell-sha.txt: Permission denied
The file metadata appears normal from the host API. For the host-written file, vm.stat() returned:
{
"mode": 33188,
"size": 36,
"isDirectory": false,
"isSymbolicLink": false,
"atimeMs": 1775333947328,
"mtimeMs": 1775333947328,
"ctimeMs": 1775333947328,
"birthtimeMs": 1775333947328,
"ino": 3,
"nlink": 1,
"uid": 0,
"gid": 0
}mode: 33188 is 0100644, so the host API sees a normal world-readable file.
Notes
AgentOs.create() appears to default host kernel permissions to allowAll.- The failure also reproduces via direct
vm.exec(...), outside agent sessions.
- Every
vm.exec() call emits WARN could not retrieve pid for child process on stderr before any command output. This may be a related symptom or diagnostic clue.
- There is an errno inconsistency in the failures:
grep reports Permission denied (os error 2) where os error 2 is ENOENT, while cat and sha256sum report plain Permission denied. That may help narrow down whether this is happening in the WASI/VFS layer.
- This makes it look like a VFS/WASM-shell integration bug or limitation rather than session approval config.
Question
Is there a missing filesystem permission or mount configuration needed for WASM commands to read VFS files, or is this a bug?
Title: WASM shell tools cannot read files from agentOS VFS, including files created by the shell itself
Summary
Using
@rivet-dev/agent-os-corewith@rivet-dev/agent-os-common, WASM shell tools likecat,grep, andsha256sumfail withPermission deniedwhen reading:vm.writeFile(...), andThis reproduces without Pi, LLM credentials, or any app-specific code.
Repro
Standalone repro gist:
Files in the gist:
package.jsonrepro.mjsPackage versions:
@rivet-dev/agent-os-core@0.1.1@rivet-dev/agent-os-common@0.0.260331072558Run:
Node version used locally:
Expected
cat,grep, andsha256sumshould be able to read files in the VM filesystem.vm.writeFile) and shell-created files.Actual
All of these return nonzero with
Permission denied, for example:The file metadata appears normal from the host API. For the host-written file,
vm.stat()returned:{ "mode": 33188, "size": 36, "isDirectory": false, "isSymbolicLink": false, "atimeMs": 1775333947328, "mtimeMs": 1775333947328, "ctimeMs": 1775333947328, "birthtimeMs": 1775333947328, "ino": 3, "nlink": 1, "uid": 0, "gid": 0 }mode: 33188is0100644, so the host API sees a normal world-readable file.Notes
AgentOs.create()appears to default host kernel permissions toallowAll.vm.exec(...), outside agent sessions.vm.exec()call emitsWARN could not retrieve pid for child processon stderr before any command output. This may be a related symptom or diagnostic clue.grepreportsPermission denied (os error 2)whereos error 2isENOENT, whilecatandsha256sumreport plainPermission denied. That may help narrow down whether this is happening in the WASI/VFS layer.Question
Is there a missing filesystem permission or mount configuration needed for WASM commands to read VFS files, or is this a bug?