Rivet introduced agentOS, an embedded agent runtime built on WASM and V8 isolates with backend embedding, mounted filesystems, and built-in orchestration. If you run agents in production, compare it against separate sandbox infrastructure.
You can read the product page, browse the repo, and Rivet even published separate docs for Security & Auth and Persistence & Sleep. The oddest reveal is how much of the pitch is about deleting infrastructure: no sidecar, no Kubernetes operator, and no per-agent credentials for mounted systems embedded runtime filesystem mounts.
Rivet's main bet is architectural, not cosmetic. agentOS runs agents inside the host process, using WebAssembly and V8 isolates instead of booting full sandboxes for each run.
The GitHub README and product page describe the same trade: near-zero startup time and direct access to host functions, without the network hops and duplicate auth layers that come with external sandbox infrastructure.
Rivet published three headline numbers in the launch thread, then linked a dedicated benchmarks page for methodology.
The docs say these figures come from the same data source used on the marketing page, and point readers to ComputeSDK benchmarks for an independent comparison set.
The strongest product idea here is filesystem-first access. Instead of teaching agents a different integration shape for every data source, Rivet mounts systems as directories and lets the host handle secrets.
That model bundles a few concrete claims:
The agentOS page pairs that with host tools, Git access, and session APIs. The result looks less like a hosted coding sandbox and more like a local runtime abstraction you can wire straight into an existing backend.
Rivet is also shipping the control plane inside the runtime. The launch thread lists the guardrails and coordination features as first-party primitives, not bolt-ons.
Security controls called out in the thread and Security & Auth docs include:
Orchestration features listed in the thread:
The docs go a step further than the tweet thread and show agent-to-agent communication as a host-tool pattern, not a magic built-in protocol, in the Agent-to-Agent Communication guide.
The launch thread ends with portability, but the more interesting documentation detail is lifecycle. Rivet's Persistence & Sleep page says /home/user is backed by a persistent filesystem, session transcripts are stored with sequence numbers for replay, and sleeping sessions get a 15-minute grace period by default before the VM kernel state is dropped.
According to the docs, these survive sleep: files in /home/user, session records, session event history, preview URL tokens, and cron definitions. Running processes, active shells, and in-memory mounts do not. Wake-up can happen automatically when a client reconnects or a cron job fires, which makes agentOS look less like a stateless sandbox and more like a resumable agent host.
Say hello to agentOS (beta) A portable open-source OS built just for agents. Powered by WASM & V8 isolates. 🔗 Embedded in your backend ⚡ ~6ms coldstarts, 32x cheaper than sbxs 📁 Mount anything as a file system (S3, SQLite, …) 🥧 Use Pi, Claude Code/Codex/Amp/OpenCode soon
Why WebAssembly + V8? Traditional sandboxes boot entire VMs or containers. agentOS runs agents inside lightweight VMs within your own process. Same isolation technology behind Google Chrome. Battle-tested at planet scale. No VMs. No containers. No Docker images to pull. Just Show more
The numbers: Cold start (p99): agentOS: 6.1 ms Fastest sandbox: 3,150 ms → 516x faster Memory per coding agent: agentOS: ~131 MB Sandbox minimum: ~1,024 MB → 8x less RAM Cost per execution-second: agentOS (AWS on-demand): $0.00000058/s Cheapest mainstream sandbox: Show more
Agents think in files. agentOS mounts anything as a familiar directory tree: - S3 buckets - SQLite databases - Google Drive - Host file system The host handles credential scoping. Agents never see API keys or secrets. They just read and write files like they always do.
agentOS embeds directly into your existing backend. No separate infra. No sidecar. No Kubernetes operator. $ npm install rivetkit Your APIs. Your auth. Your toolchains. Agents run inside your own process, where your code already lives. A few lines of TypeScript and you're Show more
Security model: - Granular CPU & memory limits per agent - Programmatic network allowlists - Isolated network namespace per agent - Bring your own auth (API keys, OAuth, JWTs) Same sandboxing that protects billions of Chrome tabs. Now protecting your agents.
Built-in orchestration. No glue code. - Webhooks for external events - Multiplayer: multiple clients observe one agent - Agent-to-agent delegation - Durable workflows with retries - Queues for backpressure - Persistent SQLite for structured state Everything agents need to Show more
agentOS is open source and runs anywhere: Your laptop. Railway. Vercel. Kubernetes. ECS. Lambda. Cloud Run. A Raspberry Pi. One npm package. No vendor lock-in. Same API everywhere.
