Skip to content

WASM shell tools cannot read VFS files, including files created by the shell itself #1432

Open
Open
WASM shell tools cannot read VFS files, including files created by the shell itself#1432
@alanpog

Description

@alanpog
alanpog
opened on Apr 4, 2026

Title: WASM shell tools cannot read files from agentOS VFS, including files created by the shell itself

Summary

Using @rivet-dev/agent-os-core with @rivet-dev/agent-os-common, WASM shell tools like cat, grep, and sha256sum fail with Permission denied when reading:

  • files written via vm.writeFile(...), and
  • files created by the WASM shell itself.

This reproduces without Pi, LLM credentials, or any app-specific code.

Repro

Standalone repro gist:

Files in the gist:

  • package.json
  • repro.mjs

Package versions:

  • @rivet-dev/agent-os-core@0.1.1
  • @rivet-dev/agent-os-common@0.0.260331072558

Run:

npm install
npm run repro

Node version used locally:

v24.14.1 (linux x64)

Expected

  • cat, grep, and sha256sum should be able to read files in the VM filesystem.
  • This should work both for host-written files (vm.writeFile) and shell-created files.

Actual

All of these return nonzero with Permission denied, for example:

WARN could not retrieve pid for child process
grep: /mnt/scratch/input/host-written.txt: Permission denied (os error 2)
WARN could not retrieve pid for child process
cat: /tmp/wasm-shell-cat.txt: Permission denied
WARN could not retrieve pid for child process
sha256sum: /tmp/wasm-shell-sha.txt: Permission denied

The file metadata appears normal from the host API. For the host-written file, vm.stat() returned:

{
  "mode": 33188,
  "size": 36,
  "isDirectory": false,
  "isSymbolicLink": false,
  "atimeMs": 1775333947328,
  "mtimeMs": 1775333947328,
  "ctimeMs": 1775333947328,
  "birthtimeMs": 1775333947328,
  "ino": 3,
  "nlink": 1,
  "uid": 0,
  "gid": 0
}

mode: 33188 is 0100644, so the host API sees a normal world-readable file.

Notes

  • AgentOs.create() appears to default host kernel permissions to allowAll.
  • The failure also reproduces via direct vm.exec(...), outside agent sessions.
  • Every vm.exec() call emits WARN could not retrieve pid for child process on stderr before any command output. This may be a related symptom or diagnostic clue.
  • There is an errno inconsistency in the failures: grep reports Permission denied (os error 2) where os error 2 is ENOENT, while cat and sha256sum report plain Permission denied. That may help narrow down whether this is happening in the WASI/VFS layer.
  • This makes it look like a VFS/WASM-shell integration bug or limitation rather than session approval config.

Question

Is there a missing filesystem permission or mount configuration needed for WASM commands to read VFS files, or is this a bug?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions