Agent libOS: A Library-OS-Inspired Runtime for Long-Running, Capability-Controlled LLM Agents
Title: Agent libOS: A Runtime Environment for Long-Running LLM Agents with Capability-Based Control
Abstract
Large language model (LLM) agents are transitioning from simple request-response assistants into persistent software entities. These agents maintain state across multiple model invocations, branch into subtasks, await external triggers, solicit human authorization, create new tools, and execute side effects that require resumption and auditing capabilities. To address these complexities, this paper introduces Agent libOS, a library-OS-inspired runtime substrate designed specifically for LLM agents.
Agent libOS operates atop standard host operating systems. It deliberately avoids implementing hardware drivers, kernel-mode isolation, or POSIX-compatible OS features. Instead, it conceptualizes an agent as an "AgentProcess"—a schedulable execution unit possessing a distinct process identity, parent-child lineage, lifecycle state, and a tool table derived from an AgentImage. This model incorporates typed Object Memory, explicit capabilities, human approval queues, checkpoints, event handling, and comprehensive audit records.
The core design principle of Agent libOS is that tools function as libc-like wrappers, while runtime primitives serve as the authority boundary. Actions such as filesystem and object access, sleep commands, human approval requests, JIT tool registration, and external side effects are strictly verified at primitive boundaries using explicit capabilities and policy enforcement.
We outline the system’s design, threat model, Python-based prototype, and safety-focused evaluation. The current prototype features async scheduling, namespace-scoped Object Memory, integrated human approval workflows, one-shot permission grants, per-process working directories, shell and image-registration primitives, Deno/TypeScript JIT tools via a libOS syscall broker, filesystem/object bridge tools, an injectable Resource Provider Substrate, deterministic demos, real-model smoke scripts, and 123 regression tests. Rather than focusing on enhancing planner accuracy, Agent libOS provides a runtime substrate that enables long-running LLM agents to be scheduled, authorized, resumed, and audited effectively, eliminating the need to treat tool dispatch as the primary trust boundary.
Source: arXiv Generated at: 2026-06-03 00:00:00 UTC
