Agent libOS proposes a library-OS runtime for long-running LLM agents
Yingqi Zhang presents Agent libOS, a library-OS-inspired runtime substrate that treats LLM agents as schedulable processes with explicit capabilities, lifecycle state, and audit records rather than relying on tool dispatch as the trust boundary.
Score breakdown
Agent libOS addresses a structural gap in LLM agent infrastructure by shifting the trust and authority boundary from tool dispatch to runtime primitives, enabling long-running agents to be scheduled, authorized, resumed, and audited in a principled way.
- 01Agent libOS is a library-OS-inspired runtime substrate for LLM agents, presented by Yingqi Zhang.
- 02The system models each agent as an `AgentProcess` with process identity, parent-child lineage, lifecycle state, typed Object Memory, explicit capabilities, and audit records.
- 03Its central design rule: tools are libc-like wrappers; runtime primitives are the authority boundary — not tool dispatch.
Yingqi Zhang's paper introduces Agent libOS, a runtime substrate for LLM agents that draws inspiration from library operating systems. The system runs above a conventional host OS and does not implement hardware drivers, kernel-mode isolation, or a POSIX-compatible OS layer. Instead, it reframes an LLM agent as an `AgentProcess`: a schedulable execution subject carrying process identity, parent-child lineage, lifecycle state, a tool table derived from an `AgentImage`, typed Object Memory, explicit capabilities, human queues, checkpoints, events, and audit records. The central design principle is that tools act as libc-like wrappers while runtime primitives constitute the true authority boundary — meaning filesystem access, object access, sleeps, human approval, JIT tool registration, and external side effects are all enforced at primitive boundaries under explicit capabilities and policy.
The paper describes the full design, threat model, a Python prototype, and a safety-oriented evaluation.
The paper describes the full design, threat model, a Python prototype, and a safety-oriented evaluation. The prototype implements async scheduling, namespace-local Object Memory, runtime-integrated human approval, one-shot permission grants, per-process working directories, shell and image-registration primitives, Deno/TypeScript JIT tools over a libOS syscall broker, filesystem/object bridge tools, an injectable Resource Provider Substrate, deterministic demos, real-model smoke scripts, and 123 regression tests. Rather than targeting improvements to planner accuracy, Agent libOS focuses on demonstrating a runtime substrate in which long-running LLM agents can be scheduled, authorized, resumed, and audited in a principled way.
Key facts
- 01Agent libOS is a library-OS-inspired runtime substrate for LLM agents, presented by Yingqi Zhang.
- 02The system models each agent as an `AgentProcess` with process identity, parent-child lineage, lifecycle state, typed Object Memory, explicit capabilities, and audit records.
- 03Its central design rule: tools are libc-like wrappers; runtime primitives are the authority boundary — not tool dispatch.
- 04Filesystem access, human approval, JIT tool registration, and external side effects are all checked at primitive boundaries under explicit capabilities and policy.
- 05The Python prototype includes async scheduling, Deno/TypeScript JIT tools over a libOS syscall broker, one-shot permission grants, and per-process working directories.
- 06The prototype ships with 123 regression tests, deterministic demos, and real-model smoke scripts.
- 07The paper's goal is not to improve planner accuracy but to demonstrate a runtime in which agents can be scheduled, authorized, resumed, and audited.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 9, 2026 · 17:05 UTC. How this works →