Agent Sessions run inside isolated sandbox containers. This page lists the operating system, preinstalled tools, and resource limits for the runtime.
Operating System
| Item | Value |
|---|
| Distribution | Ubuntu 22.04 LTS (Jammy) |
| Architecture | x86_64 (amd64) |
| Kernel | Linux 5.10.134 (LIFSEA container engine, based on Linux 5.10 LTS) |
| Tool | Version | Description |
|---|
| git | 2.34+ | Version control |
| curl | 7.81+ | HTTP client |
| wget | 1.21+ | File download |
| jq | 1.6+ | JSON processing |
| vim | 8.2+ | Text editor |
| unzip / tar | system | Archive tools |
| ssh | OpenSSH 8.9+ | SSH client |
| make | 4.3+ | Build tool |
Language Runtimes
| Language | Version | Package manager |
|---|
| Python | 3.12.x | pip 24+ |
| Node.js | 20.x LTS | npm 10+ |
| Go | 1.22.x | go mod |
Package Managers
| Tool | Description |
|---|
| apt | System package management |
| pip | Python packages |
| npm | Node.js packages |
Working Directory
The Agent’s default cwd is /app. Note that $HOME points to /data (a different directory), so ~/ expands to /data, not the cwd. For uploaded file mount paths, see Files and Mounts.
Use the Environment’s packages field to install additional dependencies:
{
"config": {
"packages": {
"apt": ["postgresql-client", "redis-tools", "ffmpeg"]
}
}
}
apt/pip/npm keys install system packages, Python packages, and Node.js packages respectively.
You can also instruct the Agent in its system prompt to install additional dependencies on demand.
Networking
Network access is governed by the Environment’s config.networking field (object form required):
| Type | Description |
|---|
unrestricted | The container can reach the public internet (default) |
limited | Only known-safe public services and package managers are reachable |
allowed_hosts | Only the listed hosts are reachable |
{
"config": {
"networking": {
"type": "allowed_hosts",
"allowed_hosts": [
"api.github.com",
"registry.npmjs.org"
]
}
}
}
Resource Limits
| Resource | Default limit | Description |
|---|
| CPU | 4 vCPU | Allocated processor cores |
| Memory | 8 GB | Available RAM |
| Disk | 25 GB | Workspace storage (overlay filesystem, ~18 GB usable) |
| Execution time | 30 minutes | Maximum duration of a single turn |
When memory or disk limits are exceeded, the process is OOM-killed or writes fail. Consider reminding the Agent in the system prompt to be mindful of resource usage.
File Persistence
- Within the same Session, files persist across turns.
- Container temporary storage is retained for 24 hours only. For Sessions inactive beyond 24 hours, the container disk may be reclaimed and files on disk are not guaranteed to be preserved.
- After disk reclamation, the Session itself remains usable — the platform re-initializes the container environment on demand, but files previously produced on disk (e.g., cloned repositories, generated intermediate artifacts) will be lost.
- When the Session ends (archived or deleted), the container and its files are destroyed immediately.
- For long-term persistence, upload files to platform storage via the Files API.
Disk reclamation does not terminate the Session. If your workflow depends on intermediate files persisting across days, upload critical artifacts to the Files API at the end of each turn and re-mount them when resuming.
Execution User
All commands run as root inside the container. whoami returns root, but the USER environment variable is not set (empty string). Agents can install system packages and write to any system directory without sudo. If restrictions are needed, specify them in the Agent’s system prompt.
Environment Variables
Variables preset in the container:
| Variable | Value | Description |
|---|
| HOME | /data | User home directory (~/ expands here, different from cwd /app) |
| USER | (not set, empty string) | Note: the USER environment variable is not injected; use whoami to get the actual identity, which returns root |
| SHELL | /bin/bash | Default shell |
| LANG | en_US.UTF-8 | Locale |
