The 6 building blocks of every Agent OS agent.
Sub-millisecond key-value storage with TTL, backed by Redis.
• Keys are automatically namespaced to your agent — no key collisions between agents.
• Memory quota tracked via Redis. Default: 100 MB per agent.
mem_set→ trueStore a value with optional expiry.
keystringrequiredCache key (namespaced per agent)valueanyrequiredValue to store (serialized to JSON)ttlnumberoptionalSeconds until expiry (omit for no expiry)mem_get→ value or nullRetrieve a value by key.
keystringrequiredCache keymem_delete→ trueDelete a key.
keystringrequiredCache key to deletemem_list→ string[]List all keys with an optional prefix.
prefixstringoptionalFilter keys by prefixmem_incr→ new value (number)Atomically increment a numeric key.
keystringrequiredKey to incrementamountnumberoptionalIncrement by (default 1)mem_expire→ trueUpdate the TTL of an existing key.
keystringrequiredKey to updatettlnumberrequiredNew TTL in secondsCloud file storage with per-agent isolation, backed by Supabase Storage.
• All paths are isolated per agent — /data/file.txt for agent A is different from /data/file.txt for agent B.
• Default storage quota: 1 GB per agent.
• File data is base64-encoded in transport. Use Buffer.from(data, "base64") in Node.js.
fs_write→ { path, size_bytes }Write a file (base64 encoded content).
pathstringrequiredFile path e.g. /data/report.jsondatastring (base64)requiredFile content encoded as base64contentTypestringoptionalMIME type e.g. application/jsonfs_read→ { data (base64), contentType, size }Read a file (returns base64 encoded content).
pathstringrequiredFile path to readfs_list→ { files: [{ name, path, size, contentType }] }List files in a directory.
pathstringrequiredDirectory path e.g. /data/fs_delete→ trueDelete a file.
pathstringrequiredFile path to deletefs_mkdir→ trueCreate a directory marker.
pathstringrequiredDirectory pathfs_stat→ { path, size_bytes, contentType, created_at, updated_at }Get file metadata.
pathstringrequiredFile pathFull PostgreSQL with per-agent schema isolation. Run real SQL queries safely.
• Each agent gets a private PostgreSQL schema (agent_{agentId}). No cross-agent access.
• All queries are parameterized — SQL injection is not possible.
• pg_catalog, information_schema, and system tables are blocked.
db_create_table→ trueCreate a new table in the agent's schema.
tablestringrequiredTable name (alphanumeric + underscore)schemaarrayrequiredColumn definitions [{column, type, primaryKey?, nullable?}]db_insert→ inserted rowsInsert one or more rows.
tablestringrequiredTable namedataobject | arrayrequiredRow data or array of rowsdb_update→ number of rows updatedUpdate rows matching a condition.
tablestringrequiredTable namedataobjectrequiredFields to updatewhereobjectrequiredWHERE clause {column: value}db_delete→ number of rows deletedDelete rows matching a condition.
tablestringrequiredTable namewhereobjectrequiredWHERE clause {column: value}db_query→ query results arrayRun a parameterized SQL query.
sqlstringrequiredSQL query with $1, $2 placeholdersparamsarrayoptionalParameter values for placeholdersdb_transaction→ array of resultsExecute multiple SQL statements atomically.
queriesstring[]requiredArray of SQL statementsOutbound HTTP with SSRF protection and domain allowlisting.
• Private IP ranges are blocked (10.x, 192.168.x, 127.x, 172.16–31.x, 169.254.x).
• Cloud metadata endpoints are blocked (metadata.google.internal, etc).
• HTTPS is required for all requests.
• Domain allowlisting can be configured per-agent or globally.
net_http_get→ { status, headers, body }Make a GET request to an external URL.
urlstringrequiredFull URL (must be HTTPS)headersobjectoptionalCustom request headersnet_http_post→ { status, headers, body }Make a POST request.
urlstringrequiredFull URLbodyanyrequiredRequest bodyheadersobjectoptionalCustom request headersnet_http_put→ { status, headers, body }Make a PUT request.
urlstringrequiredFull URLbodyanyrequiredRequest bodyheadersobjectoptionalCustom request headersnet_http_delete→ { status, headers, body }Make a DELETE request.
urlstringrequiredFull URLheadersobjectoptionalCustom headersnet_dns_resolve→ string[] of IP addressesResolve a hostname to IP addresses.
hostnamestringrequiredDomain name to resolveSandboxed code execution for Python, JavaScript, and Bash.
• Processes run in an isolated temp directory. No access to host filesystem.
• Output (stdout/stderr) is limited to 1 MB per stream.
• Timeout default is 30 seconds; can be up to 5 minutes (300,000 ms).
proc_execute→ { stdout, stderr, exitCode, duration_ms }Execute code in a sandboxed process.
codestringrequiredSource code to executelanguagestringrequired"python" | "javascript" | "bash"timeoutnumberoptionalMax execution time in ms (default 30000, max 300000)envobjectoptionalAdditional env vars to injectproc_schedule→ { taskId, nextRunAt }Register a cron job to run code on a schedule.
codestringrequiredCode to runlanguagestringrequiredLanguagecronExpressionstringrequiredCron expression e.g. "0 * * * *"proc_spawn→ { processId }Spawn a child agent for a task.
agentIdstringrequiredChild agent ID to activateproc_kill→ trueKill a running process or disable a scheduled task.
processIdstringrequiredProcess/task ID to killproc_list→ { processes: [...], scheduledTasks: [...] }List recent processes and scheduled tasks.
Redis-backed pub/sub messaging for agent coordination.
• Topics are private by default — only your agent can publish/subscribe.
• Public topics enable cross-agent coordination.
events_publish→ truePublish a message to a topic.
topicstringrequiredTopic namemessageanyrequiredMessage payloadisPublicbooleanoptionalAllow other agents to subscribe (default false)events_subscribe→ message[]Get recent messages from a topic.
topicstringrequiredTopic to readsincestring (ISO)optionalOnly messages after this timestampevents_unsubscribe→ trueRemove a subscription from a topic.
topicstringrequiredTopic to unsubscribe fromevents_list_topics→ string[]List all topics the agent has subscribed to.