Summary
Spawned subprocesses inside the AgentOS VM kernel cannot make outbound HTTPS requests. The VM network policy (allowOutbound: true + allowedHosts) works for the main Node.js process but does not route traffic from child processes spawned via this.spawn() in createSession.
Environment
- Platform: Fly.io, 1GB VM, Node 22
- SDK:
@rivet-dev/agent-os-core@0.1.1
- Agent:
pi (adapter: pi-acp@0.0.26, agent: @mariozechner/pi-coding-agent@0.73.0)
Reproduction
Network config:
network: {
allowOutbound: true,
allowedHosts: ["api.groq.com", "api.x.ai", "api.openai.com"],
}Steps:
createSession("pi", { env: { GROQ_API_KEY: "..." } }) is called- SDK resolves
pi-acp adapter, spawns subprocess via this.spawn()
- ACP
initialize succeeds
- ACP
session/new sent — Pi calls getAvailableModels() → HTTPS to api.groq.com
- Request never completes — hangs until 120s ACP timeout
Error: ACP request session/new (id=2) timed out after 120000ms
Root cause analysis
Systematically ruled out:
- Not auth: Pi
hasAnyPiAuthConfigured() passes. Hang is after auth, during HTTPS.
- Not provider-specific: Tested xAI, Groq, OpenAI — all timeout at 120s.
- Not OOM: 1GB VM, no OOM kills.
- Not adapter-specific: OpenCode crashes differently; Pi gets further (completes initialize).
- ACP protocol works: initialize handshake succeeds over stdin/stdout pipes.
- Host-side HTTP works: Host tools calling Go API via fetch work fine.
Conclusion: The VM kernel network adapter (createNodeHostNetworkAdapter()) does not intercept/route outbound HTTPS from spawned subprocesses. Only the main process has network access.
Relevant code paths
agent-os.js:1096-1133 — spawns adapter via this.spawn("node", [binPath, ...launchArgs])agent-os.js:279-368 — AgentOs.create sets up createNodeHostNetworkAdapter()
Workaround
Using a synthetic session ID without calling createSession. VM is available for host tools and VFS only — but no real ACP agent sessions work.
Impact
Blocks all ACP coding agent sessions in production. No coding agent (Pi, OpenCode, Claude Code) can reach its LLM API from inside the sandbox.
Summary
Spawned subprocesses inside the AgentOS VM kernel cannot make outbound HTTPS requests. The VM network policy (
allowOutbound: true+allowedHosts) works for the main Node.js process but does not route traffic from child processes spawned viathis.spawn()increateSession.Environment
@rivet-dev/agent-os-core@0.1.1pi(adapter:pi-acp@0.0.26, agent:@mariozechner/pi-coding-agent@0.73.0)Reproduction
Network config:
Steps:
createSession("pi", { env: { GROQ_API_KEY: "..." } })is calledpi-acpadapter, spawns subprocess viathis.spawn()initializesucceedssession/newsent — Pi callsgetAvailableModels()→ HTTPS toapi.groq.comError: ACP request session/new (id=2) timed out after 120000msRoot cause analysis
Systematically ruled out:
hasAnyPiAuthConfigured()passes. Hang is after auth, during HTTPS.Conclusion: The VM kernel network adapter (
createNodeHostNetworkAdapter()) does not intercept/route outbound HTTPS from spawned subprocesses. Only the main process has network access.Relevant code paths
agent-os.js:1096-1133— spawns adapter viathis.spawn("node", [binPath, ...launchArgs])agent-os.js:279-368—AgentOs.createsets upcreateNodeHostNetworkAdapter()Workaround
Using a synthetic session ID without calling
createSession. VM is available for host tools and VFS only — but no real ACP agent sessions work.Impact
Blocks all ACP coding agent sessions in production. No coding agent (Pi, OpenCode, Claude Code) can reach its LLM API from inside the sandbox.