# Agent libOS：受库操作系统启发的长时间运行、能力可控的LLM智能体运行时

- 来源：HuggingFace Daily Papers（社区热门论文）
- 发布时间：2026-06-02 08:00
- AIHOT 分数：64
- AIHOT 链接：https://aihot.virxact.com/items/cmpzjq2v8045hslkpkvryb1id
- 原文链接：https://arxiv.org/abs/2606.03895

## AI 摘要

Agent libOS是一个运行在常规主机操作系统之上的运行时基底，将LLM智能体建模为可调度的AgentProcess，具备进程标识、父子关系、生命周期、工具表、类型化对象内存、显式能力、人工队列、检查点、事件和审计记录。其核心设计原则是：工具是类似libc的包装器，运行时原语（文件系统访问、对象访问、休眠、人工审批、JIT工具注册、外部副作用）作为权限边界，按显式能力和策略进行检查。当前Python原型实现了异步调度、命名空间局部对象内存、运行时集成的人工批准、一次性权限授予、每进程工作目录、shell与图像注册原语、Deno/TypeScript JIT工具、文件系统/对象桥工具、可注入的资源提供者基底，以及123个回归测试。Agent libOS旨在展示一个可调度、授权、恢复和审计长时间运行LLM智能体的运行时基底，而不将工具分发视为信任边界。

## 正文

Large language model (LLM) agents are evolving from request-response assistants into long-running software actors: they maintain state across model calls, fork subtasks, wait for external events, request human authority, generate tools, and perform side effects that must be resumed and audited. This paper presents Agent libOS, a library-OS-inspired runtime substrate for LLM agents. Agent libOS runs above a conventional host operating system; it does not implement hardware drivers, kernel-mode isolation, or a POSIX-compatible operating system. Instead, it treats an agent as an AgentProcess: a schedulable execution subject with process identity, parent-child lineage, lifecycle state, a tool table derived from an AgentImage, typed Object Memory, explicit capabilities, human queues, checkpoints, events, and audit records. Its central design rule is tools are libc-like wrappers; runtime primitives are the authority boundary. Filesystem access, object access, sleeps, human approval, JIT tool registration, and external side effects are checked at primitive boundaries under explicit capabilities and policy. We describe the design, threat model, Python prototype, and safety-oriented evaluation. The current prototype implements async scheduling, namespace-local Object Memory, runtime-integrated human approval, one-shot permission grants, per-process working directories, shell and image-registration primitives, Deno/TypeScript JIT tools over a libOS syscall broker, filesystem/object bridge tools, an injectable Resource Provider Substrate, deterministic demos, real-model smoke scripts, and 123 regression tests at the time of writing. Rather than improving planner accuracy, Agent libOS demonstrates a runtime substrate in which long-running LLM agents can be scheduled, authorized, resumed, and audited without treating tool dispatch as the trust boundary.
