Source: loomcycle.dev

Filesystem Volumes arrived. Multi-ensemble isolation in one runtime (v1.1.0)

Loomcycle v1.1.0 introduces Filesystem Volumes, replacing the global jail with per-agent read-only or read-write filesystem roots. The update enforces spawn confinement, removes legacy jail environment variables, and adds ephemeral run-scoped volumes that auto-purge. The new system is demonstrated in exp8, where a dispatcher agent creates an ephemeral volume, clones a repository, and fans out reviewer agents without MCP round-trips.

Published: Jun 26, 2026

loomcycle v1.1.0 ships Filesystem Volumes (RFC AH, Phases 1 through 5). Per-agent ro/rw filesystem roots replace the global jail.

Phase 1: a Volume is {name, path, mode: ro|rw}; an AgentDef binds to a named subset, file tools take an optional volume arg, ro/rw is enforced (Bash refuses ro). The load-bearing invariant is spawn confinement: a sub-agent's volume set is parent intersect child, with ro/rw resolving to the more restrictive. The TOCTOU-safe resolveInsideRoot is unchanged; only which root is passed in changes.

Phase 2a adds the dynamic VolumeDef substrate, tenant-scoped, runtime-mutable, with a runtime-derived path that never accepts a caller-supplied directory. Names match a strict regex; no slashes, no dots, no path injection. The op set is create/delete/purge, not retire/promote/fork.

Phase 2b adds ephemeral run-scoped volumes: create with ephemeral=true, the runtime provisions under _ephemeral//, auto-purges when the top-level run completes (terminally, in any state). Run-tree isolation: the ephemeral set is created fresh per top-level run, inherited by sub-agents, never crosses between runs. Behind four fences for the purge; a singleton sweeper backstops crashed runs; d runs skipped so snapshot-and-resume keeps its working tree.

Phase 3 BREAKING: the legacy jail env vars (LOOMCYCLE_READ_ROOT, WRITE_ROOT, BASH_CWD) are removed. Volumes are now the sole filesystem mechanism. An agent not bound to any volume has no filesystem access. A deploy still setting the retired env vars fails at config-load with a migration hint. Migration is one-line: replace the three env vars with a single default volume in the new volumes: yaml block.

Phase 4 ships a Volumes tab in the Web UI; Phase 5 closes cross-transport parity (HTTP, gRPC, MCP, TypeScript adapter, Python adapter all carry the same surface).

The killer demo: exp8 ships as a self-contained directory. A dispatcher agent creates an ephemeral volume, git-clones loomcycle into it, and fans out 8 reviewer agents via Agent op=parallel_spawn (in-process barrier, no MCP round-trip). Each reviewer writes findings to Memory, a consolidator merges them into a report on the default volume, and the ephemeral volume auto-purges when the dispatcher exits. This contrasts with exp7 (external MCP fan-out, pre-cloned static ro volume, operator-driven barrier). Six PRs (#510 through #515). The Paca conversation that surfaced the multi-ensemble shared-jail problem produced its answer at the runtime level.
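
The spawn-confinement rule from Phase 1 (parent intersect child, more restrictive mode wins, no binding means no access), as an added Python illustration that is not loomcycle's own code. The names confine, authorize and NAME_RE, the regex itself and the sample paths are assumptions made for this example; the article does not give the actual pattern or API.

```python
import re
from dataclasses import dataclass

# Assumed pattern: the article only says names allow no slashes and no dots.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")
RANK = {"ro": 0, "rw": 1}  # lower rank is more restrictive


@dataclass(frozen=True)
class Volume:
    name: str
    path: str  # runtime-derived; never taken from the caller
    mode: str  # "ro" or "rw"


def confine(parent, requested):
    """Sub-agent volume set: parent intersect child, stricter mode wins.

    parent: dict of name -> Volume the spawning agent holds.
    requested: dict of name -> mode the child definition asks for.
    """
    effective = {}
    for name, want in requested.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid volume name: {name!r}")
        if want not in RANK:
            raise ValueError(f"invalid mode for {name!r}: {want!r}")
        held = parent.get(name)
        if held is None:
            continue  # a child cannot gain a volume its parent lacks
        mode = min(held.mode, want, key=RANK.__getitem__)
        effective[name] = Volume(name, held.path, mode)  # path copied from parent
    return effective


def authorize(volumes, name, write):
    """Deny by default: unbound volume or write to ro raises PermissionError."""
    vol = volumes.get(name)
    if vol is None:
        raise PermissionError(f"agent is not bound to volume {name!r}")
    if write and vol.mode != "rw":
        raise PermissionError(f"volume {name!r} is read-only")
    return vol


# Constructed sample: a dispatcher's bindings and an over-asking reviewer.
DISPATCHER = {
    "default": Volume("default", "/srv/volumes/default", "rw"),
    "repo": Volume("repo", "/srv/volumes/repo", "ro"),
}
REVIEWER = confine(DISPATCHER, {"repo": "rw", "default": "ro", "scratch": "rw"})
```

Because the child's set is computed only from what the parent holds, calling confine again on REVIEWER cannot restore write access that an ancestor dropped.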
