Filesystem operations
Filesystem operations cross a trust boundary. Keep paths narrow, copy only the files required for the task, and avoid broad host mounts for generated or third-party code.
Copy files
    mvmctl cp ./input.json agent-sandbox:/work/input.json
    mvmctl cp agent-sandbox:/work/output.json ./output.json

Useful options:

    mvmctl cp --create-parents ./input.json agent-sandbox:/work/in/input.json
    mvmctl cp --force agent-sandbox:/work/output.json ./output.json
    mvmctl cp --max-bytes 16777216 agent-sandbox:/work/output.json ./output.json

Exactly one endpoint uses VM:/absolute/path form. Guest paths are validated by the guest filesystem policy before read or write.
Use controlled mounts
For short-lived one-shot runs:

    mvmctl run --add-dir ./fixtures:/work:ro -- python /work/test.py

Writable host shares require a dev or permissive profile:

    mvmctl run --profile dev --add-dir ./workspace:/work:rw -- bash -lc 'cd /work && make test'

Volumes
Managed local volumes are encrypted at rest by mvm and must be unlocked before mounting:

    mvmctl volume create agent-cache
    mvmctl volume unlock agent-cache
    mvmctl volume mount agent-sandbox --volume agent-cache --guest /cache --rw

Lock the volume again after use:

    mvmctl volume lock agent-cache

See Persistent workspaces for volume lifecycle, snapshots versus volumes, and cleanup policy.
Security notes
- Do not mount $HOME, credential directories, SSH agents, cloud config, or browser profiles into untrusted guests.
- Prefer copy-in/copy-out over writable mounts for agent tasks.
- Use byte caps for machine-driven downloads.
- Treat guest output files as untrusted input when reading them on the host.
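
One way to apply the last two notes on the host when reading a copied-out result such as ./output.json. This is an added example, not part of mvm; `read_guest_json`, `UntrustedOutputError` and the `required` schema are hypothetical names, and it assumes a POSIX host and a JSON result file.

```python
import json
import os
import stat

MAX_BYTES = 16777216  # same value as the --max-bytes example above

class UntrustedOutputError(Exception):
    """A guest-produced file failed a host-side check."""

def read_guest_json(path, max_bytes=MAX_BYTES, required=None):
    """Parse guest output without trusting its file type, size or shape.

    `required` maps key -> exact Python type (hypothetical schema).
    """
    # O_NOFOLLOW refuses a symlink as the final path component;
    # O_NONBLOCK avoids hanging if a FIFO sits where the file should be.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UntrustedOutputError(f"cannot open safely: {exc}") from exc
    try:
        st = os.fstat(fd)  # check the opened descriptor, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedOutputError("not a regular file")
        if st.st_size > max_bytes:
            raise UntrustedOutputError("file exceeds byte cap")
        with open(fd, "rb", closefd=False) as fh:
            data = fh.read(max_bytes + 1)  # bounded even if the file grows
    finally:
        os.close(fd)
    if len(data) > max_bytes:
        raise UntrustedOutputError("file grew past byte cap")
    try:
        doc = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as exc:
        raise UntrustedOutputError(f"not valid UTF-8 JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise UntrustedOutputError("top-level value must be an object")
    for key, typ in (required or {}).items():
        if type(doc.get(key)) is not typ:
            raise UntrustedOutputError(f"field {key!r} missing or wrong type")
    return doc
```

The host-side cap is kept even when the copy already used --max-bytes, so the same reader also covers files taken from a writable share.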