omnifs.

Open a path, read the world.

Agents and humans shouldn't deal with APIs. omnifs projects external services into local paths you can cat, ls, grep, and pipe.

$ npm install -g @0xff-ai/omnifs
the toolbox already speaks omnifs
cat · ls · grep · tar · rsync · find · vim · tail · xargs · head · wc · diff

A live session

Every service, one path away.

Mounts are WASM components the host loads at startup. New ones ship without recompiling the runtime.

$ ls /omnifs/github/0xff-ai/omnifs
_actions _issues _prs _repo
$ cat …/_issues/_open/1432/title
Crash on long context with quantized model
$ cat /omnifs/dns/ethereum.org/a
104.18.18.79

The provider catalog, growing every day

The whole directory.

Every provider answers the same read ops, so every row is reachable with ls and cat. 5 live, 13 in progress, more landing every week.

#   Provider      Summary                              Paths
01  /github       repos, issues, PRs, CI as files      /github/{owner}, /github/{owner}/{repo}
02  /docker       containers and compose, projected    /docker/system/info.json, /docker/system/version.json
03  /arxiv        papers at a path                     /arxiv/papers/{id}, /arxiv/papers/{id}/paper.pdf
04  /linear       issues as files                      /linear/teams, /linear/teams/{KEY}/issues/_open
05  /dns          dig, without dig                     /dns/{name}, /dns/{name}/{type}
// wip
06  /cloudflare   the edge, locally                    /cf/zones, /cf/zones/{zone}/records
07  /discord      servers on disk                      /discord/{server}/channels, /discord/{server}/{channel}/latest
08  /huggingface  models you can cat                   /hf/models/{owner}/{model}, /hf/models/{owner}/{model}/files/{path}
09  /kubernetes   kubectl, but cat                     /k8s/{context}/namespaces, /k8s/{context}/{ns}/pods
10  /mcp          tools and other agents as files      /mcp/{server}, /mcp/{server}/tools
11  /oci          images, manifests, layers            /oci/{registry}/{repo}, /oci/{registry}/{repo}/tags/{tag}/manifest
12  /postgres     tables as directories                /pg/{db}/tables, /pg/{db}/{table}
13  /redis        keys at your fingertips              /redis/{db}/keys, /redis/{db}/{key}
14  /s3           buckets you can browse               /s3/{bucket}, /s3/{bucket}/{key}
15  /slack        grep your channels                   /slack/{workspace}/channels, /slack/{workspace}/{channel}/latest
16  /spotify      playlists at a path                  /spotify/playlists, /spotify/playlists/{id}/tracks
17  /stripe       payments, projected                  /stripe/customers, /stripe/customers/{id}
18  /vercel       deploys you can ls                   /vercel/{project}/deployments, /vercel/{project}/deployments/{id}

Anatomy of a path

The path is the protocol.

A host runtime plus a catalog of WASM components. Three operations on the wire. Cache and credentials live in the host.

$ strace -f cat /omnifs/<path>
/omnifs/github/0xff-ai/omnifs/_repo/README.md
FUSE · wasm32-wasip2 · WIT v1 · lookup_child · list_children · read_file · capacity-bounded cache · event invalidation · continuations · HTTPS callouts · webhook signals · draft namespace

What's behind a path

Every mount is a provider.

A provider is one component: the code that maps a single service into paths. A mount is that provider, attached under /omnifs. The path is the surface; the provider is what answers.

a path access                                the WIT call it becomes
$ ls /omnifs/github/0xff-ai/omnifs           list_children(/0xff-ai/omnifs)
$ cat /omnifs/github/…/_issues/1432/title    read_file(…/1432/title, text/plain)
$ stat /omnifs/dns/ethereum.org/a            lookup_child(/ethereum.org/a)
a mount is a provider · three ops on the wire answer every path

Securely sandboxed

Providers are trusted with nothing.

Each provider is a Wasm component behind a strict WIT interface: a pure function from a path to bytes. It holds no state, and reaches upstream only through capabilities the host grants. Credentials never enter it; the host keeps auth and injects it behind every call.

a provider can

  • render bytes for a path
  • call upstream via a granted capability
  • ask the host for a capability

a provider cannot

  • choose what it may reach
  • see the credential behind a call
  • read your env, disk, or other mounts
  • remember anything between calls
lookup_child list_children read_file wasm32-wasip2 WIT v1
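
The split described above, modelled from the host's side as an added example (not omnifs code): the host checks the requested origin against the mount's grants, discards any auth header the provider set, and injects its own credential. `HostBroker`, `callout`, `provider_view` and the policy values are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class CapabilityDenied(Exception):
    """The provider asked for an origin the host never granted."""


@dataclass
class HostBroker:
    grants: dict   # mount -> set of granted upstream origins (constructed policy)
    secrets: dict  # origin -> credential held only by the host (placeholders)
    audit: list = field(default_factory=list)

    def callout(self, mount, url, headers=None):
        """Authorize a provider's request; return what the host sends upstream."""
        parts = urlsplit(url)
        # Exact match on scheme + full netloc, so "granted-host@other-host"
        # or an added port never matches a grant.
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        if parts.scheme != "https" or origin not in self.grants.get(mount, set()):
            self.audit.append((mount, origin, "deny"))
            raise CapabilityDenied(f"{mount} may not reach {origin}")
        # Provider-supplied auth headers are dropped; the host injects its own.
        sent = {k: v for k, v in (headers or {}).items()
                if k.lower() not in ("authorization", "cookie")}
        sent["Authorization"] = "Bearer " + self.secrets[origin]
        self.audit.append((mount, origin, "allow"))
        return {"url": url, "headers": sent}


def provider_view(upstream_request):
    """What the provider gets to observe: the same request, auth redacted."""
    headers = dict(upstream_request["headers"])
    headers["Authorization"] = "<host-held>"
    return {"url": upstream_request["url"], "headers": headers}


# Constructed policy and placeholder secret, for illustration only.
BROKER = HostBroker(
    grants={"github": {"https://api.github.com"}},
    secrets={"https://api.github.com": "PLACEHOLDER-TOKEN"},
)
```

The `audit` list records every allow and deny decision per mount, which is the record a reviewer would check when deciding whether a provider's grants are wider than its paths need.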

Cached at the edge

Your tools expect a local disk.

rg, find, and vim seek, stat, and re-read without thinking; point them at a remote API naively and you would melt it. So omnifs fetches each object once into a content-addressed cache and serves every read from there. Bounded by capacity, invalidated by events, never by a clock.

reads
$ cat …/1432/issue.md      cold · fetch + canonical-write
$ cat …/1432/issue.json    warm · rendered from the canonical
object cache · canonical store
no canonical yet
canonical-write /github/0xff-ai/omnifs/_issues/1432 application/json · v 9f2a1
capacity-bounded · event invalidation · content-addressed · no TTLs · version short-circuit

Rendered, not stored

One object, many representations.

A path's bytes are rendered, not stored. Read issue.md, then issue.json, then issue.raw: one object, one cached canonical model, rendered three ways. The extension picks the content type; the second read never touches upstream. Live things, like a tail -f log, skip the model and stream straight through.

canonical model issue #1432 · fetched once
read                       extension → content type
$ cat …/1432/issue.md      text/markdown
$ cat …/1432/issue.json    application/json
$ cat …/1432/issue.raw     application/octet-stream
one fetch · one canonical model · rendered on read
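
The cache and rendering behaviour from the two sections above, as an added model (not omnifs code): one upstream fetch is written as content-addressed canonical bytes, each extension renders from that canonical, and only an explicit event drops the entry. `ObjectCache`, `RENDERERS`, `sample_upstream` and the issue fields are assumptions; capacity-bounded eviction is left out.

```python
import hashlib
import json

# Extension -> (content type, renderer). The mapping is the page's; the
# renderer bodies and field names are assumptions.
RENDERERS = {
    "md": ("text/markdown",
           lambda model, raw: f"# {model['title']}\n\n{model['body']}\n".encode()),
    "json": ("application/json",
             lambda model, raw: json.dumps(model, indent=2).encode()),
    "raw": ("application/octet-stream", lambda model, raw: raw),
}


class ObjectCache:
    def __init__(self, fetch):
        self.fetch = fetch        # upstream call (hypothetical callable)
        self.blobs = {}           # sha256 digest -> canonical bytes
        self.index = {}           # object path -> digest of its canonical
        self.upstream_calls = 0

    def _canonical(self, obj_path):
        if obj_path not in self.index:   # cold: fetch + canonical-write
            self.upstream_calls += 1
            raw = json.dumps(self.fetch(obj_path), sort_keys=True,
                             separators=(",", ":")).encode()
            digest = hashlib.sha256(raw).hexdigest()
            self.blobs.setdefault(digest, raw)   # identical content stored once
            self.index[obj_path] = digest
        return self.blobs[self.index[obj_path]]

    def read(self, path):
        obj_path, _, name = path.rpartition("/")
        ext = name.rsplit(".", 1)[-1]
        if ext not in RENDERERS:         # reject before touching upstream
            raise FileNotFoundError(path)
        content_type, render = RENDERERS[ext]
        raw = self._canonical(obj_path)
        return content_type, render(json.loads(raw), raw)

    def invalidate(self, obj_path):
        """Called on an upstream event; there is no TTL to expire entries."""
        self.index.pop(obj_path, None)


def sample_upstream(obj_path):
    # Constructed issue body; the title is the one shown in the page's session.
    return {"title": "Crash on long context with quantized model",
            "body": "constructed body text"}
```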

bring your service

Want to write a provider?

A provider is a Wasm component behind one small interface. Implement it in any language that targets wasm32-wasip2, mount it locally with omnifs dev, and point real tools at it. The SDK does the heavy lifting; an open catalog is next.

What it unlocks

Four shapes of work.

Agents that don't bleed tokens on tool descriptions.

One toolbox the model already speaks. No per-vendor SDK, no schema dump in the system prompt.

cat · ls · grep · tail · 1 toolbox · 0 schemas

Search and edit across services in one shell.

rg, vim, pipe — the cross-service grep your CLI soup never got around to. Edit lands with mutations.

rg · vim · pipe · github+linear+slack · 1 invocation

Local sovereignty over data you don't host.

Mirror, archive, version-control, snapshot, pipe. The exit door is cp -r.

cp -r · git · rsync · local-first · vendor-neutral

A cache and sync layer you didn't have to write.

Capacity-bounded caching, event-driven invalidation, content-addressed bytes. Build the interesting half.

cache · invalidate · replay · event-driven · bounded

Inspect a cluster without kubectl.

Pods, namespaces, logs as files. ls a namespace, tail a pod — no context to juggle.

k8s · ls · tail · logs

Triage an incident across services.

A failing CI run, the container, the open issue — github, docker, linear in one shell.

github · docker · linear · 1 shell