Rev.2 implemented · 19 crates · 4,475 tests

AI-Native Linux.
A governed OS platform.

Revision 2 locked the constitutional core — 11 architectural layers of typed actions, policy decisions, AIOS-FS objects, verification, and append-only evidence — and it is now implemented: 19 Rust crates, 4,475 tests passing, all cargo gates green. Revision 3 turns that core into a governed, AI-native operating-system platform through five governed planes: explicit security posture, governed app capsules, kernel portability, driver capsules, and a native AI control plane. The constitutional rule, "AI proposes, never executes," still leads.

An iconys Engineering Intelligence Linux distribution project.

Human Goal
  -> Cognitive Core
  -> Semantic Runtime
  -> Policy Kernel
  -> Capability Runtime
  -> Linux / Cloud / Devices

One cognitive layer. Many render targets. One shared operational state.

19 Rust crates: Rev.2 L0–L10 implemented (aios-action … aios-distribution)
4,475 tests passing: 0 failed; all four cargo gates green
11 layers REAL (E2+): every layer backed by evidence, not just spec
0 deferred surfaces: M20 discharged the last (cognition + verification)
REVISION 2 — WHAT'S REAL TODAY

Not a promise.
Working code.

Revision 2 is implemented. The eleven-layer L0–L10 model exists as 19 Rust crates with 4,475 tests passing and all four cargo gates green — the cognitive shell, policy kernel, and append-only evidence log are running code, not a specification.

§22 golden path — FULL-REAL
recovery-safe boot
  -> mount /aios
  -> versioned AIOS-FS object
  -> semantic view
  -> verified typed action
  -> append-only evidence chain
  -> rendered result

The §22 golden path runs end-to-end with no stubs: recovery-safe boot, mount /aios, a versioned AIOS-FS object, a semantic view, one verified typed action, an append-only evidence chain, and a rendered result.

Every layer is REAL with E2+ evidence: cognitive core, policy kernel, capability runtime, AIOS-FS, vault broker, renderers (CLI / KDE / Web), network, hardware, and distribution.

The constitution is enforced in code, not prose — AI proposes-never-executes (INV-002 at six sites), recovery without cognition, secrets-as-capabilities, append-only evidence.

M20 discharged the last deferred surfaces: the L5 cognitive agent / plan / memory RPCs and the 22 Tier-3 verification primitives are now real and tested.

REVISION 3 — FIVE GOVERNED PLANES

From constitution
to platform.

Rev.2 is the proven foundation. Rev.3 turns that constitutional core into a governed, AI-native operating-system platform by adding five planes that each stay inside the same discipline: typed, policy-checked, evidenced, rollbackable. Where Rev.2 is running code, Rev.3 is currently specification: the five planes are pinned at CONTRACT grade with clean Capella traceability.

No forbidden layer inversions, no cycles in the layer consumes graph, append-only evidence throughout. Ten new invariants (INV-025..034) extend the constitution to cover the platform layer.

01

Explicit Security Posture

Four profiles — DEV_RELAXED, SECURE_DEFAULT, STIG_ALIGNED, AIRGAP_HIGH — plus a FIPS_STRICT overlay. Measured boot (TPM + firmware dual chain, IMA/EVM, dm-verity), a SELinux MAC plane, a STIG/NIST/CIS control map with scanner, SBOM/provenance/VEX, and GDPR right-to-erasure by crypto-shred.

02

Governed App Capsules

Every app is a bounded capsule with rollback and evidence. Windows apps and games run through per-app Wine/Proton capsules. Package-agnostic intake (Package Rosetta) performs a shadow install and issues a package passport across deb, rpm, flatpak, snap, appimage, nix, oci, and source.

03

Kernel Personality & Portability

Linux is the gold path. BSD, RTOS, microVM, WASI, and unikernel personalities are admitted only through a signed KernelCapabilityMatrix — never by pretending all kernels are equal. A need-driven adaptive kernel forge builds with canary boot.

04

Driver & Firmware Capsules

Drivers are high-risk capsules: solved, lab-tested, signed, canary-booted, and rollbackable. Never "run the vendor script as root." Firmware moves through the same disciplined capsule plane.

05

Native AI Control Plane

Three terminal modes — LX, MIX, AI — over a typed-action fabric, with EU AI Act technical controls and AI evaluation & model governance. "AI proposes, never executes": never root, never self-approves, never mutates evidence.

CORE IDEA

A distribution,
not an assistant.

AIOS is a real Linux distribution. Linux stays the execution substrate — kernel, drivers, scheduler, syscalls — and AIOS adds a typed distribution layer on top: capability translation, latency routing, AIOS-FS object truth, policy decisions, verification, evidence, and sandbox composition. Rev.2 is the foundation that pins the layer; Rev.3 is the platform layer built on it.

Capability Translator

Maps intent to known typed capabilities through catalog-bound translation, not shell generation.

Latency Tiering

Routes simple commands through deterministic paths and escalates only when cognition is needed.

AIOS-FS Contracts

Defines immutable objects, versions, chunks, pointer promotion, semantic views, and conflicts.

Policy Kernel

Default-deny decision engine with hard denies, request-bound approvals, and simulation.

EXECUTION MODEL

Goals become verified
typed actions.

AI never directly executes shell commands. It proposes semantic operations. The Policy Kernel checks them. The Capability Runtime performs them through typed adapters. Verification proves the result.

Goal: prepare Rust dev environment
Plan: toolchain, IDE, checks, sample project
Typed actions: package.install, file.write, service.enable
Policy: approval, deny rules, scoped permissions
Verify: cargo works, editor launches, evidence saved
CONSTITUTIONAL CORE

AI proposes,
never executes.

INV-002 is the headline rule. Six independent enforcement sites turn it from aspirational language into a measurable runtime property. Every bypass attempt produces permanent forensic evidence — bounded AI agency becomes auditable, not just promised.

Tier 5 audit cycle 2: zero findings on the six-site enforcement map. The constitutional core is mechanically intact.

L4.2 · Vault hard-deny · SUBJECT_KIND_REJECTED_FOR_VAULT
L10 · Package install gate · APP_AI_DIRECT_INSTALL_ATTEMPTED_BLOCKED
L8.1 · Network egress · AI_DIRECT_INTERNET_DENIED
L3 · Capability runtime queue · AI_INTERACTIVE_QUEUE_DOWNGRADE
L5 · Cognitive proposing FSM · AGENT_DIRECT_FS_WRITE_BLOCKED
L0 · Self-grading prohibition · AGENT_SELF_GRADING_BLOCKED
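The execution model above (goal, plan, typed action, policy, verify) and the six-site map can be shown as working code. What follows is an added example written for this page, not code from the aios crates: a default-deny policy kernel over a closed enum of typed actions, which is what "catalog-bound translation, not shell generation" amounts to in practice. The five reject codes named on the page are kept; the subject kinds, the extra codes (`DefaultDeny`, `ApprovalNotBoundToRequest`), the `Mode` switch and the in-memory stand-in for the capability runtime are assumptions. The property worth reading for is the evaluation order: hard denies for an AI subject are decided before approvals are even looked at, so no approval can lift an INV-002 deny; an approval is bound to one request id and one exact action, so it cannot be replayed; and an AI subject cannot approve its own proposal (the L0 self-grading site). The L3 queue-downgrade site is a scheduling concern and is not modelled here.

```rust
// Added example, not AIOS code. Default-deny policy kernel over typed actions.
// Names other than the five INV-002 site codes from the page are assumptions.

/// Who submits a request. An AI subject may propose, never execute (INV-002).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Subject { Human(u32), AiAgent }

/// Closed vocabulary of actions: the catalog the capability translator maps intent onto.
/// There is deliberately no variant that carries a shell string.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TypedAction {
    PackageInstall { name: String },
    FileWrite { path: String },
    ServiceEnable { unit: String },
    VaultUse { secret: String },
    NetworkEgress { host: String },
}

/// Closed-enum reject codes. Five are the site codes named on the page; the other two are assumed.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Reject {
    DefaultDeny,
    SubjectKindRejectedForVault,        // L4.2 vault hard-deny
    AppAiDirectInstallAttemptedBlocked, // L10 package install gate
    AiDirectInternetDenied,             // L8.1 network egress
    AgentDirectFsWriteBlocked,          // L5 proposing FSM
    AgentSelfGradingBlocked,            // L0 self-grading prohibition
    ApprovalNotBoundToRequest,          // assumed: approval names another request or action
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision { Allow, Deny(Reject) }

/// Request-bound approval: names one request id and one exact action, so a leaked
/// approval cannot be replayed onto a different request or a slightly different action.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Approval { pub request_id: u64, pub approver: Subject, pub action: TypedAction }

#[derive(Debug, Clone)]
pub struct Request { pub id: u64, pub subject: Subject, pub action: TypedAction, pub approval: Option<Approval> }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode { Simulate, Enforce }

#[derive(Default)]
pub struct PolicyKernel {
    /// Evidence lines, appended for every evaluation: simulations and denies included.
    pub evidence: Vec<String>,
    /// Stand-in for the capability runtime: only actions that were actually handed over.
    pub executed: Vec<TypedAction>,
}

impl PolicyKernel {
    /// Pure decision. The order is the security property: hard denies first (no approval
    /// can lift them), then approval binding, and everything else is default-deny.
    pub fn decide(req: &Request) -> Decision {
        use TypedAction::*;
        if req.subject == Subject::AiAgent {
            return Decision::Deny(match &req.action {
                VaultUse { .. } => Reject::SubjectKindRejectedForVault,
                PackageInstall { .. } => Reject::AppAiDirectInstallAttemptedBlocked,
                NetworkEgress { .. } => Reject::AiDirectInternetDenied,
                FileWrite { .. } => Reject::AgentDirectFsWriteBlocked,
                ServiceEnable { .. } => Reject::DefaultDeny, // no dedicated site; the default still denies
            });
        }
        match &req.approval {
            None => Decision::Deny(Reject::DefaultDeny),
            Some(a) if a.approver == Subject::AiAgent => Decision::Deny(Reject::AgentSelfGradingBlocked),
            Some(a) if a.request_id != req.id || a.action != req.action => {
                Decision::Deny(Reject::ApprovalNotBoundToRequest)
            }
            Some(_) => Decision::Allow,
        }
    }

    /// Evaluate and record. The action reaches the runtime only when the mode is Enforce
    /// and the decision is Allow; Simulate reports the same decision without executing.
    pub fn evaluate(&mut self, req: &Request, mode: Mode) -> Decision {
        let d = Self::decide(req);
        self.evidence.push(format!("{:?} req={} subject={:?} action={:?} -> {:?}", mode, req.id, req.subject, req.action, d));
        if mode == Mode::Enforce && d == Decision::Allow {
            self.executed.push(req.action.clone());
        }
        d
    }
}

/// The page's flow: the agent proposes an install, then a human binds an approval to it.
pub fn walkthrough() -> (Decision, Decision, usize) {
    let mut kernel = PolicyKernel::default();
    let proposed = TypedAction::PackageInstall { name: "rust-toolchain".into() };
    // The agent submitting the action itself hits the L10 site and leaves evidence.
    let direct = Request { id: 1, subject: Subject::AiAgent, action: proposed.clone(), approval: None };
    let d1 = kernel.evaluate(&direct, Mode::Enforce);
    // A human re-submits the same proposal with an approval bound to request 2.
    let approved = Request {
        id: 2, subject: Subject::Human(1000), action: proposed.clone(),
        approval: Some(Approval { request_id: 2, approver: Subject::Human(1000), action: proposed }),
    };
    let d2 = kernel.evaluate(&approved, Mode::Enforce);
    (d1, d2, kernel.executed.len())
}
```

`walkthrough()` returns the two decisions and the number of actions that reached the runtime: the agent's direct attempt is denied with the L10 code, the human-approved request is allowed, and exactly one action executes. Keeping `decide` pure and side-effect free is deliberate: the same function answers a simulation and an enforcement, so what a dry run reports is what enforcement would do.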
REVISION 2 CONTRACTS BY LAYER

The proven foundation. Eleven layers pinned at contract grade — the constitutional core that Rev.3's five governed planes build on.

L0

Constitutional Core

24 invariants, evidence grades E0–E5, status taxonomy, signed bundle loaded at boot.

L1

Boot & Recovery

First-boot stages, recovery boundary, dedicated kernel pipeline, fail-closed installer.

L2

AIOS-FS

Object model, query/view language, namespace layout, conflict resolution.

L3

Service Graph Runtime

Unit manifests, A/B promotion FSM, capability runtime gRPC, adapter model.

L4

Policy + Identity + Vault

Default-deny kernel, identity model, vault broker (use-without-reveal), approvals, override.

L5

Cognitive Core

Intent / planning / proposing FSM, capability translator, latency tiering, model router.

L6

Apps + Compatibility

Cross-ecosystem runtime, package object model, compatibility knowledge, sandbox composition.

L7

Renderers

Surface composition, shared UI schema, visual language, KDE Plasma + Web + CLI.

L8

Network + Hardware

Hardware graph, network policy, DNS/VPN, firmware trust, GPU resource model.

L9

Observability

Evidence log (FOREVER hash chain), verification grammar, failure handling, telemetry.

L10

Distribution

Repository model, marketplace, external bridges (Flathub/OCI/distro repos).

XX

Cross-Cutting

Action envelope, MVP golden path, constitutional meta-principles, ProxGuard reference.

REFERENCE SYSTEM APP
/aios/apps/proxguard

Independent convergence
on the same disciplines.

ProxGuard is a deterministic, auditable application control plane built independently from AIOS. Its constitution reaches the same architectural rules from the opposite direction — sim/prod separation, append-only evidence, typed-not-shell, AI-as-proposer.

Two systems converging on the same constitution without coordination is positive validation of the architecture. ProxGuard becomes the first sandboxed AIOS system app at /aios/apps/proxguard, exposing typed capabilities while AIOS holds authority in policy, vault, sandbox, verification, and evidence.

proxguard.service.simulate
proxguard.service.deploy
proxguard.dns.plan
proxguard.dns.apply
proxguard.gateway.route
proxguard.audit.read

Architectural alignment matrix

Rule | ProxGuard | AIOS
INV-002 | AI is OPTIONAL; AI output is advisory only | AI proposes, never executes
INV-002 site map | Allowlisted CLI ops; no shell execution | Typed actions, not commands
INV-005 | sim.evidence_pack + prod.audit_event append-only | Evidence append-only
L3 / L9 boundary | Production never calls orchestrator/simulation | Strict executor / evidence split
S15.3 Adapter Model | RuntimeAdapter ABC: Docker / Kubernetes / Nomad | Runtime abstraction by adapter
Closed vocabulary | Pinned error codes E001..E9xx | Closed-enum reject discipline
FIRST BOOT

Generic boot.
Dedicated host.

The base system starts with a stable generic Linux kernel. After installation, AI-OS builds a machine-specific hardened kernel in a sandbox, validates it, and switches only after evidence passes.

01

Install a minimal Linux base with a generic kernel.

02

Map the exact hardware, firmware, buses, devices, drivers, and threat surface.

03

Fetch trusted kernel sources and prepare a host-specific configuration.

04

Build a hardened kernel in a sandbox with reproducible evidence.

05

Boot the new kernel atomically and keep a recovery path through the base system.

AIOS-FS

Recovery stays boring.
The new system lives in /aios.

AIOS-FS is a semantic filesystem design: a read-only base, isolated app cells, persistent evidence, typed metadata, and human-readable recovery that lives outside the cognitive layer.

/root

Recovery island. Small, protected, boring, always bootable.

/aios

Semantic filesystem root for apps, memory, state, evidence, and user work.

App cells

Every application gets an isolated read/write work area and declared capabilities.

Read-only base

System image is immutable by default. Changes are layered, audited, and reversible.
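The AIOS-FS contracts listed earlier (immutable objects, versions, chunks, pointer promotion, semantic views, conflicts) and the "layered, audited, reversible" rule above come down to one mechanism: content is only ever written as a new immutable version, and what a name resolves to changes only by promoting a pointer. The following is an added example for this page, not the aios-fs crate's own object model: a small in-memory store where promotion is a compare-and-swap on the version the writer based its work on, a stale base is a conflict that loses nothing, every promotion is recorded in an append-only history, and rollback is just another recorded promotion. The chunk size, the rule that names under `/root/` are refused (the recovery island is outside AIOS-FS writes), and the lineage check are assumptions.

```rust
// Added example, not AIOS-FS code: immutable versions, named pointers promoted by
// compare-and-swap, conflict detection, and rollback. CHUNK and the /root rule are assumptions.
use std::collections::HashMap;

const CHUNK: usize = 16;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Version { pub id: u64, pub parent: Option<u64>, pub author: String, pub chunks: Vec<Vec<u8>> }

#[derive(Debug, PartialEq, Eq)]
pub enum FsError {
    UnknownObject,
    UnknownVersion,
    ReadOnlyBase,
    /// The pointer is not where the writer thought it was: someone promoted first.
    Conflict { expected: Option<u64>, actual: Option<u64> },
    /// The candidate version does not descend from the current pointer target.
    NotDescendant,
}

#[derive(Default)]
pub struct ObjectStore {
    versions: HashMap<u64, Version>,                      // written once, never updated in place
    pointers: HashMap<String, u64>,                       // object name -> current version id
    history: Vec<(String, Option<u64>, Option<u64>)>,     // every promotion (name, from, to), append-only
    next_id: u64,
}

impl ObjectStore {
    /// Store content as a new immutable version. Nothing resolves to it until a pointer is promoted.
    pub fn write_version(&mut self, parent: Option<u64>, author: &str, data: &[u8]) -> u64 {
        self.next_id += 1;
        let id = self.next_id;
        let chunks = data.chunks(CHUNK).map(|c| c.to_vec()).collect();
        self.versions.insert(id, Version { id, parent, author: author.to_owned(), chunks });
        id
    }

    /// Compare-and-swap promotion: the writer states the version it based its work on.
    /// If the pointer moved meanwhile, the loser keeps its version and must rebase.
    pub fn promote(&mut self, name: &str, expected: Option<u64>, to: u64) -> Result<(), FsError> {
        if name.starts_with("/root/") { return Err(FsError::ReadOnlyBase); }
        let candidate = self.versions.get(&to).ok_or(FsError::UnknownVersion)?;
        let actual = self.pointers.get(name).copied();
        if actual != expected { return Err(FsError::Conflict { expected, actual }); }
        if candidate.parent != expected { return Err(FsError::NotDescendant); }
        self.pointers.insert(name.to_owned(), to);
        self.history.push((name.to_owned(), actual, Some(to)));
        Ok(())
    }

    /// Rollback re-points the name at the previous target. It is recorded like any other
    /// promotion, so the history never loses the fact that a rollback happened.
    pub fn rollback(&mut self, name: &str) -> Result<Option<u64>, FsError> {
        let last = self.history.iter().rev().find(|(n, _, _)| n == name).cloned().ok_or(FsError::UnknownObject)?;
        let current = self.pointers.get(name).copied();
        match last.1 {
            Some(v) => { self.pointers.insert(name.to_owned(), v); }
            None => { self.pointers.remove(name); }
        }
        self.history.push((name.to_owned(), current, last.1));
        Ok(last.1)
    }

    /// Resolve a name through its pointer and reassemble the chunks.
    pub fn read(&self, name: &str) -> Result<Vec<u8>, FsError> {
        let id = self.pointers.get(name).ok_or(FsError::UnknownObject)?;
        let v = self.versions.get(id).ok_or(FsError::UnknownVersion)?;
        Ok(v.chunks.concat())
    }

    /// A semantic view: the lineage of the current version, newest first, with authors.
    pub fn lineage(&self, name: &str) -> Vec<(u64, String)> {
        let mut out = Vec::new();
        let mut cur = self.pointers.get(name).copied();
        while let Some(id) = cur {
            let v = &self.versions[&id];
            out.push((id, v.author.clone()));
            cur = v.parent;
        }
        out
    }

    pub fn history(&self) -> &[(String, Option<u64>, Option<u64>)] { &self.history }
}
```

Two writers who both start from the same version can both write; only the second promotion fails, with the conflict naming the version it expected and the one it found, and the losing version is still in the store to be rebased. Rolling back does not delete anything either: the previous target is promoted again and the history grows by one entry, which is the "audited and reversible" property in its simplest form.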

UNIFIED UX

KDE Desktop

Native Plasma shell, KRunner workflows, widgets, panels, tray, Wayland.

Web Interface

Remote and tablet access to the same state, same workflows, same cognitive core.

CLI + Voice

Low-friction text and voice surfaces over the same semantic runtime.

Not commands.
A governed platform.

Revision 2 is the proven constitutional core: action envelopes, capability translation, latency tiers, AIOS-FS, policy, verification, evidence, and sandbox composition. Revision 3 builds on it with five governed planes — security posture, app capsules, kernel portability, driver capsules, and a native AI control plane.