AI-Native Linux.
A governed operating-system platform.
Revision 2 is the constitutional core: a complete contract-grade stack across eleven layers (L0–L10), with implementation underway. Revision 3 builds on that proven foundation, turning AIOS from a constitutional Linux distro into a governed, AI-native OS platform through five planes (sections S16–S28).
Governance / Evidence / Safety
Append-only evidence, policy gates, approvals, rollback rules, and operator trust boundaries.
Kernel and Host Bootstrap
Generic Linux boot, hardware map, sandboxed host kernel build, atomic boot switch, recovery path.
AIOS-FS
Authoritative semantic object store under /aios: objects, versions, chunks, pointers, views, conflicts.
AIOS-SGR / Capability Runtime
Desired-state runtime and typed adapters for service, package, network, repo, secret, and filesystem actions.
Policy / Identity / Vault
Default-deny decisions, hard denies, request-bound approvals, secret use-without-reveal, subject identity.
Cognitive Core
Capability translator, latency tiering, intent engine, planner, memory, model governance, agents.
Apps / Packages / Compatibility
Linux, Windows, Android, and optional infrastructure apps such as ProxGuard under /aios/apps.
Renderers
KDE Plasma, Web, CLI, voice, and mobile as render targets over the same cognitive state.
Network / Hardware / Devices
Device graph, network graph, service exposure, peripheral permissions, and edge/cloud bridges.
Observability / Admin / Ops
OpenTelemetry, Prometheus, Loki, eBPF signals, health checks, and incident evidence.
Distribution / Ecosystem
Installer base, repositories, package policy, extension contracts, and developer SDK.
Five governed planes, just completed at contract grade, extend the Rev.2 core into a full AI-native OS platform: explicit security posture, governed app capsules, kernel personality and portability, driver and firmware capsules, and a native AI control plane.
Security posture & measured boot
Four profiles (DEV_RELAXED, SECURE_DEFAULT, STIG_ALIGNED, AIRGAP_HIGH) plus a FIPS_STRICT overlay, measured boot over TPM and firmware dual chain, IMA/EVM, dm-verity, and a SELinux MAC plane.
Control map & supply chain
STIG / NIST / CIS control map with a built-in scanner, plus SBOM, provenance, VEX, and GDPR right-to-erasure by crypto-shred.
App capsules & Package Rosetta
Every app a bounded capsule with rollback and evidence; package-agnostic intake with shadow install and package passport across deb, rpm, flatpak, snap, appimage, nix, oci, and source.
Kernel personality & portability
Linux is the gold path. BSD, RTOS, microVM, WASI, and unikernel are admitted through a signed KernelCapabilityMatrix and need-driven adaptive forge with canary boot, never by pretending all kernels are equal.
Driver & firmware capsules
Drivers are high-risk capsules: solved, lab-tested, signed, canary-booted, and rollbackable, never a vendor script run as root.
Native AI terminal & typed actions
Three terminal modes (LX, MIX, AI) over a typed-action fabric. AI proposes, never executes: never root, never self-approves, never mutates evidence.
AI evaluation & model governance
Model governance with evaluation gates and EU AI Act technical controls aligning AI behaviour to the policy kernel before it ever touches the system.
Containers & Kubernetes plane
Governed container and Kubernetes workloads brought under the same capsule, policy, and evidence discipline as native apps.
Fleet & federated identity
Fleet operation across many machines with federated identity, so policy and evidence hold consistently at scale.
Backup / DR & capsule mobility
Backup and disaster recovery with capsule mobility, so workloads move between machines with their state, policy, and rollback intact.
Constitutional time plane
A trusted time plane so evidence ordering, approvals, and rollback windows stay anchored and tamper-evident.
Workstation / Gaming / Video
A workstation profile for gaming and video work, including Windows apps and games through per-app Wine / Proton capsules.
Mobile + Voice renderers
Mobile and voice render targets over the shared UI schema, extending the cognitive surface beyond the desktop.
AI plans.
Policy decides.
The Policy Kernel is the operating constitution. It defines what the AI can do, what needs approval, what is impossible, and what evidence must be saved.
AI cannot access SSH keys without explicit capability grant.
AI cannot modify firewall policy without approval.
AI cannot delete recursively across user or system roots.
Every privileged change receives an evidence record.
System base is read-only; changes are layered and reversible.
Recovery remains outside the cognitive layer through /root.
S1.1 Capability Translator
Compiles intent into known catalog capabilities. Model output is validated against manifests and schemas before any action draft exists.
intent -> catalog retrieval -> target binding -> ActionEnvelope.request
S1.2 Latency Tiering
Uses deterministic paths for exact commands and escalates to local or powerful models only when ambiguity requires it.
restart nginx -> T1 direct path -> service.restart
S2.4 Verification Grammar
Defines typed success checks: service.active, package.installed, http.ok, aiosfs.pointer, evidence.exists.
verification.type = "service.active"
S0.1 Action Envelope
Proto-first request/execution separation, lifecycle FSM, idempotency, causality, error envelope, trace, sandbox, dry-run.
S1.3 AIOS-FS Object Model
Objects, immutable versions, content-addressed chunks, pointers, transactions, recovery-readable metadata.
S2.1 Query/View Language
Semantic views over object metadata with constrained DSL and rebuildable projections.
S2.2 Implementation Space
Userspace authoritative store with FUSE and portal projections first; custom kernel module deferred.
S2.3 Policy Kernel
Default deny, hard denies, exact request approvals, policy schema, simulation, decision evidence.
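The rules under "AI plans. Policy decides." and the S2.3 contract above, as an added illustration in Python (not AIOS code; the request fields, catalog actions, capability names and rule tables are assumptions for this example):

```python
import hashlib
import json

# Constructed catalog and rule tables for this illustration; not the AIOS policy schema.
KNOWN_ACTIONS = {"service.restart", "fs.delete", "secret.read", "network.firewall.set"}
NEEDS_CAPABILITY = {"secret.read": "cap.secret.read"}   # e.g. SSH keys need an explicit grant
NEEDS_APPROVAL = {"network.firewall.set"}               # firewall changes need operator approval
PROTECTED_ROOTS = {"/", "/home", "/root", "/etc", "/usr", "/var"}

def request_digest(req: dict) -> str:
    """Canonical digest of one exact request; approvals bind to this, not to an action type."""
    return hashlib.sha256(json.dumps(req, sort_keys=True).encode()).hexdigest()

def hard_deny(req: dict):
    """Hard denies are impossible by construction: no grant or approval can lift them."""
    if req["action"] == "fs.delete" and req.get("recursive"):
        if (req["target"].rstrip("/") or "/") in PROTECTED_ROOTS:
            return "recursive delete across a user or system root"
    return None

def decide(req: dict, grants=frozenset(), approvals=frozenset()):
    """Returns (verdict, evidence). Every decision yields an evidence record, allowed or not."""
    digest = request_digest(req)
    action = req["action"]
    reason = hard_deny(req)
    if reason:
        verdict = "DENY"
    elif action not in KNOWN_ACTIONS:
        verdict, reason = "DENY", "default deny: action not in catalog"
    elif action in NEEDS_CAPABILITY and NEEDS_CAPABILITY[action] not in grants:
        verdict, reason = "DENY", f"missing capability grant {NEEDS_CAPABILITY[action]}"
    elif action in NEEDS_APPROVAL and digest not in approvals:
        # Still not an allow: an operator must approve this exact digest first.
        verdict, reason = "NEEDS_APPROVAL", "request-bound approval required"
    else:
        verdict, reason = "ALLOW", "catalog action, gates satisfied"
    evidence = {"subject": req["subject"], "action": action, "target": req["target"],
                "request": digest, "verdict": verdict, "reason": reason}
    return verdict, evidence

if __name__ == "__main__":
    fw = {"subject": "ai.planner", "action": "network.firewall.set", "target": "input:22", "allow": False}
    print(decide(fw)[0])                                   # NEEDS_APPROVAL
    print(decide(fw, approvals={request_digest(fw)})[0])   # ALLOW
```

An approval for a different target (a different digest) does not carry over, which is what "exact request approvals" means in practice.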
S3.1 Evidence Log
Append-only WAL, sealed segments, hash chain, indexes, compaction boundaries, redaction.
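A minimal model of the S3.1 hash chain and sealed segments, added here as an example (not the AIOS evidence log; the record layout and segment format are assumptions). It shows how in-place edits and truncation of a sealed range are both detected:

```python
import hashlib
import json

GENESIS = "0" * 64

def _h(obj) -> str:
    """Digest of canonical JSON so the same record always hashes the same way."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class EvidenceLog:
    """Append-only, hash-chained evidence log with sealed segments (constructed model)."""
    def __init__(self):
        self.records = []    # the WAL: only ever appended to
        self.segments = []   # (start, end, seal) over closed ranges of records

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, "event": event}
        rec = dict(body, hash=_h(body))   # each record commits to its predecessor
        self.records.append(rec)
        return rec

    def seal(self) -> str:
        """Close the open range as a segment; the seal commits to every hash in it."""
        start = self.segments[-1][1] if self.segments else 0
        end = len(self.records)
        seal = _h([r["hash"] for r in self.records[start:end]])
        self.segments.append((start, end, seal))
        return seal

    def verify(self):
        """Walk the chain, then re-derive every seal; returns (ok, reason)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: rec[k] for k in ("seq", "prev", "event")}
            if rec["seq"] != i or rec["prev"] != prev or _h(body) != rec["hash"]:
                return False, f"chain broken at seq {i}"
            prev = rec["hash"]
        for start, end, seal in self.segments:
            if _h([r["hash"] for r in self.records[start:end]]) != seal:
                return False, f"seal mismatch for segment {start}-{end}"
        return True, "ok"
```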
S3.2 Sandbox Composition
Most-restrictive composition across adapter, app manifest, request hint, policy, and runtime safety floor.
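The S3.2 composition rule, as an added example in Python (not AIOS code; the sandbox keys, combiners and layer values are assumptions). Each key only ever tightens, so a request hint cannot widen what the adapter, manifest, policy or runtime floor allow:

```python
# Per-key combiners: each key can only get tighter as layers are added (assumed schema).
COMBINE = {
    "network": lambda a, b: a and b,             # every layer must allow network
    "writable_paths": lambda a, b: a & b,        # only paths every layer permits
    "max_memory_mb": min,                        # smallest limit wins
    "denied_syscalls": lambda a, b: a | b,       # any layer's denial sticks
}

def compose(*layers: dict) -> dict:
    """Most-restrictive composition; order-independent and no layer can widen another.
    A key absent from a layer means that layer does not constrain it."""
    result = {}
    for layer in layers:
        for key, value in layer.items():
            result[key] = COMBINE[key](result[key], value) if key in result else value
    return result

# Constructed layers named after the page's five sources; the values are assumptions.
adapter = {"network": True, "writable_paths": frozenset({"/var/lib/app", "/tmp"}), "max_memory_mb": 4096}
app_manifest = {"network": True, "writable_paths": frozenset({"/var/lib/app"}), "max_memory_mb": 2048}
request_hint = {"network": True, "writable_paths": frozenset({"/var/lib/app", "/home"}), "max_memory_mb": 8192}
policy = {"network": False, "denied_syscalls": frozenset({"ptrace"})}
runtime_floor = {"denied_syscalls": frozenset({"mount", "reboot"}), "max_memory_mb": 16384}

def effective_sandbox() -> dict:
    return compose(adapter, app_manifest, request_hint, policy, runtime_floor)

if __name__ == "__main__":
    for key, value in sorted(effective_sandbox().items()):
        print(f"{key}: {value}")
```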
R1 ProxGuard Reference App
Optional AIOS app and capability provider for service deployment, DNS, gateway routing, and audit reading.
KDE Renderer
Qt/QML Plasma shell, panels, widgets, KRunner, system tray, Wayland control, and desktop-native workflows.
Web Renderer
Next.js/WebAssembly surface for remote operation, tablet access, workstation mirroring, and future collaboration.
Cognitive Core
|- KDE Renderer -> Qt/QML Plasma
|- Web Renderer -> Next.js / WebAssembly
|- CLI / Voice -> Semantic commands
|- Mobile -> Remote cognitive surface
Linux native
Preferred path: declarative packages, containers, Flatpak/AppImage policies, and verified service units.
Windows apps
Smart installer classifies EXE/MSI, chooses Wine/Proton/Bottles-style runtime, applies per-app prefixes, and falls back to VM when needed.
Android apps
APK support through an isolated Android runtime (Waydroid-style containerization) with explicit device and filesystem permissions.
Infrastructure apps
ProxGuard can run as /aios/apps/proxguard and expose typed service, DNS, gateway, and audit capabilities through AIOS policy.
App boundary
/aios/apps/proxguard with private state, manifest, sandbox profile, verification plan, and rollback pointer.
Capability provider
Exports proxguard.service.*, proxguard.dns.*, proxguard.gateway.*, and proxguard.audit.* actions.
Authority stays in AIOS
No raw host authority. Docker, DNS, firewall, vault, and gateway operations pass through policy and evidence.
Architecture is the product.
Revision 2 is the agent-readable contract core: typed actions, capability translation, latency tiers, AIOS-FS, policy, verification, evidence, and sandbox composition. Revision 3 builds on it with five governed planes that make AIOS a full AI-native OS platform. AI proposes, never executes.