VectraOS is a language-neutral, architecture-neutral specification for a single-user, multi-machine, capability-secure OS. Fix the primitives and the wire formats; let the implementer choose the language and the silicon. This page is the executive view.
Every OS feature you have ever used is either built from these or replaced by something simpler. There is no seventh. If a port thinks it needs one, that is a specification bug.
One address space, one handle table, one signal mask. Never duplicated by fork — only spawned, explicitly, by a parent that holds the right to do so. A child inherits nothing it was not handed. The unit of failure containment, scheduling, and capability ownership.
A typed reference to a kernel object, re-validated on every syscall. No ambient authority — every right traces back to a capability the Task was handed. A RingCap is not a MemCap. Capabilities narrow one way: you can hand on a strictly weaker version, never a stronger one.
A shared-memory single-producer / single-consumer queue. Every service-to-client interaction rides one. The kernel checks the capability at bind time, not send time, so the hot path is lock-free user code with a single fence. Big payloads ride alongside as a handed-over MemCap — zero copy.
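An added illustration of the Ring hot path described above, written here as an example and not taken from the VectraOS specification: a single-producer / single-consumer queue on C11 atomics, with one release store on each side as the fence. The slot count, message width and function names are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define RING_SLOTS 8              /* power of two: wrap is a mask, indices are free-running */

/* One Ring. The RingCap was checked when the two Tasks bound to it; nothing here traps.
 * head is written only by the producer, tail only by the consumer. */
typedef struct {
    _Atomic uint32_t head;
    _Atomic uint32_t tail;
    uint64_t slot[RING_SLOTS];    /* small messages; a big payload rides alongside as a MemCap */
} ring_t;

void ring_init(ring_t *r) { atomic_init(&r->head, 0); atomic_init(&r->tail, 0); }

/* Producer: false means full, so the producer should wait on a Signal bit, not spin. */
bool ring_push(ring_t *r, uint64_t msg) {
    uint32_t h = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t t = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (h - t == RING_SLOTS) return false;
    r->slot[h & (RING_SLOTS - 1)] = msg;
    /* the one fence: the payload write is ordered before the head publish */
    atomic_store_explicit(&r->head, h + 1, memory_order_release);
    return true;
}

/* Consumer: false means empty. The acquire pairs with the producer's release. */
bool ring_pop(ring_t *r, uint64_t *out) {
    uint32_t t = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t h = atomic_load_explicit(&r->head, memory_order_acquire);
    if (h == t) return false;
    *out = r->slot[t & (RING_SLOTS - 1)];
    /* release: the slot read is finished before the producer may reuse it */
    atomic_store_explicit(&r->tail, t + 1, memory_order_release);
    return true;
}

/* Fills the ring, sees back-pressure, drains it in order, sees empty. 0 == all good. */
int ring_selftest(void) {
    ring_t r; uint64_t v;
    ring_init(&r);
    for (uint64_t i = 0; i < RING_SLOTS; i++) if (!ring_push(&r, i * 10)) return 1;
    if (ring_push(&r, 99)) return 2;
    for (uint64_t i = 0; i < RING_SLOTS; i++) if (!ring_pop(&r, &v) || v != i * 10) return 3;
    return ring_pop(&r, &v) ? 4 : 0;
}
```

In a real layout head and tail would sit on separate cache lines so the two Tasks never false-share.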
A fixed-width bitmask per Task with one operation: wait until any of these bits is set. select, poll, and epoll all reduce to this — no descriptor-table scan, no busy polling. The kernel wakes you the instant a bit fires.
A typed handle table built at spawn time — the manifest of a child's entire authority. It replaces argv/environ: named slots, each carrying a typed capability. The child reads its authority by name, not by magic descriptor number. No slot zero with hidden meaning.
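An added example, not the specification's own code, of the two rules stated above for Capabilities and Bundles: derivation that can only narrow (type and object are fixed, rights must be a subset), re-validation on every use, and a Bundle of named, typed slots that a child reads by name. The capability type and right names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Capability types: a RingCap is not a MemCap, so the type is part of the handle. */
typedef enum { CAP_NONE = 0, CAP_RING, CAP_MEM, CAP_TASK } cap_type_t;

/* Rights are a bitmask (names assumed); the only legal transformation clears bits. */
enum { RIGHT_READ = 1u << 0, RIGHT_WRITE = 1u << 1, RIGHT_MAP = 1u << 2 };

typedef struct { cap_type_t type; uint32_t rights; uint32_t object; } cap_t;

/* Hand on a capability: same type, same object, a subset of the parent's rights.
 * Requesting any bit the parent lacks fails closed, so there is no amplification path. */
bool cap_derive(const cap_t *parent, uint32_t rights, cap_t *child) {
    if (parent->type == CAP_NONE || (rights & ~parent->rights)) return false;
    *child = *parent;
    child->rights = rights;
    return true;
}

/* Re-validated on every syscall: expected type and every required right present. */
bool cap_check(const cap_t *c, cap_type_t type, uint32_t need) {
    return c->type == type && (c->rights & need) == need;
}

/* A Bundle slot: a name carrying a typed capability. No magic descriptor numbers. */
typedef struct { const char *name; cap_t cap; } bundle_slot_t;

/* The child reads its authority by name and declares the type it expects. */
bool bundle_lookup(const bundle_slot_t *b, int n, const char *name, cap_type_t type, cap_t *out) {
    for (int i = 0; i < n; i++)
        if (strcmp(b[i].name, name) == 0 && b[i].cap.type == type) { *out = b[i].cap; return true; }
    return false;
}

/* Walks the spawn story: narrow, place in a Bundle, look up by name, re-check. 0 == all good. */
int cap_selftest(void) {
    cap_t mem = { CAP_MEM, RIGHT_READ | RIGHT_WRITE, 7 }, ro, bad, got;
    if (!cap_derive(&mem, RIGHT_READ, &ro)) return 1;              /* narrowing is allowed */
    if (cap_derive(&ro, RIGHT_READ | RIGHT_WRITE, &bad)) return 2;  /* widening is refused */
    bundle_slot_t bundle[] = { { "log", { CAP_RING, RIGHT_WRITE, 3 } }, { "data", ro } };
    if (bundle_lookup(bundle, 2, "data", CAP_RING, &got)) return 3; /* wrong type: refused */
    if (!bundle_lookup(bundle, 2, "data", CAP_MEM, &got)) return 4;
    if (cap_check(&got, CAP_MEM, RIGHT_WRITE)) return 5;            /* write was never granted */
    return cap_check(&got, CAP_MEM, RIGHT_READ) ? 0 : 6;
}
```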
Untyped memory. Every kernel object — page tables, Task structs, Ring storage — is physical memory retyped from a parent Reticle by userspace. There is no kernel heap. This is the architectural reason the kernel cannot DoS itself on memory: every allocation was already owned by the Task that asked for it.
Nothing is added. Familiar things are reconstructed out of the six — or shown to be unnecessary.
| The thing you know | Is just… |
|---|---|
| A file descriptor | a RingCap to the filesystem service (+ a MemCap for zero-copy reads) |
| A socket | a RingCap to the networking service |
| A mutex | a single Signal bit on a waiting Task |
| A process spawn | a Reticle retyped into a Task struct, page tables, code page, and a Bundle |
| A sandbox inside one program | a Compartment — a refinement of Task, not a new primitive |
When in doubt, push the feature out to userspace. This is the single most load-bearing piece of advice in the entire corpus.
One trap entry per architecture. Fewer than 50 syscalls, grouped by primitive. A Task is the union of an address space, a capability table, a signal mask, scheduling state, and a register save area. That is the whole shape.
Three invariants, no SLOC budget: readable by one human in one sitting; no third-party code the team hasn't read line by line; no runtime more capable than bare metal provides.
no heap · no kmalloc · no slab
no filesystem · no notion of a file
no driver code — drivers are Tasks
no IP stack · no sockets · no DNS
no fork · no threads · no Unix signals
no GC · no ARC · no hidden allocator
The kernel does not panic in normal operation. A faulting Task is halted and a signal is delivered to whoever holds its supervisor capability. A user-mode fault never corrupts kernel state — by construction.
256 bits of entropy behind 24 BIP39 words. Derives an Ed25519 keypair that signs your Machine certificates. The recovery ceremony is the mnemonic — there is no recovery email, no account, no third party. The words stay in your head.
A per-machine key generated locally, sealed on disk with a passphrase (Argon2id + ChaCha20-Poly1305), unlocked at login. It signs day-to-day artefacts. Cheap by design: a compromised Machine costs one certificate, never the Person.
Every consumer declares an entropy level. Sloppy, for a session id, is available instantly. Standard serves a TLS nonce. High refuses to return until enough independently-sourced entropy has been mixed in, and Person-key generation accepts nothing less.
TLS 1.3 to the outside world, and only 1.3 — no legacy ciphersuites, not even behind a flag. Inside your Fleet, Machines authenticate by certificate directly, no CA bundle. The TLS service only ever holds ciphertext; your cleartext never leaves your address space.
Identity says who you are. Capabilities say what a Task may do. Neither answers where the bytes a Task legitimately read are allowed to flow. Kernel-level information-flow labels close that gap. A Task that has touched your data has its label raised; sending that data over the network requires a LabelCap you never handed out. The kernel rejects the send, full stop. "No model on someone else's computer by default" is not a policy preference — it is what the kernel admits when no egress label for your personal tokens exists in any Bundle.
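An added sketch of the label check described above, written as an example and not taken from the specification: a Task's label is the join of everything it has read, and a network send passes only when a LabelCap covers every category the Task carries. The category names, the sink set, and the treatment of local sends (assumed to pass, with the receiver's label raised on receipt) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Data categories a label can carry (names assumed; the page gives the idea, not the set). */
enum {
    LBL_PUBLIC          = 0,
    LBL_PERSONAL_TOKENS = 1u << 0,   /* the bytes the model-egress question is about */
    LBL_SECRETS         = 1u << 1
};

/* Sinks a send can target. Only the network sink needs an egress label. */
typedef enum { SINK_LOCAL_RING, SINK_NETWORK } sink_t;

typedef struct {
    uint32_t label;      /* join of every category the Task has touched; only ever grows */
} task_t;

/* A LabelCap: permission to let data in `egress` leave the machine. Handed out in a
 * Bundle, or, for your personal tokens, never handed out at all. */
typedef struct { bool present; uint32_t egress; } labelcap_t;

/* Touching data raises the Task's label (join = bitwise OR). Nothing lowers it. */
void task_read(task_t *t, uint32_t data_label) { t->label |= data_label; }

/* The kernel's decision on send: a local ring carries the label to the receiver (assumed);
 * a network send is refused unless a LabelCap covers every category the Task is carrying. */
bool task_may_send(const task_t *t, sink_t sink, const labelcap_t *cap) {
    if (sink == SINK_LOCAL_RING) return true;
    if (cap == NULL || !cap->present) return t->label == LBL_PUBLIC;
    return (t->label & ~cap->egress) == 0;
}

/* Story: a Task reads your tokens, then tries the network with and without a LabelCap. 0 == all good. */
int label_selftest(void) {
    task_t t = { LBL_PUBLIC };
    labelcap_t none = { false, 0 }, tokens_ok = { true, LBL_PERSONAL_TOKENS };
    if (!task_may_send(&t, SINK_NETWORK, &none)) return 1;      /* clean Task: fine */
    task_read(&t, LBL_PERSONAL_TOKENS);
    if (task_may_send(&t, SINK_NETWORK, &none)) return 2;       /* raised label, no cap: refused */
    if (!task_may_send(&t, SINK_LOCAL_RING, &none)) return 3;   /* local flow still allowed */
    if (!task_may_send(&t, SINK_NETWORK, &tokens_ok)) return 4; /* explicit egress cap: allowed */
    task_read(&t, LBL_SECRETS);
    return task_may_send(&t, SINK_NETWORK, &tokens_ok) ? 5 : 0; /* cap does not cover SECRETS */
}
```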
Every artefact is the SHA-256 of its canonical bytes. The receiver always verifies; mirrors are interchangeable. Whoever hands you the bytes does not matter — only the bytes do.
A manifest of declared dependencies and capabilities, a payload, a maintainer-signed claim, a certificate chain back to a Person, optional rebuilder attestations, and a transparency-log proof.
Peer discovery via a Kademlia-class DHT. Chunks are Merkle-verified as they arrive, so a corrupt peer fails fast. The receive buffer is the install buffer — zero copy. Air-gapped installs work; the proof rides along.
Append-only, Merkle-organised, signed by named Operators, gossip-checked between peers. Certificate-Transparency-shaped on purpose. A split view is publicly detectable. Not a blockchain — a notary's ledger.
Before anything installs, your local vpkg service checks: the maintainer signature verifies, the certificate chains to a Person you know, N independent rebuilders agree (default 3), the claim appears in the log, and the declared capability footprint does not exceed what you authorised. Foreign code lives behind a single Foreign Service Task — one ring, one capability footprint — so a CVE in a vendored library is one Task's problem, not the system's.
Everything that is not one of the six primitives is a userspace Task. A service is exactly one Task holding the receive end of a well-known Ring, with capabilities only to what it needs, supervised by a parent that holds its Task capability and decides its restart policy. The same shape repeats from the lowest driver to the desktop shell. init is the parent of everything; the shell is one of its grandchildren.
A path like SYS:bin/vshell is a naming root — a RingCap to the naming service — plus a path it interprets. The Plan 9 idea, rebuilt on capabilities. A Task without the root cannot even read the path.
The kernel forwards IRQs through IRQ capabilities; DMA buffers are pinned MemCap ranges; hotplug arrives as Ring messages. A buggy driver fault halts a Task, not the kernel.
A new architecture attaches by binding eleven abstract seams — memory model, paging, traps, interrupts, timer, boot, and so on. Need a twelfth? That is a specification bug.
POSIX is present as a bridge — exactly enough to host a C compiler, an editor, and a build system — never as the substrate. A second, narrower personality runs unmodified upstream Linux drivers as Tasks. Native VectraOS applications consume neither.