The substrate is running. This is where the Rust port goes next: a standard library you can hold in your head, a userland of single-purpose services, a curated set of frameworks, and a first-party application environment — all in Rust, all distributed as verified bytes. Executive view.
A small, no_std-first set of Rust crates — the foundation a single programmer can keep in their head while writing a freestanding kernel, a service, and an application.
Userland Tasks implementing one canonical pattern: a Ring inbox, a signal-mask event loop, a declared capability footprint, supervised restart.
A curated, opinionated set of Rust crates for GUI, graphics, audio, storage, documents, and Fleet-aware sync — not a monolithic "Foundation."
A first-party environment: editor, terminal, files, mail, calendar, notes, browser — proof the stack is livable, not just bootable.
What it refuses is the design: no implicit allocator, no ambient async runtime, no global mutable state, no reflection-based dependency injection, no deserialization that can execute code, no path-as-string operations.
UTF-8-validated strings; a real monotonic / wall-clock split with explicit confidence on the wall clock.
Confidence-levelled RNG (Sloppy / Standard / High). Ed25519, ChaCha20, BLAKE3, Argon2id — the trust primitives, in the box.
Binary, JSON, msgpack — derive-driven, with no code-execution-on-deserialize, ever.
Typed paths (never string formatting), Read/Write traits, file operations layered over the filesystem service.
Structured logging with no global singleton; a clean main entry shape, args, env, exit codes.
An mpsc Channel, capability-based async, and a cooperative executor — the one-signal-wait-per-loop model, as a library.
In the Rust port, the spec's capability typestate maps onto
newtypes, move semantics, and #[must_use]; "freestanding" maps onto #![no_std]
and an explicit allocator. The guarantees the reference language encodes in its type system, the Rust
port enforces through a disciplined subset plus tooling — a real demotion, named openly, and survivable.
Each is a Rust ELF: a struct-of-arrays state, a cooperative executor, a Ring inbox plus a signal mask. Not a daemon doing many things — a single purpose, supervised.
Supervision and spawning; machine-topology discovery. The Rust init and topod already run today.
Input event dispatch; suspend / shutdown / reset. Drivers arrive as Tasks holding IRQ capabilities.
The filesystem and block layer — in userland, where files belong. vfsd routes today, fronting a FAT32 backend and a ported OpenZFS pool on a real disk. The kernel never learns what a file is.
The Person and Machine keys; cross-Machine coordination across your Fleet.
The IP stack, DNS-over-TLS, and TLS 1.3 sessions — each a separate Task, none of them in the kernel.
The display compositor, font rendering, notifications — the path from pixels to a human.
A small set of first-party Rust crates — the good parts of CoreData, SwiftUI, and the BeOS kits, without the runtime baggage. Data-oriented by default: widget trees and entities as columnar arrays, not reference-typed object soup.
GUI toolkit. A declarative DSL over a struct-of-arrays widget tree. The object model doubles as the accessibility surface.
Explicit GPU rendering — bindless resources, explicit barriers, frame pacing. A thin Rust face over the driver.
App data and persistence: declare, query, observe, migrate — over SQLite-WAL. CoreData's good parts, none of the KVO.
A block-tree document model. Every document is a tree of typed, content-addressed, mergeable Blocks.
Fleet-aware per-record sync. Signed deltas; conflicts arrive as data, surfaced for you to resolve — never silently overwritten.
High-level open-protocol clients (HTTP/2, JMAP, CalDAV…) and a transparency-log verification client.
A second wave covers media and format (image, vector, codec registry, PDF, print) and scientific computing (a BLAS/LAPACK lineage, an HDF5/Arrow lineage, a plotting lineage). Curated — not a thousand half-maintained packages from a registry you don't trust.
A modal, LSP-integrated editor; a fast terminal; a Git client; a debugger across Rust, C, C++.
A column-view file browser with content-addressed search; photos, music, EPUB and PDF.
Mail (IMAP/SMTP), calendar (CalDAV), markdown notes, an RSS/Atom reader. Open protocols only.
A word processor, a spreadsheet, a slide tool — backed by VectraDoc and VectraStore.
A network-only browser: HTML, CSS, and real typography. No JavaScript, no Wasm, no surveillance runtime.
The administration CLI and the system documentation browser. The machine, legible to its owner.
A Kademlia-class DHT, Merkle-verified chunks, the transparency log, and the trust-policy gate — packaged as Rust services. Every install is verified bytes, air-gap-capable.
Install the OS and you get a development environment by default — the Rust toolchain itself shipped as a signed, content-addressed package. No "developer edition," no separate install.
0% platform fee. No store. Developers sign license Bundles straight to your Person, valid Fleet-wide. The project funds itself on grants, support, and conformance — never on rent extracted from you.
The kernel boots and runs a real userland today — preemptive SMP, kernel threads, a C standard
library, Rust std, and a ported OpenZFS filesystem on a virtio-blk disk are all running.
Everything above that on this page is still the direction, not a release date. We name the
gap honestly: the curated frameworks and the first-party application environment are largely ahead of us.
The discipline that makes the kernel auditable — small surfaces, no hidden dependencies, no silent caps —
is the same discipline that will make the climb slow and the result worth trusting.
A spec without a working implementation is academic. We are building the working implementation, in the open, in a language you can read.