Technology deep dive

How NexaCore OS is built.

A microkernel written in Rust from scratch, a system-call ABI that treats AI and attestation as first-class operations, a privacy model rooted in hardware, and a scripting language designed to run untrusted code safely. This page is for readers who want the mechanisms, not the slogans. It describes what exists in the repository today; planned work is marked as such.

Rust 2024 · no_std Boots on real hardware ABI v1 · frozen

Section 1

The microkernel and its system-call ABI

NexaCore OS runs on a custom microkernel for x86-64, written in Rust and built for the bare-metal target x86_64-unknown-none. The foundational crates are no_std with explicit heap allocation, and the kernel forbids unsafe code outside tightly reviewed boundaries. There is no inherited C runtime.

As of v0.3.0-alpha.1, the kernel boots via UEFI, walks 4-level page tables, isolates each process behind its own address space (per-process CR3), schedules with a per-CPU run queue under a local-APIC timer, and brings up multiple cores — including live AP start-up, cross-CPU context switching, and TLB shootdown. Drivers for NVMe, VirtIO-net, and e1000e run in user space, not in the kernel.

NexaCore OS system layers From the bottom: hardware with a Trusted Execution Environment; the Ring 0 microkernel; and Ring 3 user space containing drivers, the AI runtime, ncScript, and the agent layer — all reached through the versioned system-call ABI. Ring 3 · user space User-space drivers NVMe · virtio-net AI runtime transformer · GGUF ncScript capability-gated Agents five-agent layer system-call ABI · v1 — 58 calls Microkernel — Ring 0 memory · scheduler · IPC · capabilities · multi-core Hardware — x86-64 Trusted Execution Environment · Intel TDX / AMD SEV-SNP
NexaCore OS layers — applications, scripts, and agents reach the kernel only through a small, versioned system-call ABI.

A capability replaces the ambient permission

NexaCore OS does not use Unix-style ambient authority, where any process running as a user can do whatever that user can do. Instead, every privileged action requires a capability token: a signed object that names one action, one resource, and a time window. Capabilities are attenuable (a process can derive a strictly weaker child capability for a task it delegates), revocable (short time-to-live plus a revocation path), and rooted in hardware key material. A process that holds no capability for an action simply cannot perform it.

The ABI is small, and it is frozen

The system-call interface is versioned as a single monotonic integer. Version 1 is frozen: a breaking change requires an explicit, documented proposal and a version bump. The current build implements 58 system calls. They are grouped into the subsystems below.

System-call ABI v1 — subsystems and representative calls
SubsystemRepresentative calls
MemoryMemMap, MemUnmap
Scheduling & processTaskCreate, ProcessSpawn, GetCwd
IPCIpcCreateChannel, IpcSend, IpcReceive
CapabilitiesCapValidate, CapAttenuate, CapRevoke
TEE & attestationTeeAttest, TeeVerifyQuote, TeeSeal
I/O & consoleFdRead, FdWrite, WriteConsole
Driver frameworkMmioMap, DmaMap, IrqAttach, DriverLoad
Block deviceBlkRegister, BlkLookup
DisplayDisplayMap
AI runtimeAiInvoke, AiStream, AiEmbed, AiClassify, AiTranscribe
FilesystemFsOpen, FsStat, FsListDir
NetworkingNetSocket, NetConnect, NetSend, NetRecv

User-space drivers are loaded through DriverLoad, which verifies a signed package (an Ed25519 manifest signature plus a BLAKE3 image hash) before the kernel mints the narrow capabilities the driver declared — for the exact memory regions and interrupts it needs, and nothing more.

Section 2

AI as a first-class system service

Inference is not an application bolted onto the OS; it is a system service reached through the ABI. Any program can ask the kernel to run a model the same way it asks to read a file, and the request is subject to the same capability checks.

AI system calls — signaturesABI v1
AiInvoke(model_id, input)        -> output
AiStream(model_id, input, chan)  -> session_id   # token-by-token streaming
AiEmbed(model_id, input)         -> embedding: [f64]
AiClassify(model_id, input)      -> label: String
AiTranscribe(model_id, audio)    -> text: String

Every AI call requires the ai.invoke capability. A program with no such grant cannot reach a model at all.

The engine

The runtime ships a from-scratch inference engine: a transformer forward pass with multi-head attention, a SwiGLU feed-forward network, and RMSNorm, paired with a GGUF tensor loader (dequantizing F16/BF16 weights to F32) and a byte-level BPE tokenizer. The full pipeline — tokenize, load, forward, decode — runs inside a Ring 3 user-space service and has been verified on real hardware. A provider layer can also route to local runtimes when present, behind a resilient router.

Why Mixture-of-Experts matters for a mesh

Large NexaCore OS models use a Mixture-of-Experts (MoE) architecture: each layer holds many expert sub-networks, but only the top two are activated for any given token. That sparsity is what makes federation practical — only a small slice of an otherwise huge model is touched per token, so the volume of data crossing the network between nodes stays low. The four execution tiers below trade locality for capacity.

Execution tiers
TierWhere it runsIndicative scaleNetwork
0 — LocalThe device only (default)~8B parametersNone
1 — Personal clusterYour own devices on the LAN, discovered automatically and linked over mutual-TLS~70B parameters<5 ms RTT
2 — Federated meshOpt-in peer-to-peer network of attested nodes, MoE experts spread across peers100B+ parameters≥30 ms RTT
3 — Commercial cloudExternal provider, last resortProvider-definedExplicit per-request consent

Section 3

Privacy enforced by cryptography, not by policy

The mesh is built on a simple, hard constraint: a node that does not follow the rules cannot produce traffic the rest of the network will accept. Several mechanisms combine to make that true.

Hardware attestation, first

Before any payload is exchanged, peers present a remote-attestation report from their Trusted Execution Environment — Intel TDX or AMD SEV-SNP at launch, with Apple Secure Enclave and ARMv9 CCA planned. The report proves which code is running. A peer that cannot attest is not admitted.

TEE-only envelopes

A payload's session key is sealed to the destination's attestation. Only the genuine, attested NexaCore OS binary on the receiving machine can decrypt it. A relaying node moves bytes it cannot read.

Compliance proofs

Each payload carries a proof that it meets the protocol's privacy rules — STARK proofs for complex predicates, signatures for simple assertions. The proofs use a transparent setup and are designed to remain sound against quantum adversaries.

Tokenized by default

Personal data is replaced with deterministic, session-scoped tokens at the system-call boundary, and routing metadata is protected with format-preserving encryption so that even traffic shape leaks little.

TEE-only decryption envelope The sender seals a payload's session key to the destination's hardware attestation; relay peers forward the bytes without being able to read them; only the attested TEE on the destination can decrypt. Sender seals to attestation Relay peer forwards, cannot read Attested TEE decrypts payload sealed envelope · session key bound to the destination's attestation
A relaying node moves bytes it cannot read; only the genuine, attested binary on the destination can open the envelope.

The primitives, named

The brand voice of this project forbids phrases like “military-grade”. Instead, here are the actual primitives. Cryptography is drawn from the audited RustCrypto family: Ed25519 for signatures, X25519 for key agreement, ChaCha20-Poly1305 for authenticated encryption, BLAKE3 and SHA-2 for hashing, and Argon2 for password hashing. Mesh transport is planned on QUIC with the Noise protocol framework. Format-preserving encryption uses the NIST FF1/FF3-1 constructions.

Section 4

ncScript — a language designed to run untrusted code safely

ncScript is NexaCore OS's scripting language: a small, Rust-flavoured language whose interpreter is a no_std library with zero production dependencies, building for both the host and the bare-metal kernel target. The pipeline is conventional — lexer, parser, abstract syntax tree, tree-walking interpreter — but two properties make it unusual: every effect is denied by default until a capability grants it, and every run executes under deterministic resource limits. The verified examples below are taken directly from the interpreter's own test suite.

Try it: a guided tutorial

A guided, in-browser tutorial — thirteen short lessons, each one runnable and editable. Step through with Prev / Next, change the code, and Run. Everything executes on your machine; the capability gate and the step budget are real.

Lesson 1 / 13

Lesson

scratch.ncseditable
Ctrl / Cmd + Enter
outputready

This in-browser interpreter is an independent JavaScript re-implementation of a documented subset of ncScript, for demonstration. The canonical interpreter is the Rust nexacore-script crate; host effects (fs, net, ai, agent) are mocked and a step budget bounds every run. For the full language, read the ncScript manual.

The smallest program

Every program has a main function. print is built in and always available — it needs no capability, because writing to the script's own output buffer is not a system effect.

hello.ncsncScript
fn main() {
    print("Hello, world");
}

Familiar syntax

Functions, let/mut bindings, expressions-as-values, and recursion behave the way a Rust or Swift reader expects.

recursion.ncsncScript
fn fib(n) {
    if n < 2 { n } else { fib(n - 1) + fib(n - 2) }
}

fn main() {
    fib(10)        // => 55
}

Collections, loops, and structs

loop.ncsncScript
fn main() {
    let mut sum = 0;
    for x in [1, 2, 3, 4] {
        sum = sum + x;
    }
    sum            // => 10
}
struct.ncsncScript
struct P { x: Int, y: Int }

fn main() {
    let p = P { x: 3, y: 4 };
    p.x + p.y      // => 7
}

Pattern matching, Result, and the ? operator

Errors are values. match supports or-patterns and guards; the ? operator propagates an Err and returns early, exactly as in Rust.

match.ncsncScript
fn classify(n) {
    match n {
        0 | 1      => 100,    // or-pattern
        p if p < 0 => -1,     // guard
        p          => p
    }
}
try.ncsncScript
fn get(ok) {
    if ok { Ok(7) } else { Err(42) }
}

fn use_it(ok) {
    let v = get(ok)?;   // `?` propagates Err
    Ok(v + 1)
}

fn main() {
    match use_it(true) {
        Ok(x)  => x,        // => 8
        Err(e) => e
    }
}

Deny-by-default capabilities

This is the heart of the language. A script declares, in its header, exactly which system effects it intends to use. Anything it does not declare, it cannot do. A script with no declared capabilities is pure computation: it can calculate, but it cannot touch the filesystem, the network, or a model. Capability scopes are hierarchical — a grant for /etc/nexacore covers /etc/nexacore/notes/a.txt but rejects /etc/passwd — and the check runs before any input/output happens.

read-notes.ncsncScript
// Capabilities are declared in the script header.
// Deny-by-default: an effect not listed here cannot run.
#![capabilities(fs.read("/etc/nexacore"), ai.invoke)]

fn main() {
    // `fs::read` is a host effect, gated by the `fs.read` capability.
    // Scope "/etc/nexacore" admits this path and would reject "/etc/passwd",
    // and the decision is made before any byte is read.
    let notes = fs::read("/etc/nexacore/notes/a.txt");
    print(notes);
}

A subtle but important guarantee: if no host effect handler is installed, a call like net::connect("x") is not an error and is not I/O — it is inert data. The language has no ambient access to the outside world. Effects exist only where the host explicitly provides them, gated by a capability the script explicitly requested.

How a host effect is gated An effect call is checked against the declared capabilities and their scope before any input or output runs; failing either check denies the effect. fs::read(path) effect call capability declared? scope matches path? effect runs read happens yes yes CapabilityDenied no no
Deny-by-default: both checks run before any I/O. A missing capability or an out-of-scope path stops the effect.

A pure standard library

The bundled standard library is deliberately effect-free. The string module (and a math module) perform pure computation only, so they are always safe to call regardless of capabilities.

stdlib.ncsncScript
fn main() {
    let parts = string::split("a,b,c", ",");  // ["a", "b", "c"]
    let n     = string::len("héllo");         // 5 — counts characters
    let up    = string::upper("nexacore");        // "NexaCore"
    print(string::from_int(parts.len()));   // prints "3"
}

Deterministic resource limits

The host embeds the interpreter and hands it a budget. The interpreter counts instructions, tracks live memory, watches an injected clock, and bounds call depth — so an infinite loop, a memory bomb, or runaway recursion ends cleanly with a typed error instead of taking the host down. Limits are deterministic, which means the same script and budget behave identically every run.

host embedding · Rustnexacore-script
// Host side (Rust): every script runs under a hard, deterministic budget.
let limits = Limits {
    max_steps:       Some(1_000_000),  // instruction budget — stops infinite loops
    max_alloc_bytes: Some(64_000),     // live-memory ceiling
    deadline_micros: Some(5_000_000),  // wall-clock deadline (injected clock)
    max_call_depth:  Some(64),         // recursion guard — no host stack overflow
};

let (value, output) = run_with_limits(src, limits)?;

A module system resolves use a::b imports across scripts, checks that the imported symbol is actually exported, orders modules so dependencies load first, and rejects import cycles — all before execution begins.

Delegating to the built-in agents

NexaCore OS ships five specialised system agents — an Orchestrator, a Guidance agent, a System Administrator, a Security & Performance agent, and a Task agent. A script does not command them directly; it states an intent through a declared capability, and the Orchestrator routes the work to the right agent under the Security agent's watch. The binding that exposes this to ncScript is on the roadmap; the snippet below is illustrative of its intended shape, not yet a running test.

delegate.ncsDesign preview
// The `agent.task` capability lets this script delegate a goal.
// The Orchestrator dispatches it; the Security agent screens it.
#![capabilities(agent.task)]

fn main() {
    let summary = agent::task("summarise today's files in ~/reports");
    print(summary);
}

Read about the five built-in agents

Status. The lexer, parser, interpreter, capability gate, deterministic limits, the pure string/math modules, and the module resolver are implemented and tested. The remaining standard-library modules and the capability-gated bindings that connect scripts to live system services are landing incrementally. Syntax shown here is taken from the interpreter's test suite and runs today.

Section 5

Stack and versioning

Language
Rust, 2024 edition (minimum supported compiler 1.85)
Kernel target
x86_64-unknown-none, no_std, bare-metal UEFI boot
Cryptography
RustCrypto family — ed25519-dalek, x25519-dalek, chacha20poly1305, sha2, blake3, argon2
Serialization
postcard as the canonical internal wire format (a compact, no_std format)
Mesh transport
Planned on QUIC (quinn) with the Noise framework (snow)
Compliance proofs
STARK proof system (transparent setup, post-quantum sound)
Trusted hardware
Intel TDX, AMD SEV-SNP at launch; Apple Secure Enclave and ARMv9 CCA planned
Versioning
Semantic Versioning for the OS; the system-call ABI carries its own monotonic version (v1, frozen); the mesh protocol negotiates its version at handshake
License
Open source — see the repository LICENSE

Section 6

Implementation state

NexaCore OS is in Phase 1 (microkernel proof of concept), with Phase 2 (AI runtime) advancing in parallel. The table records what is implemented versus scaffolded as of v0.3.0-alpha.1.

Component status
LayerStateNotes
Foundational crates (types, crypto, capability)Implementedno_std; RFC test vectors per primitive; crypto awaiting external review
MicrokernelBoots on hardwareMulti-core, per-process isolation, user-space drivers live on a hypervisor
AI runtimeE2E verifiedTransformer + GGUF loader + BPE tokenizer; serves from Ring 3 on hardware
ncScriptCore completeLexer, parser, interpreter, capabilities, limits, module system; stdlib landing
Shell & desktopFunctionalBare-metal graphical desktop and terminal shell
P2P mesh & agentsScaffoldedProtocol spec and agent architecture defined; implementation advancing
Concrete TEE backendsPlannedTrait surface plus a development mock today; TDX / SEV-SNP backends next
Stability of design comes before speed of delivery.

The full backlog and the design documents behind each decision live in the project's documentation set. The visual and verbal identity used across this site follows the project's brand pack.

Back to the overview