A clean-slate Rust operating system built around capabilities, objects, and native services.
Not Unix in new clothes. Not Windows rewritten. A fresh standalone OS path, built carefully from the first boot.

Implementation Plan | Release Plan | Release Notes | Security Controls | Security

Aesynx

Aesynx is a Rust no_std operating-system project with a clean-slate goal: a standalone OS that does not begin by copying Unix, Linux, or Windows. Its native model is built around explicit capabilities, per-core ownership, service queues, driver isolation, an immutable object graph, structured userspace, and AI-ready telemetry from day one.

The long-term goal is a different kind of general-purpose system, not a compatibility skin over old assumptions. Paths, processes, packages, drivers, snapshots, and automation should be native Aesynx concepts first. Unix or Linux compatibility can exist later as an isolated service, but it must not define the kernel, userspace, or security model.

Aesynx is also explicitly not planned as one huge OS binary: components should remain separately identified, signed, versioned, updateable, and rollback-capable.

The first major milestone is a serious x86_64 QEMU release with a coherent security model, clear non-claims, and release gates that block tagging until checks and pentest evidence are complete. The project is early, but the direction is intentionally standalone.

Aesynx is licensed under the European Union Public Licence 1.2.

What Works Today

v0.25.0 is the current service queue model candidate.

Current boot path:

• Builds a release-profile freestanding x86_64-unknown-none kernel ELF.
• Packages the kernel into a Limine ISO and records Rust, Limine, xorriso, and QEMU versions in the image manifest.
• Boots in QEMU and validates kernel-owned serial markers.
• Normalizes Limine handoff metadata into Aesynx BootInfo.
• Installs basic x86_64 GDT/TSS/IDT state, remaps and masks the legacy PIC, detects local APIC presence, and publishes checked IRQ vector allocation.
• Handles a returning breakpoint exception.

Diagnostics and timer smoke:

• Panic smoke emits bounded, escaped, redacted panic diagnostics.
• Exception smoke emits redacted CR2 presence/page-offset, CR3 low bits, public RFLAGS, interrupt state, and decoded page-fault bits.
• Timer smoke programs PIT IRQ0 in QEMU, observes three controlled ticks, converts ticks into monotonic nanosecond values, wakes one bounded sleep request, acknowledges each interrupt, and disables the smoke IRQ.

Memory and mapping model:

• Boot memory accounting reports checked total, usable, reserved, kernel, bootloader, framebuffer, ACPI, bad, and frame-count values before [TEST] memory-map=ok.
• The bounded bitmap frame allocator smoke verifies one-frame allocation/free, contiguous allocation/free, debug state, double-free detection, and atomic failure behavior before [TEST] frame-allocator=ok.
• The bounded x86_64-shaped page-table mapper model covers map, unmap, protect, contiguous range map/protect/unmap, typed and checked root-table identity, checked status accounting, fail-closed translation, checked byte-range translation, permission lookup/change, mapped/unmapped range checks, candidate kernel/user address-space checks, physical-alias prevention, redacted debug output, consistency audit, empty-table reclamation, and explicit TLB flush targets before [TEST] page-table=ok.

Kernel mapping policy:

• Linker-exported section boundaries feed a safe aesynx-mm policy descriptor.
• QEMU validates section layout, text RX, rodata read-only/NX, data RW/NX, reserved heap, guard page, and null-page invariants.
• Every v0.16 paging-policy-model *_ok=true marker plus [TEST] paging-policy-model=ok is required before normal boot success.

Address-space activation and CPU hardening:

• Audited mapper state streams into x86_64 hardware-shaped page tables in a static activation arena.
• The kernel switches to a private activation stack and loads an Aesynx-owned CR3 root before terminal boot success.
• The activation stack is mapped RW/NX with an unmapped guard page and QEMU requires [TEST] kernel-stack-guard=ok.
• Post-CR3 CPU hardening enables NX, write-protect, and CPUID-gated SMEP/SMAP/UMIP where supported, then reports read-back redacted booleans before [TEST] cpu-hardening=ok.
• Early entropy policy classifies x86_64 RDRAND/RDSEED support behind CPUID checks, distinguishes deterministic anti-confusion generation counters from attacker-unpredictable random tokens, keeps random-token policy disabled until a runtime self-test-backed read path exists, and reports only redacted booleans before [TEST] entropy-policy=ok.
• A bounded static kernel heap is initialized after CR3 activation and CPU hardening; fixed slab classes cover small allocations, page-sized runs cover larger allocations, and QEMU smokes Box, Vec, BTreeMap, slab reuse, page-run allocation/free, stress allocation/free, invalid-free telemetry, double-free detection, and explicit OOM rejection before [TEST] heap=ok.
• A fixed-capacity kernel capability table is smoke-tested after CR3 activation: root creation, permission checks, audited derivation, audited grant, audited revoke lifecycle, cross-owner child authority reduction, stale CapId rejection, redacted status telemetry, and cap-fault telemetry are required before [TEST] cap=ok and [TEST] cap-audit=ok.
• Memory capability enforcement now gates a mapper-facing checked mapping descriptor API: a derived subrange capability with MAP|READ can authorize one read-only mapping descriptor, while missing READ, missing WRITE, and range-escape requests fail before mapping construction and before [TEST] memory-cap=ok.

Fuzz and property gates:

• cargo xtask fuzz-smoke runs bounded BootInfo normalization fuzz seeds and deterministic byte-shaped mutations.
• Mapper property tests sweep map/unmap round trips, failed-operation atomicity, duplicate-frame rejection, range-walk bounds, and audit drift detection.

Area	Status	Notes
Rust workspace	Active	Modular crate layout with no root src/ implementation pile.
Toolchain	Active	Stable Rust 1.96.0, edition 2024, resolver 3, and x86_64-unknown-none for the first boot ELF.
Kernel crate policy	Active	Crates under crates/ must be no_std, deny unsafe by default, and avoid external dependencies without exceptions.
Capability model	Tagged	v0.22.0; private non-copy authority values, checked CapId slot/generation layout, fixed-capacity kernel capability table, permission validation, audited derive/grant/revoke paths, slot generation stale-id rejection, revoke authority checks, redacted capability/table/audit debug output, cap-fault telemetry, and memory-map authorization based on capability kind, range, and MAP/READ/WRITE/EXECUTE permissions.
Object model	Tagged	v0.23.0; host-side aesynx-object-model crate with nonzero redacted object IDs, explicit object kinds, immutable node metadata, duplicate/self-reference rejection, append-only graph insertion, missing-reference rejection, and reachability over references plus predecessor links.
Kernel object registry	Tagged	v0.24.0; no_std fixed-capacity aesynx-object registry with memory, endpoint, queue, and task-placeholder objects, local core ownership, create/list/delete operations, generation-backed slot recycling, redacted object debug output, and capability reference resolution against object ID, kind, generation, revocation epoch, and permission.
Service queue model	Active candidate	v0.25.0; host-side aesynx-ipc-model crate with explicit service kinds, request/completion structures, fixed-capacity ring queue behavior, fail-closed full/empty handling, FIFO wraparound tests, modeled release/acquire publish-observe ordering evidence, and redacted IPC/service debug output before kernel service queues land.
Memory model	Model active	Page flags make writable+executable and user-global mappings unrepresentable; long-term memory should become object-native, purpose-tagged, capability-scoped, and snapshot-aware.
OS world model	Planned	Kernel-stamped facts should feed a native world service so Aesynx can explain boot, memory, packages, drivers, capabilities, snapshots, and policy decisions without putting a database in ring 0.
IPC model	Model active	Kernel-stamped message headers, caller requests, and bounded inline payloads.
Bytecode model	Model active	Fuel limit and capability-typed permission checks.
Logging model	Model active	Bounded single-record log messages.
Build path	Active	x86_64 target metadata, linker script, Cargo config validation, stable freestanding kernel ELF build, and an optional nightly custom-target probe.
QEMU first boot	Active	cargo xtask image creates a release-profile Limine ISO and cargo xtask qemu verifies descriptor/IRQ setup, checked memory-map/frame-allocator/page-table markers, every v0.16 paging-policy-model *_ok=true marker, [TEST] paging-policy-model=ok, [TEST] kernel-cr3=ok, [TEST] kernel-stack-guard=ok, [TEST] bootinfo=ok, [TEST] boot=ok, post-CR3 CPU hardening, [TEST] cpu-hardening=ok, v0.18.1 entropy policy evidence with [TEST] entropy-policy=ok, the v0.18 kernel heap smoke with [TEST] heap=ok, the v0.20 kernel capability-table smoke with [TEST] cap=ok, the v0.21 memory-capability mapping-descriptor gate with [TEST] memory-cap=ok, and the v0.22 capability audit/telemetry gate with [TEST] cap-audit=ok from Rust _start.
Fuzz/property smoke	Active candidate	v0.16.1; cargo xtask fuzz-smoke runs BootInfo fuzz seeds, deterministic BootInfo byte mutations, and mapper property sweeps before live CR3 activation.
BootInfo normalization	Tagged	Limine memory map, executable address, HHDM, RSDP, and framebuffer metadata normalize into dependency-free aesynx-boot structures.
Early diagnostics	Tagged	Boot phase tracking and cargo xtask qemu --panic-smoke verify readable panic output with [TEST] panic=ok.
GDT and TSS	Tagged	Early x86_64 boot installs an Aesynx-owned GDT, TSS, and double-fault IST stack, verified with [TEST] gdt=ok.
IDT and exceptions	Tagged	Early x86_64 boot installs an IDT with deterministic halt-and-log catch-all entries for every vector, handles breakpoint, page-fault, and double-fault vectors, and verifies [TEST] exception=ok.
Fault decoding	Tagged	v0.9.0; page-fault smoke prints redacted CR2 presence/page offset, CR3 low bits, public RFLAGS, interrupt state, and decoded error bits.
Interrupt controller baseline	Tagged	v0.10.0; remaps/masks legacy PIC IRQs, detects local APIC presence, defines checked IRQ vectors, and exposes an EOI path.
Timer ticks	Tagged	v0.11.0; opt-in QEMU timer smoke programs PIT IRQ0, records a tick counter, and verifies timer tick 1..3 plus [TEST] timer=ok.
Monotonic time and sleeps	Tagged	v0.12.0; converts timer ticks into monotonic instants, schedules a bounded sleep request, and verifies timer delayed-log, [TEST] sleep=ok, and [TEST] timer=ok.
Physical memory map	Tagged	v0.13.0; rejects invalid/overlapping regions and reports checked total/usable/reserved bytes, frame counts, and kernel/bootloader reserved accounting with [TEST] memory-map=ok.
Bitmap frame allocator	Tagged	v0.14.0; safe aesynx-mm bitmap allocator model plus QEMU smoke for bounded early alloc/free, contiguous allocation, debug states, double-free detection, and atomic failure behavior with [TEST] frame-allocator=ok.
Page table mapper	Tagged	v0.15.0; safe bounded aesynx-mm page-table mapper model with x86_64-shaped tables, mapper-issued typed root-table identity, checked root-table identity, checked status accounting, non-empty kernel and user address-space candidate preflights, audit-backed map/unmap/protect, fail-closed translation, checked contiguous byte-range translation, audit-backed permission lookup, contiguous range map/protect/unmap plus lookup, upfront range validation, bounded range walks, audit-backed unmapped range checks, audit-backed mapped-range checks, page-presence checks, kernel-only policy checks, kernel high-half user-access guard checks, user low-half kernel-privilege guard checks, no-user-space policy checks, no-executable policy checks, no-writable policy checks, no-device policy checks, no-global policy checks, map-time no-physical-alias policy checks with const-capacity bounded side-index audit, audit-backed kernel-range policy checks, audit-backed user-range policy checks, write-protected range checks, non-executable range checks, executable range checks, normal-memory range checks, local range checks, high-half kernel-space checks, low-half user-space checks, read-only mapping visit, redacted mapping summaries, redacted page-table debug output, virtual range permission verification, fail-closed leaf decoding including hardware Accessed/Dirty bits, permission lookup/change, consistency audit, empty-table reclamation, explicit TLB flush targets, conservative TLB flush merging, and QEMU smoke with [TEST] page-table=ok.
Kernel mapping policy	Tagged	v0.16.0; linker-exported section boundaries feed a safe aesynx-mm policy descriptor that verifies section layout, text RX, rodata read-only/NX, data RW/NX, reserved heap, guard page, and null-page invariants before [TEST] paging-policy-model=ok.
Kernel-owned address space	Tagged	v0.16.2; audited mapper state now streams redacted x86_64 hardware-shaped page-table entries using Limine's normalized kernel physical placement, copies used tables into a static activation arena, switches to a private kernel activation stack, loads an Aesynx-owned CR3 root, and QEMU requires hardware_copied=true plus [TEST] kernel-cr3=ok.
CPU hardening and stack guards	Tagged	v0.16.3; CPUID-gated EFER.NXE, CR0.WP, SMEP, SMAP, and UMIP policy is host-tested and QEMU-smoked with redacted read-back cpu-hardening booleans; the terminal activation stack is mapped separately with an unmapped guard page and [TEST] kernel-stack-guard=ok.
Limine handoff module split	Tagged	v0.16.4; Limine ABI structs, constants, request statics, link-section markers, and ABI assertions now live in a private limine/abi.rs module while normalization flow remains in limine.rs.
Early heap	Tagged	v0.17.0; bounded static bump allocator, global allocator wrapper, post-CR3 Box/Vec/BTreeMap smoke, and explicit OOM rejection before [TEST] heap=ok.
Slab/page heap	Tagged	v0.18.0; bounded static reusable kernel heap with fixed slab classes, page-sized runs, aggregate stats, invalid-free and free-while-free double-free telemetry, zero-before-reuse host coverage, and QEMU allocation/free stress before [TEST] heap=ok; allocation-epoch stale raw-pointer detection remains future work.
Early entropy semantics	Tagged	v0.18.1; safe entropy policy crate, x86_64 CPUID classification for RDRAND/RDSEED, explicit runtime self-test evidence, deterministic anti-confusion generation counters, random-token gating that rejects CPUID-only evidence, and redacted QEMU telemetry before [TEST] entropy-policy=ok.
Native snapshots	Planned	Content-addressed object roots make snapshots and rollback object-layer primitives rather than path-first filesystem features.
Native package manager	Planned	Content-addressed package objects, declarative generations, explicit tracks, SBOM/provenance, and capability manifests.
Future bootloader	Planned	Limine is current; a future Rust UEFI bootloader should be a minimal security gateway for signed/measured Aesynx boot capsules.
Post-quantum readiness	Planned	Crypto-agile boot, package, update, and identity metadata with room for hybrid classical plus post-quantum validation.
Supply-chain checks	Active	cargo deny, cargo audit, SBOM generation, Dependabot, SHA-pinned GitHub Actions, and CodeQL default Rust workflow.
Release gate	Active	Tags require local checks, SBOM, CodeQL on GitHub, and a passing pentest report for the exact commit.

Planned Next

Area	Status	Target
Real arch mechanisms	Planned	Core identity, timestamp, production page tables, and CPU setup.
Capability services	Planned	Concrete revocation epoch store, audit backend, object registry, and authenticated call paths.
Native userspace	Planned	aesh, structured pipelines, WASM components, and capability-scoped command execution.
OS world service	Planned	Signed/versioned facts, branchable worlds, policy-aware queries, context packs, and AI-safe explanations over deterministic OS evidence.
Package manager	Planned	aepkg/aepkgd roadmap for search, install, update, rollback, repair, and future store UI.
Post-quantum readiness	Planned	Crypto-agile signature envelopes and trust policy before signed boot capsules, package registries, or update metadata.

Local Checks

Run the full repository gate:

scripts/checks.sh

Generate the source SBOM:

scripts/generate-sbom.sh

Validate the current kernel build path:

cargo xtask build-kernel

Create and smoke-test the current Limine QEMU image:

cargo xtask image
cargo xtask qemu

Run the full current QEMU smoke suite:

cargo xtask qemu-suite

Run the deliberate panic diagnostics smoke:

cargo xtask qemu --panic-smoke

Run the deliberate exception smoke:

cargo xtask qemu --exception-smoke

Run the controlled timer smoke:

cargo xtask qemu --timer-smoke

These commands require Limine 12.3.2 or newer, xorriso, and qemu-system-x86_64. The generated manifest records the exact Rust, Limine, xorriso, and QEMU version banners.

Try the documented custom-target experiment when a nightly toolchain is available:

cargo xtask build-kernel --custom-target-probe

After a pentest report is completed for a tag:

cargo xtask release-ready v0.25.0

Security Posture

Aesynx treats boot, memory, capabilities, IPC, driver authority, userspace ABI, WASM execution, telemetry, AI policy, build tooling, GitHub workflows, and dependency metadata as high-risk. The project prefers internal kernel primitives, narrow unsafe boundaries, no ambient authority, explicit capabilities, and small modules that can be reviewed and tested.

Every release tag is blocked until the exact commit being tagged has a passing pentest report in security/pentest/<tag>.md.

Documentation

• Implementation Plan
• Userspace Vision
• SDK Roadmap
• Memory Model Roadmap
• OS World Roadmap
• Package Manager Roadmap
• Driver Roadmap
• Release Plan
• Architecture Decisions
• Build Skeleton
• QEMU Image Skeleton
• First Serial Boot
• BootInfo Normalization
• Early Diagnostics
• Release Candidate Notes Archive
• v0.25.0 Release Candidate Notes
• Bootloader Roadmap
• Storage Roadmap
• Hosted Execution Roadmap
• Post-Quantum Readiness
• Security Policy
• Threat Model
• Security Controls
• Supply-Chain Security
• Kernel Engineering Policy
• Unsafe Policy
• Modularity Policy
• Licensing Notes
• License
• Initial Idea