A clean-slate operating system built for everything from microcontrollers to Mars orbiters.
No POSIX baggage. No GPL chains. No corporate masters.
Written in Zig, Nim, and soon Janus;
designed for a world that refuses to be governed by a kernel from 1991.
Fifty years of accumulated decisions optimised for IBM mainframes still dictate how your phone boots, how your satellite processes telemetry, and how your server allocates memory. The entire stack; from POSIX syscalls to the GNU toolchain to the Linux driver model; is technical debt masquerading as tradition.
Designed by committee to unify competing Unixes. It succeeded. It also froze computing in amber. The syscall interface assumes fork/exec, blocking I/O, and a flat filesystem. None of these assumptions hold for real-time drones, distributed mesh networks, or sovereign edge nodes. We do not patch 1988. We replace it.
The GPL was designed to protect freedom. In practice it created a monoculture where hardware vendors ship binary blobs because they cannot integrate with copyleft code without surrendering their IP. The result: broken drivers, firmware extraction scripts, and a permanent dependency on vendor goodwill. Our Libertaria License solves this by making it profitable to cooperate.
Qualcomm's Snapdragon X2 runs 20% slower on Linux than Windows. USB4 falls back to USB2. Fan control does not exist. Laptops crash from thermal runaway. This is not a bug; it is the structural consequence of a driver model that makes vendor participation economically irrational. The incentive architecture is wrong.
The Linux kernel is a fundamentally anti-security project. It began as a rejection of a more robust and secure OS design. It continues today as nearly entirely written in a memory unsafe language where tiny mistakes lead to endless severe vulnerabilities. The Linux kernel runs in ring 0 with 30+ million lines of C. Every CVE is a potential kernel compromise. Every driver bug is a privilege escalation vector. We do not patch the symptoms. We replace the architecture.
Linux has 30+ million lines of code running in ring 0. Every CVE in a device driver is a kernel compromise. The "security" consists of hoping millions of lines of C do not contain memory corruption bugs. They do. Every month. Nexus runs a <5KB kernel with memory-safe logic and crash-isolated drivers. Security by architecture, not audit.
Nexus separates physics (hardware control) from logic (policy decisions) from membrane (application compatibility). Each layer can crash independently. Each layer can be replaced at runtime. The kernel does not know what a "file" is. It moves sectors. The membrane decides what they mean.
Written in Zig. Direct MMIO access to hardware registers. Atomic ring buffers. DMA mappings. Interrupt service routines. This layer owns the pipe and the watchdog — raw data movement at sub-nanosecond latency, plus the Paranoid Watchdog that monitors L1's heartbeat, audits capability integrity, and detects correlated radiation events. If L1 panics, L0 restarts it. If L1 hangs, L0 notices. If everything fails, L0 fires the Phoenix Protocol and reboots from immutable firmware.
Written in Nim. Fiber-based scheduling with the Harmonic Scheduler. ARC/ORC deterministic memory management; no garbage collection pauses. The kernel owns the valve; deciding which fibers run, which channels yield, and when to enter Silence (WFI hardware sleep). Policy over physics.
The adoption bridge. POSIX shims translate legacy syscalls to native channels at a measurable performance penalty; the Entropy Tax. Native applications get zero-copy event-driven I/O. Legacy applications work, but they pay for the privilege. The tax incentivises migration. Economics, not evangelism.
A fiber that panics doesn't crash the system — it restarts from its immutable image with a fresh capability space. No halt. No reboot. No operator intervention. Two independent observers — L0 and L1 — monitor behavior and reach conclusions independently. Neither trusts the other. This is Autonomous FDIR: Fault Detection, Isolation, and Recovery that meets ECSS-E-ST-70-41C requirements for onboard autonomy.
Written in Zig. Zero Nim dependencies. Survives L1 breakage. If L0 says “quarantine fiber X” and L1 disagrees, L0 wins. Always.
Per-fiber behavioral baselines via Welford's online algorithm. Tracks execution burst patterns, syscall mix, channel throughput. After 1000 samples, the baseline locks. Deviations beyond 3σ emit anomaly events.
One kernel. Three paranoia levels. Set at boot, adapted at runtime. The boot profile is the floor — the system can escalate but never drop below it.
Laptop. Desktop. Zero overhead. Restart trap + circuit breaker + BEB logging.
0b0000_0111Industrial. Automotive. Adds heartbeat monitor + behavioral baselines.
0b0001_1111Space. Nuclear. Full FDIR stack: correlator, CSpace audit, verdict ring, TMR.
0b1111_1111User-mode fibers are untrusted code running in someone else's sandbox. They are enforced by three independent mechanisms – any one of which is sufficient to prevent abuse. Together, they form a defense stack where runaway fibers get throttled before the circuit breaker even trips.
Every resource access – console, filesystem, network, memory – is gated by a typed, revocable capability in the fiber's CSpace. No capability, no access. Capabilities are granted from the fiber's embedded BKDL manifest at load time. On respawn, L0 re-parses the manifest and re-grants from scratch. Least-privilege by default.
OpenBSD-style pledge masks restrict which categories of operations a fiber can perform.
A fiber pledged to STDIO cannot open network sockets. A fiber pledged to RPATH
cannot write files. Pledges can only be narrowed, never widened – the initial mask is derived
from the manifest, and any attempt to escalate is denied and logged.
stimecmp Fires. No Negotiation.
Every user-mode fiber has a time budget set by its Spectrum tier. Before entering userland,
the kernel arms the RISC-V stimecmp register (Sstc extension) to the fiber's
budget deadline. If the fiber exceeds its budget without yielding, the hardware interrupts it.
The fiber is preempted, logged, and the Ratchet takes over.
When a fiber exceeds its budget, it earns a strike. Three strikes trigger Spectrum demotion: Photon → Matter → Gravity → Void. Demotion is self-reinforcing – a lower tier means a longer budget, but lower scheduling priority. A fiber demoted to Void runs only when nothing else needs the CPU. The system doesn't kill misbehaving code – it starves it into compliance.
Budget exhaustion events are logged to the Boot Error Buffer (BEB) for forensic analysis and emitted to the System Truth Ledger (STL) for real-time observability. Kernel fibers (S-mode) are exempt from preemption – they're trusted code that yields cooperatively. The boundary is structural: SPP=0 gets the iron fist, SPP=1 gets the honour system.
Cold restart reloads the fiber from its immutable image – it starts from main().
Warm restart resumes from a saved snapshot: registers, call chain, and domain state.
The fiber picks up where it left off. A navigation fiber keeps its accumulated position error.
A science fiber keeps its partial dataset. The kernel saves the hard parts; the fiber saves what only it understands.
The kernel always saves the trap frame (32 RISC-V GPRs + PC + status) and the fiber's stack snapshot. This is mechanical, deterministic, zero fiber-author involvement. Every fiber gets warm restart for free – no opt-in, no manifest changes, no serialization code.
sscratch
Fibers that have domain state worth preserving call sys_checkpoint()
at application-defined safe points with a serialized blob (up to 32 KB).
The kernel stores it alongside the register snapshot. On restore, the fiber's
on_restore callback rebuilds heap state from the blob.
.npk manifest; kernel passes blob pointer + length via a0/a1sys_checkpoint(null, 0) saves only registers + stack
16 fibers × 2 copies × 41 KB = 1.26 MB. Fixed at compile time.
Dedicated physical region at 0x8600_0000, kernel-only, zeroed at boot.
The CheckpointRegionInit STL event proves it was cleaned this boot cycle.
Fiber-initiated. Stack copy + BLAKE3 + dual write. Sub-100 μs.
< 100 μsVerify BLAKE3. Copy stack + blob. Re-enter at saved PC or restore callback.
< 100 μsBoth copies corrupt? Cold restart from .npk. Always a safe path.
Cold → main()Every operating system since Unix trusts the hardware vendor's core classification. Linux reads ACPI tables and obeys. Windows follows Intel Thread Director hints. Even QNX; the hardest RTOS on Earth; believes whatever the Device Tree says. Nexus benchmarks every core at boot, classifies by measured performance, and reclassifies dynamically when thermal conditions change. The vendor tells you what the core is. We measure what it does.
Fastest single-thread IPC in the topology. 1–4 cores. VSync, audio DMA, touch response—when latency is measured in microseconds, Apex delivers. The blade.
Strong multi-thread at reasonable power draw. Your browser, your editor, your compiler at full load. The backbone of interactive computing where throughput and responsiveness meet.
Best performance-per-watt. Indexers, transcoders, background builds—work that runs for hours without thermal stress. Throughput-per-joule, not latency.
The last core awake. Heartbeats, BLE scans, push notifications. The 99.7% of wall-clock time where nothing visible happens. Micro-watts at idle.
A Raspberry Pi Cortex-A76 is Apex on a standalone Pi. Place it in a Scout cluster alongside an M3 Max—the same core becomes Ember. Classification is relative to the topology, not absolute to the silicon. There is no absolute power. Only relative sovereignty.
The Crucible runs at boot in under 14ms for an 8-core SoC. But hardware changes. When thermal throttling degrades a core, the scheduler demotes it in real-time. When a Scout node joins the cluster, every core across every machine is reclassified against the new global topology. This is Driver Sovereignty applied to the CPU itself.
No other system does this. Linux EAS is static. Windows Thread Director is Intel-proprietary. Apple GCD is Apple-only. None of them reclassify dynamically under thermal load. None of them operate across machine boundaries.
Nexus does not trust your CPU. It benchmarks every core at boot, classifies by measured performance, and reclassifies dynamically when thermal conditions change. Your Mars rover's scheduler adapts to radiation-degraded silicon in real-time. No ground intervention. No firmware update. Physics, not prayers.
Your finger touches the screen and the response is instant—because touch input lands on an Apex core, not whatever core a round-robin scheduler had free. Your compiler runs in the background without stuttering the UI—because it grinds on Mill cores while Apex stays reserved for Photon bursts. Invisible excellence. The best thing an OS can do is disappear.
We do not believe in one language to rule them all. We believe in matching the tool to the physics of the problem domain. Three languages; three roles; zero overlap.
The scalpel. Comptime evaluation, no hidden allocations, C-level control without C-level insanity. Every HAL driver, every DMA ring, every interrupt handler is Zig. Where a single misplaced byte kills the system, Zig's explicitness is not a feature; it is a survival mechanism.
The architect. Python-like expressiveness with deterministic ARC/ORC memory management. Fibers, channels, schedulers; the logic layer where policy decisions happen at microsecond scale. Nim's macro system lets us embed domain-specific languages directly into the kernel. Expressive. Fast. Safe.
The horizon. janus-lang.org. Our own language, currently in development, designed to unify the HAL and kernel layers into a single coherent system language. When Janus matures, the Zig/Nim split converges. Until then, we ship with what works. Pragmatism over purity.
Nexus operates under the Libertaria License; a four-tier structure (LCL/LSL/LUL/LVL) designed to prevent corporate capture while making vendor cooperation profitable. We use copyright to simulate physics. The core cannot be enclosed. Period.
Ed25519 signatures, BLAKE3 hashing, XChaCha20-Poly1305 encryption; baked into the kernel, not bolted on as an afterthought. Every binary is signed. Every package has a provenance chain. Every filesystem operation is content-addressable. Sovereignty starts with cryptographic identity.
The Sovereign Bazaar distributes packages over a mesh network using content-addressed storage. No central repository. No single point of failure. No corporation decides what software you can install. Chapter Networks form the distributed backbone; BitTorrent semantics with filesystem-native integration.
A <5KB nanokernel means a minimal attack surface measured in kilobytes, not megabytes. Drivers run as isolated NipCells; a GPU driver crash cannot touch the kernel. Capability-based security algebra governs every resource access. The Pledge/Unveil model restricts what each component can see and do. There is no root. There is no god-mode. There is only the capability you were granted.
AI is not an afterthought bolted onto a 1970s process model. Nexus treats autonomous agents as native system entities with their own capability spaces, resource budgets, and communication channels. An agent can spawn fibers, access hardware through the Bus, and coordinate with other agents over typed channels. The scheduler understands inference workloads. The NPU is a Bus device, not a hack.
We do not share the GPL's allergic reaction to firmware blobs. Under the Libertaria License, vendors ship signed NIP packages containing their firmware and HAL shims. The community extracts, packages, and distributes driver capsules for hardware that vendors neglect. Security is enforced through driver signing and reputation scores; not through legal fiction.
Five domains, each with distinct physics. /Cas/ for immutable content-addressed artifacts.
/Nexus/ for the system brain. /Cell/ for ephemeral runtime containers.
/Bus/ for plug-and-play service discovery. /Data/ for persistent state.
No /etc. No /usr/local/lib. No FHS archaeology.
TCP/IP was designed for universities in the 1970s. It identifies machines by rented addresses, authenticates nothing at the transport layer, and trusts every packet until proven malicious. Fifty years later, the entire security industry exists to patch this foundational failure. Nexus does not patch TCP/IP. Nexus replaces it. Identity-centric transport. Encrypted by default. DDoS-immune at L2. IPv6 for the legacy world; sovereign protocols for everything else.
Universal Transport and Control Protocol. Identity-centric – packets are addressed by CellID, not IP. NACK-based reliability eliminates ACK storms. Unknown CellIDs are dropped at L2 before they touch the kernel – DDoS is structurally impossible against nodes that never existed on your address table. Full kernel state machine. No userspace socket overhead.
The sovereign wire format. Every frame is encrypted – Noise XX handshakes for live streams, XChaCha20-Poly1305 for store-and-forward. 88-byte header + 68-byte trailer. No plaintext mode. No "optional" encryption toggle. The wire is hostile by assumption. LWF treats cleartext as a protocol violation, not a configuration choice.
Peer-to-peer block exchange over SBI binary frames. Every content chunk identified by its BLAKE3 hash. Zstd-compressed in transit. Merkle DAG synchronisation means only the delta transfers – not the file, not the block, just the diff. BitTorrent semantics with filesystem-native integration and cryptographic verification.
CellID address resolution table maps sovereign identities to reachable endpoints. RELAY_FORWARD enables kernel-level frame forwarding – any Nexus node can route LWF frames for other nodes without userspace involvement. Yggdrasil integration provides IPv6 overlay mesh for peer discovery. No DNS. No NAT. No DHCP. Identity is the address.
iptables filters anonymous packets. LPF filters identified peers. Every packet on 0x88B5 already carries a cryptographic identity – SipHash CellID, Ed25519 verification, Noise XX session. The filter doesn't discover who's talking; it already knows. 80% of what iptables does is pre-solved by the protocol layer.
Ring 0 (Zig, L0): CellID allowlist, O(1) bitmap, line-rate. Ring 1 (Janus DSL): policy engine, hot-reload, zero-drop swap. Ring 2 (Membrane): deep inspection, threat intel, cluster overflow.
The Libertaria protocol stack runs natively inside NexusOS as a freestanding NPL payload. Noise XX handshake, BLAKE3 identity, XChaCha20-Poly1305 AEAD – all in a 100KB capsule binary linked with Monocypher. No libc. No std. No compromise. LWF frames bypass LwIP entirely – VirtIO to capsule in zero copies.
Every mainstream filesystem assumes a block device, an FTL, a kernel, and gigabytes of RAM. NexFS assumes nothing. Flash-native. Content-addressed. Mesh-distributed. One codebase runs on an 8 KB microcontroller and a 352 TB Homenode and a planetwide mesh. u64 addressing. 64 zettabytes per volume. Zero dependencies.
NexFS operates directly on raw NAND, NOR, and SPI flash. No flash translation layer. No block device abstraction. Wear levelling, erase management, and bad block handling are filesystem concerns – not hardware hacks. F2FS works with the FTL; NexFS replaces it.
Native UTCP protocol with BLOCK_WANT/PUT and DAG_SYNC. Peer discovery, gossip protocol, content-defined delta sync (~5% bandwidth for updates). No other filesystem is its own BitTorrent. The Kinetic Credits economy incentivises nodes to share. Storage that replicates itself.
8.5 KB RAM on a microcontroller. 64 ZB address space on a 352 TB Homenode. Same codebase, same binary. ZFS needs 768 MB. Btrfs needs 64 MB. ext4 needs 8 MB. NexFS runs on hardware where those filesystems can't even load – and scales to hardware where they struggle to address.
TimeWarp snapshots aren't just CoW pointers – they're verifiable Merkle DAG commitments with cryptographic chain-of-custody. A snapshot is a proof, not a bookmark. 128 bytes per snapshot. Atomic rollback via single Root Register write.
Every chunk is identified by its BLAKE3 hash at write time. FastCDC variable chunking (16–64–256 KB) achieves 90–95% dedup for similar data. ZFS dedup eats 5+ GB RAM per TB. Btrfs dedup is an offline afterthought. NexFS dedup is how storage works.
BLAKE3-256 data checksums. Per-inode selectable hashing (BLAKE3-256, BLAKE3-128, XXH3-64). Dual superblock failover. Full-volume scrub. ext4 and F2FS can't even detect silent data corruption. NexFS makes it structurally impossible.
Four modes: per-bucket block compression for Core profile (RLE on satellites), per-DAG-node and per-CAS-chunk for Sovereign (ZSTD levels 1–22). ZSTD:2 on hot system paths, ZSTD:18 on cold archives – on the same volume. Double-checksum integrity: XXH3-64 pre-gate catches bit flips before decompression, piped during streaming compress at zero extra cost. No other filesystem offers per-file compression level control with block-level granularity.
Scattered superblock replicas spread up to 10 copies across the volume – survive catastrophic
block failure where dual-copy filesystems lose everything. Feature flags with runtime tuning:
enable compression, dedup, recompression without reformatting. COW background recompression
upgrades stored data to better algorithms without risking a single byte.
tune2fs for the sovereign age.
Full comparison with 8 filesystems across 12 dimensions: NexFS vs. The Field
Every package in Nexus is a NIP (Nexus Immutable Package); cryptographically signed, content-addressed by BLAKE3 hash, distributed over a decentralised mesh. No version conflicts. No dependency hell. The Paradox Resolver uses CDCL-based constraint solving to handle variants, sources, and build flags simultaneously.
Content-Addressed Storage (CAS): Two packages with identical contents produce identical hashes. Deduplication is automatic. Distribution is BitTorrent-native. The filesystem is the package cache.
Provenance Chain: Every package carries a tamper-evident log of its build inputs, compiler version, and signing key. You can verify not just what you are running but how it was made and by whom.
Configurable Hashing: BLAKE3 for speed, XXH3 for checksums, SipHash for DoS resistance. Choose the algorithm that fits your threat model. Default: BLAKE3.
One architecture. Three build profiles (Core/Sovereign/Mesh). Every target from a Cortex-M4 to a 1024-node server farm to a radiation-hardened satellite. The same kernel. The same tools. The same security model.
Sub-100ms boot. <5KB kernel. WFI sleep. Perfect for edge nodes and IoT.
Hard real-time scheduling. Harmonic alignment to sensor Hz. Deterministic execution.
Adaptive FDIR with dual-layer anomaly detection. Unkillable fibers. ECSS-E-ST-70-41C autonomous recovery. Radiation boot profile.
Native agent scheduling. NPU as Bus device. Typed channels for agent coordination.
Mesh distribution. Content-addressed deployment. Zero-downtime hot-swap upgrades.
Media server. Torrent client. Virtualisation host. Decentralised storage node. All native.
Simulation workloads on sovereign infrastructure. GPU compute via SignalForge graph engine.
Capability-based security. CSpace integrity auditing. Full provenance chain. Hardened boot profile with behavioral anomaly detection.
"We love OpenBSD's attitude toward security. We love DragonflyBSD's pragmatic approach to kernel architecture. We love Plan 9's vision of everything-as-a-file-system. We respect what they built. We refuse to be limited by what they inherited."
Nexus draws from the best of the BSD tradition; the audacity to rethink, the discipline to execute, the honesty to admit when something is broken. But we do not carry their POSIX baggage. We do not maintain their compatibility shackles.
Every military microkernel, every automotive RTOS, every "certified" real-time operating system charges you a fortune for mediocre architecture wrapped in compliance paperwork. QNX, VxWorks, INTEGRITY; they sell you the illusion of safety at enterprise prices. We build actual safety at kernel-architecture level and give you the source code.
The Chimera Architecture means every driver and filesystem runs in three modes without code changes: monolithic (performance), microkernel (isolation), or unikernel (cloud/edge/satellite). One codebase. Three deployment physics. No vendor lock-in. No per-seat licensing. No compliance theatre.
Nexus is pre-alpha. It is incomplete. It is ambitious beyond reason.
That is precisely why we need you. We are not looking for people who want to use
an operating system. We are looking for people who want to build one.
Kernel hackers. Systems programmers. Zig and Nim enthusiasts.
Cryptographers. Hardware engineers. Astrophysicists who are tired of running
simulations on bloated Linux clusters. Anyone who looked at the state of computing
and thought: we can do better than this.