A secure bridge from
human consciousness
to the electron.

That's the destination. Today, no shipping general-purpose OS holds together all five of the constraints below. Each was built for a different problem and made different tradeoffs. CambiOS is the bet that the next era needs all five — and that retrofitting won't get us there.

  • Architecturally enforced security. A five-job microkernel; everything else in user space; capabilities at every IPC boundary. Security as structure, not policy on top of a permissive substrate.
  • Sovereign identity. Cryptographic keys, kernel-enforced. No vendor account between you and your machine. No password to phish.
  • Sovereign data. Content-addressed storage, owned by the principal that created it. No service in the middle scanning, indexing, or reporting.
  • Sovereign network. An identity-routed overlay where the destination is a public key. Infrastructure can't surveil or redirect what it can't decrypt. (Designed; UDP/IP slice runs today.)
  • AI as infrastructure, optional by tier. Local models supervise verification, behavioral monitoring, and compatibility translation. The kernel runs without any of it on the embedded tier. (Architectural; AI subsystem on roadmap.)

All five live in software. The privileged silicon underneath — Intel ME, AMD PSP, Apple Secure Enclave, the TPM stack — is a separate fight, and not one CambiOS pretends to win. For now, the software side has to stop adding to the problem. Change starts with awareness, and we'll cross that bridge when we get there.

Computer security requirements have shifted more since the advent of Mythos than in the thirty years before it. Legacy OSes — built on permissive substrates with telemetry-as-product baked in — can't catch up by patching. CambiOS starts from scratch and gives you back your machine, to the extent that we can.

This is what we've built so far.

892 unit tests passing
x86_64 boots in QEMU
AArch64 boots in QEMU
RISC-V boots in QEMU
Bare-metal tooling ready
Kernel
Microkernel in Rust (no_std). Five jobs: scheduling, memory, IPC, capabilities, interrupts. Everything else is user-space.
Security
Capability-based IPC. Zero-trust interceptor. Signed ELF loading. W^X enforcement. Every message carries an unforgeable sender principal.
Identity
Every process has an Ed25519 identity enforced by the kernel — no usernames, no passwords, no central authority. Hardware key support is in progress.
Access
Who you are and what you can do are separate concerns. The policy service enforces per-process syscall allowlists. Capabilities govern IPC. The audit ring logs every enforcement decision.
Storage
Content-addressed ObjectStore. Blake3 hashing. Ed25519 signatures on every object. Persistent on virtio-blk, survives reboot.
Networking
UDP/IP stack with ARP and NTP demo. Virtio-net and Intel I219-LM drivers built; bare-metal bring-up pending. Identity-routed overlay network on the roadmap.
Verification
47 Kani proof harnesses across 6 proof crates — memory allocator, ELF parser, capability manager, user-slice validators, and DTB parser. Proof authoring found and fixed 10 real integer-overflow sites in production code. The proofs formally back the capability-soundness claim. CLAIMS.md tracks the gap between proven and aspirational.
Platforms
x86_64 (SMP, 2 CPUs; compositor + GPU scanout + input routing live). AArch64 (SMP, GICv3). RISC-V (SMP, Sv48 paging). All three boot to a shell with full service parity.

Target Architecture

The full intended stack. Items marked (roadmap) are designed but not yet built — everything else is running today.

+============================================================+
|                        Applications                        |
|   Native CambiOS apps   |  Win32 / POSIX compat (roadmap)  |
+============================================================+
|                      System Services                       |
|  Shell  |  Compositor  | Policy service | Update (roadmap) |
+============================================================+
|                        OS Services                         |
| Network stack |  Graphics | Device drivers | VFS (roadmap) |
+============================================================+
|                       Core Services                        |
|  Identity | Audit | AI engine (roadmap) | Social (roadmap) |
+============================================================+
|                        Microkernel                         |
|  Scheduling  | Memory |  IPC  | Capabilities  | Interrupts |
+============================================================+
|                          Hardware                          |
|    x86_64    |   AArch64   |    RISC-V    |    (future)    |
+============================================================+

CambiOS boots, schedules, runs user-space services, signs and verifies binaries, and handles IPC -- with a real security model enforced at every boundary.

Every box above the microkernel is an isolated user-space process. Every message between them is capability-checked. A buggy filesystem service can't take down the kernel. A compromised network driver can't read another process's memory. The isolation is enforced by the architecture -- there's no policy layer to misconfigure.
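The kernel-side check that paragraph describes, sketched as an added example (this is not CambiOS code; every name below is hypothetical, and a 4-byte id stands in for the Ed25519 principal so it runs on std alone): a process names only a handle in its own capability table, the kernel fills in the sender principal from its own bookkeeping, and each allow/deny decision lands in a fixed-size audit ring.

```rust
// Added illustration, not CambiOS code: a toy kernel where IPC is gated by
// per-process capability tables, the kernel (never the sender) stamps each
// message with its principal, and every decision lands in an audit ring.
use std::collections::{HashMap, VecDeque};
// CambiOS principals are Ed25519 keys; a 4-byte id stands in so this runs on std.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Principal(pub [u8; 4]);
pub const SEND: u8 = 1;
pub const RECV: u8 = 2;
pub const AUDIT_CAP: usize = 4; // ring keeps only the last four decisions
pub struct Capability { pub endpoint: u32, pub rights: u8 }
// `from` is written by the kernel from its own tables; user code never sets it.
pub struct Message { pub from: Principal, pub payload: Vec<u8> }
#[derive(Default)]
pub struct Kernel {
    caps: HashMap<Principal, Vec<Capability>>,   // handle index -> capability
    queues: HashMap<u32, VecDeque<Message>>,     // endpoint -> pending messages
    pub audit: Vec<String>,                      // oldest entry dropped when full
}
impl Kernel {
    fn log(&mut self, line: String) {
        if self.audit.len() == AUDIT_CAP { self.audit.remove(0); }
        self.audit.push(line);
    }
    // Handles index the grantee's own table and mean nothing to any other process.
    pub fn grant(&mut self, p: Principal, cap: Capability) -> usize {
        let t = self.caps.entry(p).or_default();
        t.push(cap);
        t.len() - 1
    }
    fn lookup(&self, p: Principal, handle: usize, right: u8) -> Result<u32, &'static str> {
        match self.caps.get(&p).and_then(|t| t.get(handle)) {
            Some(c) if c.rights & right != 0 => Ok(c.endpoint),
            Some(_) => Err("capability lacks required right"),
            None => Err("no such capability handle"),
        }
    }
    // A sender names only a handle: it cannot reach an ungranted endpoint or forge `from`.
    pub fn send(&mut self, caller: Principal, handle: usize, payload: &[u8]) -> Result<(), &'static str> {
        let r = self.lookup(caller, handle, SEND);
        self.log(format!("send {:?} h{} -> {:?}", caller, handle, r));
        self.queues.entry(r?).or_default().push_back(Message { from: caller, payload: payload.to_vec() });
        Ok(())
    }
    pub fn recv(&mut self, caller: Principal, handle: usize) -> Result<Option<Message>, &'static str> {
        let r = self.lookup(caller, handle, RECV);
        self.log(format!("recv {:?} h{} -> {:?}", caller, handle, r));
        Ok(self.queues.entry(r?).or_default().pop_front())
    }
}
```

Note that both processes get handle 0 for different capabilities: the handle is an index into the caller's own table, so presenting someone else's handle number buys nothing.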

The documentation is honest: STATUS.md lists what works and what doesn't, feature by feature. ASSUMPTIONS.md catalogs every numeric bound in the codebase. ADRs record architecture decisions with rationale and rejected alternatives.

Read the architecture document. Read the manuals -- they walk real things through the system. Read the philosophy if you want to know why. Read "why not just use X?" if that's the first thing you wanted to ask.

Commitments

No telemetry. No analytics, no phone-home, no usage reporting. Telemetry was never part of the design -- there's nothing to turn off.

No backdoors. No remote access mechanism that bypasses the capability model. No "emergency" channels. No "debug" overrides that work without the user's explicit action.

Your stack is yours. No DRM. No activation. No mandatory accounts. Secure boot protects your boot chain from tampering -- the signing keys are yours.