Astrid is a portable, capability-secure operating system for composable software.
-
Updated
Jul 18, 2026 - Rust
Astrid is a portable, capability-secure operating system for composable software.
Sandboxed plugin VM with typed capabilities, deterministic replay, and time-travel debugging — written in Rust.
Jacquard is a small programming language designed for a regime in which most code is written by machine-learning models and reviewed by people.
Native Rust runtime for adversarial extension workloads with deterministic replay, cryptographic decision receipts, and fleet-scale containment.
A scripting language for cowboy coders
plan-bound authorization architecture for governing privileged effects in untrusted computational agents.
Electron runtime layer providing protocol-based separation, component assembly, and capability-based process control.
KAIROS-ARK is a high-performance, Rust-based Agent Runtime Kernel built for industrial-grade reliability. It delivers sub-100µs dispatch latency, event-sourced deterministic replay, and kernel-enforced capability sandboxing, bridging Python prototypes and production AI systems.
A ground-up Rust microkernel operating system exploring intent-centric computing, capability security, semantic knowledge, and privacy-first system architecture.
A capability-native research kernel for explicit authority, isolated execution, temporal state, and verifiable system boundaries. It is particularly efficient with WebAssembly
A capability-centric programming language. Hand-written compiler in Python.
Resource-safe, effect-typed programs in syntax you already know. A checked affine core with familiar Faces — JavaScript-, Python-, functional-, and pseudocode-shaped surfaces — compiling to typed WebAssembly.
The Estate's primary MCP server — GitHub, GitLab, and 115+ capability cartridges. Formally verified BoJ-server-ABI in Idris2 0.8.0 (%default total) with safety lemmas for credential isolation.
my tinkering notebook (blog)
A local, open-source capability gateway for AI agents — one AI-native self-describe endpoint so any agent can discover, understand, be granted, and call the software on your machine, under a trust model you can see, scope, and revoke.
JavaScript on genode using the Moddable XS engine
Provenance-gated tool calls for AI agents. A local YAML+CEL policy gates each tool call on the provenance of its arguments. Deterministic, in-process, no model.
The Kernel of CharlotteOS, An Experimental Modern Operating System
Add a description, image, and links to the capability-security topic page so that developers can more easily learn about it.
To associate your repository with the capability-security topic, visit your repo's landing page and select "manage topics."