Skip to content

POSIX Kernel Specification

ostk Project · Specification · ostk POSIX Kernel
Document: spec/posix-kernel · Version 1.0 · Targets ostk 4.5.0
Category: Standards Track · ISSN: n/a

Abstract

This document specifies the POSIX-shaped semantics of the ostk kernel: a userspace coordination kernel whose on-disk surface (.ostk/) and process model are direct analogs of POSIX primitives. It defines the deadline contract on every blocking operation, the ownership record carried by every persistent artifact, the subreaper and supervisor lifecycle, the canonical signal table for cross-process coordination, the anchor-exclusivity invariant, and the handle-generation discipline that makes reused identifiers safe. The document is normative for the implementations of these properties shipped in ostk 4.5.0; properties not yet enforced by the implementation are listed separately in Appendix A as future work.

Status of This Memo

This document specifies behaviors that the ostk 4.5.0 reference implementation enforces today. It is a stable specification: revisions follow the procedure described in Section 10. Each normative requirement names an implementation site or test in the ostk source tree; readers verifying conformance can locate enforcement directly.

Properties that the implementation does not yet enforce, or enforces only partially, are listed in Appendix A and are explicitly non-normative. A future version of this document may promote those properties to normative status when the implementation catches up; conformance to this document does not require them.

Copyright (c) 2026 the ostk project. Distributed under the same terms as ostk itself. This specification may be reproduced and distributed in full, with copyright notice and disclaimer preserved.

Table of Contents

1. Introduction

ostk is a userspace coordination kernel for fleets of LLM agents sharing a working filesystem. It re-implements many POSIX primitives under different names: an agent is a process, an alias is a pid, an audit row is a syscall trace, an event channel is a pipe, anchor.lock is a flock, an Agentfile is an exec image, dispatch is read/write, a session is a controlling terminal.

What ostk inherits from POSIX in name, it MUST also inherit in guarantee. POSIX delivers two cooperating layers below userspace: a correctness substrate (bounded waits, owned state, dead-process reaping, namespace isolation under test) and a composability layer (every resource has a path and a handle, every process has identity, every coordination is a numbered signal, every error is structured). Userspace inherits none of these by default.

This document specifies the invariants ostk imposes to obtain those layers, the supporting mechanisms that implement them, and the conformance criteria by which an implementation may be tested.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Throughout this document, "the kernel" refers to the ostk kernel substrate (the in-process library and the supervising daemon), and "an implementation" refers to a build of the ostk source tree claiming conformance to this document. Statements without RFC 2119 keywords are descriptive.

1.2. Terminology

Owner.
The process — identified by (pid, started_at, build_id, host) — that wrote a piece of .ostk/ state.
Reap.
Atomic removal of state whose owner is dead, via rename(2) into the graveyard followed by deferred unlink.
Anchor.
The single per-project-root ostk daemon process holding .ostk/anchor.lock.
Supervisor.
A process (ostk init, launchd, or systemd) that owns a listening socket and is responsible for orphan reaping and anchor fencing.
Kernel RPC.
Any call into the ostk kernel from a client (CLI, MCP server, embedded agent loop, TUI).
Signal.
A numbered coordination primitive from the closed table defined in Section 4.5. ostk signals are NOT OS signals; they are envelope-level coordination delivered over the kernel UDS.
Handle generation.
A monotonic counter (gen) appended to every reusable handle ID such that (id, gen) uniquely identifies a resource instance across its entire lifetime.
Fencing token.
Monotonic token returned by the anchor on handle acquisition; subsequent operations that present a stale token are rejected.

1.3. Document Structure

Section 2 sketches the architecture. Section 3 defines the process model. Section 4 enumerates seven normative invariants. Section 5 specifies the syscall-shaped surface. Section 6 contains worked examples. Section 7 defines conformance. Section 8 lists security considerations. Section 9 collects references. Section 10 describes the revision procedure. Appendix A captures non-normative notes and future work.

2. Architecture Overview

An ostk deployment on a single host consists of:

  • A project root — a directory containing a .ostk/ subdirectory, which holds all kernel state.
  • An anchor — the single ostk daemon process per project root, holding .ostk/anchor.lock and serving kernel RPCs over a Unix domain socket.
  • Zero or more agents — processes spawned under the anchor that perform work and write state.
  • An optional supervisor (ostk init) — a long-running process that runs the subreaper loop, fences anchor-lock losers, and adopts orphaned agents. The subreaper role is also the boot-time scope of the anchor itself when no supervisor is present.

All kernel state is path-addressable under .ostk/. All cross-process coordination crosses one of two boundaries: the anchor's UDS (for kernel RPCs) or the journal (an append-only audit chain at .ostk/journal.jsonl). The kernel is auditable with jq, grep, and git; this is a design constraint, not an accident.

3. Process Model

3.1. Anchors and Agents

An implementation SHALL ensure that at most one anchor process holds .ostk/anchor.lock at any time per project root. Anchor lock acquisition is non-blocking (flock(LOCK_EX | LOCK_NB)); a process that observes the lock held SHALL either fail with a structured error or, where a supervisor is running, be fenced by the supervisor. Section 4.6 (Invariant VI) makes this normative.

Agents are spawned by the anchor and recorded in .ostk/fleet/. Each spawned agent has a unique alias and an AgentHandle carrying its identity. The relationship between alias, handle, and the underlying process is governed by Invariants II and VII.

3.2. Lifecycle

Each agent passes through a documented lifecycle. An implementation SHALL emit an audit row at each transition:

  • spawningspawnedrunning
  • runningfrozen (entered on SIGFREEZE; exited on SIGRESUME)
  • runningexitingreaped

Signals delivered to an agent in state spawning SHALL be queued and dispatched on the transition to spawned. Signals delivered to an agent in state exiting or reaped SHALL return SignalTargetGone. SIGRESUME SHALL be dispatched immediately to an agent in state frozen; SIGKILL SHALL bypass the queue per its uncatchable semantics. See Section 4.5.

3.3. Process Identity

Every agent carries an Owner record — (pid, started_us, build_id, host) — that uniquely identifies the writing process across its entire lifetime, including across PID reuse. The pair (pid, started_us) defeats PID-reuse races: a recycled PID has a different proc_start_micros, so liveness checks fail closed.

The full Unix process-identity quad (pid, ppid, pgid, sid) is described as future work in Appendix A.1: the implementation currently records pid and ppid via the Owner record but does not yet thread pgid/sid through every audit row.

4. Invariants

An implementation conforming to this document SHALL satisfy each of the seven invariants in this section. Each invariant is given a short name, a normative statement, a non-normative rationale, a non-normative consequence (when violation has system-level impact), and one or more illustrative examples.

4.1. Invariant I: Bounded Wait

Statement. Every operation in the ostk kernel API that can block MUST accept a deadline. Any code path whose documented semantics include "wait forever" is a specification violation.

Rationale.

POSIX provides a deadline-bearing sibling for every blocking primitive: select(tv), poll(timeout), pthread_mutex_timedlock, flock(LOCK_NB), connect + alarm, pidfd + ppoll. Userspace inherits none of these by default. Without an explicit deadline contract, a stale daemon, a wedged file lock, or a mis-framed RPC will hang the caller.

Consequence.

The kernel exposes DeadlineError with structured fields (op, deadline, elapsed, holder, remediation). The remediation field SHALL be a literal shell command an operator can paste verbatim.

Example.

A blocking RPC with a 2-second deadline returns a structured error if the holder is stuck:

DeadlineError
{
    "op":          "agents.spawn",
    "deadline":    "2s",
    "elapsed":     "2.013s",
    "holder":      {"pid":12345,"started_us":1761539600123456},
    "remediation": "kill 12345"
}

4.2. Invariant II: Owned State

Statement. Every mutable artifact the kernel reads or writes under .ostk/ MUST carry an ownership record identifying the creating process. Every reader MUST verify owner liveness before trusting the contents. State whose owner is dead MUST be reaped atomically before re-use.

Rationale.

POSIX enforces ownership at the OS level: file locks, open file descriptors, and process IDs are tagged by the kernel and released when the owning process dies. Userspace state files have none of those guarantees by default. Owned State adds them explicitly.

Record format.

Textual files (JSONL, TOML, plaintext) SHALL carry a two-line prefix:

.ostk/<file> (textual header)
# ostk-owner v1 pid=<pid> started_at=<ISO8601> build_id=<hex16> host=<hostname>
# ostk-owner-end
<file content>

Binary files SHALL carry a 64-byte fixed prefix beginning with magic b"OSTKOWN1" and containing pid, started_us, build_id, and hostname.

Liveness check.

An implementation SHALL test owner liveness via:

kernel/ownership.rs::Owner::is_alive
kill_zero(self.pid)
    && proc_start_micros(self.pid) == Some(self.started_us)

The kill(pid, 0) probe tests existence; the started_us equality defeats PID-reuse races.

Reader contract.

Every function that reads .ostk/ state SHALL: (1) parse the owner record and reject unowned state with Error::Unowned; (2) call owner.is_alive(); (3) if dead, reap_one(path) — rename into .ostk/graveyard/; (4) if alive, return contents.

Fail-closed write.

Implementations MUST refuse to write a header when proc_start_micros(pid) returns failure. A header without a verifiable started_us is unowned, not degraded; falling through to wallclock-now would create silently self-fenced records.

4.3. Invariant III: Subreaper

Statement. An ostk deployment MUST run exactly one subreaper process whose responsibility is walking .ostk/ state and reaping artifacts whose owner is dead. The singleton property MUST be enforced via OS flock on a dedicated lock file. No other kernel subsystem MAY perform background reaping.

Rationale.

Without a single reaper, two processes could race to rename the same dead-owner file. The OS flock on the subreaper's lock file is auto-released when the holding process exits for any reason; the same Owned State fallback that protects every other artifact protects the subreaper itself.

Reap atomicity.

Reap SHALL be implemented as rename(path, .ostk/graveyard/<unix_micros>-<basename>). .ostk/ MUST reside on a single filesystem so that rename is atomic; cross-filesystem layouts SHALL be rejected at startup and on every per-rename check (Section 4.4).

Build-id orphan adoption.

Before the first reap pass, the supervisor SHALL walk .ostk/ and adopt every file whose owner header has build_id == current_build_id AND is_alive() == false. Adoption rewrites the owner header in place to name the running supervisor's pid, exactly once per file per boot, and emits one audit row carrying the prior dead owner's identity for forensics. Adoption is not a liveness exemption: post-adoption, the standard reader contract applies.

4.4. Invariant IV: Root Namespace Isolation

Statement. Every code path that resolves .ostk/ MUST route through a single state_dir(root) function. Under cfg(test) or when OSTK_TEST=1 is set, state_dir(None) SHALL panic if OSTK_STATE_DIR is unset, and SHALL panic if OSTK_STATE_DIR is not an absolute path. Resolving to the project git root in a test context is a specification violation.

Rationale.

The hazard class RNI closes is substrate corruption from inside the same process tree: a test process that resolves .ostk/ to the live project would write audit rows, take locks, and reap state belonging to the production fleet. Userspace cannot rely on the OS to prevent this; the kernel MUST.

Single-filesystem requirement.

  1. Startup check. The implementation SHALL verify on init that the resolved .ostk/ root and the graveyard target reside on the same filesystem (equal stat.st_dev); on mismatch, init SHALL refuse to start with StateDirCrossFilesystem.
  2. Per-rename check. Immediately before each rename(src, graveyard_dst), the reaper SHALL stat(src) and verify src.st_dev == graveyard_dst.parent.st_dev; on mismatch, the reaper SHALL refuse the operation. This catches bind-mounts introduced inside .ostk/ after the startup check.

Test helper.

An implementation SHOULD provide an OstkTestRoot::new() helper that returns a configured tempfile::TempDir, sets OSTK_STATE_DIR to its path, and on Drop restores the prior value of the env var.

4.5. Invariant V: Signal Table Closure

Statement. All cross-process coordination MUST be expressible as a signal from a closed, numbered table. Ad-hoc per-call-site cancel, redirect, or pause mechanisms are specification violations and SHALL be re-expressed as signals against the table below. Amendments SHALL be additive; signal numbers SHALL NOT be renumbered.

Rationale.

Signal Table Closure depends on Bounded Wait: a signal handler that can hang is a specification violation that subsumes its containing signal. ostk signals are NOT OS signals; they are envelope-level coordination delivered over the kernel UDS, which decouples them from OS-signal handling restrictions (re-entrancy, async-signal-safe set) and lets handlers run normal code with full access to allocators and async runtimes.

Canonical table.

# Name Catchable Semantics
1SIGCANCELyesGraceful stop at next checkpoint; unwind cleanly; write agent.cancelled row.
2SIGREDIRECTyesInject a user message via the side-channel payload; continue from current turn.
3SIGRELOADyesRe-read Agentfile and kernel registers; keep pid and open handles.
4SIGFREEZEyesPause at next checkpoint; remain addressable; no turns until resume.
5SIGRESUMEn/aResume from freeze (delivered to a frozen process only).
6SIGHUPyesControlling session detached; reconfigure (redial proxy, re-open logs).
7SIGQUOTAyesBudget warning crossed; agent SHOULD wrap up its current intent.
8SIGBAILyesOperator-issued bail; agent writes a bail row and exits.
9SIGSTOPnoDaemon-level freeze for migration / standby handoff.
15SIGTERMyesAsk the agent process to exit gracefully.
63SIGKILLnoFence; uncatchable; watchdog writes agent.fenced post-mortem.

Delivery to lifecycle states.

  • Signals to spawning SHALL be queued and dispatched on transition to spawned; they MUST NOT be dispatched against a partial identity.
  • Signals to frozen SHALL be queued; SIGRESUME and SIGKILL are the only exceptions.
  • Signals to exiting or reaped SHALL return SignalTargetGone with the agent's last known identity in the error.

4.6. Invariant VI: Anchor Exclusivity

Statement. Every project root MUST have at most one active anchor daemon at any time. A process that attempts to acquire .ostk/anchor.lock while another anchor holds it SHALL either fail immediately with a structured error (when no supervisor is running) or be fenced by the supervisor (when one is). The enforcement path SHALL be observable via the audit journal.

Rationale.

Without exclusivity, two anchors could write to .ostk/journal.jsonl concurrently, producing inconsistent hash chains and rendering audit verification untenable. Anchor Exclusivity does not say "only one process may attempt to acquire the lock"; it says that at most one may hold it. Contention is the mechanism by which the invariant is enforced.

Fencing tokens.

Every kernel RPC response from the anchor SHALL carry an anchor_epoch — a monotonic counter incremented on every anchor start. Clients that observe a strictly lower epoch than the last received one SHALL treat the in-flight operation as OperationRetryable and reconnect via the supervisor's listening socket. The anchor_epoch appears on every response frame, not only on the handshake; this prevents a zombie anchor from serving stale responses on an already-accepted connection.

4.7. Invariant VII: Handle Lifetime Uniqueness

Statement. A handle identifier (alias, page-id, subscription-id, any resource ID that can be cycled) MUST NOT be reused for a new resource until every handle referencing the prior resource has been closed or fenced. Handles MUST carry a monotonic generation counter (gen) such that (id, gen) uniquely identifies a resource instance across its entire lifetime, including through reap-reallocate cycles.

Rationale.

POSIX itself violates Handle Lifetime Uniqueness for PIDs — PID reuse is real, which is why Owned State (Section 4.2) uses (pid, started_us) to disambiguate. Every userspace system that cares pays the tax in fencing tokens, generation counters, or pidfd-style handles. ostk extends the same discipline to all reusable handle types.

Reader discipline.

A client that caches a handle MUST re-validate the gen before operating on it. The kernel exposes a structured HandleStale error carrying both the seen and current gen; clients SHALL surface this error rather than retrying silently against the new resource.

5. Syscall Surface

The kernel exposes a small set of structured errors and a deadline-bearing RPC contract. The error surface is normative; alternative implementations satisfying the same invariants MAY use different error names but MUST preserve the field semantics.

kernel/error.rs::KernelError
pub enum KernelError {
    Deadline(DeadlineError),                                          // §4.1
    StaleOwner { path, owner, remediation },                          // §4.2
    Unowned { path, remediation },                                    // §4.2 migration
    Reaped { path, owner, when },                                     // §4.3
    NoStateDir { remediation },                                       // §4.4
    StateDirCrossFilesystem { path, remediation },                    // §4.4
    SignalUnknown { name, table },                                    // §4.5
    SignalTargetGone { target, last_owner },                          // §4.5 lifecycle
    AnchorFenced { winner_pid, remediation },                         // §4.6
    AnchorEpochStale { client_epoch, server_epoch, remediation },     // §4.6
    HandleStale { handle_id, seen_gen, current_gen },                 // §4.7
    OperationRetryable { new_socket, new_epoch },                     // §4.6
}

The mapping from kernel-level requirements to underlying OS primitives is:

Requirement Linux macOS / BSD Fallback
Bounded connectconnect + SO_SNDTIMEOsameO_NONBLOCK + select loop
Bounded lock acquirefcntl(F_OFD_SETLKW)flock(LOCK_NB) + deadline loopLOCK_NB + bounded sleep
PID-death notificationpidfd_open + pollkqueue EVFILT_PROCpoll kill(pid, 0)
Process livenesskill(pid, 0)samesame
Process start-time/proc/<pid>/stat field 22proc_pidinfofail closed
Atomic file moverename (single-fs only)samesame
Single-fs checkstat.st_dev comparesamesame
Signal delivery to agentUDS frame; not OS signalsamesame
Fencing tokenmonotonic u64 per anchor startsamesame

6. Examples

The examples in this section are illustrative. Exact CLI surface is governed by the kernel ABI and may evolve; see Section 1.2.

Example 1: reading state with a dead owner.

reader contract (§4.2)
let raw = fs::read(&path)?;
let (header, body) = parse_owner_header(&raw)?;          // §4.2 parse
if !header.is_alive() {                                    // §4.2 check
    reap_one(&path)?;                                    // §4.2/§4.3 rename
    return Err(KernelError::Reaped { path, owner: header, when: now() });
}
Ok(body)

Example 2: bounded RPC with deadline.

bounded kernel call (§4.1)
let resp = client
    .call("agents.spawn", payload, Duration::from_secs(2))   // §4.1
    .await?;
verify_anchor_epoch(&resp)?;                                 // §4.6

Example 3: signal table inspection.

The closed table is exposed by the kernel; an unknown signal name returns a structured error including the canonical table:

SignalUnknown error
SignalUnknown {
    name: "SIGFOO",
    table: [
        ("SIGCANCEL", 1), ("SIGREDIRECT", 2), ("SIGRELOAD", 3),
        ("SIGFREEZE", 4), ("SIGRESUME", 5),  ("SIGHUP", 6),
        ("SIGQUOTA", 7),  ("SIGBAIL", 8),    ("SIGSTOP", 9),
        ("SIGTERM", 15),  ("SIGKILL", 63),
    ],
}

Example 4: handle generation.

kernel/handle_gen.rs::validate
// Client cached alias "alpha" at gen=3.
match validate(&state_dir, "agent", "alpha", 3) {
    Ok(()) => /* still gen 3; safe to use */,
    Err(KernelError::HandleStale { seen_gen, current_gen, .. }) => {
        // resource was reaped and recreated; current_gen > seen_gen
    }
    Err(other) => return Err(other),
}

7. Conformance

An implementation conforms to this specification when it satisfies every normative (MUST / SHALL / REQUIRED) statement in Sections 1 through 5. Statements using SHOULD / RECOMMENDED are non-normative guidance; statements in Appendix A are non-normative future work and are not part of conformance.

Conformance is partitioned into two levels:

  • Core Conformance. Sections 4.1 (Bounded Wait), 4.2 (Owned State), 4.3 (Subreaper), 4.4 (Root Namespace Isolation), and 4.7 (Handle Lifetime Uniqueness). The reference implementation enforces these in src/kernel/deadline.rs, src/kernel/ownership.rs, src/kernel/init_subreap.rs, src/util/paths.rs, and src/kernel/handle_gen.rs respectively.
  • Extended Conformance. Sections 4.5 (Signal Table Closure) and 4.6 (Anchor Exclusivity). The reference implementation enforces these in src/kernel/signals.rs and src/kernel/anchor.rs respectively. Extended Conformance subsumes Core Conformance.

The journal verification primitive at ostk audit verify is the canonical conformance test surface for the audit-chain properties referenced in Sections 4.2 and 4.3: an implementation under test SHOULD be exercised against a synthetic incident, and ostk audit verify SHOULD return a clean result on the recovered state. The verification primitive is implemented at src/commands/journal.rs.

An implementation that claims conformance SHOULD list the source-tree paths that enforce each invariant in its release notes; readers verifying conformance can audit those paths directly.

8. Security Considerations

8.1. Threat Model.

This document specifies a single-host coordination kernel. The threat model assumes (a) the local user is trusted with respect to their own .ostk/; (b) other local processes outside the trust boundary may attempt to cause hangs, lock contention, or audit-chain corruption; (c) operating-system features (file permissions, process isolation, filesystem semantics) are reliable.

8.2. Properties This Specification Addresses.

  • Resource exhaustion via hangs. The Bounded Wait invariant (Section 4.1) ensures every kernel operation has a deadline, eliminating the indefinite-block class.
  • Stale-state corruption. Owned State (Section 4.2) ensures that any artifact whose creating process is dead is reaped before re-use. (pid, started_us) ownership defeats PID-reuse races.
  • Test-substrate contamination. Root Namespace Isolation (Section 4.4) prevents test processes from corrupting the live .ostk/ by failing closed when an explicit root is not provided.
  • Concurrent-anchor split-brain. Anchor Exclusivity (Section 4.6) ensures that at most one anchor holds the lock per project root; concurrent attempts are either rejected or fenced. Per-response anchor_epoch closes the zombie-anchor mid-stream window.
  • Stale-handle confusion. Handle Lifetime Uniqueness (Section 4.7) ensures cached handle identifiers cannot silently address the wrong resource: HandleStale is raised on any post-reap reuse.

8.3. Properties This Specification Does NOT Address.

The following are out of scope and are addressed by other specifications, or are explicitly future work:

  • Cross-host coordination. Federation across hosts requires a separate trust and transport model.
  • Distributed consensus. No quorum protocol is specified; single-host guarantees only.
  • Capability-pin escapes. Capability-pin enforcement and policy are documented in companion documents on the trust model and capability pins; this specification only requires that pin enforcement integrates with the audit journal.
  • Audit-chain signing and key rotation. The journal hash chain is specified here; signing keys, rotation, and revocation are governed by the attestation envelope (OAE) specification, not this document.
  • Identity spoofing within a single trust graph. Out of scope; the trust model document handles identity tier graduation and revocation.
  • Replay attacks. The kernel relies on the journal's hash chain plus per-response anchor_epoch to detect replay across anchor rotations; cross-host replay is not in scope.
  • Network attackers. No network surface is specified; clients connect to the kernel via local Unix domain sockets.

8.4. Known Gaps.

The full POSIX process-identity quad (pid, ppid, pgid, sid) is not yet enforced on every audit row (see Appendix A.1). Consumers that require process-group-level kill semantics SHOULD treat process-group operations as best-effort until that work lands. The Connection Continuity property described in Appendix A.3 is partially implemented as the OperationRetryable error variant; transparent client reconnection is not currently a kernel guarantee.

9. References

9.1. Normative References

  • [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, https://www.rfc-editor.org/info/rfc2119.
  • [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, May 2017, https://www.rfc-editor.org/info/rfc8174.
  • [POSIX.1-2024] IEEE and The Open Group, "IEEE Standard for Information Technology — Portable Operating System Interface (POSIX) Base Specifications, Issue 8", IEEE Std 1003.1-2024.
  • [ostk-source] ostk reference implementation, https://github.com/os-tack/ostk.ai. Sections cited above point at file paths in this tree.

9.2. Informative References

  • Linux pidfd_open(2), pidfd_send_signal(2) — kernel 5.3+.
  • FreeBSD / macOS kqueue(2), EVFILT_PROC with NOTE_EXIT.
  • flock(2), fcntl(2) — advisory file locking.
  • systemd.socket(5) and launchd.plist(5) — supervisor-owned listening sockets.
  • FUSE: libfuse(3), the Rust fuser crate.
  • Kleppmann, M., "How to do distributed locking" (2016) — fencing tokens.
  • Plan 9 from Bell Labs — "everything is a file" namespace doctrine.
  • FreeBSD capsicum(4) — capability-mode filesystem access.
  • Companion ostk specifications: Kernel Specification, Five Laws, Coordination Primitives, Trust Model.

10. Revision Procedure

This document is versioned alongside the ostk reference implementation. A revision SHALL bump the document version, list the substantive changes, and (where the change is normative) cite the implementing change in the source tree. Revisions that promote an Appendix A entry to a normative section SHALL be accompanied by tests demonstrating enforcement.

Revisions that retract a normative requirement SHALL document the prior wording in an "Acknowledged Failure Modes" entry so the public record of the kernel's design errors remains intact.

Appendix A. Non-Normative Notes (Future Work)

This appendix collects properties described in the working draft that are not yet enforced by the ostk 4.5.0 reference implementation. Conformance to this document does not require any of the following. A future revision MAY promote these to normative sections.

A.1. Process Identity Quad — Not Yet Implemented

The working draft specifies that every agent SHALL carry the full Unix process-identity quad (pid, ppid, pgid, sid) on every audit row that mentions it. The 4.5.0 implementation records pid and (via the supervisor adoption protocol) ppid, but does not yet thread pgid and sid through the agent-state schema. New verbs of the shape ostk ps, ostk pstree, and ostk pkill -g <pgid> depend on this work landing.

A.2. VFS Mount of /ostk — Partially Implemented

The working draft specifies that every kernel-visible resource SHALL have both a stable filesystem path under /ostk/… and a serializable handle. The 4.5.0 implementation defines the namespace in src/kernel/vfs/namespace.rs and the lifecycle in src/kernel/vfs/lifecycle.rs, but the FUSE mount that exposes the namespace at the OS level is gated behind a Cargo feature and is not yet a stability-promised surface. Once the FUSE layer ships unfeatured, this property will be promoted to a normative invariant.

A.3. Connection Continuity — Partially Implemented

The working draft specifies that a client holding a valid kernel handle SHALL continue to make progress after the serving anchor is replaced, without re-establishing state. The 4.5.0 implementation defines the OperationRetryable and AnchorEpochStale error variants and includes a server-side reconnect_with_replay path, but a fully transparent client reconnect library is future work. Until that ships, an anchor swap during an in-flight operation MAY surface as a typed error rather than a transparent retry.

A.4. Recovery Protocol — Implemented; Promotion Pending

The working draft specifies a recovery protocol for operator-acknowledged audit-chain breaks: a journal.reset row format with a discontinuous-genesis prev-hash sentinel, an ostk init --assess --dry-run reporter, and the inverse-direction ostk recovery graveyard plan / adopt verbs. The 4.5.0 implementation ships these (see src/main.rs, src/kernel/recovery_v22.rs, src/kernel/migrate_legacy.rs) but their on-wire formats are still subject to revision and are therefore not yet normative.

A.5. Migration Windowing — Implemented; Operator Surface Stabilizing

Phased rollout policy specifies hard cutover at the introducing phase plus an in-process migration walk performed as the first action of ostk init start. The implementation lives in src/kernel/migrate_legacy.rs; migration walker and reaper walker share a SKIP_NAMES contract. Operator-facing migration ergonomics continue to evolve and are not yet locked into this specification.