Glossary

Key terms used throughout Nexus OS documentation.

Core Concepts

| Term | Definition |
|---|---|
| Rumpk | The Nexus sovereign unikernel kernel. Zig HAL + Nim logic. 280KB, 12 syscalls. |
| Rumkv | Type-1 hypervisor layer operating at EL2 (ARM64), Ring-1 (x86), or M-Mode (RISC-V). |
| ION Ring | Lock-free single-producer/single-consumer ring buffer used for all IPC. |
| SysTable | Fixed ABI contract at a known physical address (0x83000000 on RISC-V, 0x50000000 on ARM64). 240 bytes. Never changes. |
| Fiber | Cooperative execution context within the kernel. Not a thread — no preemptive multitasking at kernel level. |
| Membrane | The libnexus.a compatibility layer. A "biosuit" that wraps POSIX calls and routes them through sovereign abstractions. |
| ProvChain | Cryptographic audit ledger using BLAKE3 + Ed25519. Records every boot, module load, and state change. |
| Grafting | Strategic borrowing of code from Linux/BSD ecosystems, wrapped in sovereign abstractions and security constraints. |
| Sovereignize | The process of replacing grafted foreign code with native Nexus implementations. |

Package Taxonomy

| Type | Name | Purpose | Example |
|---|---|---|---|
| NPS | Nip Sensor | Single-purpose sensor firmware | Temperature probe |
| NPL | Nip Library | Drivers and filters in isolated VMs | WiFi driver, printer driver |
| NPX | Nip eXtension | Hot-loadable hooks (eBPF replacement) | Packet filter, tracing |
| NPM | Nip Module | Pure logic libraries | Orbital math, crypto |
| NPK | Nip Package | End-user applications | Firefox, KDE |
| NPI | Nip Interface | API bridges | HTTP adapter, gRPC |

Isolation

| Term | Definition |
|---|---|
| NipCell | Lightweight isolation container. GoboLinux-style symlink isolation. The "Flatpak killer". |
| Nexter | Heavy container using namespace/jail/VM-based isolation. KDL blueprints replace Dockerfiles. |
| CSpace | Capability space. 64 slots per fiber. Each slot holds a typed capability (channel ID + permission mask). |
| Pledge | OpenBSD-style capability restriction. One-way ratchet — once pledged, permissions can only shrink, never grow. |
| Unveil | Filesystem visibility restriction. A process can only see paths it has been explicitly granted access to. |

Security

| Term | Definition |
|---|---|
| Capability Algebra | The 7 primitive operations: SPAWN, SEND, RECV, MAP, MASK, TICK, GRANT. |
| Law of Decay | Capabilities degrade over time and delegation depth. Prevents privilege accumulation. |
| Kinetic Economy | Energy-budget rate limiting. Every operation costs energy. Prevents DoS by exhausting budgets. |
| TOFU+ | Trust On First Use with key pinning. Initial trust establishment for network peers. |
| Airlock | Quarantine zone for untrusted code. New modules enter the airlock before being granted system access. |

Storage

| Term | Definition |
|---|---|
| NexFS | The Nexus filesystem. Dual-axis design: storage class (Atom/Sovereign/Archive) × network scope (Local/Cluster/Federation). |
| CAS | Content-Addressable Store. Files addressed by their BLAKE3 hash, not by path. |
| CDC | Content-Defined Chunking. Files split at content boundaries for efficient deduplication and sync. |
| DAG | Directed Acyclic Graph. Version history stored as a Merkle DAG for efficient branching and merging. |
| TimeWarp | Instant filesystem snapshots using copy-on-write DAG nodes. |
| Sovereign FSH | The Nexus filesystem hierarchy: /Cas, /Nexus, /Cell, /Bus, /Data. Replaces POSIX FHS. |
| Block Valve | The kernel's storage interface. The kernel passes sectors; it does not interpret them. |
| BAM | Block Allocation Map. Tracks free/used blocks in NexFS. |

Network

| Term | Definition |
|---|---|
| NetSwitch | Kernel-level L2 packet demuxer. Routes frames by EtherType to the correct ION Ring. |
| UTCP | Unikernel Transport Control Protocol. Identity-centric, NACK-based sovereign transport. EtherType 0x88B5. |
| LWF | Libertaria Wire Frame protocol. EtherType 0x4C57. Part of the Libertaria protocol stack. |
| CellID | SipHash-128 identity used by UTCP. Nodes dial by CellID, not IP address. |
| LwIP | Lightweight IP stack, grafted from the open-source project and running in userland (Membrane). |

Build System

| Term | Definition |
|---|---|
| KDL | Configuration language used for recipes, manifests, system blueprints, and service definitions. |
| BKDL | Binary KDL. Packed manifests embedded in ELF sections for boot-time parsing. |
| STC | Standard Template Construct. A system profile definition (Tiny, Micro, Core, Fleet, Unikernel). |
| BEB | Boot Extension Block. Updatable microcode that extends Rumpk without modifying its frozen core. |
| Variant-CID | Cryptographic content identifier that uniquely identifies a specific build variant of any artifact. |

Display

| Term | Definition |
|---|---|
| Surface Manager | Sovereign compositor. Zero-copy rendering, 120Hz Photon scheduling. |
| HUD | Heads-Up Display. Visual filesystem interface mounted at /Bus/hud/. |
| SSP | Surface Submission Protocol. How applications submit frames to the compositor. |

Scheduling Spectrums

| Spectrum | Deadline | Use Case |
|---|---|---|
| Photon | 2ms | Interrupt handlers, DMA, real-time I/O |
| Matter | 10ms | Network processing, input events |
| Gravity | 50ms | Background computation, housekeeping |
| Void | Unlimited | Idle tasks, opportunistic work |