Security
Security in Nexus OS is not a feature — it is the architecture. Every component, every interface, every communication channel is designed around capability-based access control, cryptographic provenance, and least-privilege enforcement.
Design Principles
No Default Access
Nothing is accessible unless explicitly granted. A fiber starts with zero capabilities. It must be granted specific capabilities (console access, network access, filesystem access) through its boot manifest or by a parent fiber.
One-Way Ratchet
Capabilities can only shrink, never grow. Once a fiber pledges to a restricted capability set, it cannot acquire new capabilities. This is enforced by hardware privilege levels.
Crash ≠ Compromise
A crashed fiber is killed and restarted from its signed binary. Its state is recovered from ProvChain checkpoints. A crash is a reliability event, not a security event.
Everything Is Auditable
Every capability grant, every pledge restriction, every module load, every boot event is logged to the ProvChain ledger. `nexus verify` can check any running system against its audit trail.
Components
- Capability Algebra — The 7 primitive operations that govern all access control
- Pledge System — OpenBSD-style capability restriction with hardware enforcement
- Kinetic Economy — Energy-budget DoS prevention
Security Stack
```text
┌──────────────────────────────┐
│ ProvChain                    │ Immutable audit trail
│ BLAKE3 + Ed25519             │ Every event logged
├──────────────────────────────┤
│ Pledge / Unveil              │ Process-level restriction
│ One-way capability ratchet   │ Hardware-enforced
├──────────────────────────────┤
│ CSpace                       │ Per-fiber capability set
│ 64 slots, typed channels     │ Kernel-managed
├──────────────────────────────┤
│ Capability Algebra           │ 7 primitive verbs
│ SPAWN SEND RECV MAP MASK     │ Foundation layer
│ TICK GRANT                   │
├──────────────────────────────┤
│ Kinetic Economy              │ Energy budgets
│ 3-strike ratchet             │ DoS prevention
├──────────────────────────────┤
│ Hardware Isolation           │ PMP / MPU / MMU
│ Privilege modes (M/S/U)      │ Physical enforcement
└──────────────────────────────┘
```

ProvChain
ProvChain is the cryptographic audit ledger that records every significant system event:
| Event | What's Logged |
|---|---|
| Boot | Hardware fingerprint, kernel hash, timestamp |
| Module load | NPL Variant-CID, pledge mask, capability grants |
| Capability grant | Source fiber, target fiber, capability type |
| Pledge restriction | Fiber ID, old mask, new mask |
| Crash/restart | Fiber ID, fault type, restart count |
Each entry is signed with Ed25519 and chained with BLAKE3 hashes. Tampering with any entry invalidates the entire chain from that point forward.
TOFU+ Trust Establishment
For network peers, Nexus uses Trust On First Use Plus (TOFU+) with key pinning:
- First contact: Exchange Ed25519 public keys
- Pin: Store the peer's key in the local trust store
- Verify: All subsequent communication verified against the pinned key
- Airlock: Unknown peers enter a quarantine zone before being granted access
This eliminates dependency on certificate authorities while providing strong identity assurance.