The Operating System
Built for AI Agents
Not a framework. Not a container. Not a toy.
A single Rust binary that is the entire operating system userspace.
Autonomous agents are running on
architecturally unsafe foundations.
Shared Filesystems
Current agent frameworks give every agent access to the same filesystem. A compromised agent can read, modify, or delete any other agent's data. There are no boundaries — just hope.
Plaintext Secrets
API keys in .env files. Credentials passed as environment variables. One prompt injection and every secret on the system is exfiltrated. This isn't a hypothetical — it happens daily.
No Resource Limits
Agents can consume unlimited CPU, memory, and network bandwidth. A single runaway agent can take down the entire system. There's no isolation, no quotas, no governance.
npm-scale Supply Chain
Thousands of transitive dependencies, each a potential attack vector. Agent skills built on npm packages with arbitrary code execution. You can't audit what you can't see.
These aren't edge cases. They're the default architecture of every major agent platform shipping today.
Security isn't a feature.
It's the design constraint.
Single Binary, Entire Userspace
One statically-linked Rust binary replaces the entire OS userspace. No shell. No coreutils. No package manager. No interpreter. After the kernel boots, there is /octant — and nothing else. The attack surface isn't minimised. It's eliminated.
Capability Manifests
Every agent operates under a cryptographically signed manifest that defines exactly what it can see, touch, execute, and communicate with. Default-deny everything. Allow only what's explicitly granted. The manifest drives namespace isolation, syscall filtering, network rules, credential scoping, and resource limits — all from a single TOML document.
10-Layer Defence Stack
Hardware identity. Verified boot. Immutable root filesystem. Rust memory safety. Agent identity with lineage tracking. Linux namespace isolation. Per-agent seccomp-BPF syscall filtering. AES-256-GCM encrypted credentials vault. SHA-256 hash-chain tamper-evident audit ledger. Multi-model parliamentary governance. Each layer assumes every other layer has failed.
Tamper-Evident Audit Trail
Every agent action is recorded as a semantic event in a SHA-256 hash chain. Not raw syscalls — meaningful, queryable records: "sysadmin-nginx read /var/log/nginx/error.log". Delete or modify any entry and the chain breaks. You can't cover tracks that are cryptographically linked.
OpenClaw, ClawdBot, MoltBot —
cool demos, dangerous defaults.
Let's be clear: projects like OpenClaw, ClawdBot, and MoltBot are genuinely interesting. They've captured the imagination of developers who want autonomous agents that can actually do things — browse, code, manage servers, interact with the real world.
The problem isn't the vision. The problem is the architecture. These frameworks bolt agent capabilities onto systems designed for human operation, then hope the LLM doesn't do anything stupid. When it inevitably does — and prompt injection guarantees it will — there is nothing between the compromised agent and your entire system.
A toy that works in a demo becomes a liability in production.
| Attack Vector | Typical Agent Frameworks | OctantOS |
|---|---|---|
| Prompt injection → shell | Full shell access via agent | Namespace + seccomp filtered execution |
| Malicious skills/plugins | npm packages with system access | Compiled signed binaries, no interpreter |
| Credentials | Plaintext .env files | AES-256-GCM vault, scoped tokens |
| Lateral movement | Shared filesystem, shared user | Separate namespaces per agent |
| Supply chain | npm dependency chain | Single binary + signed packages |
| Audit trail | Minimal logging | Hash-chain tamper-evident ledger |
| OS modification | User write access to everything | Immutable root, dm-verity verified |
| Resource exhaustion | No per-agent limits | cgroup v2 hard limits per agent |
This isn't about bashing open-source projects. It's about recognising that autonomous agents represent a fundamentally new security challenge that requires a fundamentally new architecture. You wouldn't run a nuclear power plant on Windows XP. You shouldn't run autonomous agents on frameworks that store secrets in plaintext.
From hardware to operator.
One binary, every layer.
/octant— single statically-linked Rust binaryAfter the kernel transfers control to /octant, there is no other software on the system. No shell. No coreutils. No package manager. No interpreter. Every capability is compiled into the single binary.
Source-available.
Not open source. Here's why.
The trust model breaks if anyone can fork it.
OctantOS's security depends on signed manifests, verified boot chains, a curated package repository, and a tamper-evident audit trail. If the source is fully open, anyone can strip those guarantees, rebuild the binary, and call it "OctantOS" — but without the security properties that make it worth using.
We're not hiding code. We're protecting a trust chain.
What's transparent
- Complete architecture documentation — publicly available, no NDA
- Security model — fully documented, independently auditable
- Manifest specification — open format, no lock-in
- Select components open-sourced — coreutils, common types, tooling
- Source inspection for partners and enterprise customers under agreement
What's protected
- Core runtime binary — the signed artifact that guarantees security properties
- Proprietary integrations — LLM routing, distributed mesh, governance engine
- The ability to rebuild a version that bypasses the security model
This is the same approach taken by HashiCorp, Elastic, MongoDB, and others who've learned that for infrastructure and security products, the market understands the difference between transparency and giving away the keys to the castle. We believe in open documentation, open standards, and a closed trust chain.
Interested in what we're building?
OctantOS is under active development. We're looking for early design partners, infrastructure teams who are tired of duct-taping security onto agent frameworks, and anyone who thinks autonomous agents deserve a proper operating system.