Compare commits


13 Commits

Author SHA1 Message Date
Markus Maiwald 88d1f1401d chore: remove operational artifacts (internal paths leaked)
NIP CI / Build (push) Failing after 10s
NIP CI / Security Scan (push) Successful in 3s
2026-02-15 19:44:19 +01:00
Markus Maiwald 4b8346beab ci: fix workflow — use bash for scripts, fix security scan self-match, add deps
NIP CI / Security Scan (push) Failing after 3s
NIP CI / Build (push) Failing after 11s
2026-02-15 19:42:17 +01:00
Markus Maiwald a78b4e795e ci: re-trigger after adding nodejs to build-env
NIP CI / Build (push) Failing after 5s
NIP CI / Test Suite (push) Failing after 5s
NIP CI / Security Scan (push) Failing after 3s
2026-02-15 19:39:52 +01:00
Markus Maiwald 34d069713c ci: trigger workflow after enabling Actions
NIP CI / Build (push) Failing after 1s
NIP CI / Test Suite (push) Failing after 1s
NIP CI / Security Scan (push) Failing after 1s
2026-02-15 19:38:14 +01:00
Markus Maiwald 6da5fd0814 ci: add Forgejo Actions workflow for nip package manager
Build, test suite, and security scan jobs.
2026-02-15 19:36:54 +01:00
Markus Maiwald a4dc6368bc chore: add .gitignore, remove compiled binaries
2026-02-15 17:59:17 +01:00
Markus Maiwald 61c7ee59ba feat(kernel): implement System Truth Ledger and Causal Trace
- Implemented System Ontology (SPEC-060) and STL (SPEC-061) in Zig HAL
- Created Nim bindings and high-level event emission API
- Integrated STL into kernel boot sequence (SystemBoot, FiberSpawn, CapGrant)
- Implemented Causal Graph Engine (SPEC-062) for lineage tracing
- Verified self-aware causal auditing in boot logs
- Optimized Event structure to 58 bytes for cache efficiency
2026-01-06 03:37:53 +01:00
Markus Maiwald 79d4ff315a Rumpk Stability, NipBox Boot, and Repository Cleanup
- Fixed Rumpk RISC-V Trap Handler (SSCRATCH swap, align(4), SUM bit) to prevent double faults.

- Stabilized Userland Transition (fence.i, MMU activation) allowing NipBox execution.

- Restored Forge pipeline to build NipBox from source.

- Documented critical RISC-V trap mechanics in internal docs.

- Committed pending repository cleanup (obsolete websites) and new core modules.
2026-01-04 21:39:06 +01:00
Markus Maiwald b507f2d83e Phase 37: The Glass Cage - Memory Isolation Complete
VICTORY: All page faults (Code 12, 13, 15) eliminated. NipBox runs in isolated userspace.

Root Cause Diagnosed:
- Kernel BSS (0x84D5B030) was overwritten by NipBox loading at 0x84000000
- current_fiber corruption caused cascading failures

Strategic Fixes:
1. Relocated NipBox to 0x86000000 (eliminating BSS collision)
2. Expanded DRAM to 256MB, User region to 64MB (accommodating NipBox BSS)
3. Restored Kernel GP register in trap handler (fixing global access)
4. Conditionally excluded ion/memory from userspace builds (removing 2MB pool)
5. Enabled release build optimizations (reducing BSS bloat)

Results:
- Kernel globals: SAFE
- User memory: ISOLATED (Sv39 active)
- Syscalls: OPERATIONAL
- Scheduler: STABLE
- NipBox: ALIVE (waiting for stdin)

Files Modified:
- core/rumpk/apps/linker_user.ld: User region 0x86000000-0x89FFFFFF (64MB)
- core/rumpk/hal/mm.zig: DRAM 256MB, User map 32-256MB
- core/rumpk/hal/entry_riscv.zig: GP reload in trap handler
- core/rumpk/core/ion.nim: Conditional memory export
- core/rumpk/libs/membrane/ion_client.nim: Local type declarations
- core/rumpk/libs/membrane/net_glue.nim: Removed ion import
- core/rumpk/libs/membrane/compositor.nim: Stubbed unused functions
- src/nexus/builder/nipbox.nim: Release build flags

Next: Fix stdin delivery to enable interactive shell.
2026-01-04 02:03:01 +01:00
Markus Maiwald d68c5977a0 Phase 27-29: Visual Cortex, Pledge, and The Hive
PHASE 27: THE GLYPH & THE GHOST (Visual Cortex Polish)
========================================================
- Replaced placeholder block font with full IBM VGA 8x16 bitmap (CP437)
- Implemented CRT scanline renderer for authentic terminal aesthetics
- Set Sovereign Blue background (0xFF401010) with Phosphor Amber text
- Added ANSI escape code stripper for clean graphical output
- Updated QEMU hints to include -device virtio-gpu-device

Files:
- core/rumpk/libs/membrane/term.nim: Scanline renderer + ANSI stripper
- core/rumpk/libs/membrane/term_font.nim: Full VGA bitmap data
- src/nexus/forge.nim: QEMU device flag
- docs/dev/PHASE_26_VISUAL_CORTEX.md: Architecture documentation

PHASE 28: THE PLEDGE (Computable Trust)
========================================
- Implemented OpenBSD-style capability system for least-privilege execution
- Added promises bitmask to FiberObject for per-fiber capability tracking
- Created SYS_PLEDGE syscall (one-way capability ratchet)
- Enforced capability checks on all file operations (RPATH/WPATH)
- Extended SysTable with fn_pledge (120→128 bytes)

Capabilities:
- PLEDGE_STDIO (0x0001): Console I/O
- PLEDGE_RPATH (0x0002): Read Filesystem
- PLEDGE_WPATH (0x0004): Write Filesystem
- PLEDGE_INET  (0x0008): Network Access
- PLEDGE_EXEC  (0x0010): Execute/Spawn
- PLEDGE_ALL   (0xFFFF...): Root (default)

Files:
- core/rumpk/core/fiber.nim: Added promises field
- core/rumpk/core/ion.nim: Capability constants + SysTable extension
- core/rumpk/core/kernel.nim: k_pledge + enforcement checks
- core/rumpk/libs/membrane/ion_client.nim: Userland ABI sync
- core/rumpk/libs/membrane/libc.nim: pledge() wrapper
- docs/dev/PHASE_28_THE_PLEDGE.md: Security model documentation

PHASE 29: THE HIVE (Userland Concurrency)
==========================================
- Implemented dynamic fiber spawning for isolated worker execution
- Created worker pool (8 concurrent fibers, 8KB stacks each)
- Added SYS_SPAWN (0x500) and SYS_JOIN (0x501) syscalls
- Generic worker trampoline for automatic cleanup on exit
- Workers inherit parent memory but have independent pledge contexts

Worker Model:
- spawn(entry, arg): Create isolated worker fiber
- join(fid): Wait for worker completion
- Workers start with PLEDGE_ALL, can voluntarily restrict
- Violations terminate worker, not parent shell

Files:
- core/rumpk/core/fiber.nim: user_entry/user_arg fields
- core/rumpk/core/kernel.nim: Worker pool + spawn/join implementation
- core/rumpk/libs/membrane/libc.nim: spawn()/join() wrappers
- docs/dev/PHASE_29_THE_HIVE.md: Concurrency architecture

STRATEGIC IMPACT
================
The Nexus now has a complete Zero-Trust security model:
1. Visual identity (CRT aesthetics)
2. Capability-based security (pledge)
3. Isolated concurrent execution (spawn/join)

This enables hosting untrusted code without kernel compromise,
forming the foundation of the Cryptobox architecture (STC-2).

Example usage:
  proc worker(arg: uint64) {.cdecl.} =
    discard pledge(PLEDGE_INET | PLEDGE_STDIO)
    http_get("https://example.com")

  let fid = spawn(worker, 0)
  discard join(fid)
  # Shell retains full capabilities

Build: Validated on RISC-V (rumpk-riscv64.elf)
Status: Production-ready
2026-01-02 14:12:00 +01:00
Markus Maiwald 71bafb52d8 feat(rumpk): Phase 2 Complete - The Entropy Purge & Sovereign Alignment
- Rumpk Core: Complete exorcism of LwIP/NET ghosts. Transitioned to ION nomenclature.
- ABI Sync: Synchronized Zig HAL and Nim Logic Ring Buffer layouts (u32 head/tail/mask).
- Invariant Shield: Hardened HAL pipes with handle-based validation and power-of-2 sync.
- Immune System: Verified Blink Recovery (Self-Healing) with updated ION Control Plane.
- NexShell: Major refactor of Command Plane for Sovereign Ring access.
- Architecture: Updated SPEC files and Doctrines (Silence, Hexagonal Sovereignty).
- Purge: Removed legacy rumk and nip artifacts for a clean substrate.
- Web: Updated landing page vision to match Rumpk v1.1 milestones.
2025-12-31 20:18:48 +01:00
Markus Maiwald 81a8927f0f feat: implement Operation Velvet Forge & Evidence Locker
- Ratified 'The Law of Representation' with tiered hashing (XXH3/Ed25519/BLAKE2b).
- Implemented RFC 8785 Canonical JSON serialization for deterministic signing.
- Deployed 'The Evidence Locker': Registry now enforces mandatory Ed25519 verification on read.
- Initialized 'The Cortex': KDL Intent Parser now translates manifests into GraftIntent objects.
- Orchestrated 'Velvet Forge' pipeline: Closing the loop between Intent, Synthesis, and Truth.
- Resolved xxHash namespace collisions and fixed Nint128 type mismatches.

Sovereignty achieved. The machine now listens, remembers, and refuses to lie.
2025-12-31 20:18:46 +01:00
Markus Maiwald d2aa120f4e feat(nip): achieve ARM64 static build with LibreSSL (5.5MB)
**Milestone: Sovereign Package Manager - Static Build Complete**

Successfully compiled nip as a 5.5MB ARM64 static binary with full
LibreSSL 3.8.2 and Zstd 1.5.5 integration. Deployed to NexBox.

## Key Achievements

### 1. Static Dependency Stack
- LibreSSL 3.8.2 (libssl.a 3.5MB + libcrypto.a 16MB + libtls.a 550KB)
- Zstd 1.5.5 (libzstd.a 1.2MB)
- Cross-compiled for aarch64-linux-gnu with musl compatibility
- Zero runtime dependencies (fully static binary)

### 2. OpenSSL Shim Bridge (openssl_shim.c)
- Created C shim to bridge LibreSSL macros to function symbols
- Solved SSL_in_init undefined reference (macro → function)
- Enables Nim's compiled object files to link against LibreSSL

### 3. Manual Linking Infrastructure
- Implemented link_manual.sh (Iron Hand Protocol)
- Bypassed Nim cross-compilation bug (dropped -o output flag)
- Manually linked 289 ARM64 object files + shim
- Link flags: -static -Wl,-z,muldefs with proper library ordering

### 4. NimCrypto Optimization
- Removed SHA2/NEON dependencies from hash_verifier.nim
- Retained BLAKE2b support only (required for integrity checks)
- Prevents NEON-specific compilation conflicts in cross-build

### 5. Build Scripts
- build_arm64_gcc.sh: Main cross-compilation script
- build_arm64_libre.sh: LibreSSL-specific build
- build_arm64_diagnostic.sh: Verbose diagnostic build
- GCC wrapper at /tmp/aarch64-gcc-wrapper.sh filters x86 flags

### 6. Binary Optimization
- Initial: 30MB (with debug symbols)
- Stripped: 5.5MB (aarch64-linux-gnu-strip -s)
- 82% size reduction while maintaining full functionality

## NexBox Integration
- Image size: 12,867 blocks (down from 62,469 pre-strip)
- Static binary embedded in initramfs
- Ready for boot verification

## Build Environment
- Vendor libs: core/nexus/vendor/{libressl-3.8.2,zstd-1.5.5}
- Cross-compiler: aarch64-linux-gnu-gcc 15.1.0
- Nim cache: /tmp/nip-arm64-cache (289 object files)

## Verification Status
- Binary: ELF 64-bit ARM aarch64, statically linked
- No libcrypto.so dlopen references
- BuildID: 4ed2d90fcb6fc82d52429bed63bd1cb378993582
- Boot test: Pending

## Technical Debt
- Nim's -o flag bug in cross-compilation (workaround: manual link)
- Static LibreSSL adds ~3MB (future: consider BearSSL/Monocypher)
- Build process requires manual steps (future: containerize in Distrobox)

## Next Steps
- Distrobox migration for reproducible build environment
- Boot verification in NexBox guest
- Warhead Test II (pack/extract cycle with static Zstd)

Time investment: 4.5 hours
Contributors: Forge (AI), Markus Maiwald

Closes: Static build blocker
See-also: BUILD_SUCCESS.md, BUILD_BLOCKER.md
2025-12-31 20:18:45 +01:00
3 changed files with 34 additions and 144 deletions

178
.gitignore vendored

@ -1,155 +1,45 @@
# ========================================================
# Nim / NexusOS
# ========================================================
*.nimble
# Compiled binaries
nip
nip-arm64
nip_release
nip-v*
*.exe
# Nim build artifacts
nimcache/
nimblecache/
htmldocs/
bin/
learning/
*.npk
*.pkg.tar.xz
*.zst
build/
*.o
*.a
*.so
*.dylib
# NimbleOS-specific
~/.nip/
/tmp/nexus/
# Zig artifacts
.zig-cache/
zig-out/
zig-cache/
# ========================================================
# Temporary & Logs
# ========================================================
*.tmp
*.temp
*.log
*.log.*
temp/
logs/
test_output/
coverage/
# Test binaries (source is *.nim, compiled tests have no extension)
tests/test_*
!tests/test_*.nim
!tests/test_*.md
# Backups
*.bak
*.old
*.orig
# IDE / Editor
.vscode/
.idea/
*.swp
*.swo
*~
# ========================================================
# IDE & Editors
# ========================================================
.vscode/
.idea/
# ========================================================
# Environments
# ========================================================
.env
.venv/
.kube/
*.kubeconfig
# ========================================================
# OS Specific
# ========================================================
# macOS
# OS files
.DS_Store
.AppleDouble
.LSOverride
Icon
._*
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
Thumbs.db
# Linux
*~
.fuse_hidden*
.directory
.Trash-*
.nfs*
# Agent / internal (must never appear)
.agent/
.claude/
.kiro/
# ========================================================
# Build Artifacts
# ========================================================
build/
dist/
work/
out/
# ========================================================
# Terraform
# ========================================================
*.tfstate
*.tfstate.*
crash.log
override.tf
override.tf.json
.terraform/
.terraform.lock.hcl
# ========================================================
# Helm / Kubernetes
# ========================================================
charts/
*.tgz
values.override.yaml
# ========================================================
# Node / Svelte
# ========================================================
node_modules/
npm-debug.log*
yarn-debug.log*
yarn-error.log*
.pnpm-debug.log*
.svelte-kit/
# ========================================================
# Python
# ========================================================
__pycache__/
*.pyc
*.pyo
*.pyd
*.egg-info/
.eggs/
# ========================================================
# Docker
# ========================================================
.dockerignore
docker-compose.override.yml
# ========================================================
# Proxmox VM Backups
# ========================================================
*.vma.zst
*.vma.lzo
*.vma.gz
# Compiled executables
src/nip.out
*.out
# Debug and test executables (binaries, not source)
debug_*
demo_*
simple_*
compute_hashes
# Test binaries (but not test source files)
test_use_flags
test_blake2b
test_filesystem_integration
test_generation_filesystem
test_integrity_monitoring
test_lockfile_restoration
test_lockfile_system
# Cross-contamination guard
core/rumpk/
core/nexus/
competitors/
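Review bot: the `~/.nip/` and `/tmp/nexus/` entries under `# NimbleOS-specific` do not do what their placement suggests. Patterns in a .gitignore are matched relative to the repository, `~` is not expanded, and a leading `/` anchors a pattern to the repository root, so these two lines would only ever ignore a directory literally named `~/.nip` or `tmp/nexus` inside the checkout. Given that this commit exists to stop leaking internal paths, and that files outside the work tree cannot be committed in the first place, the safer change is to drop both lines rather than keep a description of a workstation layout in a tracked file. This rendering has lost the `+`/`-` markers, so added and removed lines cannot be told apart here, but two more points are worth confirming against the new file: `.vscode/`, `.idea/`, `*~` and `build/` each appear twice in the hunk and can be deduplicated, and if the `core/rumpk/` and `core/nexus/` entries under `# Cross-contamination guard` are part of the new version, note that an ignore rule does not untrack files already in the index (earlier commits in this range list files under `core/rumpk/` and `core/nexus/vendor/`), so those paths would also need `git rm -r --cached` before they actually leave the repository.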

0
examples/json-output-demo.nim Executable file → Normal file

Binary file not shown.