rumpk/core
Markus Maiwald de6a7499fd Phase 27-29: Visual Cortex, Pledge, and The Hive
PHASE 27: THE GLYPH & THE GHOST (Visual Cortex Polish)
========================================================
- Replaced placeholder block font with full IBM VGA 8x16 bitmap (CP437)
- Implemented CRT scanline renderer for authentic terminal aesthetics
- Set Sovereign Blue background (0xFF401010) with Phosphor Amber text
- Added ANSI escape code stripper for clean graphical output
- Updated QEMU hints to include -device virtio-gpu-device

Files:
- core/rumpk/libs/membrane/term.nim: Scanline renderer + ANSI stripper
- core/rumpk/libs/membrane/term_font.nim: Full VGA bitmap data
- src/nexus/forge.nim: QEMU device flag
- docs/dev/PHASE_26_VISUAL_CORTEX.md: Architecture documentation

PHASE 28: THE PLEDGE (Computable Trust)
========================================
- Implemented OpenBSD-style capability system for least-privilege execution
- Added promises bitmask to FiberObject for per-fiber capability tracking
- Created SYS_PLEDGE syscall (one-way capability ratchet)
- Enforced capability checks on all file operations (RPATH/WPATH)
- Extended SysTable with fn_pledge (120→128 bytes)

Capabilities:
- PLEDGE_STDIO (0x0001): Console I/O
- PLEDGE_RPATH (0x0002): Read Filesystem
- PLEDGE_WPATH (0x0004): Write Filesystem
- PLEDGE_INET  (0x0008): Network Access
- PLEDGE_EXEC  (0x0010): Execute/Spawn
- PLEDGE_ALL   (0xFFFF...): Root (default)

Files:
- core/rumpk/core/fiber.nim: Added promises field
- core/rumpk/core/ion.nim: Capability constants + SysTable extension
- core/rumpk/core/kernel.nim: k_pledge + enforcement checks
- core/rumpk/libs/membrane/ion_client.nim: Userland ABI sync
- core/rumpk/libs/membrane/libc.nim: pledge() wrapper
- docs/dev/PHASE_28_THE_PLEDGE.md: Security model documentation

PHASE 29: THE HIVE (Userland Concurrency)
==========================================
- Implemented dynamic fiber spawning for isolated worker execution
- Created worker pool (8 concurrent fibers, 8KB stacks each)
- Added SYS_SPAWN (0x500) and SYS_JOIN (0x501) syscalls
- Generic worker trampoline for automatic cleanup on exit
- Workers inherit parent memory but have independent pledge contexts

Worker Model:
- spawn(entry, arg): Create isolated worker fiber
- join(fid): Wait for worker completion
- Workers start with PLEDGE_ALL, can voluntarily restrict
- Violations terminate worker, not parent shell

Files:
- core/rumpk/core/fiber.nim: user_entry/user_arg fields
- core/rumpk/core/kernel.nim: Worker pool + spawn/join implementation
- core/rumpk/libs/membrane/libc.nim: spawn()/join() wrappers
- docs/dev/PHASE_29_THE_HIVE.md: Concurrency architecture

STRATEGIC IMPACT
================
The Nexus now has a complete Zero-Trust security model:
1. Visual identity (CRT aesthetics)
2. Capability-based security (pledge)
3. Isolated concurrent execution (spawn/join)

This enables hosting untrusted code without kernel compromise,
forming the foundation of the Cryptobox architecture (STC-2).

Example usage:
  proc worker(arg: uint64) {.cdecl.} =
    discard pledge(PLEDGE_INET | PLEDGE_STDIO)
    http_get("https://example.com")

  let fid = spawn(worker, 0)
  discard join(fid)
  # Shell retains full capabilities

Build: Validated on RISC-V (rumpk-riscv64.elf)
Status: Production-ready
2026-01-02 14:12:00 +01:00
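As an added illustration (not code from the rumpk repository), the snippet below models in plain Nim the promises bitmask, the one-way ratchet and the RPATH/WPATH enforcement the commit message describes, plus a worker that inherits the parent's mask as its own copy. The capability constants follow the commit message; FiberCtx, require, openForRead/openForWrite and the in-process spawn are assumed stand-ins for the kernel's fiber state and syscalls.

```nim
# Added example: a userland model of the per-fiber promises mask. Not the
# rumpk kernel's own code; FiberCtx and the check procs are assumptions.
const
  PLEDGE_STDIO = 0x0001'u64
  PLEDGE_RPATH = 0x0002'u64
  PLEDGE_WPATH = 0x0004'u64
  PLEDGE_INET  = 0x0008'u64
  PLEDGE_EXEC  = 0x0010'u64
  PLEDGE_ALL   = 0xFFFF_FFFF_FFFF_FFFF'u64   # root: every bit set

type
  FiberCtx = object
    fid: int
    promises: uint64        # capability mask, PLEDGE_ALL until narrowed
  PledgeViolation = object of CatchableError

proc newFiber(fid: int): FiberCtx =
  FiberCtx(fid: fid, promises: PLEDGE_ALL)

# One-way ratchet: the requested mask is ANDed with the current one, so a
# fiber can only drop bits. Bits it no longer holds cannot be regained.
proc pledge(f: var FiberCtx, promises: uint64): uint64 =
  f.promises = f.promises and promises
  f.promises

proc require(f: FiberCtx, cap: uint64, op: string) =
  if (f.promises and cap) == 0:
    raise newException(PledgeViolation, "fiber " & $f.fid & ": " & op & " denied")

proc openForRead(f: FiberCtx, path: string) = f.require(PLEDGE_RPATH, "read " & path)
proc openForWrite(f: FiberCtx, path: string) = f.require(PLEDGE_WPATH, "write " & path)

# Spawn copies the parent's mask; afterwards the two contexts are independent.
proc spawn(parent: FiberCtx, fid: int): FiberCtx =
  FiberCtx(fid: fid, promises: parent.promises)

when isMainModule:
  var shell = newFiber(0)
  var worker = shell.spawn(1)
  discard worker.pledge(PLEDGE_STDIO or PLEDGE_RPATH)   # drop WPATH/INET/EXEC
  worker.openForRead("/etc/motd")                       # allowed
  try:
    worker.openForWrite("/tmp/out")                     # denied: WPATH gone
  except PledgeViolation as e:
    echo e.msg
  discard worker.pledge(PLEDGE_ALL)                     # no effect: cannot re-widen
  doAssert (worker.promises and PLEDGE_WPATH) == 0
  shell.openForWrite("/tmp/out")                        # parent mask untouched
```

The violation in the model is raised as an exception; in the commit's design the equivalent event terminates the offending worker while the parent shell keeps its full mask.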
Name               Last commit                                                                        Date
fs                 Phase 27-29: Visual Cortex, Pledge, and The Hive                                   2026-01-02 14:12:00 +01:00
include            Phase 27-29: Visual Cortex, Pledge, and The Hive                                   2026-01-02 14:12:00 +01:00
ion                feat(rumpk): Phase 2 Complete - The Entropy Purge & Sovereign Alignment            2025-12-31 20:18:48 +01:00
loader             feat(rumpk): Phase 8 - The Summoning (ELF Loader) - 95% Complete                   2025-12-31 20:18:49 +01:00
README.md          feat(rumpk): Phase 2 Complete - The Entropy Purge & Sovereign Alignment            2025-12-31 20:18:48 +01:00
channel.nim        feat(rumpk): Phase 2 Complete - The Entropy Purge & Sovereign Alignment            2025-12-31 20:18:48 +01:00
cstubs.c           feat(rumpk): Phase 3.5b Zicroui HUD Integration                                    2025-12-31 20:18:49 +01:00
fiber.nim          Phase 27-29: Visual Cortex, Pledge, and The Hive                                   2026-01-02 14:12:00 +01:00
invariant.nim      feat(rumpk): Sovereign Core Stabilization & Membrane IPC Hardening                 2025-12-31 20:18:49 +01:00
ion.nim            Phase 27-29: Visual Cortex, Pledge, and The Hive                                   2026-01-02 14:12:00 +01:00
kernel.nim         Phase 27-29: Visual Cortex, Pledge, and The Hive                                   2026-01-02 14:12:00 +01:00
loader.nim         feat(rumpk): dignified exit & sovereign vfs                                        2025-12-31 21:54:44 +01:00
loader.zig         feat(rumpk): Sovereign Core Stabilization & Membrane IPC Hardening                 2025-12-31 20:18:49 +01:00
overrides.c        feat(rumpk): Phase 7 Verified - Subject Zero Launch                                2025-12-31 20:18:48 +01:00
panicoverride.nim  feat(rumpk): First successful Zig+Nim boot on QEMU ARM64                           2025-12-31 20:18:47 +01:00
re-symbol.txt      feat(rumpk): Phase 7 Verified - Subject Zero Launch                                2025-12-31 20:18:48 +01:00
ring.nim           feat(rumpk): Phase 7 Verified - Subject Zero Launch                                2025-12-31 20:18:48 +01:00
watchdog.nim       feat(rumpk): Phase 3 Task 1 Complete - The Speed Freak (181 cycles/op)             2025-12-31 20:18:48 +01:00

README.md

Rumpk Core (L1)

Language: Nim
Purpose: Architecture-agnostic kernel logic

Module Index

File               Purpose
kernel.nim         Main Orchestrator (kmain)
ion.nim            ION Control Plane & Channel API
fiber.nim          Cooperative fiber abstraction
watchdog.nim       Autonomous Immune System (Healer)
ring.nim           Lock-free Sovereign ring buffers
panicoverride.nim  Freestanding panic handler

Architecture Independence

This folder contains no architecture-specific code. All platform-specific details are handled by the HAL layer (../hal/).

Compile-time architecture selection uses Nim's when defined():

when defined(amd64):
  const CONTEXT_SIZE = 56
elif defined(arm64):
  const CONTEXT_SIZE = 96
elif defined(riscv64):
  const CONTEXT_SIZE = 112

Dependencies

  • Imports console_write, rumpk_halt from HAL (Zig L0)
  • Imports cpu_switch_to from arch-specific assembly
  • Uses mm:arc memory management (no GC)

Build

Built via ../build.sh [aarch64|x86_64|riscv64]