
System Architecture

A single Rust binary. Three layers: the kernel, the daemon, and drivers. No runtime dependencies.

The Kernel

Statically linked. Seven primitives built on Unix-inspired filesystem operations. Boots from .ostk/ and begins tracking.

WRITE_TRACKING Every file write intercepted, assigned a generation counter via OCC
CONFLICT_RESOLUTION Hot PR — auto-merge, mechanical rebase, or manual. Three tiers.
OUTPUT_COMPRESSION 3-tier pipeline: strip ANSI, dedup lines, classify before agent context
CAPABILITY_ENFORCEMENT Deny-based pins at tool layer (policy.rs), Landlock/Seatbelt at syscall layer via nono sandbox (kernel/sandbox.rs)
AUDIT_TRAIL Append-only events. fold(audit.jsonl) reconstructs the fleet
SECRET_MEDIATION API keys resolved from keychain at call time, never in agent context
FLEET_COORDINATION Spawn, drain, reap, rehydrate. Heartbeat crash detection.
DANGEROUS_CMD_DETECT 14 pattern detectors scan every shell command before agent sees output
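As an added illustration of the OUTPUT_COMPRESSION primitive (this is example code, not ostk's pipeline), the three stages named above, strip ANSI, dedup lines, classify, implemented as one pass over raw tool output. The stage boundaries, the `Class` labels and the keyword classifier are assumptions; the sample output is constructed. The security-relevant stage is the first one: ANSI CSI and OSC sequences are terminal control data, and stripping them before the bytes reach an agent's context removes one channel through which tool output can carry content the model was never meant to see.

```rust
// Added example (not ostk's code): a three-stage output pipeline of the kind
// OUTPUT_COMPRESSION describes. Stage boundaries, the label set and the
// keyword classifier are assumptions for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Class { Error, Warning, Info }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Line {
    pub text: String,
    pub count: usize, // how many consecutive identical lines were folded in
    pub class: Class,
}

/// Stage 1: drop ANSI escape sequences. Colours and cursor moves are noise;
/// OSC sequences (titles, hyperlinks) are terminal control data that has no
/// business inside an agent's context.
pub fn strip_ansi(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut it = input.chars().peekable();
    while let Some(c) = it.next() {
        if c != '\x1b' { out.push(c); continue; }
        match it.peek() {
            // CSI: ESC '[' params... final byte in 0x40..=0x7e
            Some('[') => {
                it.next();
                while let Some(n) = it.next() {
                    if ('\x40'..='\x7e').contains(&n) { break; }
                }
            }
            // OSC: ESC ']' ... terminated by BEL or ESC '\'
            Some(']') => {
                it.next();
                while let Some(n) = it.next() {
                    if n == '\x07' { break; }
                    if n == '\x1b' {
                        if it.peek() == Some(&'\\') { it.next(); }
                        break;
                    }
                }
            }
            // any other two-byte escape: drop the byte after ESC
            _ => { it.next(); }
        }
    }
    out
}

/// Stage 2: fold runs of identical lines into one line plus a count, so a
/// loop that prints the same warning 500 times costs one line of context.
pub fn dedup(lines: impl Iterator<Item = String>) -> Vec<(String, usize)> {
    let mut out: Vec<(String, usize)> = Vec::new();
    for line in lines {
        match out.last_mut() {
            Some((prev, n)) if *prev == line => *n += 1,
            _ => out.push((line, 1)),
        }
    }
    out
}

/// Stage 3: classify so errors can be handed to the agent first. Keyword
/// based and deliberately simple; a real classifier would be per tool.
pub fn classify(text: &str) -> Class {
    let t = text.to_ascii_lowercase();
    if ["error", "panic", "fatal"].iter().any(|k| t.contains(*k)) { Class::Error }
    else if t.contains("warn") { Class::Warning }
    else { Class::Info }
}

/// Full pipeline: raw tool output in, compact classified lines out.
pub fn compress(raw: &str) -> Vec<Line> {
    let clean = strip_ansi(raw);
    dedup(clean.lines().map(|l| l.trim_end().to_string()))
        .into_iter()
        .map(|(text, count)| Line { class: classify(&text), text, count })
        .collect()
}

/// Render for the agent context as "[CLASS] text (xN)".
pub fn render(lines: &[Line]) -> String {
    lines.iter().map(|l| {
        let tag = match l.class { Class::Error => "ERROR", Class::Warning => "WARN", Class::Info => "INFO" };
        if l.count > 1 { format!("[{}] {} (x{})", tag, l.text, l.count) } else { format!("[{}] {}", tag, l.text) }
    }).collect::<Vec<_>>().join("\n")
}

fn main() {
    // Constructed sample: colour codes, an OSC title set, a repeated warning.
    let raw = "\x1b[31merror\x1b[0m: build failed\nwarning: unused import\nwarning: unused import\n\x1b]0;shell\x07done\n";
    println!("{}", render(&compress(raw)));
}
```

The dedup stage only folds consecutive duplicates; collapsing non-adjacent repeats would reorder output and hide interleaving that matters when two commands fail in sequence.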

The Daemon

ostk listen starts the kernel daemon — a long-lived anchor process that holds the socket, the process table, and the scheduler.

SESSION_MGMT

Agents run as managed sessions. Each has its own context, heartbeat, and drain snapshot.

SCHEDULER_TICK

Background task wakes the scheduler on a timer. Inspects fleet state, dispatches work, reaps dead sessions.

CRASH_RECOVERY

Drain snapshots at every turn boundary. On restart, fold(audit.jsonl) reconstructs fleet and rehydrates sessions.

CLIENT_MULTIPLEX

TUI, MCP clients, CLI one-shots, and IDE extensions attach/detach via kernel socket. Sessions persist.

The daemon is a cache, not a ledger. Source of truth is the filesystem — audit.jsonl, gen_table.jsonl, drain snapshots. A restart reconstructs identical state from disk.

SESSION_TOPOLOGY (diagram)
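To make the "cache, not a ledger" property concrete, here is an added example (not ostk's kernel code) that ties together WRITE_TRACKING, AUDIT_TRAIL and CRASH_RECOVERY: writes carry an OCC generation counter, every accepted event is appended to an in-memory stand-in for audit.jsonl, and `fold()` replays those lines into fleet state. The event names, the JSON key layout, the session status set and the hand-rolled field extractor are assumptions; a real log would go through a JSON library. The property worth checking is that the replayed state equals the live state, which holds because both paths mutate state through the same `apply()`.

```rust
// Added example (not ostk's code): OCC generation counters plus an
// append-only audit log that fold() replays into fleet state. Event names,
// the JSON key layout and the session status set are assumptions.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Status { Running, Drained }

/// What the daemon caches in memory. Every field is derivable from the log.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct Fleet {
    pub sessions: BTreeMap<String, Status>,
    pub gens: BTreeMap<String, u64>, // path -> current generation
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Event {
    Spawn { session: String },
    Write { session: String, path: String, generation: u64 },
    Drain { session: String },
    Reap { session: String },
}

#[derive(Debug, PartialEq, Eq)]
pub enum WriteError {
    NotRunning(String),
    Stale { path: String, expected: u64, current: u64 },
}

/// Pull `"key":value` (string or number) out of one flat JSON object.
/// Enough for the constructed log; no escaping is handled.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let pat = format!("\"{}\":", key);
    let rest = &line[line.find(&pat)? + pat.len()..];
    match rest.strip_prefix('"') {
        Some(s) => Some(&s[..s.find('"')?]),
        None => Some(&rest[..rest.find(|c: char| c == ',' || c == '}').unwrap_or(rest.len())]),
    }
}

impl Event {
    fn to_line(&self) -> String {
        match self {
            Event::Spawn { session } => format!(r#"{{"ev":"spawn","session":"{}"}}"#, session),
            Event::Write { session, path, generation } =>
                format!(r#"{{"ev":"write","session":"{}","path":"{}","gen":{}}}"#, session, path, generation),
            Event::Drain { session } => format!(r#"{{"ev":"drain","session":"{}"}}"#, session),
            Event::Reap { session } => format!(r#"{{"ev":"reap","session":"{}"}}"#, session),
        }
    }
    fn from_line(line: &str) -> Option<Event> {
        let s = |k: &str| field(line, k).map(str::to_string);
        Some(match field(line, "ev")? {
            "spawn" => Event::Spawn { session: s("session")? },
            "write" => Event::Write { session: s("session")?, path: s("path")?, generation: field(line, "gen")?.parse().ok()? },
            "drain" => Event::Drain { session: s("session")? },
            "reap" => Event::Reap { session: s("session")? },
            _ => return None,
        })
    }
}

/// Both the live path and fold() go through apply(), so a replay cannot end
/// up in a state the daemon never saw.
fn apply(fleet: &mut Fleet, ev: &Event) {
    match ev {
        Event::Spawn { session } => { fleet.sessions.insert(session.clone(), Status::Running); }
        Event::Write { path, generation, .. } => { fleet.gens.insert(path.clone(), *generation); }
        Event::Drain { session } => { fleet.sessions.insert(session.clone(), Status::Drained); }
        Event::Reap { session } => { fleet.sessions.remove(session); }
    }
}

/// What a restart runs: rebuild the fleet from audit lines alone.
pub fn fold(audit: &[String]) -> Fleet {
    let mut fleet = Fleet::default();
    for ev in audit.iter().filter_map(|l| Event::from_line(l)) { apply(&mut fleet, &ev); }
    fleet
}

#[derive(Debug, Default)]
pub struct Kernel {
    pub fleet: Fleet,       // the cache
    pub audit: Vec<String>, // the ledger: append-only lines of audit.jsonl
}

impl Kernel {
    fn record(&mut self, ev: Event) { self.audit.push(ev.to_line()); apply(&mut self.fleet, &ev); }
    pub fn spawn(&mut self, session: &str) { self.record(Event::Spawn { session: session.into() }) }
    pub fn drain(&mut self, session: &str) { self.record(Event::Drain { session: session.into() }) }
    pub fn reap(&mut self, session: &str) { self.record(Event::Reap { session: session.into() }) }

    /// OCC write: the agent names the generation it read. If another session
    /// advanced the file since, the write is refused and surfaced as a
    /// conflict instead of silently clobbering the newer content.
    pub fn write(&mut self, session: &str, path: &str, expected: u64) -> Result<u64, WriteError> {
        if self.fleet.sessions.get(session) != Some(&Status::Running) {
            return Err(WriteError::NotRunning(session.into()));
        }
        let current = self.fleet.gens.get(path).copied().unwrap_or(0);
        if expected != current {
            return Err(WriteError::Stale { path: path.into(), expected, current });
        }
        let generation = current + 1;
        self.record(Event::Write { session: session.into(), path: path.into(), generation });
        Ok(generation)
    }
}
```

A rejected write records nothing, so the log only ever contains writes that actually happened; conflict handling (the auto-merge, rebase and manual tiers) sits above this check and decides what to do with the `Stale` result.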

Write Interception

Default: ostk intercepts at the tool layer. Agents call kernel primitives (file:edit, file:write, file:create) that apply policy, locking, and version tracking before bytes hit disk. No LD_PRELOAD, no ptrace, no kqueue observer.

Tool-layer interception has one honest limitation: if an agent escapes the tool path — by invoking a shell that writes directly — the kernel never sees it. ostk addresses this in two ways:

  1. Process sandbox (always on): the nono subsystem enforces filesystem restrictions at the OS layer — Landlock on Linux, Seatbelt on macOS. Agents physically cannot write outside their allowed paths, regardless of how they try. Implemented in src/kernel/sandbox.rs.
  2. FUSE passthrough (optional): ostk mount (built with --features fuse) mounts a FUSE filesystem that mirrors the project tree and logs every write op through the kernel. Optional because FUSE adds dependencies; off by default. Implemented in src/fuse/passthrough.rs.

The tool layer covers the expected path; the OS sandbox covers the escape path; FUSE is the observability upgrade for users who want every byte logged regardless of how it got written. No single interception layer is load-bearing on its own.
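What a deny-based pin at the tool layer looks like, as an added example rather than ostk's policy.rs: a write request is resolved lexically against the project root, `.` and `..` are collapsed, anything that would climb out of the root is refused, and a short list of pinned prefixes (here `.ostk` and `.git`, both assumptions) is never writable. The root path, the error set and Unix-style paths are assumptions. The check is purely lexical and does not follow symlinks, which is exactly the gap the text describes: it can only judge the paths the tool call names, so the OS-level sandbox remains the layer that bounds what the process can actually touch.

```rust
// Added example (not ostk's policy.rs): a deny-based path policy of the kind
// the tool-layer CAPABILITY_ENFORCEMENT primitive describes. The root, the
// pinned prefixes and the error set are assumptions. Unix-style paths.
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq, Eq)]
pub enum Deny {
    OutsideRoot(PathBuf), // resolves above or beside the project root
    Pinned(PathBuf),      // inside a prefix the agent may never write
}

pub struct Policy {
    root: PathBuf,
    pins: Vec<PathBuf>, // relative to root
}

impl Policy {
    pub fn new(root: &str, pins: &[&str]) -> Self {
        Policy { root: PathBuf::from(root), pins: pins.iter().map(|p| PathBuf::from(*p)).collect() }
    }

    /// Lexically resolve a requested path to a root-relative one: collapse
    /// `.` and `..`, and refuse anything that would climb out of the root.
    /// Symlinks are not followed here; that is the OS sandbox's job.
    fn relative(&self, requested: &Path) -> Result<PathBuf, Deny> {
        let outside = || Deny::OutsideRoot(requested.to_path_buf());
        // Absolute requests are fine only if they already sit under the root.
        let tail = if requested.is_absolute() {
            requested.strip_prefix(&self.root).map_err(|_| outside())?
        } else {
            requested
        };
        let mut parts: Vec<&std::ffi::OsStr> = Vec::new();
        for c in tail.components() {
            match c {
                Component::CurDir => {}
                Component::Normal(s) => parts.push(s),
                Component::ParentDir => {
                    if parts.pop().is_none() { return Err(outside()); }
                }
                Component::RootDir | Component::Prefix(_) => return Err(outside()),
            }
        }
        Ok(parts.into_iter().collect())
    }

    /// Tool-layer check a file:write must pass before bytes hit disk.
    /// Returns the resolved absolute path on success.
    pub fn check_write(&self, requested: &str) -> Result<PathBuf, Deny> {
        let rel = self.relative(Path::new(requested))?;
        // starts_with is component-based, so ".github" does not match ".git".
        if let Some(pin) = self.pins.iter().find(|p| rel.starts_with(p)) {
            return Err(Deny::Pinned(pin.clone()));
        }
        Ok(self.root.join(rel))
    }
}

fn main() {
    let policy = Policy::new("/proj", &[".ostk", ".git"]);
    for req in ["src/main.rs", "src/../src/./lib.rs", "../etc/passwd", ".ostk/audit.jsonl"] {
        println!("{:<24} -> {:?}", req, policy.check_write(req));
    }
}
```

Deny results carry enough detail to be written to the audit trail as a refused write, which is the signal a reviewer would want when an agent repeatedly probes outside its root.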

FCP Drivers

Drivers extend the kernel with domain capabilities via the File Context Protocol — MCP servers that let LLMs interact with complex file formats through a verb-based DSL.

fcp-screen [tty] TUI rendering — fleet status, work queue, permission modals
fcp-web [] Web page reading — fetch, render, extract content from URLs
fcp-llm [] LLM inference — CpuDriver trait, provider routing (Anthropic, Gemini, Mistral)
fcp-rust Rust analysis via rust-analyzer — crate graph, type resolution, diagnostics os-tack/fcp-rust
fcp-python Python intelligence via pylsp — query and refactor Python codebases os-tack/fcp-python
fcp-drawio Create and edit draw.io diagrams through intent-level commands os-tack/fcp-drawio
fcp-pdf Semantic PDF operations — extract, search, and manipulate PDF content os-tack/fcp-pdf
fcp-sheets Semantic spreadsheet operations — query and edit cells, formulas, ranges os-tack/fcp-sheets
fcp-slides Slide deck operations for presentation file formats os-tack/fcp-slides
fcp-midi Semantic MIDI music composition — notes, tracks, instruments os-tack/fcp-midi
fcp-regex Regex construction via named fragment composition os-tack/fcp-regex
fcp-terraform Terraform HCL generation — modules, resources, variables os-tack/fcp-terraform
fcp File Context Protocol specification — verb-based DSL for file operations os-tack/fcp
fcp-core Shared framework for building FCP servers (TypeScript + Python) os-tack/fcp-core
fcp-core-rust Shared Rust framework for building FCP servers os-tack/fcp-core-rust