For sixty years, operating systems have been written for humans typing into terminals. The kernel doesn't care what's at the keyboard — it just knows the syscall came from a process owned by some user. Whether that process is a curious developer or an autonomous agent looping on a goal, the OS shrugs and obliges.
This worked when "the process" was always a person. It doesn't work now. Agents are programs that you didn't write, calling capabilities you didn't pre-authorize, doing work whose consequences you may or may not want. The retrofit — read-only flags, scoped tokens, prompt-engineered "guardrails" — is the operating-system equivalent of duct tape.
KruxOS is a substrate built the other way around. Every action an agent can take is a typed capability with a known input shape and a policy gate in front of it. A deterministic engine decides: autonomous, notify, approval-required, or blocked. A human supervises from a dashboard. Every invocation lands in a hash-chained audit log. No LLM in the trust path. No prompt that can be jailbroken. Just rules you can read.
We think this is what running agents at scale actually looks like. Not because we're confident in any single model — but because we're certain that the substrate, not the model, is what decides whether agents can be trusted with consequential work.
Every agent action is a typed capability. Capabilities are versioned, documented, and tested. There is no "exec arbitrary code" escape hatch.
The policy engine is YAML, not an LLM. It evaluates in microseconds. You can read it. You can diff it. You can prove what it allows.
Every call — allowed, denied, deferred — lands in a hash-chained CBOR log. Replayable. Tamper-evident. The receipts of every decision.
Sandboxing happens at the Linux kernel: namespaces, cgroup v2, seccomp BPF, Landlock, nftables. Five layers. Not a sandbox library.
Frontier, open, or offline. KruxOS doesn't care which model is driving — capabilities are the same, policy is the same, audit is the same.
The dashboard exists for the human in the loop. Dense, terminal-adjacent, no marketing language. State first. Adjectives never.
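The tamper-evidence claimed for the hash-chained audit log can be shown with a small chain verifier. This is an added example, not KruxOS code: the record fields, capability names and genesis value are assumptions, and canonical JSON with SHA-256 stands in for the CBOR encoding, whose layout the page does not give. It also shows the limit of the technique: a log rewritten with recomputed hashes is only caught when the head hash is stored somewhere outside the log.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed chain start value

def digest(prev_hash, body):
    # Canonical JSON stands in for CBOR; any deterministic encoding serves.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + data).hexdigest()

def append(log, capability, decision, args):
    """Append one invocation record linked to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "capability": capability,
            "decision": decision, "args": args}
    log.append({"body": body, "prev": prev_hash, "hash": digest(prev_hash, body)})
    return log[-1]["hash"]

def verify(log, trusted_head=None):
    """Return the index of the first bad entry, len(log) if the chain is
    self-consistent but does not end on trusted_head, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = entry["body"]
        if (body.get("seq") != i or entry["prev"] != prev_hash
                or entry["hash"] != digest(prev_hash, body)):
            return i
        prev_hash = entry["hash"]
    if trusted_head is not None and prev_hash != trusted_head:
        return len(log)
    return None

def rechain(log, start):
    """Simulate a log rewritten with hashes recomputed from `start` onward."""
    prev_hash = log[start - 1]["hash"] if start else GENESIS
    for entry in log[start:]:
        entry["prev"] = prev_hash
        entry["hash"] = prev_hash = digest(prev_hash, entry["body"])
    return log

def build_sample():
    # Constructed records; capability names and arguments are invented.
    log = []
    append(log, "fs.read", "autonomous", {"path": "/srv/reports/q3.csv"})
    append(log, "mail.send", "approval-required", {"to": "ops@example.com"})
    head = append(log, "payments.transfer", "blocked", {"amount": 500})
    return log, head
```

Calling `verify(log)` with no trusted head accepts both a truncated log and a fully re-chained one, so the head hash has to be recorded where a writer of the log cannot reach it.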
Altvale is a small umbrella for infrastructure tools we think should exist. KruxOS is the first thing we're shipping. More to come.