the operating system for AI agents

no ssh. no shell. no attack surface. just agents.

your agents run on an OS built for humans.

ssh exists. a shell exists. an attack surface exists.

every layer you don't need is a layer that can break.

every traditional OS ships with layers built for human operators. NullBox strips all of them. what's left is only what agents need.

NO CRON
scheduled tasks are declared in AGENT.toml, not hidden in crontabs
NO DBUS
no desktop, no inter-process messaging bus needed
NO SYSTEMD
agents are managed by the hypervisor, not a bloated init system
NO SSHD
no remote shell access. ever. agents don't need it
NO SHELL
no bash, no sh, no zsh. zero interactive access
NO INTERACTIVE LOGIN
nobody logs in. the OS runs agents, not sessions
NO PACKAGE MANAGER
immutable rootfs. nothing gets installed at runtime
NO MUTABLE ROOTFS
the filesystem is read-only. what shipped is what runs
~15 BINARIES TOTAL
a typical Linux distro ships 2,000+. we ship what agents need, nothing more

16 layers from bare metal to skill registry.

16 HARBOR: Verified skill registry
cryptographically signed skill packages. agents pull only verified tools — no supply chain attacks.

15 EDGE POWER: Offline mode, cpufreq
agents keep running when the network drops. dynamic CPU frequency scaling for battery-powered edge devices.

14 PHOENIX: Self-healing via eBPF health probes
eBPF probes detect agent failures in microseconds. crashed agents restart automatically from their immutable image.

13 FORGE: Pre-deploy testing sandbox
every agent is tested in a throwaway microVM before production. capability proofs verify it does only what it claims.

12 SWARM: Multi-agent orchestration
coordinate dozens of agents across machines. message passing between microVMs with zero shared memory.

11 GATE: Human-in-the-loop approvals
high-risk actions (delete files, send emails, spend money) pause and wait for human approval before executing.

10 WATCHER: Merkle-chained audit log
every agent action is logged in a tamper-proof merkle chain. you can prove exactly what happened and when.

09 PROVENANCE: Ed25519 identity per agent
every agent gets a unique cryptographic identity bound to the hardware TPM. agents can prove who they are.

08 CTXGRAPH: Shared agent memory graph
agents share context through a structured knowledge graph. no raw file dumps — typed, queryable, versioned.

07 CLOAKPIPE: Mandatory PII redaction
all data leaving an agent passes through CloakPipe. PII is detected and redacted before it hits any external API.

06 SENTINEL: LLM firewall + eBPF enforcement
inspects prompts and responses in real-time. blocks prompt injection, data exfiltration, and policy violations at the kernel level.

05 WARDEN: Credential vault, dm-crypt
API keys and secrets live in an encrypted vault. agents request credentials at runtime — they never see the raw keys.

04 EGRESS: Default-deny network
all outbound traffic is blocked by default. agents can only reach domains explicitly listed in AGENT.toml.

03 ACCELERATOR: GPU/NPU/TPU isolation
hardware accelerators are partitioned per agent. one agent can't starve another of GPU time or read its VRAM.

02 CAGE: Per-agent microVM isolation
every agent runs in its own Firecracker microVM. dedicated kernel, dedicated filesystem, hardware-level isolation — not containers.

01 KERNEL: Linux 6.18 LTS, KSPP hardened
stripped-down Linux kernel with Kernel Self-Protection Project patches. minimal syscall surface. no modules loaded at runtime.

four steps from bare metal to a running, sandboxed AI agent.

01 FLASH
Write NullBox to a USB drive or SD card. Boot it. The entire OS is a ~100MB read-only image — no installer, no setup wizard, no configuration. It just runs.

$ dd if=nullbox.img of=/dev/sdX bs=4M

02 DECLARE
Define your agent in a single AGENT.toml file. What APIs it can call, what files it can read, how much memory it gets. If it's not declared, it doesn't exist.

network.allow = ["api.openai.com"]

03 ISOLATE
Each agent boots inside its own microVM with a dedicated kernel and filesystem. One compromised agent can't touch another — hardware-enforced, not just namespaces.

agent → microVM → own kernel → own rootfs

04 ENFORCE
Everything is default-deny. Network, filesystem, shell access — all blocked unless explicitly allowed in AGENT.toml. The OS enforces the rules, not the agent.

deny * → allow only what's declared

[agent]
name = "researcher"
version = "1.2.0"

[capabilities]
network.allow = ["api.openai.com", "api.exa.ai"]    # default deny
filesystem.read = ["/data/research"]
filesystem.write = ["/data/research/output"]
shell = false
max_memory_mb = 512

[tools]
read_files = { risk = "low" }
delete_files = { risk = "critical" }    # human approval required

RASPBERRY PI 5 (8GB + AI HAT)
JETSON AGX THOR (Blackwell GPU)
x86_64 VPS ($6-20/mo)
OLD LAPTOP (USB bootable)

nothing unnecessary.
everything enforced.

open source — MIT / Apache-2.0