From the lineage of Unix and Plan 9 comes the future

Safe agents are
free agents.

InferNode is a lightweight operating system with mathematically proven isolation of AI agents. When an agent can only see what you grant, you can trust it to do more—and the human-AI team finally works.

Get Started See the Security Model
Proven TLA+ / SPIN / CBMC
15 MB RAM footprint headless configuration
<1s cold start headless configuration
Open Source MIT Licensed

See it in action

You and your agent, side by side.

Veltro runs applications, composes tools, and acts on your behalf—all within a namespace you control. You see everything it sees. It touches nothing you haven’t granted.

infernode
Veltro AI agent running on InferNode OS. Left panel shows the agent conversation exploring a fractal application through 9P filesystem commands. Center panel renders a Mandelbrot set fractal. Right panel displays the namespace browser with mounted services, active tools, and loadable capabilities.
Agent conversation
Application output
Namespace browser

The Problem

AI agents are powerful.
That's the problem.

An AI agent that can read your files, call APIs, and spawn sub-processes is extraordinarily useful. It is also extraordinarily dangerous when it shares your operating system, your credentials, and your network access.

Today's answer is guardrails: sandboxes bolted on top, permission dialogs, policy layers you hope hold. The agent runs inside your world and you trust the cage. History suggests this is unwise.

InferNode inverts the model entirely.

Each agent gets its own namespace—a view of the world constructed from only the resources you explicitly mount. There is no cage because there is nothing to cage. The agent cannot access your credentials, your email, or your SSH keys because in its namespace, those things do not exist.

This changes everything. A provably contained agent is an agent you can trust with real autonomy. More autonomy means more productivity. And that is the point: security is not a constraint on the human-AI team. It is the foundation that makes the team possible.

Read the full manifesto →

Secure

Each AI agent runs in its own isolated namespace. It can only see what you explicitly grant. This is not a policy layer—it is how the operating system works, proven with formal verification.

Sovereign

You choose where your data lives and where your compute runs. Cloud, edge, local, or all three at once. No vendor decides for you.

Composable

Every resource—a GPU, an LLM, a database, a sensor—appears as a file. Plug anything into anything, across any device, with a single command.

Open

MIT licensed. Read the source, modify it, deploy it, sell it. No contributor license agreements. No license rug-pulls. No strings.

Capability-Based Security

If you didn't grant it,
it doesn't exist.

Today, most agent frameworks give you two choices. Run the agent on your own machine—with your credentials, your network, and your data—and hope the guardrails hold. Or hand everything to a cloud platform that isolates the agent by moving your data onto someone else's computer. One trusts the agent too much. The other trusts the cloud too much.

InferNode works differently. Each agent gets its own namespace—a view of the world constructed from only the resources you explicitly share. Try to access something you weren't given? It doesn't error. It simply does not exist. There is no attack surface because there is no surface.

This isn't a claim. The isolation model has been formally verified across three independent tools—TLA+, SPIN, and CBMC: 11 invariants proven across 19.3 million states (exhaustive), 3.17 billion states in an extended run, and 113 CBMC assertions—zero violations. Verification runs automatically in CI on every push.

Because agents are provably contained, you can give them more freedom—more tools, more data, more autonomy—without more risk. Safe agents are productive agents.

Full verification report →
agent namespace
; # Grant the agent access to docs and LLM
; mount /n/docs /agent/data
; mount /n/llm /agent/llm
; # Agent can see docs and LLM
; ls /agent/
data/ llm/
; # Your credentials, email, SSH keys?
; ls /home/ /credentials/ /email/
   # nothing. they don't exist in this namespace.
; # Prompt injection tried to read SSH keys?
; cat /home/.ssh/id_rsa
   # nothing to cat. the path doesn't exist.

Quantum-Safe Cryptography

experimental

InferNode ships preliminary implementations of ML-KEM (FIPS 203) and ML-DSA (FIPS 204)—the NIST-standardised, lattice-based algorithms the industry is migrating to now. Both NIST Level 3 (ML-KEM-768 / ML-DSA-65) and Level 5 (ML-KEM-1024 / ML-DSA-87) parameter sets are supported, with constant-time arithmetic throughout.

This work is not yet recommended for production, but cryptographic agility is a first-class design goal. When classical public-key cryptography is broken, InferNode will already have a path—running natively on the same lightweight OS that protects your agents today.

Why Now

Three trends are converging.

InferNode exists at the intersection of shifts that are making secure, distributed AI not just possible—but inevitable.

Trust needs proof, not promises.

As AI agents gain autonomy, “we tested it” is no longer enough. Prompt injection, confused deputies, privilege escalation—the attack surface grows with every capability you grant. Regulated industries are starting to require formal verification. InferNode’s isolation model is proven with TLA+, SPIN, and CBMC. The math exists. Ask for it.

Agents need a secure runtime.

Every major platform is racing to build multi-agent systems—LangGraph, CrewAI, OpenAI Agents, AWS Strands. But they all run agents with ambient authority inside your OS. Nobody has solved the fundamental problem: how do you let an agent do real work without giving it the keys to everything? InferNode’s namespaces are that answer.

Local inference just got real.

Small language models can now handle the majority of real-world queries on local hardware. Efficiency is improving at a staggering rate. The assumption that useful AI requires a cloud API is no longer true—and when your AI runs locally, you need an OS designed for it, not a browser tab.

A note on footprint: InferNode’s base runtime starts at ~15 MB RAM with a 2-second cold start. Real-world workloads—multiple agents, graphics, large models—will use more, as with any system. The point isn’t that it stays at 15 MB. It’s that it starts there, so it can run on hardware where heavier runtimes can’t even boot.

The Computer Is the Network

Your devices. One namespace. No cloud required.

Every resource—a GPU, a sensor, an LLM, a database—appears as a file. Mount it from anywhere. Your AI agent sees a single, seamless workspace.

Cloud GPU /n/compute optional Laptop /n/docs /n/code Jetson /n/gpu /n/inference Veltro AI Agent Local LLM /n/llm Raspberry Pi /n/sensors All peers. No center. You choose what connects.

Mount anything

A GPU cluster, a local LLM, a sensor feed, a cloud API—all appear as files. One command: mount tcp!host!port /n/resource

Agents see files, not APIs

Your AI agent reads and writes files. It doesn't need SDKs, API keys, or OAuth tokens. If a resource is mounted, the agent can use it.

Cloud is a peer, not a master

Connect to cloud services when you want. Disconnect when you don't. Your namespace works either way. No dependency. No lock-in.

Distributed by Design

Code moves. Apps stretch. Nothing restarts.

In InferNode, software isn’t installed—it’s mounted. Applications don’t run “on a machine”—they run across your namespace. These aren’t abstractions. This is how the OS works.

Hot-load code over the network

Dev Laptop sensor-filter.dis Write once Jetson (edge) sensor-filter.dis loaded & running Raspberry Pi sensor-filter.dis loaded & running What just happened: New code deployed to every device on the network. No restart. No container rebuild. No deployment pipeline.
hot-load a module from the network
; bind /n/devbox/dis/sensor-filter.dis /dis/sensor-filter.dis
# That's it. The module is now available locally.
# It was fetched over the network, on demand.
# Update the source? Every device gets the new version next load.

For developers

Compile a module on your laptop. Every device on your network can load and run it immediately—no redeploy, no container push, no deployment pipeline. Update it once, and every device picks up the change on next load.

In practice

Push a new ML preprocessing filter to a fleet of edge sensors. Roll out a security patch to every node in your mesh. Add a capability to an AI agent across all devices. All without downtime.

Run there. See here.

GPU Server (remote) LLM inference data analysis model training Heavy compute runs here input / commands display / results Your Laptop (local) You see and interact with the app as if it were local. It isn't. You interact here Connected via 9P protocol
run an app on the GPU server, display on your laptop
; import tcp!gpuserver!9999 /n/remote
; mount /n/remote /mnt/compute
; /mnt/compute/bin/analyse -data /n/local/dataset.csv
# Runs on the GPU server. Results display on your screen.
# To you, it looks like a local app. The network is invisible.

For developers

Applications export their interfaces as files over 9P. Mount a remote app’s namespace locally and interact with it as if it were running on your machine. The network boundary disappears at the OS level.

In practice

Run LLM inference on a GPU server in the closet, interact from your laptop. Analyse a dataset on a powerful remote machine, see results on a tablet in the field. One namespace. The hardware is irrelevant.

The Interface

Every resource is a file.
No SDK required.

InferNode exposes everything—LLMs, sensors, databases, agents—as files through the 9P protocol. That single architectural choice eliminates entire categories of integration complexity. No client libraries. No API wrappers. Just standard file operations.

9P Inside — InferNode uses the 9P protocol to expose every resource as a file
Go 9P server — runs on host
// Expose an LLM as a filesystem
func (s *LLMSrv) Read(fid *p9p.Fid) {
if fid.Path == "response" {
fid.Write(s.llm.Complete(s.prompt))
}
}
// mount tcp!host!564 /n/llm
Python 9P server — runs on host
# Expose a sensor feed as a file
class SensorServer(p9p.Server):
def read(self, path, n, off):
return sensor.read().encode()
# mount tcp!pi!564 /n/sensors
# Any language. Zero InferNode SDK.
rc inside InferNode
# Mount external services
mount tcp!llm-host!564 /n/llm
mount tcp!pi!564 /n/sensors
# Use them — just files
echo 'summarise' >/n/llm/0/ask
cat /n/llm/0/response
cat /n/sensors/temperature

One protocol. Any language.

Inside InferNode, every resource is a file—you interact with LLMs, sensors, and agents using open(), read(), write(). From the outside, any language that speaks 9P—a simple, open protocol—can connect to InferNode and work with its resources directly. No vendor SDK. No API wrapper. Just a well-documented protocol and the language you already know.

Build a service. It becomes native.

Write a service in any language. Expose it via 9P. It becomes a file in the namespace—indistinguishable from a built-in resource. Other agents, tools, and users can mount and use it immediately. The filesystem is the universal contract.

Explore the source on GitHub →

The System

One secure OS. Use it your way.

InferNode is the foundation—provably isolated namespaces for every agent, on any hardware. On top of it, choose the interface that fits how you work. Or use no interface at all.

Veltro

The autonomous agent

Veltro is an AI agent that lives in a namespace, not inside an application. It reads files, invokes tools, queries LLMs, and spawns sub-agents—all within the boundaries you define. Headless or interactive. Your choice.

Namespace-isolated — can only see what you grant
Sub-agents — spawn child agents with even fewer capabilities
LLM as a filesystem — mount any model at /n/llm

Lucia

Voice-first AI workspace

Lucia replaces the desktop with a conversational AI environment. Talk to your computer. The agent listens, acts, and presents results—documents, data, visualisations—without you ever opening an application. Security you can trust means an experience you can rely on.

Voice-controlled — speak naturally, the agent acts
Three-zone interface — conversation, presentation, and context at a glance
No apps to learn — the agent composes capabilities from your namespace

Xenith

Developer power tool

A text environment built for developers and AI agents working side by side. Forked from Acme with async I/O, dark mode, and a 9P interface that lets agents interact through file operations—no SDK required. Every agent action is observable in real time.

9P filesystem interface — agents read and write, no API needed
Observable — all agent activity visible to humans in real time
GPU-accelerated — SDL3 with Metal, Vulkan, and D3D backends
; InferNode — the 64-bit Inferno® OS that runs beneath it all. 15 MB RAM. 2-second startup. 630+ utilities. Formally verified isolation. Bell Labs lineage.

Veltro

Built for autonomous work.

An AI agent that lives in a namespace, not inside an application. Every capability is a file. Every boundary is structural.

Namespace-Isolated

Each Veltro instance sees only the resources you mount into its namespace. No ambient authority, no inherited credentials, no attack surface. Isolation is not enforced by policy—it is structural.

Sub-Agents

Veltro can spawn child agents with a subset of its own capabilities. Each sub-agent gets a further-restricted namespace. Delegation without escalation—the principle of least privilege, applied recursively.

LLM as Filesystem

Mount any language model at /n/llm via llm9p. Write a prompt to /n/llm/0/ask, read the completion back. Claude, Ollama, any backend—the agent sees files, not APIs. Swap providers without changing a line of code.

Multi-Device

Veltro runs on a Raspberry Pi, a Jetson, a laptop, or a server. Mount resources from any device on the network into the agent’s namespace using 9P. The agent doesn’t know or care where the data lives—it just works.

Use Cases

Built for people who can't afford to hope
the guardrails hold.

Agent Builders

Stop worrying about what your agent can access.

Building autonomous agents is terrifying when they share your OS. InferNode gives each agent an isolated namespace with only the tools and data you grant. Prompt injection? The agent literally cannot see anything outside its namespace. There is no attack surface.

namespace isolation capability-based security prompt injection resistant

Industrial & Critical Infrastructure

Formally verified. Not just tested.

Factory floors, energy grids, water systems—environments where a misbehaving AI agent isn’t an inconvenience, it’s a safety incident. InferNode’s isolation model is formally verified. Show your auditors the math, not a promise.

formal verification OT-ready safety-critical IEC 62443 aligned

Finance, Legal & Healthcare

Use AI without sending your data somewhere else.

Trading strategies, client records, patient data, legal discovery—too sensitive for someone else’s cloud. InferNode runs on your hardware with local LLMs. Formally verified isolation means you can prove containment to regulators and auditors, not just promise it.

local LLMs formal verification SOX / PCI-DSS / HIPAA air-gapped capable

Edge & Embedded

15 MB. A $35 board. Real AI.

Kubernetes on a Raspberry Pi is a bad joke. InferNode runs in 15 MB of RAM with a 2-second cold start. Deploy AI agents on Jetsons, Raspberry Pis, or any ARM64/AMD64 device—each in its own isolated namespace. With JIT compilation, it’s fast too.

15 MB RAM 2s startup ARM64 native JIT compiler

Mission-Critical Operations

Works where the cloud doesn’t.

Disconnected environments, austere conditions, contested networks—places where cloud APIs are a liability, not a luxury. InferNode runs entirely on local hardware, meshes devices peer-to-peer, and keeps working when the uplink goes down. Every agent stays contained.

air-gapped peer-to-peer mesh edge-native zero cloud dependency

Distributed Systems

Your devices, working as one.

Mount a GPU from across the room or across the country. InferNode’s 9P protocol makes remote resources appear as local files. Build a mesh of devices that share compute, storage, and sensors—each node isolated, the whole system composable.

9P protocol peer-to-peer cloud optional zero middleware

Quick Start

Launch the app or build from source.

On macOS, download and run. On Linux, download the GUI or headless tarball, or build from source. Either way—under a minute.

InferNode app icon

InferNode.app

macOS (Apple Silicon) — open the DMG, drag to Applications, launch.

Download latest
Docker — any platform
# Pull and run (amd64 or arm64, auto-detected)
$ docker run -it ghcr.io/infernode-os/infernode:latest
Linux x86_64 — download and run (SDL3 bundled)
Download latest tarball
# GUI (Lucia) &mdash; self-contained, no dependencies
$ tar xzf infernode-*-linux-amd64-gui.tar.gz
$ cd infernode-*-linux-amd64-gui
$ ./infernode
# Build from source (GUI)
$ git clone https://github.com/infernode-os/infernode.git && cd infernode
$ ./install-sdl3.sh
$ ./build-linux-amd64.sh # or build-linux-arm64.sh
# Launch Lucia GUI
$ ./run-lucia-linux.sh
x86_64 Linux
ARM64 Linux (Jetson, RPi)
ARM64 macOS (Apple Silicon)
x86_64 Windows (coming soon)
🐳 Docker (amd64 + arm64)