From the lineage of Unix and Plan 9

Safe agents are
free agents.

InferNode is a lightweight operating system with mathematically proven isolation. When an agent can only see what you grant, you can trust it to do more—and the human-AI team finally works.

Get Started See the Security Model
Proven TLA+ / SPIN / CBMC
15 MB RAM footprint
2s cold start
MIT licensed

The Problem

AI agents are powerful.
That's the problem.

An AI agent that can read your files, call APIs, and spawn sub-processes is extraordinarily useful. It is also extraordinarily dangerous when it shares your operating system, your credentials, and your network access.

Today's answer is guardrails: sandboxes bolted on top, permission dialogs, policy layers you hope hold. The agent runs inside your world and you trust the cage. History suggests this is unwise.

InferNode inverts the model entirely.

Each agent gets its own namespace—a view of the world constructed from only the resources you explicitly mount. There is no cage because there is nothing to cage. The agent cannot access your credentials, your email, or your SSH keys because in its namespace, those things do not exist.

This changes everything. A provably contained agent is an agent you can trust with real autonomy. More autonomy means more productivity. And that is the point: security is not a constraint on the human-AI team. It is the foundation that makes the team possible.

Read the full manifesto →

Secure

Each AI agent runs in its own isolated namespace. It can only see what you explicitly grant. This is not a policy layer—it is how the operating system works, proven with formal verification.

Sovereign

You choose where your data lives and where your compute runs. Cloud, edge, local, or all three at once. No vendor decides for you.

Composable

Every resource—a GPU, an LLM, a database, a sensor—appears as a file. Plug anything into anything, across any device, with a single command.

Open

MIT licensed. Read the source, modify it, deploy it, sell it. No contributor license agreements. No license rug-pulls. No strings.

Capability-Based Security

If you didn't grant it,
it doesn't exist.

Today, most agent frameworks give you two choices. Run the agent on your own machine—with your credentials, your network, and your data—and hope the guardrails hold. Or hand everything to a cloud platform that isolates the agent by moving your data onto someone else's computer. One trusts the agent too much. The other trusts the cloud too much.

InferNode works differently. Each agent gets its own namespace—a view of the world constructed from only the resources you explicitly share. Try to access something you weren't given? It doesn't error. It simply does not exist. There is no attack surface because there is no surface.

This isn't a claim. The isolation model has been formally verified using TLA+, SPIN, and CBMC. Mathematical proof, not just testing. Show your auditors the math.

Because agents are provably contained, you can give them more freedom—more tools, more data, more autonomy—without more risk. Safe agents are productive agents.

agent namespace
; # Grant the agent access to docs and LLM
; mount /n/docs /agent/data
; mount /n/llm /agent/llm
; # Agent can see docs and LLM
; ls /agent/
data/ llm/
; # Your credentials, email, SSH keys?
; ls /home/ /credentials/ /email/
  # nothing. they don't exist in this namespace.
; # Prompt injection tried to read SSH keys?
; cat /home/.ssh/id_rsa
  # nothing to cat. the path doesn't exist.

Why Now

Three trends are converging.

InferNode exists at the intersection of shifts that are making secure, distributed AI not just possible—but inevitable.

Trust needs proof, not promises.

As AI agents gain autonomy, “we tested it” is no longer enough. Prompt injection, confused deputies, privilege escalation—the attack surface grows with every capability you grant. Regulated industries are starting to require formal verification. InferNode’s isolation model is proven with TLA+, SPIN, and CBMC. The math exists. Ask for it.

Agents need a secure runtime.

Every major platform is racing to build multi-agent systems—LangGraph, CrewAI, OpenAI Agents, AWS Strands. But they all run agents with ambient authority inside your OS. Nobody has solved the fundamental problem: how do you let an agent do real work without giving it the keys to everything? InferNode’s namespaces are that answer.

Local inference just got real.

Small language models can now handle the majority of real-world queries on local hardware. Efficiency is improving at a staggering rate. The assumption that useful AI requires a cloud API is no longer true—and when your AI runs locally, you need an OS designed for it, not a browser tab.

A note on footprint: InferNode’s base runtime starts at ~15 MB RAM with a 2-second cold start. Real-world workloads—multiple agents, graphics, large models—will use more, as with any system. The point isn’t that it stays at 15 MB. It’s that it starts there, so it can run on hardware where heavier runtimes can’t even boot.

The Computer Is the Network

Your devices. One namespace. No cloud required.

Every resource—a GPU, a sensor, an LLM, a database—appears as a file. Mount it from anywhere. Your AI agent sees a single, seamless workspace.

Cloud GPU /n/compute optional Laptop /n/docs /n/code Jetson /n/gpu /n/inference Veltro AI Agent Local LLM /n/llm Raspberry Pi /n/sensors All peers. No center. You choose what connects.

Mount anything

A GPU cluster, a local LLM, a sensor feed, a cloud API—all appear as files. One command: mount tcp!host!port /n/resource

Agents see files, not APIs

Your AI agent reads and writes files. It doesn't need SDKs, API keys, or OAuth tokens. If a resource is mounted, the agent can use it.

Cloud is a peer, not a master

Connect to cloud services when you want. Disconnect when you don't. Your namespace works either way. No dependency. No lock-in.

Distributed by Design

Code moves. Apps stretch. Nothing restarts.

In InferNode, software isn’t installed—it’s mounted. Applications don’t run “on a machine”—they run across your namespace. These aren’t abstractions. This is how the OS works.

Hot-load code over the network

Dev Laptop sensor-filter.dis Write once Jetson (edge) sensor-filter.dis loaded & running Raspberry Pi sensor-filter.dis loaded & running What just happened: New code deployed to every device on the network. No restart. No container rebuild. No deployment pipeline.
hot-load a module from the network
; bind /n/devbox/dis/sensor-filter.dis /dis/sensor-filter.dis
# That's it. The module is now available locally.
# It was fetched over the network, on demand.
# Update the source? Every device gets the new version next load.

For developers

Compile a module on your laptop. Every device on your network can load and run it immediately—no redeploy, no container push, no deployment pipeline. Update it once, and every device picks up the change on next load.

In practice

Push a new ML preprocessing filter to a fleet of edge sensors. Roll out a security patch to every node in your mesh. Add a capability to an AI agent across all devices. All without downtime.

Run there. See here.

GPU Server (remote) LLM inference data analysis model training Heavy compute runs here input / commands display / results Your Laptop (local) You see and interact with the app as if it were local. It isn't. You interact here Connected via 9P protocol
run an app on the GPU server, display on your laptop
; import tcp!gpuserver!9999 /n/remote
; mount /n/remote /mnt/compute
; /mnt/compute/bin/analyse -data /n/local/dataset.csv
# Runs on the GPU server. Results display on your screen.
# To you, it looks like a local app. The network is invisible.

For developers

Applications export their interfaces as files over 9P. Mount a remote app’s namespace locally and interact with it as if it were running on your machine. The network boundary disappears at the OS level.

In practice

Run LLM inference on a GPU server in the closet, interact from your laptop. Analyse a dataset on a powerful remote machine, see results on a tablet in the field. One namespace. The hardware is irrelevant.

The Interface

Every resource is a file.
No SDK required.

InferNode exposes everything—LLMs, sensors, databases, agents—as files through the 9P protocol. That single architectural choice eliminates entire categories of integration complexity. No client libraries. No API wrappers. Just standard file operations.

Python
# Query an LLM via InferNode
with open("/n/llm/prompt", "w") as f:
f.write("Summarise this report")
with open("/n/llm/response") as f:
answer = f.read()
Go
// Read a sensor feed
data, err := os.ReadFile(
"/n/sensors/temperature")
// Write a command
os.WriteFile(
"/n/actuator/valve",
[]byte("open"), 0644)
Bash
# List available tools
ls /n/agent/tools/
# Send a task to an agent
echo "find anomalies" \
> /n/agent/task
# Read the result
cat /n/agent/result

One protocol. Any language.

Inside InferNode, every resource is a file—you interact with LLMs, sensors, and agents using open(), read(), write(). From the outside, any language that speaks 9P—a simple, open protocol—can connect to InferNode and work with its resources directly. No vendor SDK. No API wrapper. Just a well-documented protocol and the language you already know.

Build a service. It becomes native.

Write a service in any language. Expose it via 9P. It becomes a file in the namespace—indistinguishable from a built-in resource. Other agents, tools, and users can mount and use it immediately. The filesystem is the universal contract.

Explore the source on GitHub →

The System

One secure OS. Use it your way.

InferNode is the foundation—provably isolated namespaces for every agent, on any hardware. On top of it, choose the interface that fits how you work. Or use no interface at all.

Veltro

The autonomous agent

Veltro is an AI agent that lives in a namespace, not inside an application. It reads files, invokes tools, queries LLMs, and spawns sub-agents—all within the boundaries you define. Headless or interactive. Your choice.

Namespace-isolated — can only see what you grant
Sub-agents — spawn child agents with even fewer capabilities
LLM as a filesystem — mount any model at /n/llm

Stelle

Voice-first AI workspace

Stelle replaces the desktop with a conversational AI environment. Talk to your computer. The agent listens, acts, and presents results—documents, data, visualisations—without you ever opening an application. Security you can trust means an experience you can rely on.

Voice-controlled — speak naturally, the agent acts
Three-zone interface — conversation, presentation, and context at a glance
No apps to learn — the agent composes capabilities from your namespace

Xenith

Developer power tool

A text environment built for developers and AI agents working side by side. Forked from Acme with async I/O, dark mode, and a 9P interface that lets agents interact through file operations—no SDK required. Every agent action is observable in real time.

9P filesystem interface — agents read and write, no API needed
Observable — all agent activity visible to humans in real time
GPU-accelerated — SDL3 with Metal, Vulkan, and D3D backends
; InferNode — the 64-bit Inferno® OS that runs beneath it all. 15 MB RAM. 2-second startup. 630+ utilities. Formally verified isolation. Bell Labs lineage.

Use Cases

Built for people who can't afford to hope
the guardrails hold.

Agent Builders

Stop worrying about what your agent can access.

Building autonomous agents is terrifying when they share your OS. InferNode gives each agent an isolated namespace with only the tools and data you grant. Prompt injection? The agent literally cannot see anything outside its namespace. There is no attack surface.

namespace isolation capability-based security prompt injection resistant

Industrial & Critical Infrastructure

Formally verified. Not just tested.

Factory floors, energy grids, water systems—environments where a misbehaving AI agent isn’t an inconvenience, it’s a safety incident. InferNode’s isolation model is formally verified. Show your auditors the math, not a promise.

formal verification OT-ready safety-critical IEC 62443 aligned

Finance, Legal & Healthcare

Use AI without sending your data somewhere else.

Trading strategies, client records, patient data, legal discovery—too sensitive for someone else’s cloud. InferNode runs on your hardware with local LLMs. Formally verified isolation means you can prove containment to regulators and auditors, not just promise it.

local LLMs formal verification SOX / PCI-DSS / HIPAA air-gapped capable

Edge & Embedded

15 MB. A $35 board. Real AI.

Kubernetes on a Raspberry Pi is a bad joke. InferNode runs in 15 MB of RAM with a 2-second cold start. Deploy AI agents on Jetsons, Raspberry Pis, or any ARM64/AMD64 device—each in its own isolated namespace. With JIT compilation, it’s fast too.

15 MB RAM 2s startup ARM64 native JIT compiler

Mission-Critical Operations

Works where the cloud doesn’t.

Disconnected environments, austere conditions, contested networks—places where cloud APIs are a liability, not a luxury. InferNode runs entirely on local hardware, meshes devices peer-to-peer, and keeps working when the uplink goes down. Every agent stays contained.

air-gapped peer-to-peer mesh edge-native zero cloud dependency

Distributed Systems

Your devices, working as one.

Mount a GPU from across the room or across the country. InferNode’s 9P protocol makes remote resources appear as local files. Build a mesh of devices that share compute, storage, and sensors—each node isolated, the whole system composable.

9P protocol peer-to-peer cloud optional zero middleware

Quick Start

Running in 3 commands.

Clone, build, run. You'll see the ; prompt in under a minute.

terminal
# Clone the repository
$ git clone https://github.com/NERVsystems/infernode.git
$ cd infernode
# Build for your platform
$ ./build-linux-amd64.sh # or build-linux-arm64.sh
# Run
$ ./emu/Linux/o.emu -r.
# You're in Inferno®
; ls /dis
0intro.dis acme.dis asm.dis ...
; cat /dev/sysctl
Fourth Edition (20120928)
x86_64 Linux
ARM64 Linux (Jetson, RPi)
ARM64 macOS (Apple Silicon)
x86_64 Windows (coming soon)