Oxide OS is a microkernel where AI agents aren't guests running on top — they're the reason the kernel exists.
You deploy 50 AI agents. They need isolation, communication, supervision. Linux gives them none of it natively. So you bolt on Docker, Redis, Kubernetes, iptables — layers on layers of workarounds.
A compromised agent in Docker can still probe the network, read environment variables, access shared volumes. Containers are walls with holes.
Agents need three external services (Redis, RabbitMQ, gRPC) just to send each other messages. For an OS primitive.
Agent crashes. Nothing restarts it with the right context. Kubernetes can restart pods, but it doesn't understand agent hierarchies.
"How do we let AI act autonomously without giving it the keys to the kingdom?" Nobody has a good answer.
Don't add agent support on top. Build it in. Every kernel primitive — scheduling, memory, security, communication — designed for autonomous AI.
Every resource access requires an unforgeable kernel token. An agent with zero capabilities can do nothing. Delegation enforces subsets only. Revocation cascades instantly.
Message passing, shared memory, pub/sub channels, request/reply with timeouts. All kernel-native. All capability-gated. Zero external services.
Erlang-style crash resilience. RestartOne, RestartAll, Escalate policies. Agents form hierarchies. Parents control children's fate.
PCI bus discovery, virtio-net with split virtqueues, virtio-blk with DMA ring buffers. Real kernel, real I/O, real packets.
Memory safety at every layer. unsafe only at hardware boundaries. No garbage collector. No runtime. 5,384 lines.
AgentConfig with system_prompt, model binding, tools, capabilities, restart policy. Agents are kernel primitives, not userspace processes.
Every line below is real output from QEMU. Hit play.
Click any layer to explore. From agents down to bare metal.
Open source. Real kernel. Built for what comes next.