Most operating systems and application frameworks treat startup as an opaque event. A user clicks an icon; some time passes; a window appears. The interval between intent and interface is a black box — filled with dynamic linking, configuration parsing, service discovery, and dependency resolution, none of which is visible to the user or instrumentable by external tooling.
The problem compounds in distributed architectures. A microservice mesh may have dozens of health checks, but no single command that answers: is the whole system alive, and how long did that take to determine?
We propose a boot protocol — s_wake — that makes every phase explicit, measurable, and fail-visible. The protocol has four phases:
Each phase has a clear success/failure signal. No phase is hidden behind a package manager or build system. The binaries are pre-compiled; the heartbeats are nanosecond operations wrapping millisecond I/O.
The core insight is that health verification should be cheaper than the thing being verified. A cargo invocation (even with cached builds) costs 300–800ms of overhead per call. A direct binary execution costs 3–10ms. For 14 nodes, that is the difference between 10 seconds and 600 milliseconds.
| Method | Per-Node | 14 Nodes | Overhead |
|---|---|---|---|
| cargo run (cached) | ~700ms | ~10s | Build system, dependency graph |
| Direct binary | ~9ms | ~625ms | Process spawn only |
| Ratio | ~78× faster | ||
Each hub binary accepts --heartbeat, which boots its stage registry, runs a zero-input pulse through every declared path, and reports alive/dead counts. The pipeline DAG is the test harness: if a stage can instantiate and accept a null pulse, it is alive.
If individual heartbeats are independent (no shared state, no lock contention), then total sweep time should scale linearly with node count. Deviations from linearity reveal scheduling artifacts, cache pressure, or hidden coupling.
The fourteen hubs span five workspace roots (core, rings, storage, devtools, ui), each with its own Cargo workspace. The heartbeat binary lives inside each workspace's target directory — built once, executed many times.
Once heartbeats confirm liveness, the system activates the PulseMesh — a shared-memory transport layer for typed envelopes. Each hub enters its tick loop, reading and writing PulseEnvelope structs through memory-mapped ring buffers.
The mesh operates on a broadcast/listen model. Hubs declare their listen filters — type-name prefixes like chamber/* or canon/* — and the hub's tick loop delivers matching envelopes without serialization. The memory is shared; the types are zero-copy.
This is not TCP. There are no sockets, no serialization, no buffering. The ring buffer is a mmap'd region with atomic read/write cursors. Latency is bounded by cache-line transfer time, not kernel syscall overhead.
For same-machine communication between trusted processes, shared-memory ring buffers eliminate serialization, syscall, and copy overhead. Throughput is bounded by memory bandwidth, not protocol overhead.
The traditional path from storage to screen is: filesystem → web server → HTTP → browser → DOM. Each layer adds latency, attack surface, and opacity.
The sovereign path is: Shadow (redb) → Library → sov:// protocol → wry WebView → native window.
Documents are stored in library.redb — an embedded key-value store backed by redb. Each document carries:
There is no filesystem path. The document's identity is its sov:id, and its body is retrieved by key, not by path traversal.
The native window registers a custom protocol handler — sov://localhost/* — that intercepts all navigation requests. Instead of hitting a web server, the handler:
No HTTP. No TCP. No port binding. The WebView renders the document as if it came from a server, but the data never leaves the process.
The final layer inverts the typical relationship between an AI agent and the system it operates on. Instead of the agent reading files and running commands — treating the system as a bag of text — the agent connects through a typed control plane.
The MCP bridge exposes three mirror-specific tools:
| Tool | Purpose | Latency Target |
|---|---|---|
| sov_mirror_action | Send any MirrorAction, receive MirrorMessage | <10ms |
| sov_mirror_status | Quick health: uptime, stages, lex entries | <5ms |
| sov_mirror_screenshot | Capture the current window to PNG | <500ms |
The protocol is newline-delimited JSON over a Unix domain socket. One MirrorAction per line in, one MirrorMessage per line out. The socket listener runs on a dedicated thread; the action processing shares the same SharedState and MirrorBackend as the webview IPC handler.
When an AI agent has typed access to the same action surface as the UI (topology, health, graph query, signal emission), it becomes an operator — not merely a code editor. The agent can observe system state, diagnose faults, and trigger remediation through the same control plane the human uses.
The claims above are architectural, not empirical. To validate them, we propose five benchmark suites:
Measure end-to-end time from app icon click to first UI paint, broken down by phase (heartbeat, mesh start, mirror launch). Compare against Electron app cold start (VS Code, Slack) and native app start (Finder, Terminal).
| Target | Warm | Cold |
|---|---|---|
| SovOS | <3s | <10s |
| VS Code (Electron) | ~4s | ~12s |
| Finder (native) | <1s | ~2s |
Methodology: instrument sovos-boot with per-phase timestamps. Use hyperfine for repeated trials. Measure Electron baselines with time open -a "Visual Studio Code".
Plot heartbeat sweep time against node count: 2, 4, 8, 14, 28, 56. Establish whether growth is linear or shows cache/scheduling artifacts. Compare direct binary execution against cargo run at each scale.
Hypothesis: linear up to ~28 nodes (fits in OS process cache), then sub-linear due to process spawn batching by the kernel.
Store 100 HTML documents in Library/Shadow. Mutate 10 on disk. Verify that: (a) Shadow detects staleness via content hash, (b) Kronos audit trail captures all mutations, (c) Merkle root changes are detectable. Measure false-positive and false-negative rates.
This tests the integrity guarantee of the Shadow store — not just that it stores documents, but that it detects tampering.
Measure round-trip time for MirrorAction through the UDS bridge: agent → sov-mcp → UDS → mirror-native → response. Compare against direct wry IPC latency (in-process callback). Establish the overhead of the bridge layer.
| Path | Target |
|---|---|
| wry IPC (in-process) | <1ms |
| UDS bridge (same machine) | <10ms |
| MCP full round-trip (stdio + UDS) | <50ms |
Saturate PulseMesh with typed envelopes from N producers to 1 consumer (mirror). Measure messages/sec and latency percentiles (p50, p99). Compare against TCP loopback and WebSocket equivalent payloads.
This validates Proposition 3.1. If shared-memory throughput is not significantly higher than TCP loopback, the architectural complexity is not justified.
The table below maps each architectural claim to its implementation in the sovOS codebase.
| Paper Concept | Sov Node / Module | Key File |
|---|---|---|
| Boot protocol | s_wake | s_wake |
| Direct-binary heartbeat | All 14 hubs | {ws}/target/{profile}/{hub} |
| PulseMesh transport | a_pulse, mesh-core, mesh-shm | core/a_sovOS/a_mesh/ |
| Shadow document store | a_library, knowledge-shadow | storage/a_knowledge/nodes/a_library/ |
| Kronos audit events | a_kronos | core/a_kronos/crates/kronos-core/ |
| sov:// custom protocol | mirror-native | ui/a_mirror/crates/mirror-native/src/main.rs |
| MCP control plane | sov-mcp | core/a_mcp/src/tools.rs |
| UDS IPC bridge | mirror-native | ui/a_mirror/crates/mirror-native/src/ipc_socket.rs |
| MCP mirror bridge | sov-mcp | core/a_mcp/src/mirror_bridge.rs |
| Native WebView (no Electron) | wry + tao | mirror-native Cargo.toml |
| App bundle + icon | SovOS.app | app/SovOS.app/ |
| Lexicon integrity | a_lexicon | core/a_sovOS/a_lexicon/ |
| Semantic embeddings | a_canon | storage/a_knowledge/nodes/a_canon/ |
| Graph manifold | a_ritas_chamber | storage/a_knowledge/nodes/a_ritas_chamber/ |
Every row in this table is a running system component, not a proposal. The boot protocol has been timed. The heartbeats have been counted. The documents are in Shadow. The socket is open. What remains is the empirical validation proposed in §6 — and the continued development of the system itself.