Technical Deep Dive

AII OS is a local-first operating system that gives AI models persistent state through a cryptographically verified ledger. This page covers the architecture in detail, for engineers who want to understand how it works under the hood.

01The identity is not the model.

The core insight of AII OS is a strict separation between identity (durable state, beliefs, memory, relationships) and substrate (the LLM that produces outputs). In conventional AI systems, these are coupled: the model's weights are the entirety of what the system "knows," and when the session ends, everything is lost.

AII OS breaks this coupling. The LLM becomes a replaceable inference engine. The identity lives in an append-only ledger that persists across sessions, model upgrades, provider changes, and hardware migrations.

Design principle

Swap models the way you'd swap hard drives. The identity persists because it lives in the ledger, not in the weights.

Agent framework

Session-scoped orchestration. Prompt chains, tool-calling, memory buffers. When the session ends, state is gone.

The model is the agent.

AII OS

Persistent identity infrastructure beneath the agent. The ledger records beliefs, commitments, relationships, reflections. These survive across all sessions.

The model is the CPU. The identity is the operating system.

02The ledger

At the core of AII OS is an append-only, human-readable JSON file. Every meaningful thing that happens to an identity is a line in this file.

Format

Each line is a JSON object with a SHA-256 hash, a pointer to the previous line's hash, and a payload:

{
  "hash": "sha256:7f3a2b9c...",
  "prev_hash": "sha256:3a7b8c9d...",
  "entry": {
    "seq": 42,
    "type": "belief.upsert",
    "layer": "identity",
    "ring": 3,
    "payload": {
      "claim": "The operator prefers direct communication.",
      "confidence": 0.87
    }
  }
}

Chain integrity

Each entry's hash is computed over the canonical JSON of the entry (AIII-CANONICAL-JSON-V1). Each prev_hash links to the prior entry, forming a chain. Tampering with any line breaks the chain. On boot, the daemon reads the entire ledger head-to-tail and verifies every hash before accepting the projection state.

What goes in the ledger

The ledger is not a general event bus or audit log. It records only two categories:

Plugin lifecycle, provider telemetry, conversation transcripts, agency bookkeeping, and runtime metrics are explicitly forbidden from the ledger. They live in projection tables or audit stores.

Projection

The ledger is the source of truth. The projection database (PostgreSQL or SQLite) is a materialized cache rebuilt from the ledger on boot. If the projection is corrupted or deleted, it rebuilds from the ledger. If the ledger is corrupted, the hash chain breaks and the system enters safe mode for repair and reboot.

03Ring authority model

Every identity-bearing event lives at a specific ring level. Rings are concentric: lower rings are more foundational and harder to change. Higher rings are more operational.

RingNameWhat lives hereWho authorizes
0CharacterConstitutional axiomsAIII platform key + genesis bundle
1CharterOperator governance, security policy, operational commitmentsOperator PQ attestation
2Operating doctrineProvenance-gated beliefs, relationship definitionsAgent-authored with supporting evidence
3Runtime contextProvisional thinking, experiences, reflections, learning, intentionsAgent self-authored (default)
4Working memoryCurrent task state, active working contextAgent-authored
5Security postureThreat recognition, defensive rules, operational awarenessSigned bundle from platform key

Ring gate

Every ledger write passes through a ring gate. The gate verifies that the session's authorization level permits writes to the target ring. Ring 0 and Ring 1 writes require platform or operator attestation respectively. Ring 2 requires provenance evidence (supporting edges). Rings 3 through 5 are agent-accessible.

For Ring 2 specifically, there's a second gate: a provenance check that counts supporting evidence edges. A Ring 2 belief must have sufficient provenance backing (referenced experiences, prior beliefs, or evidence edges). If it doesn't, it's rewritten to Ring 3.

04Cognitive architecture

The identity has a cognitive life that runs between conversations, not just during them. A rhythm processor drives several autonomous processes:

Handlers

Execution model

Each handler is dispatched with a cryptographic nonce. The LLM must echo the nonce in its structured output. The executor validates the nonce before processing any proposed events. This prevents replay attacks at the LLM execution boundary.

Handler output passes through a metacognition admission boundary before reaching the ledger. The admission check evaluates coherence, confidence, and duplicate detection. Events that fail admission are rejected with no ledger side effect.

05Plugin system

AII OS is extensible through WASM plugins. Each plugin declares an interface (e.g., web@1, network@1, agent@1) and operations within that interface.

Trust tiers

Every installed plugin resolves to a trust tier based on its cryptographic evidence:

TierLabelRequirements
T0UnsignedNo trust evidence. Operator policy determines if installable.
T1Author-signedPublisher-signed exact release + AIII publisher certificate.
T2ReviewedValid T1 + AIII reviewer signs exact-release review attestation.
T3PlatformPlatform-reserved release signature (internal plugins).

A broken or invalid trust object rejects the artifact. Artifacts are never silently downgraded to T0 or stripped to a lower tier. Invalid evidence means rejection, not fallback.

Sandboxing

Plugins run in sandboxed WASM runtimes with platform-appropriate isolation. Each plugin invocation gets capability-scoped permissions with per-invocation protection.

06Cryptographic design

Signature hierarchy

KeyPurposeAlgorithm
AIII platform keyRING0 bundle signing, genesis authorizationML-DSA-87 (post-quantum)
Operator keyRing 1 attestation, governanceML-DSA-87
Identity keyAll other ledger entries (beliefs, commitments, etc.)ML-DSA-87
Post-quantum by default

All ledger signatures use ML-DSA-87 (NIST FIPS 204, lattice-based). Ed25519 and other non-PQ signature schemes are forbidden for identity ledger lines. This is a forward-looking design choice: ledger entries should remain verifiable for decades.

07Witness server

The ledger is local. But a local file can be deleted, truncated, or rolled back by anyone with access to the machine. The witness server solves this.

The identity submits periodic bookmarks of its current ledger state to a witness server. The witness records the bookmark and returns a signed receipt. The receipt is stored in the ledger as evidence.

On the next submission, the witness checks that the identity's ledger has moved forward from the last bookmark. If the ledger has been rolled back, truncated, or forked, the witness rejects it.

What the witness stores

Only the latest bookmark for each identity: a sequence number, a ledger hash, and a timestamp. No ledger contents. No beliefs, memories, or personal data. No conversation history.

The witness never receives the ledger itself. It sees only cryptographic hashes, enough to detect tampering but not enough to read anything. Privacy is preserved by construction.

08Boot sequence

  1. Verify: Read the entire ledger. Check every hash. Check every signature.
  2. Restore: Load the latest checkpoint and database state.
  3. Replay: Apply any new events since the checkpoint.
  4. Ready: Agent loop starts.

If verification fails at any point, the system enters safe mode or halts. There is no skip path.

09What makes this different

What harnesses do

Wrap an LLM with tool-calling and prompt orchestration.

Session-scoped memory (context window, RAG, buffers).

Agent identity = system prompt + config.

State lives in the application layer.

Switching models = rebuilding the agent.

What AII OS adds

Persistent identity infrastructure beneath the model.

Cryptographic ledger that survives all sessions.

Agent identity = signed, verifiable, accumulated state.

State lives in the ledger, owned by the operator.

New models upgrade the CPU, the AI identity continues unchanged.

Abstract: a copper thread forming concentric loops

Want to go deeper?

The Plugin SDK, example plugins, and full design documentation are available on GitHub.

GitHub: aiii-dot-id ↗

← Back to aiii.id