Module Map: the OS as a stack of modules
PRODUCTION
The OS is the company's brain, not another ERP. It reads the tools the company already runs — email, ERP, CRM, warehouse, even the server's own folders — almost entirely read-only. The product is the output: insight no single tool can see. Architecturally it's a modular system — a small kernel, a set of drivers that read the world, and userland that runs on top. Every module below is live in this origin.
BEAT 1
Read
Drivers pull from the tools the company already runs.
BEAT 2
Connect
Every source lands in one shared memory — the point of truth.
BEAT 3
Notice
It correlates across sources — sees what no one tool can.
BEAT 4
Advise
It raises an advisory — an email to the responsible human.
BEAT 5 · ASKS FIRST
Act
Acts only after a human approves. It asks before it acts.
● Live — running now
◐ Dry-run / partial — wired, gated
○ Planned — on the roadmap (RFC)
KERNEL: the irreducible core — six subsystems
Memory ● LIVE
The single point of truth — facts as (type, name, data).
Identity & Rings ● LIVE
Ring 0–3 privilege levels. Who may do what.
Syscalls ● LIVE
The complete verb set — six and only six.
Journal ● LIVE
Append-only black box — even refusals land here.
Scheduler ○ PLANNED
Request / event / clock triggers + spend limits.
Sandbox ◐ PARTIAL
Staging ring — every build lands here first.
DRIVERS: read the world — one standard contract
files ● LIVE
Reads the host server's own folders. Read-only.
email ◐ DRY-RUN
Sends advisories out. In dry-run it composes and logs, but does not send yet.
erp · crm ○ PLANNED
The official numbers; who you sell to.
calendar · bank ○ PLANNED
Where attention goes; the money truth.
USERLAND: runs on the OS — agents are programs, not the OS
Shell ● LIVE
The interface humans talk to. Powerless — only issues syscalls.
Agents ● LIVE
Ring-3 employees with written mandates.
Advisories ● LIVE
Ask-before-act. Seen in the live demo.
Reasoning (the CPU) ○ PLANNED
Model reads memory → drafts insight. Userland, swappable. RFC-010.
Builders (MCP) ○ PLANNED
Coding agents extend the OS. RFC-007.
KERNEL · INTERACTIVE

Live Syscall Console

Issue any of the six syscalls with a raw JSON payload and watch the kernel respond. The Shell has no power of its own — it only asks the kernel, which checks your ring before touching memory. Pick a ring (top right); less-privileged rings (higher numbers) see calls the kernel refuses.
EVERY CALL FLOWS THROUGH THIS PATH — IT LIGHTS UP PER SYSCALL, AND FLASHES RED AT THE KERNEL ON A REFUSAL
You
A human or an agent, carrying a ring
Shell
This console. Powerless — only issues syscalls
Kernel
Ring check, then dispatch — or refuse here
Memory
The single point of truth
Journal
Append-only — even refusals land here
Facts in memory: rows in the single point of truth
Distinct types: schema the memory has learned
Journal entries: every syscall ever made
Refused by the kernel: calls the ring checks stopped

Compose a syscall

Choose the verb, edit the JSON payload, send it as the selected ring. The exact HTTP request is shown before the kernel's raw response.

Kernel response

Success returns { "result": … }. A refusal returns { "error": …, "denied": true }. A bad payload returns { "error": … }. All three are journaled.
POST /api/syscall — send a call to see the request line
KERNEL · IDENTITY & RINGS

Ring Permission Matrix

Exactly what the kernel enforces in kernel/rings.js and syscalls.js. The rule is "highest (least-privileged) ring allowed". A higher ring number is less privileged: Ring 0 can do everything; Ring 3 is the most constrained.

The four rings

These colours are the canonical legend — rendered identically on every page and in every badge.
Ring 0 — Owner
Can change anything, including the OS itself.
#2DD4BF · user owner
Ring 1 — Dept Head
Full authority inside their department.
#5EEAD4 · user head
Ring 2 — Staff
Scoped read & write.
#94A3B8 · user staff
Ring 3 — Agent
Delegated human authority only — never its own.
#F5B84C · user agent
| Syscall | Ring 0 (Owner) | Ring 1 (Dept Head) | Ring 2 (Staff) | Ring 3 (Agent) |
|---|---|---|---|---|
| query (read memory) | ALLOW | ALLOW | ALLOW | ALLOW |
| record (write a fact) | ALLOW | ALLOW | ALLOW | ALLOW |
| record (protected type: agent · advisory · decision · app) | ALLOW | ALLOW | DENY | DENY |
| report (live snapshot) | ALLOW | ALLOW | ALLOW | ALLOW |
| act (external side effect) | ALLOW | ALLOW | ALLOW | DENY |
| build (change the OS) | ALLOW | ALLOW | DENY | DENY |
| connect (mount a driver) | ALLOW | ALLOW | DENY | DENY |
Two gates run on every call. First the verb gate (rings.js): query / record / report are open to any ring; act needs ring ≤ 2; build and connect need ring ≤ 1. Then, for record only, a type gate (syscalls.js): writing a protected type — agent, advisory, decision, app — also needs ring ≤ 1, because those facts govern the OS itself. Open the Syscall Console, switch to Ring 2/3, and fire the "record → protected type" quick-fill to watch the second gate refuse.
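The two gates and the three response shapes described above, as an added example (not the project's rings.js or syscalls.js). The names createKernel, VERB_MAX_RING and PROTECTED_TYPES, the in-memory store and the 'error' journal outcome are assumptions made for illustration.

```javascript
// Added example; names and structure are assumptions, not the project's rings.js / syscalls.js.
// Highest (least-privileged) ring allowed per verb, taken from the matrix above.
const VERB_MAX_RING = new Map([
  ['query', 3], ['record', 3], ['report', 3], ['act', 2], ['build', 1], ['connect', 1],
]);
const PROTECTED_TYPES = new Set(['agent', 'advisory', 'decision', 'app']);
const key = (type, name) => JSON.stringify([type, name]);

function createKernel() {
  const memory = new Map(); // key(type, name) -> { type, name, data, updated_at }
  const journal = [];       // append-only: entries are frozen and only ever pushed

  function syscall(who, ring, verb, payload) {
    // Journal, then answer, so refusals and bad payloads leave a trace too.
    // The 'error' outcome label is an assumption; the page names 'ok' and 'denied'.
    const end = (outcome, response) => {
      const snapshot = JSON.stringify(payload); // payloads arrive as JSON; keep a copy, not a reference
      journal.push(Object.freeze({ when: new Date().toISOString(), who, ring, verb, payload: snapshot, outcome }));
      return response;
    };
    const isObj = payload !== null && typeof payload === 'object' && !Array.isArray(payload);
    if (!VERB_MAX_RING.has(verb) || !isObj) return end('error', { error: 'bad verb or payload' });

    // Gate 1, the verb gate. A ring that is not an integer 0..3 fails closed.
    const ringOk = Number.isInteger(ring) && ring >= 0 && ring <= 3;
    if (!ringOk || ring > VERB_MAX_RING.get(verb)) {
      return end('denied', { error: `ring ${ring} may not ${verb}`, denied: true });
    }
    if (verb === 'record') {
      const { type, name, data } = payload;
      if (typeof type !== 'string' || typeof name !== 'string') {
        return end('error', { error: 'record needs {type,name,data}' });
      }
      // Gate 2, the type gate: protected types need ring <= 1.
      if (PROTECTED_TYPES.has(type) && ring > 1) {
        return end('denied', { error: `type ${type} is protected`, denied: true });
      }
      const fact = { type, name, data, updated_at: Date.now() };
      memory.set(key(type, name), fact); // upsert by (type, name)
      return end('ok', { result: fact });
    }
    if (verb === 'query' && typeof payload.type === 'string' && typeof payload.name === 'string') {
      return end('ok', { result: memory.get(key(payload.type, payload.name)) ?? null });
    }
    return end('ok', { result: { accepted: verb } }); // dispatch for the other verbs is out of scope
  }
  return { syscall, journal: () => journal.slice() };
}
```

Both refusals are decided before memory is touched, and the verb lookup uses a Map so a verb such as "toString" cannot match an inherited object property.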
KERNEL · INTERFACE

The Six Syscalls

The complete verb set — six and only six. Everything the OS can ever do is one of these. Three read or write memory and are open to all; three are gated to more-privileged (lower-numbered) rings.
query
Reads memory. With {type,name} it returns one fact; with {type} the whole type; with {} a count of every type. Reads change nothing — but are still journaled.
READ · any ring
Scoping deepens with the schema (RFC-001): a ring only sees what it is entitled to.
record
The only way state changes. Upserts a fact by (type,name). Payload {type,name,data}. Re-recording the same key updates it and bumps updated_at.
WRITE · any ring*
*Protected types — agent · advisory · decision · app — require ring ≤ 1. They define the OS, not the business.
report
Composes a live snapshot from memory the instant it's called — counts by type plus recent activity. Never a stored copy, so it can't go stale.
READ · any ring
Payload is {}. A report is an artifact, computed; nothing is written back.
act
Touches the outside world through a driver — send, pay, post. Payload {driver,action}. The most guarded verb, because it has real-world effect.
EFFECT · ring ≤ 2
Ring 3 agents can never act directly — they advise, a human approves, then a ring ≤ 2 identity acts. The email driver is mounted in dry-run.
build
Changes the OS itself — a new feature or module. Payload {feature}. Never lands directly: it enters the builder pipeline: sandbox → GitHub → approval → production.
SELF · ring ≤ 1
Builder interface (the MCP server) is RFC-007 — pending. Returns a pending status today.
connect
Mounts a new driver — the 60-second path to a new source. Payload {driver}. Drivers are the only way external state enters memory.
MOUNT · ring ≤ 1
The connector standard lives in drivers/ (see the Drivers module). files and email are mounted.
KERNEL · AUDIT

Live Journal

The append-only black box. Who called what, on which ring, and how it ended — ok or denied. Memory can be rebuilt by replaying it; auditors read it; the before/after proof number is computed from it.
auto-refreshing every 4s · latest 50 entries
Columns: When · Who · Ring · Syscall · Payload · Outcome
MODULES · DRIVERS

The Driver Interface

A driver is how the OS reads a tool the company already runs. Every driver implements the same four methods. New sources plug in against this one contract — that's the "connect in 60 seconds" promise.
auth()
Establish a session with the source and declare the authority it acts under. The driver never exceeds the ring it was delegated.
read(scope)
Pull external state in and map it to the company schema — {type,name,data}. The OS is mostly read: this is the method that runs most.
write(fact) optional
Push a change back out to the source. Optional per driver — many sources are read-only by design and simply throw.
health(scope)
Is the source reachable, and what does it look like? Returns {ok, …} so the OS can show a source as live or down.

Live example — the files driver READ-ONLY

The server the OS is installed on is itself a source. The files driver walks the host's folders, reads each document, and maps it to a document fact — {folder, ext, modified, size, preview}. It doesn't write to memory directly: it hands each document to a journaled record syscall, acting with delegated Ring 1 authority. So the company's own filesystem enters memory through exactly the same mediated, audited path as everything else. Its write() throws on purpose — the OS reads the company's files, it does not rearrange them.
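A read-only driver written against the four-method contract above, as an added example (not the project's files driver). createFilesDriver, inScope, toDocumentFact, the in-memory listing that stands in for the host's folders, and the injected syscall(who, ring, verb, payload) function are assumptions made for illustration.

```javascript
// Added example; createFilesDriver, the listing shape and the injected syscall are assumptions.
// Constructed sample listing standing in for the host's folders, so the block runs offline.
const SAMPLE_LISTING = [
  { path: '/srv/share/finance/q3.pdf', modified: '2024-01-05', size: 48211, content: 'Q3 revenue summary' },
  { path: '/srv/share/notes', modified: '2024-01-06', size: 12, content: 'call vendor' },
  { path: '/srv/share-private/keys.txt', modified: '2024-01-07', size: 9, content: 'not yours' },
  { path: '/srv/share/../etc/passwd', modified: '2024-01-08', size: 5, content: 'root:' },
];

// Match on a path-segment boundary and refuse '..' so a scope cannot be escaped.
function inScope(path, scope) {
  if (path.split('/').includes('..')) return false;
  return path.startsWith(scope.endsWith('/') ? scope : scope + '/');
}

function toDocumentFact(file) {
  const slash = file.path.lastIndexOf('/');
  const base = file.path.slice(slash + 1);
  const dot = base.lastIndexOf('.');
  return {
    type: 'document',
    name: file.path,
    data: {
      folder: file.path.slice(0, slash),
      ext: dot > 0 ? base.slice(dot + 1) : '',
      modified: file.modified,
      size: file.size,
      preview: file.content.slice(0, 40),
    },
  };
}

function createFilesDriver(listing, syscall) {
  let session = null;
  return {
    // Declare the delegated authority once; read() never uses anything else.
    auth() { session = Object.freeze({ who: 'driver:files', ring: 1 }); return session; },
    read(scope) {
      if (!session) throw new Error('auth() must run before read()');
      // No direct memory access: every document goes through a record syscall.
      return listing.filter((f) => inScope(f.path, scope))
        .map((f) => syscall(session.who, session.ring, 'record', toDocumentFact(f)));
    },
    write() { throw new Error('files driver is read-only'); },
    health(scope) {
      const documents = listing.filter((f) => inScope(f.path, scope)).length;
      return { ok: documents > 0, scope, documents };
    },
  };
}
```

The scope check matters as much as the throwing write(): a plain prefix match on "/srv/share" would also ingest "/srv/share-private".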

MODULES · USERLAND

Agents as Ring-3 Actors

Agents are AI employees with written mandates. Each carries Ring 3 — delegated human authority, never its own. may[] lists what it's allowed to do; must_escalate is its hard limit. Read live from memory's agent facts.
An agent is just a fact of type agent — and a protected one, so only Ring 0/1 can write or change a mandate. At runtime the agent acts as the Ring 3 agent identity: it can query, record non-protected facts, and report — but the kernel refuses it act, build, and connect. When it reaches its must_escalate limit it raises an advisory — an email to the responsible human — and waits. It asks before it acts.