What Is ElastOS Runtime?

What Is It?

Think of your computer today. When you install an app, that app can basically see everything -- your files, your photos, even your passwords if they're stored somewhere. You just trust it not to be evil. That's how PC2 v1 works too.

ElastOS Runtime is a new kind of operating system layer. Instead of trusting apps, it treats every app like an untrusted stranger. Every app runs in its own locked room (called a capsule), and it can't do anything unless it has a signed permission slip (called a capability token).

Imagine a building with a security desk:

  • The Runtime = the security desk. It checks IDs, issues visitor badges, and logs who goes where. It is very small (~5,000 lines of Rust code) and never changes unless absolutely necessary.
  • Capsules = the rooms. Each app runs in its own sealed room. A photo editor is one capsule. A file storage system is another. A chat app is another. They can't see into each other's rooms.
  • Capability tokens = visitor badges. When the photo editor needs to read a photo, it asks the security desk for a badge that says "can read photos/vacation.jpg for 1 hour." The security desk issues the badge, the photo editor shows it to the file storage room, and gets the photo. The badge expires in 1 hour, and the whole thing is logged.
  • The Shell = the receptionist. Today it is a Puter desktop that auto-approves everything. In the future, it will be an AI agent that intelligently decides: "Should this app get access to this file?" or even "Based on your preferences, I'll allow this but log it."

Why Is It Being Built?

Three reasons:

AI agents need boundaries. If you let an AI assistant access your files, you don't want it reading your medical records when you only asked it to edit a document. The runtime gives each AI agent a very specific, time-limited permission: "you can read this one file for 30 minutes."

Apps should prove they're safe. Every piece of code that runs has to be cryptographically signed. If someone tampers with an app, the signature breaks and the runtime refuses to load it. Like tamper-evident packaging for software.

Everything should be recorded. Every action -- every file read, every network request -- gets logged in an append-only audit trail. You can always go back and see exactly what happened.
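The badge flow and the audit trail described above, sketched as an added example; this is not ElastOS code. The page does not specify the token format or signature scheme, so the field names, the `Runtime` class, the demo key and the sample paths are all assumptions, and HMAC-SHA256 stands in for a real signature (since it is symmetric, the runtime does the verification on the provider's behalf here).

```python
import hashlib, hmac, json, time

RUNTIME_KEY = b"constructed-demo-key"  # constructed; stands in for the runtime's signing key

def _mac(claims):
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    return hmac.new(RUNTIME_KEY, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _link(prev, event):
    # Each audit entry commits to the previous entry's hash.
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Runtime:
    """The 'security desk': issues badges, checks them, logs both (hypothetical API)."""
    def __init__(self):
        self.audit = []

    def _log(self, event):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        self.audit.append({"event": event, "prev": prev, "hash": _link(prev, event)})

    def issue(self, capsule, action, resource, ttl_s, now=None):
        now = time.time() if now is None else now
        claims = {"capsule": capsule, "action": action,
                  "resource": resource, "expires": now + ttl_s}
        self._log({"type": "issue", **claims})
        return {"claims": claims, "sig": _mac(claims)}

    def check(self, token, capsule, action, resource, now=None):
        """Run before a provider capsule serves a request; every verdict is logged."""
        now = time.time() if now is None else now
        c = token["claims"]
        if not hmac.compare_digest(_mac(c), token["sig"]):
            verdict = "bad-signature"   # claims were altered after issue
        elif now >= c["expires"]:
            verdict = "expired"
        elif (c["capsule"], c["action"], c["resource"]) != (capsule, action, resource):
            verdict = "out-of-scope"    # valid badge, wrong door
        else:
            verdict = "allow"
        self._log({"type": "check", "want": [capsule, action, resource], "verdict": verdict})
        return verdict

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or e["hash"] != _link(prev, e["event"]):
                return False            # an entry was edited, removed or reordered
            prev = e["hash"]
        return True
```

Denied requests are logged as well as allowed ones, so the trail shows attempted access, and editing any past entry breaks every hash after it.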

Relationship to PC2

PC2 v1 (what is running now) is like a house with no locks on the interior doors. It works, it's convenient, and people use it. Runtime v2 adds locks, security cameras, and a front desk -- but keeps the same house.

At v2.0, the current Puter desktop becomes the shell capsule, dDRM becomes a provider capsule, and dApps become sandboxed app capsules. The user experience stays the same; the security model changes underneath. See the Roadmap for the full convergence timeline and current status.