fak

command module
v0.30.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 21, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

README

fak — the agent kernel

Treat the model like an untrusted program, and the tool call like a syscall. That one move is the whole idea. Everything an agent does to the outside world — call a tool, admit a result into its memory, reuse a cached answer — becomes a syscall that passes through a kernel the model doesn't control. From the security seat that kernel is a permission gate the agent can't talk its way past. From the performance seat it's a way to do the shared work once instead of every turn. The surprise of this project is that those turn out to be the same gate — and that owning that boundary lets you do things no production agent stack does today.

fak is not a faster model server. SOTA engines (vLLM, SGLang, llama.cpp) already win raw throughput and prefix-cache reuse, and fak doesn't try to beat them at it. It owns the questions they don't: which effects are allowed, which results may enter memory, when reuse is still legal, and what survives a session boundary.

▶ the headline benchmarks as a ~40-second reveal — full-resolution MP4 · stills below


fak by the benchmarks — receipts in a lab-release grammar

Four headline visuals, in the visual grammar a frontier lab ships a model card in. Each is generated from one source-of-truth data file, every figure traced to its commit — and honest by construction (a [NAIVE] number is fenced, competitor cells never carry a fabricated figure, and the single-stream throughput fak doesn't target is shown, not hidden). → The full benchmark gallery · every number, traced to its commit + artifact

1 · The headline — fak spans the whole boundary; the serving stacks span one band. Its cache is addressable (it reaches into the middle of a kept run); theirs is front-prefix only. fak carries a value in every row — an em-dash is a capability the stack doesn't ship, not a measured zero.

2 · The mechanism — re-prefill cost is linear; fak's resident, addressable KV is not. Three lenses: a structural per-cold-miss tax, a measured 9.7× WebVoyager elimination, and the conservative 4.1× vs a tuned warm-cache SOTA stack.

3 · The receipts — three pillars + an honest single-stream fence, on one card. Serving efficiency, correctness (the reuse is bit-exact), and a security kernel — with the [SOTA-style] 4.1× and the greyed [NAIVE] 139.3× marked so neither can be misread.

4 · The sweep — eight axes, fak (green) vs one honest reference each. The final panel is the fence fak does not target, inverted to the SOTA leader.


Two flips that are bigger than they sound

1. The permission policy runs inside the kernel. Most agent safety bolts a recognizer onto the outside of the loop — a pre-tool hook, a sidecar, a second model asked "is this safe?". Two weaknesses: the model can argue its way past a recognizer (prompt injection is exactly that), and when the outside thing crashes or times out the call usually runs anyway — fail-open, precisely when you're under attack. fak puts the check on the same call path as the tool call — one address space, no IPC, default-deny — so the gate isn't something the agent talks to, it's something its call passes through, like read() through the OS kernel. Refusing an irreversible action doesn't depend on catching the attack; it depends on the lever never having been wired up. For thirty years "more security" meant more checks to recognize bad things — a game attackers win. The flip is to stop recognizing and start not building the lever. → Policy in the kernel

2. The cache becomes addressable — past what any shipped engine offers. As a model reads, it builds a scratchpad of the work-so-far (the KV cache) so it doesn't re-read from scratch each turn. Every way production reuses that scratchpad today — vLLM, SGLang, the OpenAI / Anthropic prompt caches — only reuses it from the front: keep the run from the very first word, and the moment anything changes in the middle, everything after that point is thrown away and recomputed. That's most of the speed, and it's commoditized. What no shipped engine offers is the other direction: reach into the middle of a kept run, cut one span — a poisoned tool result, an expired secret — and leave the scratchpad bit-for-bit identical to a run that never saw it (checked against the reference at max|Δ| = 0, i.e. not one number differs). fak can, because it owns that scratchpad as a kernel object instead of renting it from a serving engine. That turns the cache from a speed structure into one policy can address: evict a span because a verdict said so, not because memory got tight — and prove it's gone. → Addressable KV cache


The tension these resolve

For most of computing history, every optimization came with a tax: a faster cache opened a coherence hole, a clever reuse trick added arcane state nobody else understood — speed and safety pulled opposite ways. fak's bet is that for agents they converge, because the safety boundary and the reuse boundary are the same boundary. One write-time gate decides whether a tool result may enter context (a security act) and pages its heavy bytes out to a content-addressed store (an optimization act). One read of the code calls it injection containment; the other calls it working-set pagingsame code. The correctness metadata is the performance metadata.

That's a claim about fak's object model shown by example, not a proven law — and it has an edge: the convergence doesn't hold on raw GPU throughput (fak pays for its bit-exact guarantee in memory), and it's a reuse win only for read-heavy fleets.


See it in 2 minutes (no key, no model, no GPU)

Just Go 1.26+. Or run it in a hosted notebook — free T4 GPU, nothing to install: Open In Colab (see notebooks/).

go run ./cmd/fak preflight --policy examples/customer-support-readonly-policy.json --tool refund_payment --args "{}"
go run ./cmd/fak preflight --policy examples/customer-support-readonly-policy.json --tool search_kb --args "{}"
go run ./cmd/fak agent --offline

refund_payment returns DENY (POLICY_BLOCK) — refused with a named reason. search_kb returns ALLOW. Then agent --offline runs the same task twice — tools wired directly vs. behind fak — and prints the before/after:

metric                       without fak   with fak
model turns                            9          7
injection in context                 YES         no
destructive op executed              YES         no
task completed (booked)              YES        YES

Both finish the task, but with fak the booby-trapped instruction never reaches the model and the dangerous action never runs. Full walkthrough: docs/repro-packet.md.


Why this matters now

An agent system's cost isn't one number — it's roughly agents × turns × working-set × reread-rate × legality checks, and the naive stack lets all five multiply. The waste isn't that the model is dumb; it's that the system keeps making it reread the same setup (five agents over fifty turns is 250 chances to reprocess the same shared prompt). You feel it as a cliff: a long conversation gets slower per turn because each turn reprocesses a longer history, and a single turn at long context is risky enough that whole workflows are built around not taking one. The frontier is full of these walls — KV residency, invalidation storms, tool-rate limits, approval queues.

fak attacks the one safe term, reread-rate, without deleting the proof reuse is still legal. We measure against the best already-shipped setup, not a strawman: on a 50-turn × 5-agent run that's ~4× vs a tuned warm-cache stack — the honest few-fold against state-of-the-art reuse. (Against the naive pattern that re-sends the whole growing context every turn it's ~60×, but beating naive is easy and we don't lead with it.) The counter-intuitive part: the first worker pays, everyone after reads for free, so more agents can mean less total work. Two fences: the reuse win is self-host only (an app that just calls a frontier API gets the safety floor, not the savings), and the frontier-scale "agent city" numbers are design targets, not measurements.

The benchmarks — the whole boundary, not one number. fak isn't a single-axis speedup; the breadth is the point. A capabilities sweep across the three pillars it spans — serving efficiency (it does the SOTA stack's reuse), correctness (that reuse is bit-exact — the thing no serving engine proves), and a security kernel (the default-deny gate, at syscall speed — the boundary they don't own) — with the single-stream throughput it doesn't target shown honestly below the line. The 4.1× is marked [SOTA-style], not a green win (its baseline is fak's own kernel held constant, so it isolates reuse); the seductive 139.3× is greyed and tagged [NAIVE] so it can't read as a SOTA result. Every number carries its commit and traces to the authority doc.

The breadth card, the capability matrix, and the per-benchmark sweep are at the top of this README; the full set lives in the benchmark gallery.

Every number, traced to its commit + artifact

And it's not one lucky box. The same pure-Go kernel — same bit-exact gates — is profiled across 4 distinct hardware platforms: Apple M3 Pro (Metal + arm64 NEON), AMD Ryzen 9 + Radeon RX 7600 (Vulkan), Intel + NVIDIA RTX 4070 (CUDA Ada), and an 8× A100 serving node (CUDA Ampere) — spanning 2 CPU ISAs, 4 GPU backends, and 4 operating systems. The deterministic results reproduce byte-for-byte across all of them. → The hardware matrix

Web agent workloads: the turn-tax is structural ✅

For web/browser agent benchmarks — WebVoyager, BrowseComp, Browser Agent Benchmark — the same story plays out at a different scale. Every navigation action re-prefills the entire browser context (DOM state, tool schemas, task history). That's 2K+ tokens per turn, times ~12 turns per task, times 586 tasks for WebVoyager.

Measured on real WebVoyager (643 tasks):

Workers Naive Re-Prefill fak Fused Net Elimination
1 170.9 M tokens 19.4 M tokens 8.8×
8 1.37 G tokens 141.3 M tokens 9.7×

The same elimination, generalized into three lenses — re-prefill cost climbs ~linearly with context, fleet, and turns while fak's resident, addressable KV stays flat (the middle panel is the measured WebVoyager 9.7× above):

The turn-tax (re-prefill vs KV persistence) is worker-independent — every agent pays it, every turn, regardless of fleet size. SOTA agents like Alumnium (98.5% WebVoyager success) achieve the same capability through fak at ~9× less prefill cost (measured). → Frontier WebBench baselines · WebBench prefill elimination


Security: the lock, not the screener

The capability gate refuses an irreversible action by structure — the tool was never allow-listed, so no amount of context changes the answer. A separate quarantine holds suspicious tool results out of the model's memory entirely. The detector that flags those results is the evadable part, and we say so: it's ≈100% evadable by design — a helpful bonus, never the floor. The floor is the lock (the lever doesn't exist) and the containment (the bytes never reach the model). An attacker has to beat two independent gates, not fool one classifier.

Same task — book the cheapest SFO→JFK flight after reading a booby-trapped refund policy — run twice, unmediated vs. behind fak:

model booked? trap reached the model?
gemini-2.5-flash (strong) ✓ → ✓ YES → no
gemini-2.5-flash-lite (weak) ✗ → ✓ YES → no
Qwen2.5-1.5B (local, CPU) ✓ → ✓ YES → no

The weak model is the case that matters: without fak it fell for the trap and booked nothing; with fak it ignored the trap and booked the flight. Across these runs the injection reached the unprotected baseline 5/5 and fak walled it off 5/5.


How far do you want to take it?

Every rung is useful on its own — you get value even if you never buy the whole thesis.

  • Front your existing model. fak serve puts the gate in front of any OpenAI-compatible server (Ollama, vLLM, a cloud provider). Keep your model and your stack; gain a reviewable allow-list, result quarantine, and an audit trail. This is where most people should start, and it's a complete product by itself.
  • Run the kernel offline. Author a policy, check a tool call, measure the adjudication boundary — no model, no network. (The 2-minute demo above.)
  • Go all in: the fused kernel. For the believers — run the model inside the kernel's address space, so the KV cache is a kernel object and the context-MMU and vDSO become real operations on attention state. This is where the two flips stop being framing and become mechanism: quarantine that reaches attention, prefix reuse the kernel owns, a finished session that reloads as a core dump. It's a correctness reference, not a production serving engine — but on a model that fits the GPU, the in-kernel CUDA decode already hits parity with llama.cpp Q8_0 (~120 tok/s on an RTX 4070) with an opt-in CUDA graph. Capability is still your model's job; the kernel gives you frontier-grade safety and ~$0 cost on a small local model today.

Guided tutorial (zero to first adjudicated call, real output at every step) · Getting started


What's real, what's not (we keep score)

fak is built to survive a skeptic reading the code. Every capability in fak/CLAIMS.md carries one machine-checked tag. The short version: the permission gate, the local-answer shortcut, the auto-repair ladder, the quarantine, the in-kernel model (math proven exact against a reference), and the OpenAI-compatible gateway are shipped and on the critical path, each closed by a test. The power/energy numbers are simulated (no power meter on the box). Sharing one KV pool with a separate serving engine is a labeled stub. And a 29-claim prior-art audit scored 0/29 novel — every primitive is established; the contribution is the assembly, putting them together as one in-process gate where the tool call is the checkpoint.


Install

One static binary — no clone, no Go toolchain. Full guide: Getting started.

curl -fsSL https://raw.githubusercontent.com/anthony-chaudhary/fak/main/install.sh | sh

Or grab a prebuilt archive (linux_amd64, darwin_amd64, darwin_arm64, windows_amd64), or run it in a container. Then:

fak policy --dump > floor.json   # a starter allow-list you can edit + review
fak serve --addr 127.0.0.1:8080 --base-url http://localhost:11434/v1 --model qwen2.5:1.5b

Install with Go (needs Go 1.26+): the module is the repo root, so go install github.com/anthony-chaudhary/fak/cmd/fak@latest drops fak onto your $(go env GOBIN) ($GOPATH/bin). Or from a clone: go build -o fak ./cmd/fak. Full install matrix: INSTALL.md.


Go deeper

If you want… Read
The two flips, from first principles Policy in the kernel · Addressable KV cache
Every benchmark number (single source of truth, traced to commit + artifact) fak/BENCHMARK-AUTHORITY.md
Every machine fak runs on (the hardware matrix — 4 platforms, 2 CPU ISAs, 4 GPU backends, 4 OSes) docs/HARDWARE-MATRIX.md
Web agent benchmark results (real WebVoyager: 8.8-9.7× measured) docs/webbench-baselines.md
The parable, personas, and when-the-win-kicks-in tables docs/concepts-and-story.md
What "tuned SOTA" means (the 10 optimizations fak sits on top of) docs/explainers/sota-optimizations.md
Shipped capabilities (runnable artifacts, claim tags) fak/CLAIMS.md, fak/STATUS.md
Policy / permissions fak/POLICY.md
Architecture (the registry seams, the frozen ABI) fak/ARCHITECTURE.md
Build your optimization on fak (researchers/teams: plug in → prove correct → prove faster → ship) fak/EXTENDING.md
First run, step by step (guided session, real output at every step) docs/fak/tutorial.md
Quick answers (what is fak, how it differs from a firewall / guardrails / vLLM, the threat model) docs/FAQ.md
A machine-readable map (for LLMs & answer engines) llms.txt
New here? START-HERE.md · Simple demo

About this repository

This repository is the canonical public home of the project's public content — it is edited directly here, not regenerated from a private mirror. A separate private repo holds only the operator-specific material that must never be published (machine names, IPs, lab hosts, internal paths).

Cite this work: machine-readable metadata is in CITATION.cff (GitHub renders a "Cite this repository" button from it).

License: Apache-2.0.

Topics: agent kernel · agent tool firewall · AI agent security · prompt injection defense · tool poisoning · capability security · default-deny permission gate · KV cache · addressable KV cache · LLM inference · LLM serving · self-hosted LLM · agentic AI · MCP tool security · Go.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
cmd
agentdojoredteam command
Command agentdojoredteam runs the dynamic AgentDojo-style red-team battery (internal/agentdojo) against the stacked defense and prints the PER-ATTACK verdict stream, then folds every outcome into a frozen harvest LabelRow corpus.
Command agentdojoredteam runs the dynamic AgentDojo-style red-team battery (internal/agentdojo) against the stacked defense and prints the PER-ATTACK verdict stream, then folds every outcome into a frozen harvest LabelRow corpus.
batchbench command
Command batchbench measures the AGGREGATE decode throughput of the multi-user batched decode (internal/model.BatchSession) as a function of batch size B — the "continuous batching" / multi-user serving regime MODEL-BASELINE-RESULTS.md scoped out as "vLLM's claim, not fak's".
Command batchbench measures the AGGREGATE decode throughput of the multi-user batched decode (internal/model.BatchSession) as a function of batch size B — the "continuous batching" / multi-user serving regime MODEL-BASELINE-RESULTS.md scoped out as "vLLM's claim, not fak's".
causalbench command
Command causalbench is the end-to-end demonstrator for fak's CAUSAL invalidation-on-external-write: a tool RESULT cached under an external world-state witness (a git commit / blob hash / etag) is evicted byte-exact — and only it — the moment a later external write REFUTES that witness, while every sibling cached under an unrefuted witness stays warm.
Command causalbench is the end-to-end demonstrator for fak's CAUSAL invalidation-on-external-write: a tool RESULT cached under an external world-state witness (a git commit / blob hash / etag) is evicted byte-exact — and only it — the moment a later external write REFUTES that witness, while every sibling cached under an unrefuted witness stays warm.
ctxbench command
Command ctxbench runs the fak security gates over a corpus of tool calls and tool results.
Command ctxbench runs the fak security gates over a corpus of tool calls and tool results.
ctxdemo command
Command ctxdemo is the live, on-box demo of fak's value in the MULTI-AGENT, MULTI-TURN, LONG-CONTEXT regime — the one where the context CHANGES every turn as tool calls land heterogeneous, variable-sized results.
Command ctxdemo is the live, on-box demo of fak's value in the MULTI-AGENT, MULTI-TURN, LONG-CONTEXT regime — the one where the context CHANGES every turn as tool calls land heterogeneous, variable-sized results.
deletioncert command
Command deletioncert is the end-to-end demonstrator for fak's provable-deletion receipt.
Command deletioncert is the end-to-end demonstrator for fak's provable-deletion receipt.
demorace command
Command demorace is the live, on-box demo of fak's value point: REUSE.
Command demorace is the live, on-box demo of fak's value point: REUSE.
diagtok command
Command diagtok is a throwaway diagnostic: it loads a GGUF via the same path simpledemo uses, then (1) round-trips a known string through the embedded tokenizer and (2) greedily decodes a ChatML prompt while printing each raw token id next to its decode.
Command diagtok is a throwaway diagnostic: it loads a GGUF via the same path simpledemo uses, then (1) round-trips a known string through the embedded tokenizer and (2) greedily decodes a ChatML prompt while printing each raw token id next to its decode.
fak command
Command fak is an agent tool firewall: one statically-linked Go binary that runs an agentic tool loop where every tool call passes through one in-process policy and quarantine boundary (adjudicate -> vDSO -> pre-flight/grammar -> dispatch -> context-MMU admit).
Command fak is an agent tool firewall: one statically-linked Go binary that runs an agentic tool loop where every tool call passes through one in-process policy and quarantine boundary (adjudicate -> vDSO -> pre-flight/grammar -> dispatch -> context-MMU admit).
fakchat command
Command fakchat runs an end-to-end chat completion with fak's OWN in-kernel engine — no llama-server, no external proxy.
Command fakchat runs an end-to-end chat completion with fak's OWN in-kernel engine — no llama-server, no external proxy.
fanbench command
Command fanbench runs the ONE-MASTER-GOAL → N-SUBAGENT fan-out sweep — the orchestrator-worker topology (one lead decomposes a goal, spawns N sub-agents, folds their results) swept from N=1 to N=1000+, the regime no public benchmark maps (see experiments/fanout/RESEARCH-BRIEF-fanout-2026-06-17.md).
Command fanbench runs the ONE-MASTER-GOAL → N-SUBAGENT fan-out sweep — the orchestrator-worker topology (one lead decomposes a goal, spawns N sub-agents, folds their results) swept from N=1 to N=1000+, the regime no public benchmark maps (see experiments/fanout/RESEARCH-BRIEF-fanout-2026-06-17.md).
fleetbench command
Command fleetbench runs the 2-D turn-tax sweep — turns-per-agent (T) × fleet size (A) — over the REAL kernel and writes the surface as JSON + CSV for curve fitting.
Command fleetbench runs the 2-D turn-tax sweep — turns-per-agent (T) × fleet size (A) — over the REAL kernel and writes the surface as JSON + CSV for curve fitting.
fleetserve command
Command fleetserve measures the CROSS-AGENT SHARED-PREFIX fleet workload — the regime where fak's kernel-owned KV cache structurally beats a per-slot serving engine (llama.cpp) by more than 2×, not by a faster kernel but by NOT REDOING WORK.
Command fleetserve measures the CROSS-AGENT SHARED-PREFIX fleet workload — the regime where fak's kernel-owned KV cache structurally beats a per-slot serving engine (llama.cpp) by more than 2×, not by a faster kernel but by NOT REDOING WORK.
gemma4diag command
Command gemma4diag loads a gemma4 GGUF ONCE and sweeps the uncertain forward axes (softmax scale 1.0 vs 1/sqrt(d), rope_freqs on/off, decoder-norm plain vs (1+w)), printing the top-k next-token predictions for a fixed prompt under each.
Command gemma4diag loads a gemma4 GGUF ONCE and sweeps the uncertain forward axes (softmax scale 1.0 vs 1/sqrt(d), rope_freqs on/off, decoder-norm plain vs (1+w)), printing the top-k next-token predictions for a fixed prompt under each.
ggufprobe command
Command ggufprobe dumps a GGUF file's architecture using fak's own internal/ggufload parser — no llama.cpp.
Command ggufprobe dumps a GGUF file's architecture using fak's own internal/ggufload parser — no llama.cpp.
gpucheck command
Command gpucheck is the real-model correctness witness for the GPU backend: it loads a HuggingFace safetensors checkpoint (e.g.
Command gpucheck is the real-model correctness witness for the GPU backend: it loads a HuggingFace safetensors checkpoint (e.g.
kpiprobe command
Command kpiprobe prints the RSI loop's demo KPI — the deterministic LRU hit-rate (internal/rsiloop.HitRate) over a fixed reference trace — as a single `KPI=<float>` line the loop's worktree Measurer parses.
Command kpiprobe prints the RSI loop's demo KPI — the deterministic LRU hit-rate (internal/rsiloop.HitRate) over a fixed reference trace — as a single `KPI=<float>` line the loop's worktree Measurer parses.
lensviz command
Command lensviz is a visual next-token debugger for fak's own in-kernel engine.
Command lensviz is a visual next-token debugger for fak's own in-kernel engine.
loadgen command
loadgen drives an OpenAI-compatible /v1/chat/completions endpoint at a sweep of concurrency levels and reports throughput.
loadgen drives an OpenAI-compatible /v1/chat/completions endpoint at a sweep of concurrency levels and reports throughput.
modelbench command
Command modelbench measures the in-kernel pure-Go forward pass latency so the fusion lane has a HONEST throughput baseline to set against the next-best ways to run the same model (HF transformers; see bench_hf.py for the witness side).
Command modelbench measures the in-kernel pure-Go forward pass latency so the fusion lane has a HONEST throughput baseline to set against the next-best ways to run the same model (HF transformers; see bench_hf.py for the witness side).
modelprof command
Command modelprof is the in-kernel forward pass inspecting ITSELF: it runs the modular bottleneck profiler (internal/model/profile.go) over a real decode and a real prefill, plus an uninstrumented Session.Step decode measurement.
Command modelprof is the in-kernel forward pass inspecting ITSELF: it runs the modular bottleneck profiler (internal/model/profile.go) over a real decode and a real prefill, plus an uninstrumented Session.Step decode measurement.
paritybench command
Command paritybench assembles the CROSS-MODEL parity artifact: it ingests the live fak-agent A/B reports for a ladder of LOCAL models (produced by tools/run_local_model.sh via the OpenAI-compatible shim) plus the committed FRONTIER reference cards (hosted Claude Haiku/Sonnet, measured + graded on the same frozen task), scores every card on the three never-blended axes (capability / safety / cost), and emits the parity table.
Command paritybench assembles the CROSS-MODEL parity artifact: it ingests the live fak-agent A/B reports for a ladder of LOCAL models (produced by tools/run_local_model.sh via the OpenAI-compatible shim) plus the committed FRONTIER reference cards (hosted Claude Haiku/Sonnet, measured + graded on the same frozen task), scores every card on the three never-blended axes (capability / safety / cost), and emits the parity table.
pipelinegen command
Command pipelinegen runs fak's NATIVE engine generating tokens across pipeline-parallel stages — the runnable form of the cross-device transport contract (internal/model/pipeline.go).
Command pipelinegen runs fak's NATIVE engine generating tokens across pipeline-parallel stages — the runnable form of the cross-device transport contract (internal/model/pipeline.go).
prefixlint command
Command prefixlint is the §A3 prefix-stability devtool (GLM52-HOSTED-CACHE- COHERENCE): it reads a recorded conversation and reports the provider-cache consequence — how many prompt tokens are cacheable across the session, how many are re-billed, the specific turn where the prefix broke, and the recoverable uplift from fixing volatile-ahead-of-stable ordering.
Command prefixlint is the §A3 prefix-stability devtool (GLM52-HOSTED-CACHE- COHERENCE): it reads a recorded conversation and reports the provider-cache consequence — how many prompt tokens are cacheable across the session, how many are re-billed, the specific turn where the prefix broke, and the recoverable uplift from fixing volatile-ahead-of-stable ordering.
q4kdiag command
q8bench command
Command q8bench is an INDEPENDENT verifier for the int8-quantized in-kernel forward path (internal/model: Model.Quantize + Session.Quant).
Command q8bench is an INDEPENDENT verifier for the int8-quantized in-kernel forward path (internal/model: Model.Quantize + Session.Quant).
q8kernel command
Command q8kernel is a self-contained kernel microbenchmark that isolates ONE question from all model/WSL/load overhead: in pure Go on this box, which GEMV kernel is fastest for the memory-bound batch-1 decode regime —
Command q8kernel is a self-contained kernel microbenchmark that isolates ONE question from all model/WSL/load overhead: in pure Go on this box, which GEMV kernel is fastest for the memory-bound batch-1 decode regime —
qwen35check command
Command qwen35check loads a Qwen3.5 / Qwen3-Next hybrid HF snapshot with fak's own in-kernel forward pass and greedy-decodes a few tokens from a given prompt (token ids), printing the generated ids.
Command qwen35check loads a Qwen3.5 / Qwen3-Next hybrid HF snapshot with fak's own in-kernel forward pass and greedy-decodes a few tokens from a given prompt (token ids), printing the generated ids.
radixbench command
Command radixbench benchmarks fak's KV-cache prefix reuse against SGLang's RadixAttention (arXiv:2312.07104 / NeurIPS 2024) on the metric SGLang's own paper headlines: CACHE HIT RATE — the fraction of prompt tokens served from cache instead of recomputed.
Command radixbench benchmarks fak's KV-cache prefix reuse against SGLang's RadixAttention (arXiv:2312.07104 / NeurIPS 2024) on the metric SGLang's own paper headlines: CACHE HIT RATE — the fraction of prompt tokens served from cache instead of recomputed.
rsicycle command
Command rsicycle drives ONE recursive-self-improvement keep-or-revert decision through fak's own non-forgeable keep-bit (internal/shipgate.Evaluate).
Command rsicycle drives ONE recursive-self-improvement keep-or-revert decision through fak's own non-forgeable keep-bit (internal/shipgate.Evaluate).
rsiloop command
Command rsiloop is fak's TRUE recursive-self-improvement loop — the closed-loop companion to cmd/rsicycle's one-shot.
Command rsiloop is fak's TRUE recursive-self-improvement loop — the closed-loop companion to cmd/rsicycle's one-shot.
sessionbench command
Command sessionbench measures the NET VALUE-ADD of the fused agent kernel on a realistic long, multi-agent session — the regime the whole fusion exists for, and the one a per-call / per-turn naive setup pays for dearly.
Command sessionbench measures the NET VALUE-ADD of the fused agent kernel on a realistic long, multi-agent session — the regime the whole fusion exists for, and the one a per-call / per-turn naive setup pays for dearly.
simpledemo command
Command simpledemo is the friendliest way to chat with a local AI model.
Command simpledemo is the friendliest way to chat with a local AI model.
tpcheck command
Command tpcheck runs fak's NATIVE-engine TENSOR-parallel decomposition end to end over SIMULATED ranks (single box, in-memory, no GPU/NCCL/checkpoint) — the runnable form of the intra-layer sharding contract (internal/model/tensor_parallel.go).
Command tpcheck runs fak's NATIVE-engine TENSOR-parallel decomposition end to end over SIMULATED ranks (single box, in-memory, no GPU/NCCL/checkpoint) — the runnable form of the intra-layer sharding contract (internal/model/tensor_parallel.go).
turntaxdemo command
Command turntaxdemo is the live, on-box demo of how fak SAVES MODEL TURNS.
Command turntaxdemo is the live, on-box demo of how fak SAVES MODEL TURNS.
webbench-convert command
webbench-convert converts WebVoyager dataset to webbench format.
webbench-convert converts WebVoyager dataset to webbench format.
webbench-run command
webbench-run is a reproducible end-to-end webbench runner.
webbench-run is a reproducible end-to-end webbench runner.
webbench-token-measure command
webbench-token-measure measures actual token usage from model API runs.
webbench-token-measure measures actual token usage from model API runs.
internal
abi
events.go — the closed core EventKind vocabulary (additive).
events.go — the closed core EventKind vocabulary (additive).
adjudicator
Package adjudicator is the in-process DOS reference monitor — the v0.1 realization of the Adjudicator seam.
Package adjudicator is the in-process DOS reference monitor — the v0.1 realization of the Adjudicator seam.
agent
Package agent is the REAL agentic loop: a live model (the planner) drives a multi-turn tool-calling conversation, and EVERY tool call it emits is mediated — on the "fak" arm — by the in-process kernel syscall (vDSO -> adjudicate -> grammar repair -> dispatch -> context-MMU admit).
Package agent is the REAL agentic loop: a live model (the planner) drives a multi-turn tool-calling conversation, and EVERY tool call it emits is mediated — on the "fak" arm — by the in-process kernel syscall (vDSO -> adjudicate -> grammar repair -> dispatch -> context-MMU admit).
agentdojo
Package agentdojo replaces the STATIC poison.json fixture with a DYNAMIC, adaptive attack battery scored by Attack Success Rate (ASR) — the AgentDojo (Debenedetti et al., 2024) evaluation discipline.
Package agentdojo replaces the STATIC poison.json fixture with a DYNAMIC, adaptive attack battery scored by Attack Success Rate (ASR) — the AgentDojo (Debenedetti et al., 2024) evaluation discipline.
appversion
Package appversion resolves the fleet/FAK application version from the single repo-level VERSION marker, with build-time and environment fallbacks.
Package appversion resolves the fleet/FAK application version from the single repo-level VERSION marker, with build-time and environment fallbacks.
architest
Package architest is the kernel's machine-checked architecture contract.
Package architest is the kernel's machine-checked architecture contract.
bench
Package bench is the A/B ablation runner behind `fak bench`.
Package bench is the A/B ablation runner behind `fak bench`.
blob
Package blob is the v0.1 default backend behind every abi.Ref: a content-addressed (sha256) in-memory blob store.
Package blob is the v0.1 default backend behind every abi.Ref: a content-addressed (sha256) in-memory blob store.
cachemeta
Package cachemeta defines the metadata contract for first-class cache entries.
Package cachemeta defines the metadata contract for first-class cache entries.
canon
Package canon is the de-obfuscating canonicalizer + lexical threat detector, factored out of internal/normgate so it is ONE primitive, tested ONCE, and reusable by every gate that needs to scan bytes for a hidden secret or injection on a normalized view — not just the write-time admitter.
Package canon is the de-obfuscating canonicalizer + lexical threat detector, factored out of internal/normgate so it is ONE primitive, tested ONCE, and reusable by every gate that needs to scan bytes for a hidden secret or injection on a normalized view — not just the write-time admitter.
cdb
Package cdb is the context debugger: it attaches to a FINISHED agent session as if to a core dump and answers questions by demand-paging only the working set the question touches — never by replaying the whole address space.
Package cdb is the context debugger: it attaches to a FINISHED agent session as if to a core dump and answers questions by demand-paging only the working set the question touches — never by replaying the whole address space.
compute
Package compute is the hardware-abstraction seam (HAL) for the in-kernel forward pass.
Package compute is the hardware-abstraction seam (HAL) for the in-kernel forward pass.
contextq
Package contextq is the on-demand context materializer over CDB images.
Package contextq is the on-demand context materializer over CDB images.
ctxmmu
Package ctxmmu is the context-MMU: a write-time (post-tool) gate on tool RESULTS, the dual of the call-side adjudicator.
Package ctxmmu is the context-MMU: a write-time (post-tool) gate on tool RESULTS, the dual of the call-side adjudicator.
deletioncert
Package deletioncert mints and verifies a DeletionCertificate: a single, portable, re-checkable artifact that binds a bit-exact KV eviction to the tamper-evident audit journal that recorded it.
Package deletioncert mints and verifies a DeletionCertificate: a single, portable, re-checkable artifact that binds a bit-exact KV eviction to the tamper-evident audit journal that recorded it.
engine
Package engine is the inference-engine seam (the EngineDriver).
Package engine is the inference-engine seam (the EngineDriver).
enginecache
Package enginecache binds cachemeta's remote invalidation directives to documented serving-engine control endpoints.
Package enginecache binds cachemeta's remote invalidation directives to documented serving-engine control endpoints.
gateway
Package gateway is the kernel-adjudicated wire: it fronts the fak kernel over MCP (newline-delimited JSON-RPC) and an OpenAI-compatible HTTP surface so an agent written in ANY language can route its tool calls through the in-process syscall boundary WITHOUT writing Go.
Package gateway is the kernel-adjudicated wire: it fronts the fak kernel over MCP (newline-delimited JSON-RPC) and an OpenAI-compatible HTTP surface so an agent written in ANY language can route its tool calls through the in-process syscall boundary WITHOUT writing Go.
ggufload
Package ggufload parses GGUF metadata and tensor directories for off-path model loading.
Package ggufload parses GGUF metadata and tensor directories for off-path model loading.
gpulease
Package gpulease is a machine-wide advisory lease so that only one GPU-heavy process loads a model at a time.
Package gpulease is a machine-wide advisory lease so that only one GPU-heavy process loads a model at a time.
grammar
Package grammar is the tool-invocation grammar rung: the well-formedness axis the trust/effect rungs can't see.
Package grammar is the tool-invocation grammar rung: the well-formedness axis the trust/effect rungs can't see.
harvest
Package harvest is the LabelRow harvester — the data-collection rung of the compiled defender-side loop.
Package harvest is the LabelRow harvester — the data-collection rung of the compiled defender-side loop.
ifc
Package ifc is the information-flow control layer — the CaMeL / FIDES complement to the lexical detectors (canon, normgate, ctxmmu).
Package ifc is the information-flow control layer — the CaMeL / FIDES complement to the lexical detectors (canon, normgate, ctxmmu).
journal
Package journal is the durable, append-only, tamper-evident DECISION JOURNAL — the regulated-audit (AUD) surface of the trust floor.
Package journal is the durable, append-only, tamper-evident DECISION JOURNAL — the regulated-audit (AUD) surface of the trust floor.
kernel
Package kernel is the fak core: the one concrete implementation of abi.Kernel.
Package kernel is the fak core: the one concrete implementation of abi.Kernel.
kvmmu
Package kvmmu is the bridge the in-kernel model makes possible: it turns ctxmmu's LOGICAL quarantine verdict — "these bytes may not enter the context window" — into a MECHANICAL one — eviction of that result's K/V span from the kernel-owned attention cache, so the model physically cannot attend to it.
Package kvmmu is the bridge the in-kernel model makes possible: it turns ctxmmu's LOGICAL quarantine verdict — "these bytes may not enter the context window" — into a MECHANICAL one — eviction of that result's K/V span from the kernel-owned attention cache, so the model physically cannot attend to it.
leakcheck
Package leakcheck provides the three reusable PROOF primitives a memory/goroutine-leak sweep needs, so a regression guard is a few lines instead of a hand-rolled harness each time.
Package leakcheck provides the three reusable PROOF primitives a memory/goroutine-leak sweep needs, so a regression guard is a few lines instead of a hand-rolled harness each time.
metalgemm
Package metalgemm stub — the default (non-fakmetal) build.
Package metalgemm stub — the default (non-fakmetal) build.
metrics
Package metrics is the KPI layer + the A/B report shape.
Package metrics is the KPI layer + the A/B report shape.
model
Package model is the in-kernel inference core: a pure-Go forward pass over a single small open-source model (SmolLM2-135M / Qwen2.5-0.5B), with the KV cache as a first-class Go data structure the kernel OWNS.
Package model is the in-kernel inference core: a pure-Go forward pass over a single small open-source model (SmolLM2-135M / Qwen2.5-0.5B), with the KV cache as a first-class Go data structure the kernel OWNS.
modelengine
Package modelengine wires the in-kernel model (internal/model) into the kernel as a registered abi.EngineDriver under the id "inkernel".
Package modelengine wires the in-kernel model (internal/model) into the kernel as a registered abi.EngineDriver under the id "inkernel".
normgate
Package normgate is a write-time ResultAdmitter that closes the context-MMU's measured DETECTION gap: the v0.1 ctxmmu matches injection markers and secret shapes as raw ASCII regex/substring, so any obfuscation (char-spacing, base64, homoglyph, zero-width, fullwidth, bidi, format-variant secrets) walks straight through (~100% evasion, measured on a private transcript-derived corpus).
Package normgate is a write-time ResultAdmitter that closes the context-MMU's measured DETECTION gap: the v0.1 ctxmmu matches injection markers and secret shapes as raw ASCII regex/substring, so any obfuscation (char-spacing, base64, homoglyph, zero-width, fullwidth, bidi, format-variant secrets) walks straight through (~100% evasion, measured on a private transcript-derived corpus).
plancfi
Package plancfi is control-flow integrity for an agent's PLAN — the stateful adjudicator that refuses a tool call which deviates from the approved plan.
Package plancfi is control-flow integrity for an agent's PLAN — the stateful adjudicator that refuses a tool call which deviates from the approved plan.
policy
Package policy loads the adjudicator's capability floor from a declarative, version-tagged JSON manifest instead of a compiled-in Go literal — so an adopter configures WHICH tools the agent may call by editing a file the operator can read and a reviewer can diff, never by forking the kernel and recompiling.
Package policy loads the adjudicator's capability floor from a declarative, version-tagged JSON manifest instead of a compiled-in Go literal — so an adopter configures WHICH tools the agent may call by editing a file the operator can read and a reviewer can diff, never by forking the kernel and recompiling.
preflight
Package preflight is the pre-flight rung ladder: cheapest-first well-formedness checks that catch a malformed/unsafe call BEFORE it fires, so a dead branch never spawns a process or burns a model turn.
Package preflight is the pre-flight rung ladder: cheapest-first well-formedness checks that catch a malformed/unsafe call BEFORE it fires, so a dead branch never spawns a process or burns a model turn.
provenance
Package provenance is the single, kernel-authored answer to one question: "where did this byte come from, and may the kernel trust it?" — and it is the ONE place that answer is decided.
Package provenance is the single, kernel-authored answer to one question: "where did this byte come from, and may the kernel trust it?" — and it is the ONE place that answer is decided.
radixkv
Package radixkv is SGLang's RadixAttention prefix cache, rebuilt over fak's kernel-owned KV cache — the apples-to-apples answer to "how does fak compare to SGLang's KV-cache radix attention?".
Package radixkv is SGLang's RadixAttention prefix cache, rebuilt over fak's kernel-owned KV cache — the apples-to-apples answer to "how does fak compare to SGLang's KV-cache radix attention?".
ratelimit
Package ratelimit is the throughput/cost governor: the adjudicator that turns the already-plumbed RATE_LIMITED reason into an actual enforcer.
Package ratelimit is the throughput/cost governor: the adjudicator that turns the already-plumbed RATE_LIMITED reason into an actual enforcer.
recall
Package recall makes a COMPLETED agent session queryable without replaying it — the "treat a finished session as a core dump" leaf (../../session-recall-design.md).
Package recall makes a COMPLETED agent session queryable without replaying it — the "treat a finished session as a core dump" leaf (../../session-recall-design.md).
registrations
Package registrations is the "built-in driver list" (the Linux defconfig).
Package registrations is the "built-in driver list" (the Linux defconfig).
rsiloop
Package rsiloop closes fak's recursive-self-improvement loop.
Package rsiloop closes fak's recursive-self-improvement loop.
shipgate
adjudicate.go puts the ship gate ON the kernel's decision path: a registered Adjudicator that holds a ship-shaped tool call behind the require-witness rung.
adjudicate.go puts the ship gate ON the kernel's decision path: a registered Adjudicator that holds a ship-shaped tool call behind the require-witness rung.
steward
Package steward is the steward population: a set of cheap, single-invariant validators that garden the kernel's journal.
Package steward is the steward population: a set of cheap, single-invariant validators that garden the kernel's journal.
swebench
Package swebench turns SWE-bench Verified into a fak-native benchmark whose results are directly comparable to the external "N-Server Cache Benchmarking Tool" (the Benchmark repo, "bench") that runs the same task set against an SGLang endpoint.
Package swebench turns SWE-bench Verified into a fak-native benchmark whose results are directly comparable to the external "N-Server Cache Benchmarking Tool" (the Benchmark repo, "bench") that runs the same task set against an SGLang endpoint.
tokenizer
Package tokenizer is a tokenizer leaf for offline text/id conversion outside the model proof path.
Package tokenizer is a tokenizer leaf for offline text/id conversion outside the model proof path.
toollint
Package toollint is the kernel's STATIC tool linter: it checks the registered tool SURFACE for inconsistencies the runtime would otherwise silently paper over on every single call.
Package toollint is the kernel's STATIC tool linter: it checks the registered tool SURFACE for inconsistencies the runtime would otherwise silently paper over on every single call.
turnbench
Package turnbench is the TURN-TAX benchmark — the dedicated A/B that isolates the one cost the microsecond-transport bench (internal/bench) does NOT measure: the EXTRA MODEL TURN a SOTA agent loop must fire when a tool call fails its first attempt and comes back as an error code, versus fak's "1-shot" path, where the kernel resolves the very same condition INSIDE the syscall the call arrived on — no second round-trip to the model.
Package turnbench is the TURN-TAX benchmark — the dedicated A/B that isolates the one cost the microsecond-transport bench (internal/bench) does NOT measure: the EXTRA MODEL TURN a SOTA agent loop must fire when a tool call fails its first attempt and comes back as an error code, versus fak's "1-shot" path, where the kernel resolves the very same condition INSIDE the syscall the call arrived on — no second round-trip to the model.
vdso
Package vdso is the tool vDSO: a 3-tier local fast path that answers a tool call with NO engine and NO remote round-trip — the agentic analogue of the kernel vDSO that serves gettimeofday() from userspace without a syscall.
Package vdso is the tool vDSO: a 3-tier local fast path that answers a tool call with NO engine and NO remote round-trip — the agentic analogue of the kernel vDSO that serves gettimeofday() from userspace without a syscall.
webbench
Package webbench turns frontier web/browser agent benchmarks into fak-native benchmarks whose results directly measure the value of fak's session value stack on multi-turn web automation tasks.
Package webbench turns frontier web/browser agent benchmarks into fak-native benchmarks whose results directly measure the value of fak's session value stack on multi-turn web automation tasks.
webbench/browser
browser - web automation layer for webbench Uses Playwright CLI for browser control (cross-platform)
browser - web automation layer for webbench Uses Playwright CLI for browser control (cross-platform)
witness
Package witness is the in-process realization of the require-witness rung — the DOS dos_verify effect-verify, brought inside the kernel.
Package witness is the in-process realization of the require-witness rung — the DOS dos_verify effect-verify, brought inside the kernel.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL