Send: Objects, History, and Transactions in a Single-Verb Kernel

TL;DR

This paper introduces a minimal kernel design that unifies multiple structural properties for multi-party object coordination, ensuring robustness and security through a uniform interface and primitive object distinctions.

Contribution

It presents a novel kernel architecture built from s-expressions and a single 'send' interface that jointly enforces six key properties in multi-party systems.

Findings

Kernel guarantees all six properties under kernel-faithful trust.

Append-only logs enable immutability and replay.

Cryptographic compiler can secure operator-adversarial deployments.

Abstract

Multi-party object coordination - across object-capability systems, smart-contract platforms, distributed actors, and event-sourced architectures - is shaped by six structural properties: authenticated provenance, opaque encapsulation, atomic multi-object commit, deterministic replay, immutable history, and history-derived state. Existing systems compose subsets via separate layered mechanisms (RPC, capability ACLs, transaction coordinators, event journals, vat boundaries); each layer is well-studied but the combination is fragile. We present a minimal kernel which makes them jointly compatible. Our kernel is built from s-expressions, a uniform 'send' interface, transactions, and one primitive object distinction: *ephemeral* (caller's context inherited) vs. *persistent* (context switches to the target's kernel-assigned identity and append-only log). The kernel structurally classifies every send target into one of six cases without input from the caller - uniform caller interface, intensional kernel dispatch. Under kernel-faithful trust (the kernel runs its semantics as specified), this design holds all six properties as *kernel-level* against arbitrary programs - the kernel's transition function refuses states violating them. Opacity *against the operator* additionally requires operator-faithful trust (the operator accesses logs only via 'recall' and does not censor or reorder transactions); under kernel-faithful alone, five of six guarantees survive an unconstrained operator. Append-only logs underpin immutability, replay, and history-derived state; kernel-controlled persistent dispatch yields authenticated provenance and opacity; transactions deliver atomic coordination. Operator-adversarial deployments can be realized with a cryptographic compiler.