The trust boundary belongs below the app.
Encryption inside an app still runs on a platform that reads the keyboard, the clipboard, the screen. Bonis governs identity, data, execution, and audit one layer down — on hardware you already own.
Seal a note. Try to open it with the wrong key. Watch it refuse.
This is the boundary, working. Write a note and a passcode, then Seal. What you see is the opaque box: that is all a custodian, or any hop in transit, ever sees. Then type the passcode and Reveal. A wrong code is refused outright, never approximated. The seal and the reveal both run here, on your device; there is no server in this demo, and nothing you type leaves the browser. That is not an implementation detail; it is the whole thesis, in your hands.
A demonstration: use throwaway text, though nothing here leaves your browser anyway.
Bonis moves the trust boundary below the app — one policy governing identity, data, execution, and audit, on hardware you already own.
- Position. Not a kernel, not a chip. An operating-system-grade trust layer that runs on commodity hardware instead of being it.
- Boundary. Encryption inside an app still runs on a platform that reads the keyboard, the clipboard, the screen. Bonis governs one layer down.
- Subsystems. Locker (filesystem), keyring, Knox (audit journal), scheduler, gates (kernel policy), verifier (fsck) — each maps to an OS component.
- The honest limit. At rest and in transit it wins. At the moment a human views plaintext on a compromised endpoint, a captured frame can leak — no app-layer encryption defeats that, and Bonis says so.
The trust boundary was drawn in the wrong place.
Data exists in three states: at rest, in transit, and in use. App encryption protects the first two. The third — the moment data is captured, rendered, or read — happens in plaintext, on a platform the application does not control. Encryption inside an app is a safe standing in a room the platform already wired.
So Bonis governs one layer down. Identity, data, execution, and audit are placed below the application plane, on the hardware root you already hold — not above it, where the platform can read them first. The boundary moves; the plaintext stops crossing it.
Where it still loses — said plainly
At the instant a person views plaintext, it must be rendered, and a compromised endpoint can capture that frame. No app-layer encryption defeats that. A hardened, de-Googled endpoint reduces the exposure; nothing shipping today eliminates it. Bonis names the seam because the willingness to name it is the only credential that cannot be faked — and because everything below the boundary is the part Bonis does close.
Six layers from silicon to agent. Bonis stands on the bottom three and governs the three above them.
Bonis does not make the metal, the bootloader, or the kernel — that work ships today in the hardened-OS and capability-security tradition, and Bonis stands on it. What Bonis governs is everything from where artifacts move to where agents act.
- The keystore, secure enclave, or TPM you already own. Bonis does not make the metal; it roots keys in the one you have.
- Measured-boot attestation, owned by the platform. Bonis consumes the measurement; it does not replace the bootloader.
- The OS kernel's process and memory isolation. The lineage here is hardened-OS and capability-security work; Bonis stands on it, not over it.
- Where artifacts move between parties. Bonis seals them in transit so a custodian carries a box it cannot open.
- Where the application runs and a key is held to do its work. This is the plane the trust boundary sits just below.
- Identity, data, execution, and audit governed under one policy, below the app, on hardware you already own.
Every subsystem is an operating-system component.
The framing is not a metaphor reached for after the fact. Each Bonis subsystem already plays the role its operating-system counterpart plays — and each carries an honest status, because a trust layer that overstates what it ships is the one thing this audience will never forgive.
| Subsystem | OS component | Status | Note |
|---|---|---|---|
| Bonis Locker | filesystem | Live | Double-door demo runnable |
| BTS-1 | keyring / enclave | Live | Grant is classical X25519 today; PQ hybrid tracked |
| Knox | audit journal | Live | Independently verifiable without Bonis |
| The hive | scheduler | Live | Operates the rails today |
| The gates | kernel policy | Live | Enforced before publish |
| The verifier | fsck | Live | Verify a box you cannot open |
| Bonis node | off-device key holder | Direction | Not built |
A distinction held on purpose: Knox seals are ML-DSA-87 (NIST FIPS 204), a post-quantum signature. The Locker’s reveal-ledger is SHA-256 today, not yet the rail’s post-quantum seal; the key-grant is classical X25519. A post-quantum hybrid is tracked, not yet claimed live. Bonis keeps these apart so the word “post-quantum” never does work it hasn’t earned.
What is real today, in order of reach.
Hardened OS
A de-Googled, hardened operating system narrows the platform’s read of you. This ships today in the GrapheneOS / CalyxOS class — credited here as the floor Bonis builds on, not work Bonis claims.
Key off the device
Move the key off the phone entirely — a hardware key today; a dedicated Bonis node as the direction beyond it. The further the key sits from the rendering surface, the less a compromised endpoint can take.
Seal before the platform
Seal data before it touches a platform that would read it, and let custodians carry boxes they cannot open. This is where the Locker and the no-custody handoff already operate.
The limits, stated before you find them.
Point of view is unsolved
A captured frame on a hostile endpoint is the seam no app-layer encryption closes. A hardened endpoint reduces it; nothing today eliminates it. Bonis does not sell the gap.
The node is a direction
The dedicated off-device keyholder and a hardened Bonis image are a direction, not a shipped product. Where the page describes them, it says so in the same sentence.
Can’t-decrypt is a design, pending audit
The no-custody handoff is designed so a carrier cannot decrypt the box it holds — independent audit pending. “Trust the vendor’s claim of can’t-decrypt” is exactly the failure mode of the last fifty years; naming it is how the claim earns its place.
Post-quantum is per-layer, not a banner
At rest is AES-256; Knox seals are ML-DSA-87. The Locker ledger is SHA-256 and the key-grant is classical X25519 today — both tracked for a post-quantum hybrid, neither claimed as shipped.
No claim ships without its check.
Run the boundary on your data, as a design partner.
The Bonis OS is built and checkable today — you just sealed a box on your own machine. It is offered to a small number of organizations as a hands-run design-partner pilot: your data, your environment, sealed and handed off without a readable copy in any middle. Describe what you would put in a box; a person — not a bot — replies.