▌ Technology ModuleCore OS API

The v1 surface.
Everything the brain exposes.

Titan Core OS is an open SDK around a closed safety kernel. This is the v1 API: what integrators can call, implement, and extend — and the short list of what is deliberately not exposed.

API v1 · Eight Groups

Call it. Implement it.
Extend it.

Three kinds of surface: functions you call (runtime, missions, link, lifecycle), interfaces you implement (skills, models, HAL drivers), and records you verify (audit, evidence). Everything below is v1 — versioned with the runtime, stable within the major.

Runtime & Modes

Boot a machine as a deployment profile, drive the control loop, read its state. The mode machine is observable, never directly settable — modes follow evidence.

boot(profile) → CoreRuntimeCompose a machine from a named profile: skills + HAL + mode semantics
runtime.tick(telemetry) → ActuatorCommandOne control-loop step: sense → localize → plan → decide → act
runtime.snapshot() → RuntimeSnapshotMode, active intent, health, buffered-telemetry depth
orchestrator.acceptIntent(intent) → booleanPriority-arbitrated mission intake; FAULT rejects
orchestrator.degrade(reason) / resetFault(operator)Explicit mode transitions — always attributed, always audited

Skill Registry

The extension point. A skill is one signed registration; redundancy is a wrapper, not a rewrite.

registry.register(skill, manifest) → LoadDecisionSigned manifests only — unsigned code never loads in production
registry.unregister(name, operator)Audited removal; the machine keeps running without the capability
redundant({ providers, arbiter }) → SkillN providers in one slot; the group is a drop-in for the skill type
preferPrimary({ failAfterMisses })Sticky-primary arbiter: fail over on repeated faults, reclaim on recovery
confidenceAbove(threshold)Confidence-gated arbiter: switch on decay, hand back on recovery

Missions

Verticals are compiled, not coded. A mission profile turns operator parameters into intent sequences the planner consumes.

compileMission(vertical, params) → MissionIntent[]patrol-security · delivery-logistics · agriculture-fieldwork · search-rescue
MissionProfile (interface)Implement + register to ship a new vertical — no runtime changes

Command Link (ECL)

The machine's side of the Titan Command Center conversation. Latency is a safety property here, enforced in the API.

link.sendIntent(intent) / nextIntent()Prioritized mission intent queue
link.queueOverride(override) → booleanRefused when link RTT p99 exceeds 200ms — the guard is not optional
link.publishTelemetry(sample) / drainTelemetry()Continuous uplink; buffered while disconnected
link.buildResyncReplay() → ResyncFrame[]Hash-chained disconnected history — verifiable, tamper-evident
link.quality() → good | degraded | lostOne link-health contract; recommendedMode() maps it to the mode machine

Model Slot

The decision layer is a first-class model interface — swap the VLA, compose vision with an LLM, or route hard calls to the datacenter.

VlaModel.decide(observation) → { skill, confidence }Observation in: pose, map summary, mission context. Skill out, confidence attached
model composition & offload policyOn-device by default; datacenter-scale models when the link allows — the runtime decides, continuously
low-confidence escalationDecisions under threshold route to a named operator, never guessed through

HAL Drivers

The seam hardware modules plug into. Implement four methods and the runtime drives your hardware — or Titan Matrix's simulation of it.

driver.apply(command)Uniform ActuatorCommand in — wheels, rotors, hand, emitters
driver.heartbeat(ts)Feed the dead-man watchdog; silence stops motors
driver.tick() → HalActuatorStateActuator state, fault codes, watchdog escalation out
driver.safeStop(reason)The last-resort path — every driver must implement it

Lifecycle & OTA

Updates are staged, health-checked, and reversible — kernel images to model weights.

ota.stage(manifest)Signed manifests only; A/B slot prepared, nothing switched
ota.commit(healthCheck)Atomic swap gated on the health check passing
ota.rollback(reason)One call back to the known-good slot

Audit & Evidence

Every actuation, load, override, and switchover is chained. The API exposes verification, not editing.

audit.list() → AuditEntry[]Attributed history: who or what commanded, when, why
audit.verify() → booleanWalk the hash chain end to end — tampering is detectable, not deniable
evidence recording (MCAP, traces, dumps)Ships to Titan Command Center on resync
The Closed Kernel

What the API
refuses to offer.

An autonomy API is defined as much by what it withholds. These are absent by design, not omission — the line that lets integrators extend behavior without weakening deterministic control.

Safety executor internals

The dead-man watchdog shares no fate with the smart stack — including its API

Raw actuator buses

Every command flows through the audited ActuatorCommand path or it doesn't flow

Watchdog thresholds at runtime

Deadline budgets are profile configuration, signed and staged like code

Unsigned anything

The registry gate has no bypass parameter

Versioning: the API is versioned with the runtime — v1 signatures are stable within the major, additive changes ship in minors, and every skill, driver, and model declares the API version it was built against in its signed manifest. The wire protocol between machine and Titan Command Center is specified separately and versioned on the same policy.