2026-06-21

Weekly open source: forma — a pure-Rust UI toolkit on the whole stack

If the last few weeks built a pure-Rust stack from the crypto floor up — primitives, compression, SSH, a curl, internationalization — this week added the top of it: an application layer. forma is a cross-platform UI toolkit that draws its own interfaces, on its own media stack, talking to each OS through raw FFI. And puressh crossed from "scaffolding filling in" to production-grade SSH.

forma: a self-drawn UI toolkit

forma is "a cross-platform UI library and toolkit in Rust" that draws beautiful, fully themeable, pixel-identical interfaces on Linux, macOS, Windows, Android, iOS, and the web — staying as close to the OS as possible while depending on as little third-party code as possible. It builds on the pure-Rust oxideav media stack for all 2D rendering (scene graph, CPU rasterizer, font shaping, image decode, SVG) and adds everything around it: native windowing and input per OS, presenting the rendered buffer, and a declarative, reactive toolkit. The API reads like SwiftUI or Flutter — Column, Row, Button("+").on_tap(...), Text(...).font_size(...) — but the entire rendering and platform substrate underneath is in-house.

The repo went from nothing to a working multi-platform toolkit in a single week (169 commits). The layers it built:

  • GPU backends, raw FFI to each API — a triangle through a full Metal pipeline (macOS), Direct3D 11 (Windows, WARP), WebGPU (web, headless-Chrome CI), and OpenGL/EGL on Linux, with the on-screen present path wired through App::render_with. The Linux path goes deep: DRI3 to receive the server's DRM fd, SCM_RIGHTS fd-passing over Unix sockets, EGL bound to a specific GPU via GBM, and dma-buf export/import for the browser-content seam.
  • Native windowing per OS — true multi-window on X11 (each window a Pane), macOS Cocoa, Windows, Android via NativeActivity (verified on an emulator in CI), and iOS UIKit (verified on the simulator).
  • Accessibility on all three desktops — a hand-written D-Bus client exposing the tree over AT-SPI (Linux), NSAccessibility (macOS), and a hand-written UI Automation provider (Windows).
  • The widget toolkit — scroll containers with scene clipping, an overlay layer with menus / dialogs / tooltips / radio / progress / spinner, tabs and right-click context menus, clipboard (copy/cut/paste wired to the X11 CLIPBOARD selection), native file dialogs via xdg-desktop-portal, and area-based repaint that skips unchanged regions. A four-function calculator demo exercises it end to end.

This is the piece that makes the whole "pure Rust, minimal third-party code, talk to the OS directly" project visible as an application platform, not just a library collection. The first crates tagged: forma-geometry, forma-layout, forma-anim at v0.0.1.

puressh: certificates, KRL, and PAM/MFA

puressh (v0.0.6) spent the week reaching feature-complete SSH. OpenSSH certificates landed across five phases: parse/verify core, CASignatureAlgorithms, host certificates (server presents, client verifies), user certificates (client offers, server authorizes), and critical options (force-command, source-address), with default-deny user-cert extensions and end-to-end interop tests against a real OpenSSH sshd. Key revocation lists (the OpenSSH binary KRL format) wire into the cert and pubkey trust gates, with serial-list / serial-range revocation. PAM grew a multi-step keyboard-interactive conversation bridge and multi-factor AuthenticationMethods chains with enforced positional order.
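The server-side gate this paragraph describes, reduced to an added Rust example; it is not puressh's code or API. `UserCert`, `Krl`, `authorize` and `in_cidr_list` are hypothetical names, the certificate is assumed to be already signature-verified, and source-address matching covers IPv4 only.

```rust
use std::net::Ipv4Addr;

// Hypothetical, simplified view of a user certificate whose CA signature already verified.
pub struct UserCert {
    pub serial: u64,
    pub principals: Vec<String>,
    pub valid_after: u64, // seconds since the epoch
    pub valid_before: u64,
    pub critical_options: Vec<(String, String)>,
}

// A KRL reduced to the two serial forms the post names: explicit serials and inclusive ranges.
pub struct Krl { pub serials: Vec<u64>, pub ranges: Vec<(u64, u64)> }

impl Krl {
    pub fn is_revoked(&self, serial: u64) -> bool {
        self.serials.contains(&serial)
            || self.ranges.iter().any(|&(lo, hi)| lo <= serial && serial <= hi)
    }
}

// True when `ip` falls inside one of the comma-separated IPv4 CIDR blocks; bad entries never match.
fn in_cidr_list(list: &str, ip: Ipv4Addr) -> bool {
    list.split(',').any(|cidr| {
        let Some((net, bits)) = cidr.trim().split_once('/') else { return false };
        let (Ok(net), Ok(bits)) = (net.parse::<Ipv4Addr>(), bits.parse::<u32>()) else { return false };
        if bits > 32 { return false; }
        let mask = if bits == 0 { 0 } else { u32::MAX << (32 - bits) };
        (u32::from(net) & mask) == (u32::from(ip) & mask)
    })
}

// Returns Ok(forced command, if any) or Err(reason). Every check fails closed.
pub fn authorize(c: &UserCert, krl: &Krl, user: &str, peer: Ipv4Addr, now: u64)
    -> Result<Option<String>, &'static str> {
    if krl.is_revoked(c.serial) { return Err("serial revoked by KRL"); }
    if now < c.valid_after || now >= c.valid_before { return Err("outside validity window"); }
    if !c.principals.iter().any(|p| p == user) { return Err("principal not listed"); }
    let mut forced = None;
    for (name, value) in &c.critical_options {
        match name.as_str() {
            "force-command" => forced = Some(value.clone()),
            "source-address" if in_cidr_list(value, peer) => {}
            "source-address" => return Err("peer outside source-address"),
            _ => return Err("unknown critical option"), // default-deny
        }
    }
    Ok(forced)
}
```

The unknown-option arm matters most: a critical option the server does not understand must reject the certificate, never be skipped.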

The security grind continued in parallel: an absolute LoginGraceTime and a bounded, non-panicking accept loop (pre-auth DoS), a 2048-bit RSA floor on cert-embedded keys, StrictModes ownership + ancestor checks, MIT-MAGIC-COOKIE-1 validation on X11 forwarding by default, and ObscureKeystrokeTiming keystroke-timing obfuscation. It also added ping@openssh.com PING/PONG and tracked the current crypto floor (purecrypto 0.6.1 → 0.6.14, honoring a Rust 1.88 MSRV).
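A sketch of the "ownership + ancestor checks" item, as an added Rust example rather than puressh's implementation. `strict_modes_ok` is a hypothetical name, and the policy is an assumption modelled on OpenSSH's StrictModes: the key file and every directory up to the home directory must be owned by the user or root and must not be group- or world-writable.

```rust
use std::fs;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

// Walk from the key file up to and including `home`, rejecting on the first
// component with a foreign owner or with group/other write permission.
pub fn strict_modes_ok(file: &Path, home: &Path, uid: u32) -> Result<(), String> {
    // Resolve symlinks first so the walk inspects the real directories.
    let file = fs::canonicalize(file).map_err(|e| e.to_string())?;
    let home = fs::canonicalize(home).map_err(|e| e.to_string())?;
    if !file.starts_with(&home) {
        return Err(format!("{} is outside {}", file.display(), home.display()));
    }
    for p in file.ancestors() {
        let md = fs::metadata(p).map_err(|e| e.to_string())?;
        if md.uid() != uid && md.uid() != 0 {
            return Err(format!("bad owner on {}", p.display()));
        }
        if md.mode() & 0o022 != 0 {
            return Err(format!("group/world-writable: {}", p.display()));
        }
        if p == home.as_path() {
            return Ok(()); // reached the home directory: stop before shared parents
        }
    }
    Err("home directory not reached".to_string())
}
```

The ancestor walk is the point: a 0600 key file inside a group-writable `.ssh` directory can be replaced by renaming, so checking the file alone is not enough.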

Also this week

  • rsurl and intl kept settling — torrent-engine and Unicode-surface follow-through after their big weeks.
  • oxideav-io is new: a generic open/save/transcode entry point that auto-detects an image / video / audio / 3D / PDF / SVG source and dispatches through the oxideav-core registries — the single front door forma renders through.
  • oxideav-aptx — aptX classic + aptX HD Bluetooth audio.
  • The OxideAV per-codec sweep continued across the audio and container crates (aac, mp4, mov, theora, jpeg2000, dts, …).

Next week

The capstone the whole stack has been pointing at: argus, a web browser written in pure Rust. It sits on top of everything built so far — forma for the UI, the kataan JavaScript engine (a pure-Rust ECMAScript implementation with a tree-walking interpreter, a register bytecode VM, an x86-64 JIT, and a WebAssembly tier), the rsurl networking stack, and the oxideav media layer, with purecrypto underneath. Multi-process, in-house engine, GUI and headless. A browser is the application that exercises every layer at once — which is rather the point of building the layers.