Capability-Infrastructure Cluster Backlog

A planning audit found a cluster of maturing proposals whose Phase 1 slices are now extractable (their stated prerequisites have landed) plus the Stage 6 capability remainder. Most of these slices ADD interfaces to schema/capos.capnp and therefore share the schema serial surface: only one plan at a time may change the schema (docs/backlog/index.md “Concurrency Notes”), and the next plan must rebase on the generated-code refresh. This file decomposes the cluster and records the recommended ordering so the slices do not all become ready at once and collide on that surface.

docs/tasks/README.md points here for the cluster; it should not inline the details.

Ordering Contract

  • The non-schema slices (capos-service framework, tickless idle, default avatar) are dispatchable in parallel today and have their own ready task files; they do NOT queue here.
  • The schema-touching slices below queue on the shared schema serial surface. Promote ONE at a time from this backlog into a docs/tasks/ file, land it, refresh generated bindings, then promote the next. Do not file all of them as ready simultaneously.
  • The ResourceProfileRecord / ManifestResourceProfile schema, capos_config::ResourceProfile carrier, and non-schema spawn-limit enforcement have landed. Crypto key caps Phase 1 has also landed. The next queued schema-serial slice is crash-recovery-stale-cap-phase1.
  • Recommended schema promotion order from here: crash-recovery stale-cap → authority-broker → live-upgrade CapRetarget → Stage 6 remainder. Reorder by explicit user priority. Do not promote a schema slice in parallel with another schema-surface task.

Schema-Serial Phase-1 Slices

Each slice names a 1-line scope, the owning proposal, and the conflict domains its eventual task file should carry. All share interface:schema-capos-capnp + path:schema/capos.capnp + path:tools/generated/ (the serial surface) in addition to the listed domains.

monitoring-log-surface (landed)

  • Scope: LogSink/LogReader schema + a minimal userspace log service backed by Console, with logLevel enforcement and scoped LogSink caps granted to children at spawn. Source: docs/proposals/system-monitoring-proposal.md.
  • Domains: resource:system-monitoring, path:kernel/src/cap/, path:demos/, docs:system-monitoring.
  • Landed (2026-05-25): additive LogSink.write @38 / LogReader.read @39 plus LogRecord/LogFilter (reusing LogLevel), backed by a bounded drop-oldest kernel ring (kernel/src/cap/log.rs). The sink drops records below the boot-seeded SystemConfig.logLevel and forwards accepted records to serial; the reader returns cursor/filtered records with nextCursor/dropped. capos-rt LogSinkClient/LogReaderClient, producer/reader demos, system-monitoring-log.cue, and make run-monitoring-log-smoke prove the sink drop, read-back, and reader-side minLevel filter. The wider Severity (critical), correlation fields, token-bucket backpressure, and persistent retention remain later phases. Task: docs/tasks/done/2026-05-25/cap-infra-monitoring-log-surface.md.

crypto-key-caps-phase1 (landed)

  • Scope: SymmetricKey/PrivateKey/PublicKey schema interfaces + a software-backed userspace key service + a QEMU encrypt/sign smoke over the cap boundary. Unblocks TLS, OIDC, volume encryption, signed audit, SSH cert upgrade. Source: docs/proposals/cryptography-and-key-management-proposal.md.
  • Domains: resource:crypto-key-service, path:demos/, docs:cryptography-and-key-management.
  • Landed (2026-06-06): minimal RAM-only SymmetricKey, PrivateKey, and PublicKey ABI in schema/capos.capnp, regenerated bindings, capos-tls XChaCha20+HMAC-SHA256/P-256 cores, RAM KeyVault private-key custody, and the development-only KeySource bootstrap. Local proofs cover symmetric AEAD/MAC, private/public signing, KeyVault stale-handle custody, and development-source admission/rejection. Remaining work is production/runtime key service wiring, symmetric derivation/wrapping, persistence, hardware/cloud custody, ACME/TLS handshakes, and production public-ingress key sources. Task: docs/tasks/done/2026-06-06/cap-infra-crypto-key-caps-phase1-reconcile-local-proof.md.

time-wallclock-phase1 (landed)

  • Scope: WallClock read cap + ClockProvenance label + manifest-seeded boot time; WASI clock_time_get(REALTIME) and audit timestamp delegate to it. Source: docs/proposals/time-and-clock-proposal.md.
  • Domains: resource:time-clock-authority, path:kernel/src/cap/, docs:time-and-clock.
  • Landed (2026-05-24, fixed-boot-base variant): WallClock.wallTime read cap + ClockProvenance enum (untrusted @0 fail-closed zero value), KernelCapSource::wallClock @36, kernel/src/cap/wall_clock.rs, the capos-rt WallClockClient, and a shell date command granted wall_clock in system-shell.cue and asserted by make run-shell. Manifest seedUtcSeconds, a stateful WallClockState, WASI realtime-clock delegation, and init audit/TLS grants remain Phase 1.x / Phase 2 follow-ups. Task: docs/tasks/done/2026/time-wallclock-phase1.md.

crash-recovery-stale-cap-phase1

  • Scope: stale-cap DISCONNECTED/server-death CQE propagation to in-flight callers and endpoint holders on unplanned process death, plus a redacted CrashRecord appended to AuditLog. Source: docs/proposals/crash-recovery-supervision-proposal.md.
  • Domains: resource:crash-recovery, path:kernel/src/cap/, path:kernel/src/process.rs, docs:crash-recovery.

debug-session-phase1

  • Scope: DebugSession attach cap (owner-consent or broker maintenance grant, audited) + read-only cap-table snapshot that transfers no authority. Source: docs/proposals/debug-trace-authority-proposal.md.
  • Domains: resource:debug-trace-authority, path:kernel/src/cap/, docs:debug-trace.

authority-broker-phase1

  • Scope: endpoint-served AuthorityBroker + ShutdownControl schema + runtime client + a QEMU proof that an anonymous shell cannot invoke shutdown. Source: docs/proposals/userspace-authority-broker-proposal.md.
  • Domains: resource:authority-broker, path:init/, path:shell/, docs:userspace-authority-broker.
  • Status note: the interim kernel broker no longer owns hard-coded demo binary allowlists. kernelParams.authorityBrokerPolicy now carries the admitted session-context, remote-client spawn, and worker service grant policy with manifest validation. The endpoint-served userspace broker and shutdown-control interfaces remain the queued Phase 1 work.

live-upgrade-capretarget-phase1

  • Scope: ProcessControl + retargetCaps kernel op for stateless Case 1 upgrades, with a QEMU retarget-mid-call smoke. Foundation for DDF userspace-driver fault containment. Source: docs/proposals/live-upgrade-proposal.md.
  • Domains: resource:live-upgrade, path:kernel/src/cap/, docs:live-upgrade.

system-info-hostname (done)

  • Scope: add hostname to the SystemInfo cap + kernelParams.hostname + manifest field. Source: docs/proposals/system-info-proposal.md Phase 3.
  • Domains: resource:system-info, path:kernel/src/cap/, docs:system-info.
  • Landed: SystemInfo.hostname @1 served from kernelParams.hostname (default capos), printed by the shell hostname command, asserted in run-shell. Task: docs/tasks/done/cap-infra-system-info-hostname.md.

stage6-remainder

  • Scope: the remaining Stage 6 capability semantics – SharedBuffer SQE opcode + kernel mapping authority, typed notification objects with ring Recv integration, and CapabilityManager.list/grant. Decomposed in docs/backlog/stage-6-capability-semantics.md; queue each as its own slice on the schema surface. Source: roadmap Stage 6.
  • Domains: resource:stage6-capability-semantics, path:kernel/src/cap/, path:kernel/src/cap/ring.rs, docs:stage-6.

Non-Schema Slices

These are dispatchable now and are tracked as ready or done tasks, not queued on the schema serial surface:

  • Done: cap-infra-resource-profile-enforcement-local-proof – binds the existing ResourceProfileRecord / ManifestResourceProfile and capos_config::ResourceProfile carrier to remaining cap-slot and thread spawn-limit enforcement, with rollback proof (docs/tasks/done/2026-06-06/cap-infra-resource-profile-enforcement-local-proof.md).
  • Done: capos-service-lifecycle-slice1 – ServiceMain/lifecycle framework above capos-rt, one converted gateway proof (docs/tasks/done/2026/capos-service-lifecycle-slice1.md).
  • Done: default-user-avatar – deterministic native-shell avatar selection over the shipped flat catalog, printed in the shell session output without schema or broker changes (docs/tasks/done/2026/default-user-avatar.md).
  • Done: scheduler-tickless-idle-step6 – enable true-idle tickless windows while keeping cap-enter polling dependencies periodic (docs/tasks/done/2026/scheduler-tickless-idle-step6.md).

Still-Gated (not in this cluster)

Memory-authority, OOM/swap, certificates/TLS, OIDC, volume-encryption, go-runtime, chat-multimedia, llm/agent, browser, GPU, formal-MAC/MIC, cloud-metadata, HPC, scientific, hosted-agent-swarm remain gated on this cluster, DDF, networking, storage persistence, or SMP Phase C / Ring v2. See each proposal’s gating note and docs/backlog/research-design-gaps.md.