# Capability-Infrastructure Cluster Backlog

A planning audit found a cluster of maturing proposals whose Phase 1 slices are
now extractable (their stated prerequisites have landed) plus the Stage 6
capability remainder. Most of these slices ADD interfaces to
`schema/capos.capnp` and therefore share the **schema serial surface**: only one
plan at a time may change the schema (`docs/backlog/index.md` "Concurrency
Notes"), and the next plan must rebase on the generated-code refresh. This file
decomposes the cluster and records the recommended ordering so the slices do not
all become `ready` at once and collide on that surface.

`docs/tasks/README.md` points here for the cluster; it should not inline the details.

## Ordering Contract

- The non-schema slices (capos-service framework, tickless idle, default
  avatar) are dispatchable in parallel today and have their own ready task
  files; they do NOT queue here.
- The schema-touching slices below queue on the shared schema serial surface.
  Promote ONE at a time from this backlog into a `docs/tasks/` file, land
  it, refresh generated bindings, then promote the next. Do not file all of
  them as `ready` simultaneously.
- The `ResourceProfileRecord` / `ManifestResourceProfile` schema,
  `capos_config::ResourceProfile` carrier, and non-schema spawn-limit
  enforcement have landed. Crypto key caps Phase 1 has also landed. The next
  queued schema-serial slice is `crash-recovery-stale-cap-phase1`.
- Recommended schema promotion order from here: crash-recovery stale-cap →
  authority-broker → live-upgrade
  `CapRetarget` → Stage 6 remainder. Reorder by explicit user priority. Do not
  promote a schema slice in parallel with another schema-surface task.

## Schema-Serial Phase-1 Slices

Each slice names a 1-line scope, the owning proposal, and the conflict domains
its eventual task file should carry. All share
`interface:schema-capos-capnp` + `path:schema/capos.capnp` +
`path:tools/generated/` (the serial surface) in addition to the listed domains.

### monitoring-log-surface (landed)
- Scope: `LogSink`/`LogReader` schema + a minimal userspace log service backed
  by `Console`, with `logLevel` enforcement and scoped `LogSink` caps granted to
  children at spawn. Source: `docs/proposals/system-monitoring-proposal.md`.
- Domains: `resource:system-monitoring`, `path:kernel/src/cap/`, `path:demos/`,
  `docs:system-monitoring`.
- Landed (2026-05-25): additive `LogSink.write @38` / `LogReader.read @39` plus
  `LogRecord`/`LogFilter` (reusing `LogLevel`), backed by a bounded drop-oldest
  kernel ring (`kernel/src/cap/log.rs`). The sink drops records below
  `SystemConfig.logLevel` (boot-seeded) and forwards accepted records to
  serial; the reader returns cursor/filtered records with `nextCursor`/`dropped`.
  `capos-rt` `LogSinkClient`/`LogReaderClient`, producer/reader demos,
  `system-monitoring-log.cue`, and `make run-monitoring-log-smoke` prove the
  sink drop, read-back, and reader-side `minLevel` filter. The wider `Severity`
  (`critical`), correlation fields, token-bucket backpressure, and persistent
  retention remain later phases. Task:
  `docs/tasks/done/2026-05-25/cap-infra-monitoring-log-surface.md`.
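
The three behaviours the landed slice proves (sink-side `logLevel` gating, a bounded drop-oldest ring, and cursor-based reads that report `nextCursor`/`dropped` with a reader-side `minLevel` filter) are small enough to show end to end. The block below is an illustrative example added to this page, not the project's `kernel/src/cap/log.rs`; the `LogRing` type, its method names, the four-variant `LogLevel`, the `max` page size, and every log line are constructed assumptions modelled on the description above.

```rust
// Added example for the backlog page: a bounded drop-oldest log ring with a
// sink-side level gate and a cursor-based reader. Not kernel/src/cap/log.rs;
// type and method names are assumptions, sample records are constructed.
use std::collections::VecDeque;

// Variant order gives the comparison used by both the sink gate and minLevel.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum LogLevel { Debug, Info, Warn, Error }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct LogRecord { pub seq: u64, pub level: LogLevel, pub msg: String }

/// What a reader gets back: matching records, where to resume, and how many
/// records it asked for that were already evicted by the drop-oldest policy.
#[derive(Debug)]
pub struct ReadResult { pub records: Vec<LogRecord>, pub next_cursor: u64, pub dropped: u64 }

pub struct LogRing {
    capacity: usize,
    sink_min: LogLevel,       // seeded once from SystemConfig.logLevel at boot
    next_seq: u64,            // cursor the next accepted record will receive
    buf: VecDeque<LogRecord>, // oldest at the front
}

impl LogRing {
    pub fn new(capacity: usize, sink_min: LogLevel) -> Self {
        let capacity = capacity.max(1);
        LogRing { capacity, sink_min, next_seq: 0, buf: VecDeque::with_capacity(capacity) }
    }

    pub fn len(&self) -> usize { self.buf.len() }

    /// Sink write: records below the boot-seeded level are dropped here and
    /// never consume ring space. Returns whether the record was accepted.
    pub fn write(&mut self, level: LogLevel, msg: &str) -> bool {
        if level < self.sink_min { return false; }
        if self.buf.len() == self.capacity {
            self.buf.pop_front(); // drop-oldest: bounded memory, no backpressure
        }
        self.buf.push_back(LogRecord { seq: self.next_seq, level, msg: msg.to_string() });
        self.next_seq += 1;
        true
    }

    /// Reader read: up to `max` records with seq >= cursor and level >= min_level.
    /// `next_cursor` advances past every examined record, including filtered-out
    /// ones, so a paging client never re-scans them; `dropped` tells the client
    /// how many requested records were evicted before it caught up.
    pub fn read(&self, cursor: u64, min_level: LogLevel, max: usize) -> ReadResult {
        let oldest = self.buf.front().map(|r| r.seq).unwrap_or(self.next_seq);
        let dropped = oldest.saturating_sub(cursor);
        let mut next_cursor = cursor.max(oldest);
        let mut records = Vec::new();
        for r in self.buf.iter().filter(|r| r.seq >= cursor) {
            if records.len() == max { break; }
            next_cursor = r.seq + 1;
            if r.level >= min_level { records.push(r.clone()); }
        }
        ReadResult { records, next_cursor, dropped }
    }
}

/// Constructed scenario: a 4-slot ring gated at Info, one sub-threshold write,
/// five accepted writes (so the oldest is evicted), then a Warn-and-up read.
pub fn demo() -> (bool, usize, ReadResult) {
    let mut ring = LogRing::new(4, LogLevel::Info);
    let accepted_debug = ring.write(LogLevel::Debug, "trace noise"); // gated at sink
    ring.write(LogLevel::Info, "init started");     // seq 0, later evicted
    ring.write(LogLevel::Warn, "clock untrusted");  // seq 1
    ring.write(LogLevel::Info, "shell spawned");    // seq 2
    ring.write(LogLevel::Error, "child crashed");   // seq 3
    ring.write(LogLevel::Info, "child restarted");  // seq 4, drops seq 0
    let warn_and_up = ring.read(0, LogLevel::Warn, 16);
    (accepted_debug, ring.len(), warn_and_up)
}

fn main() {
    let (debug_ok, held, res) = demo();
    println!("debug accepted at sink: {}, records held: {}", debug_ok, held);
    println!("dropped before cursor: {}, next_cursor: {}", res.dropped, res.next_cursor);
    for r in &res.records { println!("  #{} {:?} {}", r.seq, r.level, r.msg); }
}
```

The `dropped` count is derived from the gap between the caller's cursor and the oldest surviving sequence number rather than from a global counter, so two readers at different cursors each see their own loss figure; that is the check a monitoring consumer needs before trusting a gap-free view of the ring.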

### crypto-key-caps-phase1 (landed)
- Scope: `SymmetricKey`/`PrivateKey`/`PublicKey` schema interfaces + a
  software-backed userspace key service + a QEMU encrypt/sign smoke over the cap
  boundary. Unblocks TLS, OIDC, volume encryption, signed audit, SSH cert
  upgrade. Source: `docs/proposals/cryptography-and-key-management-proposal.md`.
- Domains: `resource:crypto-key-service`, `path:demos/`,
  `docs:cryptography-and-key-management`.
- Landed (2026-06-06): minimal RAM-only `SymmetricKey`, `PrivateKey`, and
  `PublicKey` ABI in `schema/capos.capnp`, regenerated bindings,
  `capos-tls` XChaCha20+HMAC-SHA256/P-256 cores, RAM `KeyVault`
  private-key custody, and the development-only `KeySource` bootstrap. Local
  proofs cover symmetric AEAD/MAC, private/public signing, KeyVault stale-handle
  custody, and development-source admission/rejection. Remaining work is
  production/runtime key service wiring, symmetric derivation/wrapping,
  persistence, hardware/cloud custody, ACME/TLS handshakes, and production
  public-ingress key sources. Task:
  `docs/tasks/done/2026-06-06/cap-infra-crypto-key-caps-phase1-reconcile-local-proof.md`.

### time-wallclock-phase1 (landed)
- Scope: `WallClock` read cap + `ClockProvenance` label + manifest-seeded boot
  time; WASI `clock_time_get(REALTIME)` and audit timestamp delegate to it.
  Source: `docs/proposals/time-and-clock-proposal.md`.
- Domains: `resource:time-clock-authority`, `path:kernel/src/cap/`,
  `docs:time-and-clock`.
- Landed (2026-05-24, fixed-boot-base variant): `WallClock.wallTime` read cap +
  `ClockProvenance` enum (`untrusted @0` fail-closed zero value),
  `KernelCapSource::wallClock @36`, `kernel/src/cap/wall_clock.rs`, the
  `capos-rt` `WallClockClient`, and a shell `date` command granted `wall_clock`
  in `system-shell.cue` and asserted by `make run-shell`. Manifest
  `seedUtcSeconds`, a stateful `WallClockState`, WASI realtime-clock delegation,
  and init audit/TLS grants remain Phase 1.x / Phase 2 follow-ups. Task:
  `docs/tasks/done/2026/time-wallclock-phase1.md`.

### crash-recovery-stale-cap-phase1
- Scope: stale-cap `DISCONNECTED`/server-death CQE propagation to in-flight
  callers and endpoint holders on unplanned process death, plus a redacted
  `CrashRecord` appended to `AuditLog`. Source:
  `docs/proposals/crash-recovery-supervision-proposal.md`.
- Domains: `resource:crash-recovery`, `path:kernel/src/cap/`,
  `path:kernel/src/process.rs`, `docs:crash-recovery`.

### debug-session-phase1
- Scope: `DebugSession` attach cap (owner-consent or broker maintenance grant,
  audited) + read-only cap-table snapshot that transfers no authority. Source:
  `docs/proposals/debug-trace-authority-proposal.md`.
- Domains: `resource:debug-trace-authority`, `path:kernel/src/cap/`,
  `docs:debug-trace`.

### authority-broker-phase1
- Scope: endpoint-served `AuthorityBroker` + `ShutdownControl` schema + runtime
  client + a QEMU proof that an anonymous shell cannot invoke shutdown. Source:
  `docs/proposals/userspace-authority-broker-proposal.md`.
- Domains: `resource:authority-broker`, `path:init/`, `path:shell/`,
  `docs:userspace-authority-broker`.
- Status note: the interim kernel broker no longer owns hard-coded demo binary
  allowlists. `kernelParams.authorityBrokerPolicy` now carries the admitted
  session-context, remote-client spawn, and worker service grant policy with
  manifest validation. The endpoint-served userspace broker and shutdown-control
  interfaces remain the queued Phase 1 work.

### live-upgrade-capretarget-phase1
- Scope: `ProcessControl` + `retargetCaps` kernel op for stateless Case 1
  upgrades, with a QEMU retarget-mid-call smoke. Foundation for DDF
  userspace-driver fault containment. Source:
  `docs/proposals/live-upgrade-proposal.md`.
- Domains: `resource:live-upgrade`, `path:kernel/src/cap/`, `docs:live-upgrade`.

### system-info-hostname (done)
- Scope: add `hostname` to the `SystemInfo` cap + `kernelParams.hostname` +
  manifest field. Source: `docs/proposals/system-info-proposal.md` Phase 3.
- Domains: `resource:system-info`, `path:kernel/src/cap/`, `docs:system-info`.
- Landed: `SystemInfo.hostname @1` served from `kernelParams.hostname`
  (default `capos`), printed by the shell `hostname` command, asserted in
  `run-shell`. Task: `docs/tasks/done/cap-infra-system-info-hostname.md`.

### stage6-remainder
- Scope: the remaining Stage 6 capability semantics -- `SharedBuffer` SQE
  opcode + kernel mapping authority, typed notification objects with ring
  `Recv` integration, and `CapabilityManager.list`/`grant`. Decomposed in
  `docs/backlog/stage-6-capability-semantics.md`; queue each as its own slice on
  the schema surface. Source: roadmap Stage 6.
- Domains: `resource:stage6-capability-semantics`, `path:kernel/src/cap/`,
  `path:kernel/src/cap/ring.rs`, `docs:stage-6`.

## Non-Schema Slices

These are dispatchable now and are tracked as ready or done tasks, not queued
on the schema serial surface:

- **Done:** `cap-infra-resource-profile-enforcement-local-proof` -- binds the
  existing `ResourceProfileRecord` / `ManifestResourceProfile` and
  `capos_config::ResourceProfile` carrier to remaining cap-slot and thread
  spawn-limit enforcement, with rollback proof
  (`docs/tasks/done/2026-06-06/cap-infra-resource-profile-enforcement-local-proof.md`).
- **Done:** `capos-service-lifecycle-slice1` -- `ServiceMain`/lifecycle framework above
  `capos-rt`, one converted gateway proof
  (`docs/tasks/done/2026/capos-service-lifecycle-slice1.md`).
- **Done:** `default-user-avatar` -- deterministic native-shell avatar
  selection over the shipped flat catalog, printed in the shell `session`
  output without schema or broker changes
  (`docs/tasks/done/2026/default-user-avatar.md`).
- **Done:** `scheduler-tickless-idle-step6` -- enable true-idle tickless
  windows while keeping cap-enter polling dependencies periodic
  (`docs/tasks/done/2026/scheduler-tickless-idle-step6.md`).

## Still-Gated (not in this cluster)

Memory-authority, OOM/swap, certificates/TLS, OIDC, volume-encryption,
go-runtime, chat-multimedia, llm/agent, browser, GPU, formal-MAC/MIC,
cloud-metadata, HPC, scientific, hosted-agent-swarm remain gated on this
cluster, DDF, networking, storage persistence, or SMP Phase C / Ring v2. See
each proposal's gating note and `docs/backlog/research-design-gaps.md`.
