Changelog

A curated record of capOS’s shipped milestones: the significant, externally visible capabilities the system has demonstrated.

Each entry documents one landed milestone with the evidence that backs it – a shipped feature with measured behavior, a security finding closed with its fix and verification commands, a scaling proof with its data, or a benchmark with its host caveats – named, dated to the commit it landed at, and reproducible.

2026-06-09

Remote-session Web UI server-side session hardening – Review C high closed

The capOS-served Web UI (remote-session-web-ui) no longer derives its capos_remote_session cookie from the accept counter. It now mints an opaque, high-entropy server-side session id – a one-way SHA-256 (domain-separated, base64url) over the kernel-CSPRNG backend SessionInfo.session_id – and a per-session double-submit CSRF token from the same seed under a distinct label. The raw backend id never crosses to the browser (the digest is one-way). Landed at 91743ed4.
Server-side enforcement added before request dispatch: token rotation on login/re-login, cookie expiry + fail-closed rejection on logout and on a replayed rotated-out id, idle (30 min) and absolute (12 h) lifetime bounds via absolute monotonic deadlines, Host (DNS-rebinding) and Origin validation, and a required X-CSRF-Token double-submit on state-changing requests. The session cookie is Secure when X-Forwarded-Proto: https reports HTTPS ingress; the plaintext loopback proof stays explicitly non-Secure. This matches the committed operator-bundle/host-bridge CSRF contract; no schema/kernel/ABI change.
Evidence: make run-cloud-prod-remote-session-web-ui-l4 (local QEMU/cloudboot) now drives stale-token, CSRF (missing/mismatch), Origin (missing/cross-site), Host, idle/absolute expiry, cookie-attribute, and login/re-login rotation denial gates, each failing closed before any backend-held capability call (report.json sessionHardening: all gates true, tokenLen 43). Local proof only; not private GCE reachability, public ingress, or TLS.

2026-06-04

Userspace TCP over the capability NIC – TcpListener/TcpSocket round trip

A userspace process now completes a full TcpListener/TcpSocket round trip over smoltcp driven entirely through capabilities: frames cross the Nic capability, the kernel-owned keep-armed sustained-receive RX pool (Nic.receivePoll @4) feeds smoltcp’s RX token across the multi-frame TCP handshake, and no host-physical or device-usable address is exposed to userspace. This is the first userspace TCP (connection-oriented, multi-frame) path in capOS, landed at 002c5927 (Phase C slice 7c-iii).
It rests on the sustained-receive ABI that lifted the prior single-frame Nic.receive blocker (slice 7d, Nic.receivePoll @4, kernel-owned bounce pool with per-recycle scrub + slot-generation bump, no per-frame device reset). Evidence: the run-cloud-prod-network-stack-smoltcp-tcp-listener-roundtrip QEMU proof exercises listen/accept/echo over the userspace stack.
Remaining for the full Phase C userspace L4 stack: the cap/network.rs production-contract relocation (parent task cloud-prod-userspace-network-stack-smoltcp-local-proof), after which the TLS-client handshake, self-hosted Web-UI L4, and IPv6-TCP tracks unblock.

2026-06-02

Real-GCE virtio-net NIC bind – the GCE Polling Path track closes

The billable real-GCE proof passed: a real e2-small instance (europe-west3-a, image capos-test-1780412056-e1cb, source commit 1fb65683) booted the production non-qemu cloud kernel from the legacy datapath manifest, the kernel-brokered legacy polled path bound the live GCE virtio 0.9 NIC (00:04.0, 1af4:1000), and the run passed the tools/cloudboot/run-test.sh --require-provider-nic-proof gate. Run 1780412056-e1cb; teardown_status=complete, no leaked sandbox resources.
This is the first real-hardware attestation of the legacy bind. Every stage ran end to end on GCE: candidate select over PIO BAR0 (iobase=0xc040), I/O + bus-master enable (command=0x0107), real GCE device MAC read (src_mac=42:01:0a:c8:00:12), NET_F_MAC negotiation (device_features=0x204399a7), full 4096-entry vring materialization (rx_queue_size=4096 tx_queue_size=4096 rx_vring_pages=28 tx_vring_pages=28 – the ~110 KiB/28-page contiguous frame::alloc_contiguous per queue that QEMU cannot emulate, since QEMU caps queue size at 1024), a broadcast DHCP DISCOVER TX, and a real device->host RX DMA within the TSC-governed wall-clock budget (rx_used_len=532 ethertype=0x0800 IPv4, rx_clock_usable=true, rx_iters=1). Marker: cloudboot-evidence: provider-nic-bound 0000.00.04.0-vendor.1af4-dev.1000-iobar.0-iobase.c040-usedidx.1-usedid.0-usedlen.532-ethertype.0800-txusedidx.1-srcmac.42010ac80012 from cap::provider_nic_bind_proof::report_real_completion_legacy.
The bind reached the device only after three distinct real-hardware premise conflicts were closed by prior local slices, each found by a bounded billable run: modern-only candidate select vs the legacy device (5b), the QEMU-SLIRP-only RX stimulus vs GCE anti-spoofing (5c, real-MAC DHCP DISCOVER + accept-any wall-clock RX), and the device’s 4096-entry queue exceeding the prior 1024 bound (5d, MAX_LEGACY_QUEUE_SIZE raised to the spec max 32768).
Honest scope: this is a kernel-brokered, polling-only data-path attestation (userspace_driver_authority=kernel-brokered-legacy-polled, interrupt_model=polled-no-msix, device_autonomous_raise=not-claimed, direct_dma=blocked, host_physical_user_visible=0). It is not a claim of userspace-driver authority, device-autonomous MSI-X delivery, an L4 socket round-trip (raw-frame reachability per the slice-5 Option-A decision; L4 is networking-proposal Phase C), or cloud storage readiness. It retires the cloud-gcp-virtio-net-nic-driver blocker.
Reproduce: build the cloudboot image with make capos-cloudboot-image MANIFEST_SOURCE=system-cloud-provider-virtio-net-legacy-datapath.cue, confirm make run-cloud-provider-nic-bound-legacy (and make run-cloud-provider-nic-bound-legacy-large-queue) green on the build commit, then tools/cloudboot/run-test.sh --require-provider-nic-proof (BILLABLE; operator-authorized 2026-05-27, commit 2aaeaa53).

2026-05-30

Device Driver Foundation – production bind-stack qemu-gate dissolution

Umbrella cloud-prod-ddf-bindstack-qemu-gate-dissolution closed at commit fdc8eb66. The production (non-qemu) cloud kernel’s device-authority surface is now always-built code fronted by fail-closed runtime capability probes, graduated off the overloaded qemu gate and the per-proof cloud_*_proof feature modules it previously hid behind, while iommu.rs stays gated and brokered bounce-buffer-only DMA (no host-physical/IOVA export) is preserved. Landed as six reviewed slices:
- 29a76850 – RX MSI-X Interrupt.wait waiter-wakeup determinism: the provider-consumer flake was a synthetic-dispatch ordering race, fixed by gating injection on the owner being parked in cap_enter (sched::thread_blocked_on_cap_enter); 28/28 make run-ddf-provider-consumer (baseline ~18% flake).
- ef2548b3 – grant-source de-specialization: the prod {dmapool,devicemmio,interrupt}_grant_source statics stage an arbitrary enumerated function through one stage_with_class entry point taking a ProdGrantClass descriptor (cap::prod_grant_source_class), bit-identical.
- b7d30ec3 – MSI-X program/attach/arm/unmask + kernel-injected-dispatch wait graduated into always-built cap::interrupt_programmed / device_interrupt::wait_kernel_injected_dispatch.
- 82c2ed53 / b2168e05 / ad6da6ce – the device_manager backend port: always-built ProductionDeviceTable device-record/handle backend, per-record bounce-buffer DMA-pool backend, and interrupt-route backend (parent cloud-prod-device-manager-backend-port).
- fdc8eb66 – split test-harness affordances off the qemu feature.
- Reproduction: make run-cloud-devicemmio-grant, make run-cloud-dmapool-grant, make run-cloud-interrupt-grant, make run-cloud-provider-cap-waiter, make run-cloud-provider-nvme-readonly-bind, make run-ddf-provider-consumer, make run-net. Remaining DDF work – userspace virtio-net RX/multiqueue and NVMe I/O-queue provider readiness, plus live cloud bind – is tracked by the separate provider-parent tasks, not this umbrella.

2026-05-23

Device Driver Foundation – userspace virtio-net provider closeout

Commit c86374f8 (2026-05-23 16:51 UTC) closes the first local bounded userspace virtio-net provider-driver proof for Task 6. The provider-consumer smoke now asserts one stable closeout line tying together selected queue 1 TX descriptor/avail/doorbell/used-ring/CQ ownership across the full QEMU TX queue depth, bounded queue 0 RX synthetic-token CQ identity, selected TX/RX MSI-X/LAPIC wait/ack/EOI, selected-route mask/unmask/reset/reassignment, teardown, stale-handle blocking, and no silent provider fallback. Reproduction: make run-ddf-provider-consumer, make run-net. This remains bounded local QEMU provider evidence over manager-owned bounce buffers; live hardware RX used-ring ownership, full virtio-net ownership, direct DMA/IOMMU, cloud NIC/storage readiness, and virtio block/storage drivers remain separate work.

Device Driver Foundation – provider TX full-depth CQ ownership

Commit e248d42b (2026-05-23 13:36 UTC) extends selected userspace virtio-net TX CQ ownership from the prior four-outstanding window to the full eight-entry TX queue depth used by QEMU. The smoke now proves eight live manager-owned bounce buffers, descriptor/avail publication and notify doorbells for descriptors 0 through 7, wrong-order completion fail-closed at descriptor 7, in-order CQ identity delivery/ack for all eight descriptors, ninth allocation rejection without pool expansion, teardown-only drain for seven incomplete descriptors, and release retirement of seven delivered but unacknowledged CQ events. Reproduction: make run-ddf-provider-consumer, make run-net.

Device Driver Foundation – provider RX wait/ack dispatch-token proof

The provider-consumer smoke now promotes the provider RX interrupt grant’s wait/ack path beyond the blocked skeleton for one selected RX dispatch token. rx_interrupt.wait can pend, stay unpromoted by generic route delivery-count advancement, and wake only after a selected RX MSI-X/LAPIC dispatch validates the live RX issue, selected RX source, source generation, route generation, virtio-net owner, and driver-unmasked route state. The paired rx_interrupt.acknowledge accounts exactly one bounded RX hardware-dispatch ack for the delivered zero-CQ RX event; pre-event, masked-route, duplicate, and stale-after-release wait/ack attempts remain fail-closed. Reproduction: make run-ddf-provider-consumer. RX descriptor publication, RX CQ identity, real hardware IRQ acknowledgement/deferred EOI, direct DMA/IOMMU, full virtio-net ownership, cloud NIC/storage readiness, and production driver readiness remain open.

POSIX Adapter – File/Directory fd closeout

Commit f97d9833 (2026-05-23 06:23 UTC): the posix-file-directory-client-capos-rt task closes the v0 File/Directory fd surface on top of the existing Storage Phase 3 RAM-backed Directory cap. libcapos-posix now implements lseek() over the per-fd file position and readdir() as a lazy Directory.list snapshot, while preserving the existing pipe, UDP, Console, and TerminalSession fd paths. The new make run-posix-file proof boots a live C process that creates a file through open(), writes, seeks, reads, lists the root directory with opendir() / readdir(), closes both handles, and asserts relative paths still fail closed. Remaining P1.4 dash-port work is the printf/string subset, signal/time stubs, identity stubs, dash vendoring/patching, multi-TU C build, and run-posix-shell-smoke.

Device Driver Foundation – provider TX release retires three unacked CQ events

The provider-consumer smoke now extends the selected TX release-retirement path to three delivered but unacknowledged bounded provider TX CQ events in one live issue. The smoke completes descriptors 0, 1, and 2, consumes all three through tx_interrupt.wait, skips all acknowledgements, proves the stale-bound in-flight descriptor remains in fixed DMABuffer slot 3, and asserts provider tx_interrupt release retires three pending provider completion acks without hardware acknowledgement. The claim remains bounded CQ teardown evidence only; deferred EOI, hardware acknowledgement, hardware IRQ ownership, direct DMA/IOMMU, full CQ ownership, full userspace virtio-net ownership, cloud NIC/storage readiness, and production driver readiness remain open. Reproduction: make run-ddf-provider-consumer.

Device Driver Foundation – provider TX release retires unacked CQ event

Commit 11eeab2e: the provider-consumer smoke now proves release-time retirement for a delivered but unacknowledged bounded provider TX CQ event. The smoke drives a selected TX completion through DMABuffer.completeDescriptor and tx_interrupt.wait, deliberately skips tx_interrupt.acknowledge, releases the provider tx_interrupt cap, and asserts the release proof records one pending provider completion ack retired from the ledger. The stale post-release acknowledge path remains revoked; the completed buffer can still be freed normally; and deferred EOI, hardware acknowledgement, hardware IRQ ownership, direct DMA/IOMMU, full CQ ownership, full userspace virtio-net ownership, cloud NIC/storage readiness, and production driver readiness remain open. Reproduction: make run-ddf-provider-consumer.

Device Driver Foundation – provider RX descriptor boundary proof

Commit 2bd5add5: the provider-consumer smoke now records an explicit provider RX queue 0 descriptor boundary while the live RX interrupt issue is active. The proof keeps the existing DMABuffer.submitDescriptor(queue=0) / completeDescriptor(queue=0) path as neutral bounce-buffer accounting and asserts that RX ring publication, provider CQ publication, provider IRQ delivery, hardware acknowledgement, and direct DMA remain blocked while kernel RX cohabitation is unresolved. Reproduction: make run-ddf-provider-consumer. Honest caveat: RX descriptor publication, RX CQ identity, RX waiter delivery, direct DMA/IOMMU, full virtio-net ownership, cloud NIC/storage readiness, and production driver readiness remain open.

2026-05-17

Kernel – scheduler/IPC recoverable-panic surface closed

The scheduler and IPC hot-path .expect()/.unwrap() sites that could panic on stale run-queue or thread-metadata invariants are now hardened across the seven hot-path functions. block_current_on_cap_enter logs and returns false (yielding u64::MAX at the syscall boundary); next_start_context logs and returns None so the caller’s retry loop (kernel_idle_entry, start_current_cpu, start_ap) selects another thread; and schedule(), exit_current(), exit_current_thread, and capos_block_current_syscall() drop the scheduler lock and crate::hcf() on the dispatch/exit/block paths that have no caller-side recovery, matching the canonical last-process-exited halt. retain_endpoint_queue (kernel/src/cap/endpoint.rs) breaks with a diagnostic kprintln on a queue-length mismatch instead of panicking on pop_front(). The PhysFrame::from_start_address(cr3_phys) panics on the exit and syscall-entry paths are intentionally retained: corrupted CR3 is genuine memory-state corruption, not transient queue inconsistency. An explorer audit confirmed no recoverable panic surface remains (2026-05-17 00:41 UTC).

Kernel – resource quota fields fully wired

All three sub-items from the prior “partially wired” resource-quota finding are now enforced (closed 2026-05-16 19:19 UTC). The per-process carrier (capos_config::ResourceProfile on Process::resource_profile) lands the profile at spawn from SessionMetadata::profile via RamAccountStore. ringScratchLimitBytes sizes the per-process input/output/reply scratch buffers and rejects oversize CALLs with CAP_ERR_INVALID_REQUEST; replyScratchLimitBytes clamps the exception reply-scratch buffer to the profile ceiling (closed 2026-05-16 20:52 UTC), fixing the #175 asymmetry that produced spurious CAP_ERR_APPLICATION_EXCEPTION_TRUNCATED on small-ring processes; endpointQueueLimit and inFlightCallLimit carry the owner profile’s values into Endpoint::try_new, clamped by the kernel ceilings MAX_QUEUED_CALLS=32 / MAX_IN_FLIGHT_CALLS=32. Scope caveat: the endpoint-scoped bounds are per-endpoint relative to the owner profile, not a strict per-process counter across all endpoints the owner holds. ResourceProfileRecord @13 is tombstoned as retired13. Reproduction: make run-ring-scratch-limit, make run-reply-scratch-limit, make run-endpoint-queue-limit, make run-in-flight-call-limit.

Device Driver Foundation – Hardware-audit userspace service (durable-audit Step 2b)

Commits 037256ce (initial slice) and the remediation follow-up on the same ddf-audit-userspace-service branch: durable-audit Step 2b of 4 delivers demos/hardware-audit-service, which polls HardwareAuditLog.drain with the cursor protocol from Step 2a, accumulates records in memory, and serves a typed HardwareAuditReader.snapshot over a kernel-allocated Endpoint retagged for the consumer. The reader cursor is fail-closed: an expectedSequence outside {0, current drain cursor, any retained record's sequence} – or a malformed-capnp param payload – is rejected with a typed InvalidArgument exception, mirroring the kernel-side HardwareAuditLog.drain rejection so a stale or forged cursor cannot silently skip or repeat records. The schema docstring for HardwareAuditReader now states this contract explicitly. Reproduction: make run-ddf-audit-service-smoke proves boot-record accumulation, a service-handoff snapshot, a release-triggered follow-up snapshot, signatureStatus = "unsigned", and the negative cursor-mismatch rejection (matched on both the service-side snapshot-rejected exception_type=invalid-argument and the consumer-side cursor-mismatch rejected ok exception_type=invalid-argument markers). Steps 3 (segment signing with key management routed through the cryptography proposal) and 4 (durable Store-backed persistence with a defined rotation contract) remain open follow-ons.

2026-05-16

POSIX Adapter – P1.4 Slices 3 and 4: functional file I/O end-to-end

P1.4 Slice 3 (FdBacking File/Directory/Terminal variants and the make run-posix-file-backing-smoke proof of Terminal routing) landed at ae58f936 (closing merge 4c70a03d). P1.4 Slice 4 (absolute-path resolver, functional open()/opendir() over the bootstrap-granted root Directory cap, per-fd file position tracked across read()/write(), and the make run-posix-open-smoke proof of create+write+close, then re-open for read, plus relative-path rejection) landed at 94b29177 (closing merge de4235f9). closedir() releases the local slot only. This is the first non-shell POSIX subsystem to reach functional parity: open(path, flags) – read/write – close works end-to-end through libcapos-posix on top of the Storage Phase 3 RAM-backed Directory authority. Reproduction: make run-posix-file-backing-smoke (Slice 3), make run-posix-open-smoke (Slice 4), and the existing make run-posix-stdio-smoke regression remains green. Honest caveat: the remaining v0 dash port work is stdio adoption (Slice 5), env vector (Slice 6), printf/string subset (Slice 7), signal/time/identity stubs (Slices 8-10), and dash vendoring + smoke (Slices 11-13).

Scheduler – Phase F remote-CPU nohz activation via reschedule IPI

Commit 8c1601ac: the Phase F auto-nohz preflight no longer requires the lease’s target CPU to be the current CPU for the namedRing = none compute-lease shape. When the single-CPU allowedCpuMask targets a different scheduler CPU, the kernel parks a bounded remote-activation request in the target CPU’s per-CPU slot and sends a reschedule-style IPI; the target CPU drains the request from its IPI handler (timer-handler backstop) and re-runs the full disqualification check locally under try_lock before arming its own one-shot deadline – remote activation is never trusted blind. Reproduction: make run-scheduler-cpu-isolation-lease.

Device Driver Foundation – virtio-net provider RX bootstrap-grant skeleton

Commit b710d4fd: the provider RX path now mirrors the provider TX bootstrap-grant authority at the skeleton level over the selected virtio-net RX MSI-X route. Adds validate_provider_rx_interrupt_route as the receive-queue counterpart of the TX route validator (same admission shape, same active/resetting state gate, same interrupt_owner_for_device_owner mapping; only the PciMsixInterruptRole::RxQueue role tag differs) plus matching cap::interrupt_grant_source init/build/release entry points. Skeleton only: live RX DMA, completion delivery, and hostile-smoke coverage remain open.

Device Driver Foundation – provider RX selected-route MSI-X control

Commits 5ea850c3, 1d2be684, and 9f3f8a8c: the provider RX rx_interrupt cap validates the live RX issue and selected virtio-net RX route before bounded mask/unmask of the selected RX MSI-X table vector-control bit and route state. The provider-consumer smoke asserts vector-control readback, delivery-count preservation, stale methods after release, and release-while-masked cleanup back to driver-unmasked; cleanup failure leaves the live issue uncleared so future RX cap issuance stays blocked on uncertain route state. RX wait/ack, descriptors, provider CQ identity, hardware acknowledgement, deferred EOI, full RX ownership, direct DMA/IOMMU, cloud readiness, and production userspace driver readiness remain open.

SSH session – explicit UserSession.logout failure-path proof

Commit 9e7328e6: test(ssh-public-key-session) proves the explicit UserSession.logout failure path, closing part of the open REVIEW_FINDINGS Low item.

Storage Phase 2 closed in docs

Storage & Naming Phase 2 (schema BlockDevice/File/Directory interfaces) was marked done in docs/tasks/done/2026/ (commit 0551941c) after Phase 3 slices 1–3 shipped on 2026-05-14. A separate task-state reconciliation sweep (ad280bf2, closing merge 189d4af2) realigned docs/tasks/ directory state with docs/tasks/README.md ground truth.

Production Provenance Milestone

Landed across 1feee12b..6f775925 (2026-05-16). All GitHub Actions steps pinned to immutable commit SHAs, Rust nightly pinned to an exact date, and OVMF/qemu-system-x86/xorriso pinned to exact apt versions in the QEMU smoke apt-install. Each CI run publishes a build-provenance artifact and PRs run an advisory cross-run compare against the base-branch artifact. Reproduction: make build-provenance produces the provenance artifact locally; CI artifacts appear as build-provenance-<sha> per qemu-smoke run. Full pin inventory and bump procedure: docs/trusted-build-inputs.md. Honest caveats: the PR compare step is advisory-only (not PR-blocking); URL-based download-and-verify for OVMF and other pre-built tool binaries (Option B) remains future hardening.

2026-05-14

Device Driver Foundation – IOMMU VT-d remapping closed across A1/A2/B/C

The QEMU Intel IOMMU remapping milestone closed across four reviewed slices in a single day: A1 active-programmed legacy-mode table (3a60a401), A2 hardware-DMA translation proof through virtio-rng with an observed VT-d fault on an unmapped IOVA (dfedf574), B register-based context-cache / IOTLB invalidation with an ordered scrub-after-invalidate revocation cycle (24eb587e), and C two-phase revocation with hostile stale-handle / stale-completion smokes (closing merge 274ff63f, follow-up 873eef56). Reproduction: make run-iommu-remapping asserts table program proof, invalidation proof, hostile stale-handle proof, and hostile stale-completion proof all as proof_result=ok (QEMU 8.2.2). Honest caveat: QEMU-only evidence (hostile_hardware_isolation=not-claimed); the live virtio-net DMA path still uses bounce buffers, and production userspace-driver IOMMU authority remains open.

Device Driver Foundation – virtio-net provider four-outstanding TX window

The userspace virtio-net provider TX path reached a four-outstanding completion-queue window with full provider descriptor/avail publication, one notify doorbell per descriptor, real IRQ-dispatch-backed tx_interrupt wait/ack/mask/unmask, per-event provider CQ identity, and a four-slot bounce-buffer pool. The provider notify doorbell write moved off the broker into the provider’s own scoped notify-MMIO cap (ef979d17), and the harness now proves a general write32 verb fails closed on that same notify cap (95a65e99). Reproduction: make run-ddf-provider-consumer, make run-net.

Scheduler – per-CPU CPL0 kernel idle thread closed

The user-mode idle process was replaced with a per-CPU CPL0 kernel idle thread across Increments 1a..2e (final merge 2bba8d11). All four idle dispatch sites route through the CPL0 idle context: schedule() timer path, capos_block_current_syscall (block path), exit_current and exit_current_thread (two exit paths). Each scheduler CPU slot owns a dedicated CPL0 idle kernel stack and CpuContext; the synthetic idle Process record is retained only so the idle ThreadRef resolves through the scheduler’s ThreadRef-centric bookkeeping. A TLB-flush drain in kernel_timer_interrupt_handler closes the CPL0 idle-residency gap. Reproduction: make run-scheduler-cpu-isolation-lease asserts idle_path=cooperative-cpl0 for the boot/AP loop and idle_path=cpl0-dispatch-{timer,block,exit} for the dispatch sites.

Scheduler – per-CPU nohz tick suppression and SQPOLL-driven activation

Phase F got its first real nohz increments: per-CPU periodic-tick suppression for the single-runnable window (commit 9e269e31) and SQPOLL-driven auto-nohz activation for ring-coupled leases (commit 8edd2314), built on per-CPU CPL0 idle-thread context infrastructure (commit 5ac6b08f). Generic full-nohz and timeout-based auto-revoke remain future work.

Storage – Phase 2 schema + Phase 3 slices 1–3

Phase 2 added schema-only BlockDevice / File / Directory / DirEntry interfaces (commit 4c0d940c). Phase 3 then delivered three kernel CapObject slices the same day: a RAM-backed File cap with read/write/stat/truncate/sync/close and 64 KiB per-call inline-payload bound (slice 1, d06dff6b); a RAM-backed Directory cap with subtree bring-up + grant path + QEMU smoke (slice 2, b11ec9e4); and a content-addressed RAM-backed Store + name->hash Namespace pair (slice 3, 804a3f41). Reproduction: make run-file-server-smoke, make run-directory-server-smoke, make run-store-namespace-smoke. This unblocks POSIX adapter Phase P1.4 (dash port) and WASI host adapter Phase W.5 (filesystem surface), both previously blocked on the cap shape.

Remote session – self-served web UI is the default boot

Commit 5594c9ef wires the capOS-served remote-session web UI into the default operator boot (cue/defaults/defaults.cue, scoped loopback listener cap, make run host-port line). The Rust backend owns connection and session state; the browser receives view models and redacted transcript rows. Reproduction: make run, or the focused make run-default-web-ui.

2026-05-13

Device Driver Foundation – provider TX three-outstanding + MSI-X mask + ack

Provider TX CQ window expanded from two to three outstanding descriptors (d6458381, 6ee96d29), descriptor-issue-bound completions (f894ee1a, bc3280be), MSI-X mask/unmask control with atomic rollback on failure (b5af7335, 3c8dc627, ca9beb73, be506075), real IRQ-dispatch wake of provider TX waiters (203461da), and hardware dispatch acknowledgement accounting (caaa388c, bc11c1aa). Provider CQ teardown gained an end-to-end quiesce/retire proof (d8760182, dff94930, 235ed1e8). Reproduction: make run-ddf-provider-consumer.

Scheduler – SQPOLL producer-wake progress

Scheduler added the bounded SQPOLL producer-wake increment (commit 0dbb5542) with preserved wake-result state across stop (commit dbf8e0ff) on the Phase F prerequisite path that the 2026-05-14 SQPOLL-driven auto-nohz activation builds on.

Kernel – endpoint / park-waiter rollback hardening

IPC rollback paths hardened: endpoint pending-recv rollback (e46b52dc), preserved endpoint recv rollback capacity (db454b59), kept endpoint recovery live across revocation (a1ccbda1), preserved park wake status during retry (d37edf54), and drained private park waiters after unmap-retry (1e0ce242). Bounded recovery surface; no new authority.

Language adapters – POSIX stdio, WASI env, libcapos C pipe + entropy

POSIX adapter routed stdio writes to the Console cap (aa6a56d7, d442a3b7) and exposed posix_spawn file actions (b8fb3131). WASI added bounded per-instance environment grants (5f5028e7, 987e7814), promoted stdio-compatibility Preview 1 imports (1a79037b), and gained an unauthorized-import refusal harness (c803565f, 756b5ba8, 1b53acd8). Native libcapos shipped a C pipe smoke (b6c2d4bb) and an EntropySource.fill wrapper (b1f7a3c1, 6b3b7425).

Remote session – Paperclips Path B + Tauri scaffolding

Paperclips launch wiring Path B (worker + gateway + bridge) landed (701522b9), with host chat RPC facade over DTO (7cf4cf2c) and DTO schema for Path A (e159adb8). A remote-session Tauri wrapper scaffold (5691ec2a) plus capability policy hardening and preflight (eff47eb3, b41ba656, ff58cacf) prepare the desktop wrapper path.

Build hygiene – build-provenance compare harness

New build-provenance comparison make target (07722584, a34cb441, b3ed23cf, 779f3ce0) records runner identity in provenance (00272130) so two runners can be compared offline.

Docs sweep – proposal cross-link + last_reviewed refresh

Substantial documentation refresh across ~40 proposals and architecture docs: cross-links sharpened, last_reviewed stamps refreshed, and proposals updated against shipped state (POSIX P1.1/P1.2/P1.3, Scheduler Phase D/E close and Phase F SQPOLL, error-handling against current ExceptionType + CapException, networking proposal against transitional kernel state, userspace-binaries Parts 4/5, scheduler Phase F.5 cross-link). The 29-page research index landed (18fbaf35). No behavior change.

2026-05-12

Scheduler – Phase F nohz scaffolding + CpuIsolationLease

Phase F infrastructure landed across the day: nohz telemetry (aeb0f4d2), the clockevent/deadline substrate (268b44c2), CpuIsolationLease scaffold (e9ab9e46, 97f958a7), bounded SQPOLL ring mode (6dcbb69a, 07578bec, cdbb45be), and housekeeping/ deferred-work placement (c7580873). These are the prerequisite chain the 05-14 SQPOLL-driven auto-nohz activation depends on.

Device Driver Foundation – provider TX completion delivery + IRQ regrant

Provider TX gained completion-event delivery (334818af), hardened interrupt delivery (dfebd411), serialized wait posting against IRQ race (bbe2fea7), and reset-disable lifetime hardening (50c6c8cd). Provider TX interrupt teardown event proof (9205af3e, d8760182), interrupt reset reassignment proof (8aee7d42), and a disabled Intel QEMU IOMMU scaffold with MMIO status diagnostics (02688941, 41314553, 277dbd26) prepared the 05-14 IOMMU Slice A1.

Userspace runtime – libcapos fail-closed on C-runtime threading

libcapos now fails closed on C-runtime threading attempts (57ad4bfa), closing the remediation entry tracked in docs/proposals/libcapos-c-substrate-proposal.md.

Remote session – local UI bridge hardening

Local UI bridge was hardened (cab6f791) with refreshed evidence (21a6a16a); login auth denial is now treated as a login failure rather than a transport error (58d198f3, b8486eac).

2026-05-11

Device Driver Foundation – provider/consumer split + DmaPool manager-authoritative

The selected virtio-net userspace provider path proof landed (9ca39ff8, e6fb4c91): provider-consumer authority smoke (3d59cb8b), provider shadow descriptor side effect (db5c4995, c91b1477), selected provider metadata gated to the TX queue, MMIO/IRQ smoke (c52064c0, d1c6cece), and DMA accounting extension (40a77ae0). DmaPool lifecycle became manager-authoritative (96e1107e): blocks mapped DMABuffer manager-free (149ef53e), keeps DMABuffer unmap live in the manager (d6b7a292), validates cap identity before stale side effects (4f404f44), and propagates budget checks through release paths (877ed956, 01c078f5, 45903e5e). The provider notify-MMIO no-write cap grant landed (78c627a9, d177ffa1, b8f7b83f) with stale admission proof (0ec23fe6, a5a722de, fefd5267, 3ed4418f) and submit-path carry (54b1499f).

Scheduler – one SQ consumer + session-logout hooks + context bind/revoke

One SQ consumer owner is now enforced (c427f3d9, b503b640) – the Phase F prerequisite that ring-coupled nohz depends on – with matching scheduling-context ring/SQ owner proof stabilizations (e5ec448c, 811a4976). Scheduling contexts can donate over endpoints (d2eab605, 6343ec84) with block/settle around donation (93706ecb, d202ca31, 599f4649), bind/revoke generation (3b6e1bb5), identity-aliasing fix (fe4e340b), notification cells (c0e4470c), and exit-cleanup budget preservation (f30a9bb3, 8b00c480, 3725c87e, eaeb1071). Session-logout cleanup hook marks bound contexts stale (594f1353), propagates shell exit to session logout (0d9b3d90, 0e9c8dd1), proves logout stale contexts fail closed (59dca4e8), donated logout skip policy (49de54f2), and blocks stale-snapshot budget refresh (9d1cd80b).

Device Driver Foundation – device-manager kernel refactor

The device-manager kernel module was split into focused submodules (99c37592, 734383f9, af539f6c, 9c0a5183, 98dddb72, bfdb78a0), reducing the proof-stack footprint and exposing shared authority admission helpers ahead of Slice A1’s per-domain remapping work. Process-exit teardown smokes for DMA/MMIO and Interrupt landed (b452f18e, 746c1742), and a stage for the DDF IOMMU remapping-domain ledger went in (636edfb2).

Remote session – observable self-served UI proof

Self-served remote-session web UI gained an observable proof (e4ab7b41, 0eb68aa8, 971d8ce8, 65fe4bf7, 28db3277, 505b553c, f0254b02), closing the read-side gate before its 05-14 default-boot promotion.

2026-05-10

Scheduler Phase D closed

2026-05-10 19:39 UTC, mainline commit 77caafc0 (closeout 1a08ec23): Phase D is closed. Accepted WFQ slice covers SchedulingPolicyCap weight/latency-class authority, per-thread weighted vruntime and per-enqueue virtual_finish_ns, per-CPU WFQ run queues, bounded steal/migration invariants, fairness/interactive/ weight-change smokes, and the controlled Task 6 thread-scale gate.

Phase D thread-scale benchmark (five runs, KVM, physical-core logical CPUs 0,1,2,3, blocking parent join, 262,144 blocks / 16 MiB, work_rounds=64):

Comparison	capOS Phase D WFQ	Linux pthread	capOS gate
1->2 work	`1.809x`	`1.996x`	>= `1.6x`
1->2 total	`1.774x`	`1.995x`	>= `1.6x`
1->4 work	`3.088x`	`3.974x`	diagnostic target >= `2.5x`
1->4 total	`2.700x`	`3.850x`	diagnostic baseline > `1.538x`

The 1->2 work/total rows passed the harness-enforced gate; the 1->4 rows were manually accepted from recorded diagnostics. Raw artifacts: target/thread-scale/20260510T193200Z/ and target/linux-thread-scale/20260510T194600Z/. Reproduction in tools/qemu-thread-scale-harness.sh (via make run-thread-scale) and the matching make run-linux-thread-scale-baseline.

Bottleneck analysis. Linux pthread scaled near-linearly on the same physical CPU set, so the workload shape is sound and the remaining 1->4 gap is a capOS scheduler/runtime cost. The dominant contributors visible in measure-mode and post-thread-scale review are:

Global Scheduler lock contention. Per-CPU WFQ run queues exist, but several scheduler decisions (cross-CPU wake targeting, direct-target stale cleanup, queue reservation accounting) still funnel through one Scheduler mutex. Total-time scaling regresses faster than work-window scaling because exit/join/block/schedule paths spend disproportionate time inside that critical section.
Process-wide capability ring under one SQ consumer. A multi-thread process has one ring endpoint owned by one SQ consumer at a time. Completions, waker resolution, and direct IPC all serialize there, even when scheduler dispatch is per-CPU.
Temporary four-owner scheduler-CPU assumption. The selected scheduler topology is currently hardcoded to four owner CPUs; the boot-time CPU set is not yet discovered, so workloads larger than four cores cannot be admitted at all.
Periodic-tick service tax. Non-isolated CPUs still pay the periodic timer-tick cost on every scheduler tick, even when no thread is ready to run; nohz suppression today only fires inside the narrow single-runnable window and the SQPOLL-coupled lease.

Planned architecture changes that should improve SMP / threading scalability. The roadmap response is concrete:

Scheduler Phase F.5: Full-SMP 16/32-core scalability (docs/backlog/scheduler-evolution.md, cross-linked from docs/proposals/smp-proposal.md). Replaces the four-owner assumption with dynamic CPU topology discovery, adds the x2APIC backend needed for higher APIC ids, shrinks scheduler shared-state serialization so local pick/requeue can avoid the global lock, and adds topology-aware placement plus an observable migration policy. A 1/2/4/8/16/32-worker hardware benchmark suite against a matching native-Linux baseline is the gate.
Ring v2: per-thread capability ring ownership (docs/proposals/ring-v2-smp-proposal.md). Completions route by ThreadRef -> RingEndpoint, removing the single-SQ-consumer bottleneck and unblocking concurrent scheduler-owned work on more than one CPU per process. Needs TLB shootdown + cross-CPU cleanup review.
Generic full-nohz + generic SQPOLL nohz (docs/architecture/scheduling.md Phase F follow-ons). Extends the bounded SQPOLL-driven activation (2026-05-14, commit 8edd2314) to arbitrary rings and threads, retiring the periodic-tick service tax on non-isolated CPUs and enabling realtime islands.
EEVDF policy evaluation (deferred behind Phase F). Tracked as a follow-on dispatcher policy, not a Phase D blocker.
SchedulingContext over endpoints (Phase E, see 2026-05-14 entry above). Already-landed; lets a server inherit a caller’s reservation, reducing IPC scheduling round-trips for the same workload class.

Device Driver Foundation – DDF authority surface broadened

DDF capability surface broadened in one day: DeviceMmio.map returns a read-only userspace BAR VMA with the unmap cleanup paths exercised across release/drop/driver-crash/ reset-disable; DeviceMmio.write32 exposes typed admission; DMAPool.allocateBuffer reaches a three-slot bounce-buffer pool with manager-owned generation; DMABuffer accounting tracks per-slot in-flight descriptor identity with live_inflight aggregation; and Interrupt.mask / unmask perform bounded manager-mediated route-state control. Typed denials for invalid protections (mmio-map-prot-invalid) and invalid allocate-buffer requests (dmapool-allocation-request-invalid) now route through the no-result-cap admission path. Reproduction: make run-devicemmio-grant, make run-dmapool-grant, make run-interrupt-grant, make run-hardware-grant-cycle. This remains bounded manager accounting and admission proof: no direct DMA, doorbells, IOVA exposure, IOMMU programming, or production driver consumer.

2026-05-09

Device Driver Foundation – Interrupt/DMABuffer admission + audit hardening

The Interrupt skeleton gained typed admission across acknowledge, wait, mask, and unmask (admission-check-only, *-not-attempted, side-effect-blocked), with the pending-IRQ token validator factored into capos-lib::device_authority. DMABuffer.submitDescriptor / .completeDescriptor follow the same admission pattern with per-slot in-flight accounting and typed freeBuffer. The manifest-granted Interrupt retains its claimed MSI-X source across cap releases for sequential grant-source reuse (commit 681e48ac).
HardwareAuditLog.snapshot exposes the volatile snapshot contract as typed result metadata (bounded-volatile-ring-drop-oldest, volatile-only, unsigned, production-admission-policy-not-implemented) plus typed truncation labels (commit e4cea6ff), a startSequence cursor for the retained ring, and cursor edge-case metadata for the below-oldest / past-end cases. Hardware audit smokes assert grant-source acquire/ release identity for DeviceMmio, Interrupt, DmaPool, and DmaBuffer; cap-audit assertion sets are now exact-count anchored so boot-time virtio-rng proof records cannot satisfy the grant audit checks.
Reproduction: make run-interrupt-grant, make run-devicemmio-grant, make run-dmapool-grant, make run-hardware-audit, make run-hardware-grant-cycle. Bounded manager accounting and read-side audit only; production userspace-driver authority remains open.

Device Driver Foundation – DMAPool parent-first release ordering

Commit 29b4dde5: make run-dmapool-grant releases the parent DMAPool before the result DMABuffer. Parent release stages a pending detach while the proof buffer is still attached; the DMABuffer release then frees the proof page and completes the staged zero-live pool detach as the single DmaPool cap-op-release audit. DMABuffer driver-crash and reset-disable run-net proofs also complete any pending parent release instead of orphaning it.

2026-05-08

Device Driver Foundation – DMAPool grant + hardware audit cap

KernelCapSource::DmaPool now grants the bounded single-proof-buffer allocation path (commit f95c6cf8): capos-rt exposes typed DmaPoolClient::allocate_buffer_wait and DmaBufferClient::info_wait, and make run-dmapool-grant proves the manager-attached buffer lifecycle plus the matching dmapool / dmabuffer audit records. An earlier info-only grant variant routed through kernel/src/cap/dmapool_grant_source.rs and reused the virtio-rng ManagerGrantSource device handle.
KernelCapSource::HardwareAuditLog exposes a read-only HardwareAuditLog.snapshot cap backed by a bounded volatile drop-oldest ring in kernel/src/cap/hardware_audit.rs, so userspace observes hardware-cap audit records without parsing COM1 text. Reproduction: make run-hardware-audit.
Interrupt waiter teardown trigger now routes through the stale-safe detach helper used by cap release / driver-crash / reset-disable cleanup (commit aeef8b41). make run-net asserts the interrupt waiter hook proof line and an exact-one cap-audit: cap=interrupt event=interrupt-waiter count.
Hostile-smoke gate hardened: tools/qemu-net-smoke.sh anchors the remaining proof-line assertions in the S.11.2 hostile-smoke gate with exact-count guards + anchored suffix assertions.

Cloud boot – GCP imported-image serial boot recorded

Cloudboot run 1778230874-715a (2026-05-08 09:06 UTC) against source 3951e275: make cloudboot-test built the 10 GiB GCE-compatible disk tarball, uploaded it to the staging bucket, created a temporary GCE image + e2-small instance, and observed the capos kernel starting serial landmark on poll attempt 2. Serial evidence shows SeaBIOS booting from Google Persistent Disk virtio-scsi (10240 MiB), 2 vCPU / 2 GiB RAM discovery, Google RSDT/MADT tables, fail-closed IOMMU policy (no MCFG/DMAR/IVRS), masked I/O APIC routing, AP online, manifest load, init start, and shell spawn. The harness copied artifacts to target/cloudboot-evidence/run-1778230874-715a/ before deleting the temporary instance, image, and staged tarball.

2026-05-07

WASI Host Adapter Phase W.2 – C and Rust hello-wasi smokes closed

Commit 7bfcb1d8: WASI host adapter Phase W.2 closed. Both Rust (wasm32-wasip1) and C (wasm32-wasi) hello, wasi payloads run inside the wasmi interpreter under the wasm-host capOS process and print through the host’s granted Console cap via the Preview 1 fd_write(1, ...) surface. Closed in four sub-slices: (1) the wasm-host userspace binary + system-wasm-host.cue + make run-wasm-host empty-module instantiation, carrying a one-time userspace ABI bump for wasmi’s ~3 MiB BSS; (2) the Preview 1 stdout-only import resolver in capos-wasm/src/wasi/preview1.rs (46 imports, args_get/environ_get empty, clock_time_get backed by Timer, proc_exit via capos_rt::syscall::exit, fd_write 4 KiB iov-total + 1 KiB per-call ceiling through Console; everything else returns ERRNO_NOSYS = 52); (3) the Rust demos/wasi-hello-rust/ crate with system-wasi-hello-rust.cue + the manifest-supplied payload reader in capos-wasm/src/payload.rs; (4) the C demos/wasi-hello-c/ smoke built directly against system clang-18 + wasi-libc (no libcapos/POSIX work needed – the wasm-host payload-load path from sub-slice 3 carries the C .wasm payload unchanged). Reproduction: make run-wasi-hello-rust, make run-wasi-hello-c, and make run-wasm-host for the empty-module regression. Phase W.3 (per-instance CapSet + LaunchParameters) is the next selectable phase.

2026-05-03

System Configuration Slice 3 closed

2026-05-03 21:54 UTC, commit a50f610d: the System Configuration and Operator Extensibility track’s Slice 3 closed. Every owned focused-proof manifest in the inventory declares its own CUE package and imports capos.local/cue/defaults; the manifest decoder rejects unknown document-root fields with typed Error::UnknownField (pinned by system_manifest_rejects_unknown_root_field and system_manifest_accepts_only_known_root_fields); and the operator overlay worked example covers every defaults-package extension hook (MOTD, console password verifier, additional authorized SSH keys, additional seed accounts, additional resource profiles, additional binaries, additional services), verified by a 1808-byte manifest.bin delta when the worked-example overlay is dropped at repo root and make manifest is rerun in package mode. Reproduction: cargo test-config (348 tests), make manifest, make run, and the per-manifest make run-* targets named in the Slice-3 inventory table. Residual successor scope: system-measure.cue migration is owned by docs/backlog/scheduler-evolution.md; system-paperclips.cue and system-adventure.cue are demo-owned.

2026-05-02

Thread-Scale Honest Scaling Proof

2026-05-02 21:38 UTC, against main commit 374f8556: the formal capOS+Linux thread-scale evidence pair was collected on the benchmark VM as the gate before Phase D. Both runs pinned to physical-core logical CPUs 0,1,2,3 on a 4-core/8-thread n2-highcpu-8 host with KVM, five runs per case, same repaired benchmark shape (blocking parent join, 262,144 blocks / 16 MiB, work_rounds=64).

Comparison capOS Linux pthread capOS gate

1->2 work 1.883x 1.988x >= 1.6x

1->2 total 1.787x 1.987x >= 1.6x

1->4 work 1.566x 3.963x >= 1.6x (diagnostic)

1->4 total 1.538x 3.858x >= 1.6x (diagnostic)

The 1->2 gates passed against the then-current single-global-queue scheduler. The 1->4 rows are the bottleneck-attribution diagnostic that justified Phase D’s fair-share enqueue policy: Linux scaled near-linearly on the same physical CPU set, so the workload shape was sound and the gap was a capOS scheduler bottleneck. Phase D later reduced the gap (see 2026-05-10 entry above for the post-Phase D result and the Bottleneck analysis + planned-architecture-changes block).

Raw artifacts: target/thread-scale/20260502T213544Z/ and target/linux-thread-scale/20260502T213445Z/. Reproduction: make run-thread-scale (with CAPOS_THREAD_SCALE_RUNS=5 etc.) and make run-linux-thread-scale-baseline. Host: internal benchmark VM in single GCP zone, n2-highcpu-8, nested virtualization, kernel Linux 6.17.0-1012-gcp x86_64, CPU Intel(R) Xeon(R) CPU @ 2.80GHz, qemu-system-x86_64 8.2.2, rustc 1.97.0-nightly (c935696dd 2026-04-29).

Comparison	capOS	Linux pthread	capOS gate
1->2 work	`1.883x`	`1.988x`	>= `1.6x`
1->2 total	`1.787x`	`1.987x`	>= `1.6x`
1->4 work	`1.566x`	`3.963x`	>= `1.6x` (diagnostic)
1->4 total	`1.538x`	`3.858x`	>= `1.6x` (diagnostic)

Measure Mode Repair

2026-05-02 20:23 UTC, commit 08c54075: make run-measure is green again. Two cumulative regressions: the thread-lifecycle measure-mode binary started requiring vm (VirtualMemory) and frames (FrameAllocator) caps when the park unmap/reuse smoke landed (a7af0e37, 765c6c26) but system-measure.cue was never updated; the run_park_process_exit_cleanup path called capos_rt::syscall::exit(0) to terminate the entire process, but that syscall became per-thread in 214c8e11, so the parent thread exited while the parked child kept the process alive. Repair: add the missing cap entries, bump the smoke assertion from 5 caps to 7 caps, retire the broken park-exit path, and route measure-mode exits through the same exit_last_thread ThreadControl flow as the spawn smoke. Closeout: make run-measure exits 0 in 32s with the full measure: ... segment/scheduler/timer/lock attribution intact; all other validation gates passed.

2026-05-01

In-Process Threading Scalability

2026-05-01 14:58 UTC, commit 136b72de: the In-Process Threading Scalability milestone reached accepted controlled evidence only after the benchmark shape was repaired (the old 1 MiB / spinning-parent shape failed to scale even on Linux pthread at four workers). Harness defaults are now blocking parent join, 262,144 blocks (16 MiB), work_rounds=64. Controlled native-Linux evidence on a physical CPU set validated the repaired shape (1->2 1.991x work / 1.990x total; 1->4 3.958x / 3.834x). Controlled capOS evidence on the same CPU set passed both enforced 1->2 gates with 1.828x / 1.687x work/total. Unsuppressed 1->4 diagnostic recorded 3.029x / 2.386x; switch-log-suppressed 3.272x / 2.303x, showing serial scheduler switch logging materially distorts four-worker work timing. Four-core capOS scaling was not declared a closed claim – guest-measure evidence showed remaining global Scheduler lock contention plus exit/join/block/schedule overhead in total time. This was the diagnostic stepping-stone that motivated Phase D’s WFQ run queues and the Phase F.5 architecture work listed in the 2026-05-10 entry.
Same branch tightened caller-aware child publication for the repaired blocking-parent benchmark: publication avoids the caller only when another active ready scheduler CPU has a strictly lower non-idle dispatch load; equal-load ties keep an active-ready caller CPU instead of falling through to CPU0.

Diagnostics and Scheduler Support

2026-05-01 07:28 UTC, commit d8d9dab1: benchmark attribution added guest-measure phase counters, host-summary work/total speedup gates, guest PC sampling, benchmark-only userspace symbol maps, resolved user-pc-symbols.log reports, the Linux pthread baseline, larger workload / Amdahl controls, logging-suppression A/B support, and first-slice shared-kernel lock counters for frame-allocator and ring-dispatch paths.
2026-05-01 05:24 UTC, commit a88e7906: scheduler support landed as incremental slices, not milestone closeout – bounded per-scheduler-CPU runnable queues, queue reservation accounting, bounded idle-to-runnable wake targeting, wake/reschedule attribution, stale runnable / direct target cleanup proofs, a SchedulerDispatch substate separating dispatch ownership from shared thread metadata, and per-thread runtime/virtual-runtime accounting.

2026-04-30

Multi-Process SMP Concurrency

2026-04-30 09:45 UTC, commit 3fb89923: Multi-Process SMP Concurrency closed. Worker elapsed reporting uses scaled user-mode cycle counts; prime-counting ranges remain contiguous while balancing upper-range cost. Accepted KVM-backed run in target/smp-process-scale/cycle-balanced-default/: medians smp1=1693, smp2=1053, smp4=2314, or 1.608x 1-to-2 speedup. Ordinary run-smoke and run-spawn under -smp 2 passed.

2026-04-28 / 2026-04-29

Session-Bound Invocation Context core gates

2026-04-29 08:40 UTC: Session-Bound Invocation Context landed its core gates: process-session invariant, default endpoint caller-session metadata, stale normal endpoint rejection, transfer scopes, field-granular disclosure gating, session expiry for broker-issued shell bundle caps, guest bundle narrowing, chat membership keyed by opaque caller-session references, Aurelian player state keyed by live endpoint caller-session metadata, and terminal output liveness checks. Terminal/stdio bridge completion and final service-scoped reference derivation/rotation remained open.

2026-04-25

SMP Phase C – multi-CPU scheduling proof

2026-04-25 11:47 UTC: SMP Phase C AP scheduler-owner proof closed. AP cpu=1 can run scheduler-owned user contexts while the BSP stays in kernel idle behind a one-way scheduler-owner latch (review-fix commit d88bca7). Per-CPU KernelGsBase + swapgs, PIT-calibrated xAPIC LAPIC timer/IPI, resident-mask TLB shootdown (vector 49), and split scheduler current-thread tracking landed across the day on the smp-phase-c-* branches (swapgs, lapic-ipi, tlb-shootdown, scheduler-ownership). Per-CPU run queues, reschedule IPIs, concurrent scheduler-owned work on more than one CPU, and per-thread rings (Ring v2) remained Phase C follow-ups.

Telnet Shell Demo

2026-04-25 20:25 UTC, reviewed merge 2834bfc: Telnet Shell Demo closed. Adds telnet-gateway, system-telnet.cue, make run-telnet, make qemu-telnet-harness, proving QEMU host-local forwarding from 127.0.0.1:2323 to guest port 23, password login, caps, session, and clean exit through a socket-backed TerminalSession. The child shell transcript proves no raw NetworkManager, ProcessSpawner, TCP, or unknown capability interfaces. Scoped gateway authority follow-up remains open.

SMP Phase B – APs running

2026-04-25 06:59 UTC: SMP Phase B closed. AP startup uses Limine MpRequest/MpInfo::bootstrap, stable AP records, AP-owned kernel/IST stacks, AP-local GDT/TSS state, capOS kernel PML4 handoff, AP-owned kernel RSP handoff, shared IDT, KernelGsBase, syscall MSRs, SMEP/SMAP state, and a parked interrupt-disabled hlt loop.

SMP Phase A and user-buffer protection

2026-04-25 05:36 UTC: SMP Phase A closed. The BSP has a concrete PerCpu for syscall-stack state and current-thread mirroring; kernel-entry stack updates flow through one per-CPU hook.
2026-04-25 04:00 UTC: workplan/user-buffer-validation-protection closed the private process-buffer validate_user_buffer TOCTOU finding. AddressSpace now owns validation plus HHDM-backed user copy/read helpers under the process address-space mutex.
2026-04-25 03:36 UTC: final review of workplan/futexspace-private-wait-wake fixed a park-ownership bug where a sibling thread could drain a park SQE and park the wrong ThreadRef. Fix requires CAP_SQE_THREAD_OWNED plus the owning thread id for CAP_OP_PARK.

2026-04-24

2026-04-24 22:41 UTC: in-process threading design freeze closed. Thread/process ownership and park authority contracts frozen; review findings fixed before merge.
2026-04-24 20:53 UTC: runtime prerequisites for threading and Go closed, with follow-up rejecting writable-executable user mappings in anonymous VirtualMemory / MemoryObject paths and QEMU smoke coverage.
2026-04-24 16:45 UTC: kernel networking smoke closed – QEMU virtio-net path proves modern transport discovery, virtqueue setup, descriptor completion, ARP, ICMP echo, smoltcp handoff, static IPv4, and host-backed TCP HTTP GET.
2026-04-24 13:11 UTC: custom userspace target closed. Userspace artifacts build through targets/x86_64-unknown-capos.json; kernel stays on x86_64-unknown-none.
2026-04-24 11:25 UTC: boot-manifest parser scope tightened by KernelBootstrapManifest, which decodes only kernel-owned fields and avoids materializing the init-owned service graph. Boot package boundary cleanup followed (10:53 UTC).
2026-04-24 03:06 UTC: Ring-as-Black-Box closed. QEMU debug-tap builds export bounded metadata-only ring records; tools/ringtap-viewer/ renders correlated SQE/CQE evidence offline.
2026-04-24 02:16 UTC: shared service harness extraction closed for non-speculative duplicated demo-service pieces.
2026-04-24 00:34 UTC: dependency policy gate restored by allowing BSD-3-Clause for the current Argon2 closure with rationale in docs/trusted-build-inputs.md.

2026-04-23

2026-04-23 22:05 UTC: Verified Core closed. make kani-lib runs the bounded local/GitHub Kani model-checking gate; make kani-lib-full adds the high-memory transfer model-checking gate. These are bounded model checks (small input sizes such as <=8 frames and 63 ELF bytes), proving the harnessed invariants within those bounds rather than for all inputs. The companion Loom check (cargo test-ring-loom) exercises a bounded concurrency model of the ring protocol, not the shipped kernel/src/cap/ring.rs.
2026-04-23 21:30 EEST: boot-to-shell milestone closed. Default make run reaches setup/login, volatile credential creation, password-authenticated session minting, broker-issued shell bundles, redacted auth/session audit records, and an interactive native shell REPL over serial. capos-shell is init on shell-led manifests; anonymous shell starts on boot; login/setup mint authenticated operator bundles.
2026-04-23 16:34 UTC: split UART shell session closed. make run presents login/native shell on terminal UART while kernel/debug output goes to target/qemu-console.log. The revocable read milestone closed in the same window – make run-revocable-read proves a parent can revoke a child-local BootPackage grant through CapabilityManager.

2026-04-20 To 2026-04-22

2026-04-22 23:50 UTC: AP-independent review remediation closed issues around endpoint owner cleanup, ProcessSpawner badge attenuation, ProcessSpawner heap-OOM paths, queued release semantics, pinned CUE toolchain enforcement, stale authority docs, spawn hardening stability, NMI IST coverage, MemoryObject replacement for raw frame grants, generated capnp ownership, and manifest validation modularization.
2026-04-21 22:21 EEST: VirtualMemory quota review finding resolved with per-address-space ownership tracking, holder quota, bounded auto-placement probes, owned-range checks, and QEMU coverage.
2026-04-21 18:46 EEST: smoke demos moved into a nested demos/ userspace workspace; system.cue packages each demo as a distinct release-built binary/service.
2026-04-21 16:56 UTC: cross-process CAP_OP_CALL/RECV/RETURN flow closed. Allocation-free synchronous ring dispatch (12:28 UTC), SMEP/SMAP, cap_enter blocking waits with timeout, Endpoint, and RECV/RETURN routing (01:15 UTC) closed in the same window.
2026-04-20 23:05 EEST: Phase 0 and Phase 1 cleanup closed – dead-code cleanup, ELF validation hardening, deterministic error paths, corrupted ring recovery policy, capos-lib split, host tests.

2026-04-05

2026-04-05 16:39 EEST: Stage 4 and Stage 5 direction took shape. Capability invocation moved from direct calls toward the shared-memory ring and cap_enter; preemptive scheduling was documented after the PIT/context-switch scheduler landed; stale cap_call proposal text was replaced with the ring-based model.
2026-04-05 17:08 EEST: planning surface matured. The roadmap moved out of README.md, review findings split into their own log, and the project added userspace-binaries, SMP, Go runtime, cloud deployment, storage/naming, service architecture, GPU, error-handling, and persistence planning.
2026-04-05 10:35 EEST: design grounding expanded through prior-art research on seL4, Zircon, Plan 9/Inferno, EROS/CapROS/Coyotos, Genode, and LLVM target customization. That research fed the interface-as-permission decision.
2026-04-05 02:17 EEST: manifest/config and init-side planning advanced with a no-std manifest config loader, hardening tests, and early init-side manifest parsing demos.

2026-04-04

2026-04-04 21:02 EEST: capOS bootstrapped as a Limine-loaded Rust kernel with serial output, then gained the first Cap’n Proto capability invocation path and a staged implementation roadmap.
2026-04-04 23:12 EEST: Stage 1 through Stage 3 landed in rapid succession – virtual memory with kernel remapping and isolated process address spaces; Ring 3 user-space transition through GDT/TSS/syscall setup; and process abstraction with ELF loading, per-process address spaces/cap tables, static init, and QEMU auto-exit proof.
2026-04-04 23:57 EEST: the first major design proposals appeared, including userspace TCP/IP networking and capability-based service architecture. Networking was split into its own proposal after review.

Keyboard shortcuts

capOS Documentation