Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Changelog

Historical milestone and review reports for capOS.

This file exists to keep mandatory agent context small. WORKPLAN.md should contain current execution state, REVIEW_FINDINGS.md should contain unresolved findings, and detailed historical reports should move here after they stop affecting the next task.

2026-04-28 / 2026-04-29

Session-Bound Invocation Context Core Gates

  • 2026-04-29 08:40 UTC: the in-flight Session-Bound Invocation Context milestone has landed its core gates and remains in cleanup. The implemented pieces now include the process-session invariant, default endpoint caller-session metadata, stale normal endpoint rejection, transfer scopes, field-granular disclosure gating, session expiry for broker-issued shell bundle caps, guest bundle narrowing, chat membership keyed by opaque caller-session references, Aurelian player state keyed by live endpoint caller-session metadata, and terminal output liveness checks. Remaining work stays in WORKPLAN.md, docs/status.md, and docs/roadmap.md until the milestone closes: terminal/stdio bridge completion, broader shared-service cleanup, and final service-scoped reference derivation/rotation rules.

2026-04-25

SMP Phase C: Multi-CPU Scheduling

  • 2026-04-25 11:47 UTC: the selected SMP Phase C AP scheduler-owner proof completed after review and post-merge verification. The proof moved syscall/per-CPU access to KernelGsBase/swapgs, added PIT-calibrated xAPIC LAPIC timer/IPI support with PIT/PIC fallback and x2APIC deferred, added resident-mask TLB shootdown, split scheduler current-thread tracking into per-CPU slots, and proved AP cpu=1 can run scheduler-owned user contexts while the BSP stays in kernel idle behind a scheduler-owner latch. Verification passed cargo fmt --check, cargo check -p capos-kernel, git diff --check HEAD~1..HEAD, make docs, make run-smoke QEMU_KVM_FLAGS='-smp 2', and make run-spawn QEMU_KVM_FLAGS='-smp 2'. Broader SMP Phase C work remains: per-CPU run queues, reschedule IPIs, concurrent scheduler-owned work on more than one CPU, and per-thread rings.
  • 2026-04-25 11:36 UTC: review fix for the scheduler-ownership gate added a one-way scheduler-owner latch in commit d88bca7. AP cpu=1 and the BSP can no longer both enter scheduler-owned user work; if the BSP claims fallback ownership first, late APs remain in kernel idle. make docs, make run-smoke QEMU_KVM_FLAGS='-smp 2', and make run-spawn QEMU_KVM_FLAGS='-smp 2' passed with the usual format/check gates.
  • 2026-04-25 11:04 UTC: scheduler-ownership gate implemented on workplan/smp-phase-c-scheduler-ownership. Scheduler current state became per-CPU, AP per-CPU records were registered for current-thread and kernel-entry stack updates, AP TSS.RSP0 is updated on context switches, APs program LAPIC timers from BSP calibration, and AP cpu=1 can enter the scheduler from the kernel idle loop. The proof deliberately keeps one scheduler owner because the capability ring is still process-wide.
  • 2026-04-25 09:22 UTC: TLB shootdown gate implemented on workplan/smp-phase-c-tlb-shootdown. User page-table map, unmap, and protect route through shootdown-aware helpers after local mapper flush. Each AddressSpace tracks a conservative resident CPU mask; scheduler CR3 handoff marks the selected address space resident on the current CPU before returning to userspace. Vector 49 handles shootdown requests through per-CPU pending full-TLB flush generations and an allocation-free completion path. Verification passed cargo fmt --check, cargo check -p capos-kernel, git diff --check, make docs, make run-smoke QEMU_KVM_FLAGS='-smp 2', and make run-spawn QEMU_KVM_FLAGS='-smp 2'.
  • 2026-04-25 08:21 UTC: x2APIC planning recorded in docs/research/x2apic-and-virtualization.md, docs/proposals/smp-proposal.md, and docs/proposals/cloud-deployment-proposal.md. The Phase C path remains PIT-calibrated xAPIC MMIO LAPIC timer/IPI support; x2APIC is a later backend.
  • 2026-04-25 08:20 UTC: LAPIC timer/IPI foundation implemented on workplan/smp-phase-c-lapic-ipi. The kernel enables xAPIC MMIO on the BSP, maps the LAPIC page, initializes parked AP LAPIC state, routes scheduler ticks through LAPIC timer vector 48, installs the spurious vector, remaps and masks the legacy PIC when LAPIC ticks are available, and wires vector 49 for IPI users. Verification passed cargo fmt --check, cargo check -p capos-kernel, git diff --check, make run-smoke QEMU_KVM_FLAGS='-smp 2', and make run-spawn QEMU_KVM_FLAGS='-smp 2'.
  • 2026-04-25 07:54 UTC: syscall entry/exit gate implemented on workplan/smp-phase-c-swapgs. The BSP initializes KernelGsBase, syscall entry executes swapgs, and GS-relative PerCpu offsets carry saved user RSP and syscall kernel RSP state. Scheduler/exit restore paths use a dedicated restore_context_after_syscall trampoline. Verification passed cargo fmt --check, cargo check -p capos-kernel, git diff --check, make run-smoke QEMU_KVM_FLAGS='-smp 2', and make run-spawn QEMU_KVM_FLAGS='-smp 2'.
  • 2026-04-25 07:33 UTC: Phase C grounding gate completed after Ring v2, scheduler-ordering, and LAPIC/TLB grounding review. Remaining implementation gates were GS/swapgs, LAPIC timer/IPI, TLB shootdown, scheduler ownership, and AP scheduler-work proof.
  • 2026-04-25 07:26 UTC: LAPIC/TLB grounding recorded in docs/architecture/scheduling.md and docs/proposals/smp-proposal.md. Current page-table mutation methods flushed only the local CPU; Phase C required shootdown-aware wrappers and CPU residency tracking before address spaces could migrate or run on multiple CPUs.
  • 2026-04-25 07:15 UTC: scheduler Phase C ordering recorded in docs/architecture/scheduling.md and docs/proposals/smp-proposal.md: migrate syscall/per-CPU access first, add LAPIC timer/IPI next, enable TLB shootdown before address-space migration, then split scheduler current/run-queue ownership.
  • 2026-04-25 07:06 UTC: full-SMP ring/threading direction recorded in docs/proposals/ring-v2-smp-proposal.md and grounded by docs/research/completion-ring-threading.md. The long-term transport target is per-thread capability rings with completion routing by generation-checked ThreadRef.

Telnet Shell Demo Planning

  • 2026-04-25 20:25 UTC: Telnet Shell Demo completed at reviewed merge 2834bfc. The merged path adds telnet-gateway, system-telnet.cue, make run-telnet, and make qemu-telnet-harness, proving QEMU host-local forwarding from 127.0.0.1:2323 to guest port 23, password login, caps, session, and clean exit through a socket-backed TerminalSession. The child shell transcript proves it receives no raw NetworkManager, ProcessSpawner, TCP, or unknown capability interfaces. A scoped gateway authority follow-up remains open for replacing the trusted demo gateway’s factory network/spawn authority with scoped listener and shell-launch grants.
  • 2026-04-25 11:47 UTC: selected Telnet Shell Demo as the next visible milestone. The grounding starts from networking, shell, boot-to-shell, service-architecture, trust-boundary, status, roadmap, and review-finding docs plus the existing ix-on-capos-hosting, pingora, genode, and sel4 research notes. The milestone is networking Phase B: keep the TCP stack in-kernel behind capability objects, expose a socket-backed TerminalSession, and leave userspace NIC decomposition, TLS/OIDC, and production remote access to later milestones.

SMP Phase B: APs Running

  • 2026-04-25 06:59 UTC: SMP Phase B: APs running completed after review. AP startup uses Limine MpRequest/MpInfo::bootstrap, stable AP records, AP-owned kernel/IST stacks, AP-local GDT/TSS state, capOS kernel PML4 handoff, AP-owned kernel RSP handoff, shared IDT, KernelGsBase, syscall MSRs, SMEP/SMAP state, and a parked interrupt-disabled hlt loop. Verification passed cargo fmt --check, cargo check -p capos-kernel, git diff --check, make run-smoke QEMU_KVM_FLAGS='-smp 2', and make run-spawn QEMU_KVM_FLAGS='-smp 2'.
  • 2026-04-25 06:49 UTC: AP entry switched to the capOS kernel PML4 and AP-owned kernel stack before reporting online. The non-returning handoff disables interrupts, clears DF, writes CR3, aligns RSP, and jumps into the Rust AP continuation before loading AP-local CPU state.
  • 2026-04-25 06:37 UTC: AP startup first reached a parked kernel idle loop. The BSP starts prepared APs through Limine MpInfo::bootstrap, passes a stable AP record pointer through extra_argument, waits for bounded online count, and leaves userspace scheduling on the BSP.
  • 2026-04-25 06:10 UTC: kernel/src/arch/x86_64/smp.rs began owning the Limine MpRequest, enumerating non-BSP CPUs, allocating AP-local PerCpu objects and stacks, and recording dense capOS CPU ids separately from Limine processor and LAPIC ids.
  • 2026-04-25 05:55 UTC: the roadmap and docs/proposals/smp-proposal.md were updated to use the local Limine MpRequest API and to separate dense capOS CPU ids from Limine ACPI processor_id.
  • 2026-04-25 05:48 UTC: AP-startup grounding recorded in docs/proposals/smp-proposal.md, docs/architecture/scheduling.md, docs/architecture/threading.md, docs/research/llvm-target.md, docs/research/out-of-kernel-scheduling.md, and docs/research/sel4.md.

SMP Phase A And User-Buffer Protection

  • 2026-04-25 05:36 UTC: SMP Phase A: Per-CPU data on BSP completed. The BSP has a concrete PerCpu object for syscall stack state and current-thread mirroring. Runtime kernel-entry stack updates flow through one per-CPU hook that updates TSS.RSP0 and syscall-entry kernel RSP together. Verification passed cargo fmt --check, cargo check -p capos-kernel, git diff --check, make run-smoke, and make run-spawn.
  • 2026-04-25 04:00 UTC: workplan/user-buffer-validation-protection closed the private process-buffer validate_user_buffer TOCTOU finding before Stage 7. AddressSpace now owns validation plus HHDM-backed user copy/read helpers under the process address-space mutex. Verification passed make run-spawn, make run-measure, make check, make docs, cargo check -p capos-kernel, cargo check -p capos-kernel --features measure, cargo test-config, cargo test-ring-loom, cargo test-lib, cargo fmt --check, and git diff --check.
  • 2026-04-25 03:36 UTC: final review of workplan/futexspace-private-wait-wake found and then closed a park ownership bug where a sibling thread could drain a park SQE and park the wrong ThreadRef. The fix requires CAP_SQE_THREAD_OWNED plus the owning thread id for CAP_OP_PARK.

2026-04-24

  • 2026-04-24 22:41 UTC: in-process threading design freeze completed. The thread/process ownership contract and park authority contract were frozen; review findings raised during the park pass were fixed before merge.
  • 2026-04-24 20:53 UTC: runtime prerequisites for threading and Go completed. Follow-up fixes reject writable-executable user mappings in anonymous VirtualMemory and MemoryObject paths and add QEMU smoke coverage.
  • 2026-04-24 16:45 UTC: kernel networking smoke completed. The QEMU virtio-net path proves modern transport discovery, virtqueue setup, descriptor completion, ARP, ICMP echo, smoltcp handoff, static IPv4, and a host-backed TCP HTTP GET proof.
  • 2026-04-24 13:11 UTC: custom userspace target completed. Userspace artifacts build through targets/x86_64-unknown-capos.json, and checked-in CUE manifests reference target/x86_64-unknown-capos/release artifacts while the kernel remains on x86_64-unknown-none.
  • 2026-04-24 11:25 UTC: boot-manifest parser finding resolved by KernelBootstrapManifest, which decodes only kernel-owned fields from the Cap’n Proto reader and avoids materializing the init-owned service graph.
  • 2026-04-24 10:53 UTC: boot package boundary cleanup completed. Kernel bootstrap validates only the kernel-owned manifest boundary and starts one initConfig.init process; mkmanifest and init own service-graph validation.
  • 2026-04-24 03:06 UTC: Ring as Black Box completed. QEMU debug-tap builds export bounded metadata-only ring records, and tools/ringtap-viewer/ renders correlated SQE/CQE evidence offline.
  • 2026-04-24 02:16 UTC: shared service harness extraction completed for the non-speculative duplicated demo-service pieces.
  • 2026-04-24 00:48 UTC: status docs refreshed after boot-to-shell and revocation work.
  • 2026-04-24 00:34 UTC: dependency policy gate restored by explicitly allowing BSD-3-Clause for the current Argon2 dependency closure with rationale in docs/trusted-build-inputs.md.
  • 2026-04-24 00:12 UTC: current chat schema/server/client/bot path accepted as the First Chat MVP slice; follow-on hardening remains tracked separately.

2026-04-23

  • 2026-04-23 22:05 UTC: Verified Core completed. make kani-lib runs the bounded local/GitHub proof gate, and make kani-lib-full adds the high-memory transfer proof gate.
  • 2026-04-23 21:30 EEST: shell-led boot flow landed. capos-shell is init on shell-led manifests, anonymous shell starts on boot, and login/setup mint authenticated operator bundles.
  • 2026-04-23 16:34 UTC: split UART shell session completed. make run presents login/native shell on terminal UART while kernel/debug output goes to target/qemu-console.log.
  • 2026-04-23 16:34 UTC: the revocable read milestone completed. make run-revocable-read proves a parent can revoke a child-local BootPackage grant through CapabilityManager.
  • 2026-04-23 21:30 EEST: boot-to-shell milestone completed. Default make run reaches setup/login, volatile credential creation, password-authenticated session minting, broker-issued shell bundles, redacted auth/session audit records, and an interactive native shell REPL over serial.

2026-04-20 To 2026-04-22

  • 2026-04-22 23:50 UTC: AP-independent review remediation closed issues around endpoint owner cleanup, ProcessSpawner badge attenuation, ProcessSpawner heap-OOM paths, queued release semantics, pinned CUE toolchain enforcement, stale authority docs, spawn hardening stability, NMI IST coverage, MemoryObject replacement for raw frame grants, generated capnp ownership, and manifest validation modularization.
  • 2026-04-21 22:21 EEST: VirtualMemory quota review finding resolved with per-address-space ownership tracking, holder quota, bounded auto-placement probes, owned-range checks, and QEMU coverage.
  • 2026-04-21 18:46 EEST: smoke demos moved into a nested demos/ userspace workspace, and system.cue packages each demo as a distinct release-built binary/service.
  • 2026-04-21 16:56 UTC: cross-process CAP_OP_CALL/RECV/RETURN flow completed.
  • 2026-04-21 12:28 UTC: allocation-free synchronous ring dispatch landed.
  • 2026-04-21 01:15 UTC: SMEP/SMAP, cap_enter blocking waits with timeout, Endpoint, and RECV/RETURN routing completed.
  • 2026-04-20 23:05 EEST: Phase 0 and Phase 1 cleanup completed, including dead-code cleanup, ELF validation hardening, deterministic error paths, corrupted ring recovery policy, capos-lib split, and host tests.

2026-04-05

  • 2026-04-05 16:39 EEST: Stage 4 and Stage 5 direction took shape. Capability invocation moved from direct calls toward the shared-memory ring and cap_enter, preemptive scheduling was documented after the PIT/context-switch scheduler landed, and stale cap_call proposal text was replaced with the ring-based model.
  • 2026-04-05 17:08 EEST: the planning surface matured. The roadmap moved out of README.md, review findings split into their own log, and the project added or revised userspace-binaries, SMP, Go runtime, cloud deployment, storage/naming, service architecture, GPU, error-handling, and persistence planning.
  • 2026-04-05 10:35 EEST: design grounding expanded through prior-art research on seL4, Zircon, Plan 9/Inferno, EROS/CapROS/Coyotos, Genode, and LLVM target customization. That research fed the interface-as-permission decision: restrict authority by granting narrower typed capabilities or wrapper objects, not by attaching generic READ/WRITE-style rights to ordinary caps.
  • 2026-04-05 02:17 EEST: manifest/config and init-side planning advanced with a no-std manifest config loader, hardening tests, and early init-side manifest parsing demos.

2026-04-04

  • 2026-04-04 21:02 EEST: capOS bootstrapped as a Limine-loaded Rust kernel with serial output, then gained the first Cap’n Proto capability invocation path and a staged implementation roadmap.
  • 2026-04-04 23:12 EEST: Stage 1 through Stage 3 landed in rapid succession: virtual memory with kernel remapping and isolated process address spaces; Ring 3 user-space transition through GDT/TSS/syscall setup; and process abstraction with ELF loading, per-process address spaces/cap tables, static init, and QEMU auto-exit proof.
  • 2026-04-04 23:57 EEST: the first major design proposals appeared, including userspace TCP/IP networking and capability-based service architecture. Networking was split into its own proposal after review, setting up later virtio/smoltcp and service-decomposition work.