# Changelog

Historical milestone and review reports for capOS.

This file exists to keep mandatory agent context small. `WORKPLAN.md` should
contain current execution state, `REVIEW_FINDINGS.md` should contain unresolved
findings, and detailed historical reports should move here after they stop
affecting the next task.

## 2026-04-28 / 2026-04-29

### Session-Bound Invocation Context Core Gates

- 2026-04-29 08:40 UTC: the in-flight Session-Bound Invocation Context
  milestone has landed its core gates and remains in cleanup. The implemented
  pieces now include the process-session invariant, default endpoint
  caller-session metadata, stale normal endpoint rejection, transfer scopes,
  field-granular disclosure gating, session expiry for broker-issued shell
  bundle caps, guest bundle narrowing, chat membership keyed by opaque
  caller-session references, Aurelian player state keyed by live endpoint
  caller-session metadata, and terminal output liveness checks. Remaining work
  stays in `WORKPLAN.md`, `docs/status.md`, and `docs/roadmap.md` until the
  milestone closes: terminal/stdio bridge completion, broader shared-service
  cleanup, and final service-scoped reference derivation/rotation rules.

## 2026-04-25

### SMP Phase C: Multi-CPU Scheduling

- 2026-04-25 11:47 UTC: the selected SMP Phase C AP scheduler-owner proof
  completed after review and post-merge verification. The proof moved
  syscall/per-CPU access to
  `KernelGsBase`/`swapgs`, added PIT-calibrated xAPIC LAPIC timer/IPI support
  with PIT/PIC fallback and x2APIC deferred, added resident-mask TLB shootdown,
  split scheduler current-thread tracking into per-CPU slots, and proved AP
  cpu=1 can run scheduler-owned user contexts while the BSP stays in kernel
  idle behind a scheduler-owner latch. Verification passed `cargo fmt --check`,
  `cargo check -p capos-kernel`, `git diff --check HEAD~1..HEAD`,
  `make docs`, `make run-smoke QEMU_KVM_FLAGS='-smp 2'`, and
  `make run-spawn QEMU_KVM_FLAGS='-smp 2'`. Broader SMP Phase C work remains:
  per-CPU run queues, reschedule IPIs, concurrent scheduler-owned work on more
  than one CPU, and per-thread rings.
- 2026-04-25 11:36 UTC: review fix for the scheduler-ownership gate added a
  one-way scheduler-owner latch in commit `d88bca7`. AP cpu=1 and the BSP can
  no longer both enter scheduler-owned user work; if the BSP claims fallback
  ownership first, late APs remain in kernel idle. `make docs`,
  `make run-smoke QEMU_KVM_FLAGS='-smp 2'`, and
  `make run-spawn QEMU_KVM_FLAGS='-smp 2'` passed with the usual format/check
  gates.
- 2026-04-25 11:04 UTC: scheduler-ownership gate implemented on
  `workplan/smp-phase-c-scheduler-ownership`. Scheduler current state became
  per-CPU, AP per-CPU records were registered for current-thread and
  kernel-entry stack updates, AP TSS.RSP0 is updated on context switches, APs
  program LAPIC timers from BSP calibration, and AP cpu=1 can enter the
  scheduler from the kernel idle loop. The proof deliberately keeps one
  scheduler owner because the capability ring is still process-wide.
- 2026-04-25 09:22 UTC: TLB shootdown gate implemented on
  `workplan/smp-phase-c-tlb-shootdown`. User page-table `map`, `unmap`, and
  `protect` route through shootdown-aware helpers after local mapper flush.
  Each `AddressSpace` tracks a conservative resident CPU mask; scheduler CR3
  handoff marks the selected address space resident on the current CPU before
  returning to userspace. Vector 49 handles shootdown requests through per-CPU
  pending full-TLB flush generations and an allocation-free completion path.
  Verification passed `cargo fmt --check`, `cargo check -p capos-kernel`,
  `git diff --check`, `make docs`,
  `make run-smoke QEMU_KVM_FLAGS='-smp 2'`, and
  `make run-spawn QEMU_KVM_FLAGS='-smp 2'`.
- 2026-04-25 08:21 UTC: x2APIC planning recorded in
  `docs/research/x2apic-and-virtualization.md`,
  `docs/proposals/smp-proposal.md`, and
  `docs/proposals/cloud-deployment-proposal.md`. The Phase C path remains
  PIT-calibrated xAPIC MMIO LAPIC timer/IPI support; x2APIC is a later backend.
- 2026-04-25 08:20 UTC: LAPIC timer/IPI foundation implemented on
  `workplan/smp-phase-c-lapic-ipi`. The kernel enables xAPIC MMIO on the BSP,
  maps the LAPIC page, initializes parked AP LAPIC state, routes scheduler
  ticks through LAPIC timer vector 48, installs the spurious vector, remaps and
  masks the legacy PIC when LAPIC ticks are available, and wires vector 49 for
  IPI users. Verification passed `cargo fmt --check`,
  `cargo check -p capos-kernel`, `git diff --check`,
  `make run-smoke QEMU_KVM_FLAGS='-smp 2'`, and
  `make run-spawn QEMU_KVM_FLAGS='-smp 2'`.
- 2026-04-25 07:54 UTC: syscall entry/exit gate implemented on
  `workplan/smp-phase-c-swapgs`. The BSP initializes `KernelGsBase`, syscall
  entry executes `swapgs`, and GS-relative `PerCpu` offsets carry saved user
  RSP and syscall kernel RSP state. Scheduler/exit restore paths use a
  dedicated `restore_context_after_syscall` trampoline. Verification passed
  `cargo fmt --check`, `cargo check -p capos-kernel`, `git diff --check`,
  `make run-smoke QEMU_KVM_FLAGS='-smp 2'`, and
  `make run-spawn QEMU_KVM_FLAGS='-smp 2'`.
- 2026-04-25 07:33 UTC: Phase C grounding gate completed after Ring v2,
  scheduler-ordering, and LAPIC/TLB grounding review. Remaining implementation
  gates were GS/`swapgs`, LAPIC timer/IPI, TLB shootdown, scheduler ownership,
  and AP scheduler-work proof.
- 2026-04-25 07:26 UTC: LAPIC/TLB grounding recorded in
  `docs/architecture/scheduling.md` and `docs/proposals/smp-proposal.md`.
  Current page-table mutation methods flushed only the local CPU; Phase C
  required shootdown-aware wrappers and CPU residency tracking before address
  spaces could migrate or run on multiple CPUs.
- 2026-04-25 07:15 UTC: scheduler Phase C ordering recorded in
  `docs/architecture/scheduling.md` and `docs/proposals/smp-proposal.md`:
  migrate syscall/per-CPU access first, add LAPIC timer/IPI next, enable TLB
  shootdown before address-space migration, then split scheduler
  current/run-queue ownership.
- 2026-04-25 07:06 UTC: full-SMP ring/threading direction recorded in
  `docs/proposals/ring-v2-smp-proposal.md` and grounded by
  `docs/research/completion-ring-threading.md`. The long-term transport target
  is per-thread capability rings with completion routing by
  generation-checked `ThreadRef`.

### Telnet Shell Demo Planning

- 2026-04-25 20:25 UTC: `Telnet Shell Demo` completed at reviewed merge
  `2834bfc`. The merged path adds `telnet-gateway`, `system-telnet.cue`,
  `make run-telnet`, and `make qemu-telnet-harness`, proving QEMU host-local
  forwarding from `127.0.0.1:2323` to guest port 23, password login, `caps`,
  `session`, and clean exit through a socket-backed `TerminalSession`. The
  child shell transcript proves it receives no raw `NetworkManager`,
  `ProcessSpawner`, TCP, or unknown capability interfaces. A scoped gateway
  authority follow-up remains open for replacing the trusted demo gateway's
  factory network/spawn authority with scoped listener and shell-launch grants.
- 2026-04-25 11:47 UTC: selected `Telnet Shell Demo` as the next visible
  milestone. The grounding starts from networking, shell, boot-to-shell,
  service-architecture, trust-boundary, status, roadmap, and review-finding
  docs plus the existing `ix-on-capos-hosting`, `pingora`, `genode`, and
  `sel4` research notes. The milestone is networking Phase B: keep the TCP
  stack in-kernel behind capability objects, expose a socket-backed
  `TerminalSession`, and leave userspace NIC decomposition, TLS/OIDC, and
  production remote access to later milestones.

### SMP Phase B: APs Running

- 2026-04-25 06:59 UTC: `SMP Phase B: APs running` completed after review. AP
  startup uses Limine `MpRequest`/`MpInfo::bootstrap`, stable AP records,
  AP-owned kernel/IST stacks, AP-local GDT/TSS state, capOS kernel PML4
  handoff, AP-owned kernel RSP handoff, shared IDT, `KernelGsBase`, syscall
  MSRs, SMEP/SMAP state, and a parked interrupt-disabled `hlt` loop.
  Verification passed `cargo fmt --check`, `cargo check -p capos-kernel`,
  `git diff --check`, `make run-smoke QEMU_KVM_FLAGS='-smp 2'`, and
  `make run-spawn QEMU_KVM_FLAGS='-smp 2'`.
- 2026-04-25 06:49 UTC: AP entry switched to the capOS kernel PML4 and
  AP-owned kernel stack before reporting online. The non-returning handoff
  disables interrupts, clears DF, writes CR3, aligns RSP, and jumps into the
  Rust AP continuation before loading AP-local CPU state.
- 2026-04-25 06:37 UTC: AP startup first reached a parked kernel idle loop.
  The BSP starts prepared APs through Limine `MpInfo::bootstrap`, passes a
  stable AP record pointer through `extra_argument`, waits for bounded online
  count, and leaves userspace scheduling on the BSP.
- 2026-04-25 06:10 UTC: `kernel/src/arch/x86_64/smp.rs` began owning the
  Limine `MpRequest`, enumerating non-BSP CPUs, allocating AP-local `PerCpu`
  objects and stacks, and recording dense capOS CPU ids separately from Limine
  processor and LAPIC ids.
- 2026-04-25 05:55 UTC: the roadmap and
  `docs/proposals/smp-proposal.md` were updated to use the local Limine
  `MpRequest` API and to separate dense capOS CPU ids from Limine ACPI
  `processor_id`.
- 2026-04-25 05:48 UTC: AP-startup grounding recorded in
  `docs/proposals/smp-proposal.md`, `docs/architecture/scheduling.md`,
  `docs/architecture/threading.md`, `docs/research/llvm-target.md`,
  `docs/research/out-of-kernel-scheduling.md`, and `docs/research/sel4.md`.

### SMP Phase A And User-Buffer Protection

- 2026-04-25 05:36 UTC: `SMP Phase A: Per-CPU data on BSP` completed. The BSP
  has a concrete `PerCpu` object for syscall stack state and current-thread
  mirroring. Runtime kernel-entry stack updates flow through one per-CPU hook
  that updates TSS.RSP0 and syscall-entry kernel RSP together. Verification
  passed `cargo fmt --check`, `cargo check -p capos-kernel`,
  `git diff --check`, `make run-smoke`, and `make run-spawn`.
- 2026-04-25 04:00 UTC: `workplan/user-buffer-validation-protection` closed
  the private process-buffer `validate_user_buffer` TOCTOU finding before
  Stage 7. `AddressSpace` now owns validation plus HHDM-backed user copy/read
  helpers under the process address-space mutex. Verification passed
  `make run-spawn`, `make run-measure`, `make check`, `make docs`,
  `cargo check -p capos-kernel`,
  `cargo check -p capos-kernel --features measure`, `cargo test-config`,
  `cargo test-ring-loom`, `cargo test-lib`, `cargo fmt --check`, and
  `git diff --check`.
- 2026-04-25 03:36 UTC: final review of
  `workplan/futexspace-private-wait-wake` found and then closed a park
  ownership bug where a sibling thread could drain a park SQE and park
  the wrong `ThreadRef`. The fix requires `CAP_SQE_THREAD_OWNED` plus the
  owning thread id for `CAP_OP_PARK`.

## 2026-04-24

- 2026-04-24 22:41 UTC: in-process threading design freeze completed. The
  thread/process ownership contract and park authority contract were frozen;
  review findings raised during the park pass were fixed before merge.
- 2026-04-24 20:53 UTC: runtime prerequisites for threading and Go completed.
  Follow-up fixes reject writable-executable user mappings in anonymous
  `VirtualMemory` and `MemoryObject` paths and add QEMU smoke coverage.
- 2026-04-24 16:45 UTC: kernel networking smoke completed. The QEMU
  virtio-net path proves modern transport discovery, virtqueue setup,
  descriptor completion, ARP, ICMP echo, smoltcp handoff, static IPv4, and a
  host-backed TCP HTTP GET proof.
- 2026-04-24 13:11 UTC: custom userspace target completed. Userspace artifacts
  build through `targets/x86_64-unknown-capos.json`, and checked-in CUE
  manifests reference `target/x86_64-unknown-capos/release` artifacts while
  the kernel remains on `x86_64-unknown-none`.
- 2026-04-24 11:25 UTC: boot-manifest parser finding resolved by
  `KernelBootstrapManifest`, which decodes only kernel-owned fields from the
  Cap'n Proto reader and avoids materializing the init-owned service graph.
- 2026-04-24 10:53 UTC: boot package boundary cleanup completed. Kernel
  bootstrap validates only the kernel-owned manifest boundary and starts one
  `initConfig.init` process; mkmanifest and init own service-graph validation.
- 2026-04-24 03:06 UTC: `Ring as Black Box` completed. QEMU debug-tap builds
  export bounded metadata-only ring records, and `tools/ringtap-viewer/`
  renders correlated SQE/CQE evidence offline.
- 2026-04-24 02:16 UTC: shared service harness extraction completed for the
  non-speculative duplicated demo-service pieces.
- 2026-04-24 00:48 UTC: status docs refreshed after boot-to-shell and
  revocation work.
- 2026-04-24 00:34 UTC: dependency policy gate restored by explicitly allowing
  `BSD-3-Clause` for the current Argon2 dependency closure with rationale in
  `docs/trusted-build-inputs.md`.
- 2026-04-24 00:12 UTC: current chat schema/server/client/bot path accepted as
  the First Chat MVP slice; follow-on hardening remains tracked separately.

## 2026-04-23

- 2026-04-23 22:05 UTC: `Verified Core` completed. `make kani-lib` runs the
  bounded local/GitHub proof gate, and `make kani-lib-full` adds the
  high-memory transfer proof gate.
- 2026-04-23 21:30 EEST: shell-led boot flow landed. `capos-shell` is init on
  shell-led manifests, anonymous shell starts on boot, and `login`/`setup`
  mint authenticated operator bundles.
- 2026-04-23 16:34 UTC: split UART shell session completed. `make run`
  presents login/native shell on terminal UART while kernel/debug output goes
  to `target/qemu-console.log`.
- 2026-04-23 16:34 UTC: the revocable read milestone completed.
  `make run-revocable-read` proves a parent can revoke a child-local
  `BootPackage` grant through `CapabilityManager`.
- 2026-04-23 21:30 EEST: boot-to-shell milestone completed. Default `make run` reaches
  setup/login, volatile credential creation, password-authenticated session
  minting, broker-issued shell bundles, redacted auth/session audit records,
  and an interactive native shell REPL over serial.

## 2026-04-20 To 2026-04-22

- 2026-04-22 23:50 UTC: AP-independent review remediation closed issues around endpoint
  owner cleanup, ProcessSpawner badge attenuation, ProcessSpawner heap-OOM
  paths, queued release semantics, pinned CUE toolchain enforcement, stale
  authority docs, spawn hardening stability, NMI IST coverage, MemoryObject
  replacement for raw frame grants, generated capnp ownership, and manifest
  validation modularization.
- 2026-04-21 22:21 EEST: VirtualMemory quota review finding resolved with
  per-address-space ownership tracking, holder quota, bounded auto-placement
  probes, owned-range checks, and QEMU coverage.
- 2026-04-21 18:46 EEST: smoke demos moved into a nested `demos/` userspace
  workspace, and `system.cue` packages each demo as a distinct release-built
  binary/service.
- 2026-04-21 16:56 UTC: cross-process `CAP_OP_CALL`/`RECV`/`RETURN` flow
  completed.
- 2026-04-21 12:28 UTC: allocation-free synchronous ring dispatch landed.
- 2026-04-21 01:15 UTC: SMEP/SMAP, `cap_enter` blocking waits with timeout,
  Endpoint, and RECV/RETURN routing completed.
- 2026-04-20 23:05 EEST: Phase 0 and Phase 1 cleanup completed, including dead-code
  cleanup, ELF validation hardening, deterministic error paths, corrupted ring
  recovery policy, `capos-lib` split, and host tests.

## 2026-04-05

- 2026-04-05 16:39 EEST: Stage 4 and Stage 5 direction took shape. Capability invocation
  moved from direct calls toward the shared-memory ring and `cap_enter`,
  preemptive scheduling was documented after the PIT/context-switch scheduler
  landed, and stale `cap_call` proposal text was replaced with the ring-based
  model.
- 2026-04-05 17:08 EEST: the planning surface matured. The roadmap moved out of
  `README.md`, review findings split into their own log, and the project added
  or revised userspace-binaries, SMP, Go runtime, cloud deployment,
  storage/naming, service architecture, GPU, error-handling, and persistence
  planning.
- 2026-04-05 10:35 EEST: design grounding expanded through prior-art research on seL4,
  Zircon, Plan 9/Inferno, EROS/CapROS/Coyotos, Genode, and LLVM target
  customization. That research fed the interface-as-permission decision:
  restrict authority by granting narrower typed capabilities or wrapper
  objects, not by attaching generic READ/WRITE-style rights to ordinary caps.
- 2026-04-05 02:17 EEST: manifest/config and init-side planning advanced with a no-std
  manifest config loader, hardening tests, and early init-side manifest parsing
  demos.

## 2026-04-04

- 2026-04-04 21:02 EEST: capOS bootstrapped as a Limine-loaded Rust kernel with serial
  output, then gained the first Cap'n Proto capability invocation path and a
  staged implementation roadmap.
- 2026-04-04 23:12 EEST: Stage 1 through Stage 3 landed in rapid succession: virtual
  memory with kernel remapping and isolated process address spaces; Ring 3
  user-space transition through GDT/TSS/syscall setup; and process abstraction
  with ELF loading, per-process address spaces/cap tables, static init, and
  QEMU auto-exit proof.
- 2026-04-04 23:57 EEST: the first major design proposals appeared, including userspace
  TCP/IP networking and capability-based service architecture. Networking was
  split into its own proposal after review, setting up later virtio/smoltcp
  and service-decomposition work.