# Proposal Index
This page classifies proposal documents by current role so readers do not confuse implemented behavior, active design direction, future architecture, and rejected alternatives.
The sidebar nests long proposal documents under this index so the public site opens as a current-system manual instead of an archive dump. Use this table as the first status checkpoint before opening a long proposal.
Current design authority lives in Current Design Authority. Proposal files are design history or active design records; when a proposal is implemented, future technical changes should update the stable current-design page first.
Lifecycle classes used below:
- Implemented: shipped behavior; proposal is archival unless the status link or historical note is being corrected.
- Accepted design: selected direction; implemented subsets need a stable current-design home.
- Partially implemented: some behavior is in tree; future/planned text must remain explicit.
- Active design: unimplemented or near-term design record still available for planning. Older rows that say “Future design” are active design records with no current implementation unless the row says otherwise.
- Superseded or Rejected: retained historical rationale, not current direction.
## Promoted Current Design
| Proposal or decision | Stable current-design authority | Disposition |
|---|---|---|
| Session-Bound Invocation Context | Session Context and IPC and Endpoints | Implemented proposal is archival. |
| Error Handling | Error Handling and Capability Ring | Implemented proposal is archival. |
| System Configuration | Configuration and Manifest and Service Startup | Implemented proposal is archival. |
| DMA Assurance Model | DMA Isolation | Accepted design is grounded in the stable DMA design page. |
## Active or Near-Term
| Proposal | Status | Purpose |
|---|---|---|
| Service Architecture | Partially implemented | Defines authority-at-spawn, service composition, exported capabilities, and the init-owned service graph direction. |
| Schema Registry | Future design | Active design record for runtime schema reflection as the machine-readable twin of the System Manual; no implementation yet. |
| Session Archive & Gantt Effort | Future design | Active design record for session recap and planning-timeline effort records; retained as workflow design, not system behavior. |
| Task State and Agent Telemetry | Partially implemented | File-per-task ledger, selected-milestone state, lifecycle directories, and the tools/vibe-loop-capos-tasks adapter are implemented; generated checked-in views and tracker sync remain future. |
| Session-Bound Invocation Context | Implemented | Archival record for replacing caller-selected endpoint identity and the superseded service-object migration with one immutable session context per process. Current design authority is Session Context. |
| Storage and Naming | Accepted design | Defines capability-native storage, namespaces, boot-package structure, and future persistence instead of a global filesystem. |
| Error Handling | Implemented | Archival record for the implemented transport/capability-exception/schema-result split. Current design authority is Error Handling. |
| Security and Verification | Partially implemented | Defines the security review vocabulary, trust-boundary checklist, and practical verification tracks used by capOS. |
| DMA Assurance Model | Accepted design | Defines the DMA authority model, invariants, and TLA+/Alloy/Kani/Loom evidence mapping that cloud and production driver backend claims must use before attended sign-off. |
| Device Manager Refactor | Implemented | Separates the kernel device authority ledger from QEMU proof scaffolding while preserving one MMIO/DMA/IRQ ownership transaction for userspace-driver readiness; further registry, ledger, or proof-internal splits are optional risk-reduction follow-ups. |
| Cloud Driver Foundation Gap Analysis | Superseded | Retained as a DDF coverage map; the central blocked virtio-net driver gap it tracked is closed and successor work lives in Phase C userspace NIC relocation and NVMe BlockDevice graduation records. |
| NVMe Model B Doorbell DMA Validator | Accepted design | Records the conditional direct-remapping/vIOMMU validator model and explicitly excludes the current no-IOMMU bounce path. |
| Network-Reachable Datapath Scope Decision | Accepted design | Fixes the real-GCE-boot milestone’s reachable-network requirement to raw-frame TX/RX reachability, not a TCP/UDP socket round trip. |
| Phase C Userspace NIC Driver Relocation | Accepted design | Active Phase C design record for relocating the virtio-net driver into userspace over the landed device-authority surfaces. |
| Remote Session UI Security | Partially implemented | Defines the per-browser BrowserSession model, OWASP-style web hardening posture, cookie/CSRF/CSP/headers/Fetch-Metadata controls, and Tauri-wrapper capability-allowlist minimization for the trusted local remote-session-ui bridge; the loopback bridge now has per-browser cookies, CSRF checks, Host/Origin/content-type validation, first-wins ownership, and bounded HTTP parsing/threading. |
| mdBook Documentation Site | Partially implemented | Defines the documentation site structure, status vocabulary, and curation rules for architecture, proposal, security, and research pages. |
| capOS Repository Harness Engineering | Future design | Applies OpenAI-style harness engineering to the capOS repository through agent-facing maps, run-target inventories, proposal metadata, decision records, compiled knowledge, and workflow evals. |
| capOS Agentic Development Experiment | Future design | Defines the longitudinal study design for using capOS development sessions, subagents, reviews, raw archives, and recap tooling as an agentic software-engineering experiment; initial tooling only exists today. |
| SMP | Accepted design | Defines the selected per-CPU Phase A direction plus later AP startup, multi-core scheduler, and TLB shootdown work. |
| Ring v2 For Full SMP | Future design | Defines per-thread capability rings, completion routing, and SQPOLL ownership as the target transport model for full SMP. |
| Scheduler Evolution | Accepted design | Defines the layered scheduler architecture. Phase D WFQ and Phase E SchedulingContext gates are accepted; Phase F SQPOLL/nohz/tickless idle, realtime islands, and EEVDF evaluation remain follow-on work. |
| Tickless and Realtime Scheduling | Future design | Defines staged tickless idle, SQPOLL nohz CPU isolation, request deadline metadata, scheduling-context CPU-time authority, donation, and admitted realtime islands. |
| System Configuration and Operator Extensibility | Implemented | Defines operator-extensible CUE configuration. Slices 1-3 are closed, including defaults-package migration, system.local.cue overlay hooks, strict top-level manifest decoding, and the operator configuration how-to; Slice 4 adds mkmanifest cue-to-capnp for schema-aware CUE-authored data conversion. |
## Future Architecture
| Proposal | Status | Purpose |
|---|---|---|
| Real-Filesystem Decision | Partially implemented | Records the accepted role split between capnp-native managed state and read-only FAT32 host/interop images; several FAT and host-tool increments have landed. |
| Installable System | Partially implemented | Defines installed persistent capOS boot/config/update/rollback composition; the bounded local/QEMU data-region, overlay, generation, install, provision, and update/rollback smokes have landed. Secure boot/signing, production release authority, public ingress, provider breadth, and full durable account policy remain future work. |
| Standard App Capabilities | Future design | Defines per-app AppData private storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as native, structural alternatives to Google Drive’s appData/Picker/role mechanisms. |
| Google Drive Storage Backend | Future design | Defines using a Google-authenticated user’s Drive behind the standard storage caps, via a near-term browser-transport path and a gated native OAuth2/HTTP/TLS backend, with explicit remote-vs-local-cap trust semantics. |
| Networking | Partially implemented | Records implemented kernel-internal virtio-net ping/HTTP smokes, kernel TCP capability objects, and the host-local Telnet shell demo; userspace NIC and network-stack decomposition remains blocked on production DMAPool/DeviceMmio/Interrupt authority. |
| capos-service | Partially implemented | Defines a userspace service framework above capos-rt for lifecycle, endpoint serve loops, readiness, shutdown/drain, request/session context, metrics, and resource budgeting hooks. The first slice landed the standalone lifecycle crate and Telnet gateway wrapper; endpoint-loop helpers and richer supervision hooks remain future work. |
| Stateful Task and Job Graphs | Future design | Defines durable stateful task/job graphs for init orchestration, IX-style package builds, operator work queues, and notebook-style run stories without making the graph coordinator a god object. |
| Resource Accounting and Quotas | Partially implemented | Generalizes existing per-process ResourceLedger mechanisms to cross-service resource profiles, ledgers of record, quota donation, and fail-closed reservation semantics. |
| Memory Authority Model | Future design | Defines memory authority classes, residency, mapping consistency, TLB/frame-reuse rules, pinned/DMA/swap boundaries, and proof obligations before future shared-memory and device work build on the existing VirtualMemory and MemoryObject substrate. |
| OOM Handling and Swap | Future design | Defines memory-pressure policy, explicit OOM outcomes, budgeted anonymous memory, and optional encrypted swap without an ambient OOM killer. |
| Cryptography and Key Management | Partially implemented | Minimal SymmetricKey, PrivateKey/PublicKey ABI, RAM XChaCha20+HMAC/P-256 cores, RAM-only KeyVault custody, and development KeySource bootstrap landed; production custody and persistence remain future. |
| Volume Encryption | Future design | Defines encryption-at-rest for system and user volumes, including passphrase, recovery, cloud KMS, and measured-boot-backed key sources. |
| Userspace Binaries | Partially implemented | Describes native userspace binaries, capos-rt, Rust std, C/libcapos, C++, Go, Python, Lua, JavaScript/TypeScript, POSIX adapters, WASI host adapters, and runtime authority handling. |
| Go Runtime | Future design | Plans a custom GOOS=capos path, runtime services, memory growth, TLS, scheduling, and network integration for Go. |
| Lua Scripting | Partially implemented | Defines Lua as an ordinary capability-scoped userspace runner with curated libraries, exact grants, and no ambient shell or POSIX authority; Phase 0 and Phase 1 host bindings are in tree, while Phase 2+ remains future work. |
| WASI Host Adapter | Partially implemented | Defines a capos-wasm userspace host adapter whose WASI imports are backed by typed capOS capabilities, with wasmi for v0 (Phases W.1–W.6), wasmtime/WAMR as W.7+ migration targets, and the Component Model as the typed-cap-handle path. Phase W.1 host-runtime scaffold landed 2026-05-05 19:12 UTC (capos-wasm/ standalone crate over vendored vendor/wasmi-no_std/wasmi-1.0.9/, make capos-wasm-build); Phase W.2 closed 2026-05-07 10:53 UTC across four sub-slices: sub-slice 1 (wasm-host binary + empty-instantiation smoke + userspace-image budget bump, 2026-05-06 20:19 UTC), sub-slice 2 (Preview 1 stdout-only import resolver in capos-wasm/src/wasi/preview1.rs plus probe-driven nosys=52 proof, 2026-05-07 08:03 UTC), sub-slice 3 (Rust hello, wasi smoke + manifest-payload load path, 2026-05-07 09:36 UTC), and sub-slice 4 (C hello, wasi smoke through system clang-18 + Ubuntu wasi-libc, 2026-05-07 10:53 UTC). make run-wasm-host / make run-wasi-hello-rust / make run-wasi-hello-c are the boot smokes. Phase W.3 (per-instance CapSet plumbing + LaunchParameters) and successor phases remain future design. |
| POSIX Adapter | Partially implemented | Defines a two-layer C substrate (libcapos thin Rust staticlib, libcapos-posix POSIX surface on top) whose POSIX wrappers are backed by typed capOS capabilities. P1.1 closed at merge fe5f5208 (2026-05-05 13:28 UTC), P1.2 UDP + DNS smoke closed 2026-05-05 21:21 UTC, and P1.3 pipe + recording-shim fork-for-exec closed 2026-05-07 09:55 UTC; broad POSIX headers and a whole dns.c build remain future work. |
| POSIX fork/execve fd Inheritance | Implemented | Recording-shim execve inherits the parent’s live fd table by default with FD_CLOEXEC/O_CLOEXEC handling; only optional pre-spawn transferability refinement remains. |
| Shell | Partially implemented | Describes native, agent-oriented, and POSIX shell models over explicit capabilities instead of ambient paths. |
| Remote Session CapSet Clients | Partially implemented | Defines regular host apps, including CLI, native GUI, Tauri backends, webapp gateways, and agent runners, that authenticate to capOS, keep broker-issued remote CapSets in trusted client-side backends, call granted capabilities over Cap’n Proto RPC, and optionally grant bounded UI-composition caps back to capOS services. The first implementation slice proves this with a schema-framed DTO transport; standard capnp-rpc proxy transport remains future work. |
| SSH Shell Gateway | Partially implemented | Defines production remote CLI shell access through SSH while preserving the same TerminalSession and broker-issued shell-bundle boundary proven by the Telnet shell demo; focused QEMU proofs now cover the non-production SshHostKey, manifest-seeded AuthorizedKeyStore, public-key session bridge, unsupported-feature policy table, scoped listener, restricted shell launcher, and a bounded plain-TCP terminal-host wiring slice. Full OpenSSH transport remains future work. |
| Telnet over TLS Shell | Future optional design | Defines a peer optional remote-shell path to the SSH gateway: TLS 1.3 over the existing Telnet TerminalSession handoff, with mTLS client certificates as the recommended user-auth path and CredentialStore passwords as fallback. Reuses the project’s PKI/ACME/cert-rotation track instead of inventing a parallel SSH-only key-management story. Smaller protocol surface than SSH; different operational profile, not the default main access interface. |
| Language Models and Agent Runtime | Future design | Defines language-model and embedder capabilities, local and remote backends, capOS-side agent runners, and browser-agent UI orchestration through gateway-enforced tool execution. |
| capOS-Hosted Agent Swarms | Future design | Defines OpenClaw-like hosted personal agents, swarms, harness controls, task workspaces, agent memory/wiki services, MCP/A2A-style adapters, and the research agenda for capability-scoped background agents. |
| Enterprise Agent Game Showcase | Future design | Positions a playable business simulation as the capOS enterprise-agent showcase: agents manage procurement, finance, operations, logistics, markets, and audit under OS-enforced capability policy. |
| Chat As Multimedia Substrate | Future design | Defines Chat as a unified text/audio/video transport for human, agent, and service participants, with listener-cap delivery and a clean WebRTC mapping for browser surfaces, so new messaging surfaces do not require new top-level capabilities or gateway DTOs. |
| Realtime Voice Agent Shell | Future design | Extends the agent-shell path for native realtime audio models, direct browser provider media, and browser-agent UI sessions while preserving broker-mediated tool execution and web-shell session boundaries. |
| Interactive Command Surfaces | Future design | Defines structured command sessions for native interactive applications so familiar text commands compile to typed invocations instead of application-owned StdIO parsers. |
| Userspace Authority Broker | Future design | Proposes moving shell bundle policy out of the kernel and making shutdown an init-owned lifecycle control capability granted only after login. |
| Aurelian Frontier | Partially implemented | Capability-native persistent-world RPG on a Roman-inspired magical frontier. Current proof slice covers the deterministic mission, command discoverability, typed room view, CUE-sourced content with make generated-code-check freshness, resume cap, Phase 9 rank/skill/standing gates, Phase 10 market quote/buy/sell/trade/repair, Phase 11 session-keyed player state with fixed-smoke seed/variant metadata, Phase 11a calendar/festival/military event status plus the seasonal quartermaster ration purchase, Phase 11b regional delivery with bounded inventory capacity, player-local chit currency, seller-outpost stock, service-owned market fee accrual/withdrawal, seller-outpost proceeds, order expiry, Phase 11c construction material holds/restores plus the receipt snapshot proof, Phase 11d disabled-by-default fake-agent budget/dialogue, Phase 12 party labels/verbs and physical-item transfer, the settlement snapshot proof, and the eagle-standard/gate-seal/temple-seal/under_vault interactive transcript. See the runnable proof slice for current commands and coverage. Production seeds, two-client multiplayer transfer escrow, PvP consent authority, durable ledgers, full economy behavior, and a 2D tilemap browser client remain future work. |
| Contributor Quest Mechanics | Future design | Defines a post-adventure follow-up where maintainer-witnessed open-source contributions can mint cosmetic badges, states, decorations, and bounded game perks without granting repository or OS authority. |
| Public Release and Maintainer Boundaries | Future design | Defines the release posture, security-audit disclaimer, issue/PR intake limits, maintainer-load boundaries, and the adventure-repository-split and git-history-rewrite hygiene gates required before making the repository public. Defers the long-term sibling-repository rule to the Repository Composition proposal. |
| Repository Composition | Future design | Defines the scope rule for the capOS core repository, the list of tracks (adventure, whitepaper, public site, userspace netstack, remote-access services, protocol stacks, language runtimes, GPU, agent shell, cloud images, volume crypto) that should ship as siblings, the when-to-split criteria, the cross-repository mechanics, and the intended cap-os-dev GitHub organization placement. |
| Boot to Shell | Partially implemented | Defines text-only console and web-terminal login/setup, password verifier and passkey authentication, and the authenticated native shell launch path after manifest execution, terminal input, native shell, session, broker, audit, and credential-storage prerequisites are credible. |
| System Info Capability | Phase 1 + Phase 2 implemented | Unifies the system-wide informational capability (MOTD today; hostname, help topics, manpages later), moves banner printing into the shell, and has AuthorityBroker.shellBundle mint SystemInfo plus profile-scoped chat/adventure service endpoint caps for operator shells. Guest and anonymous shells receive no service endpoints by default. |
| System Manual Capability | Partially implemented | A built-in man-pages analog: shell man/apropos, self-served web-UI doc viewer, schema-derived section-2 description proofs, and programmatic API/agent-export consistency are settled, with remaining follow-ups described in the proposal. |
| System Monitoring | Future design | Defines capability-scoped logs, metrics, health, traces, crash records, and audit/status views. |
| Time and Clock Authority | Partially implemented | Defines WallClock and ClockDiscipline; Phase 1 WallClock read/provenance is landed, with trusted/network-synchronized time still future. |
| Debug and Trace Authority | Future design | Capability-scoped process-attach, read-only cap-table inspection, ring-trace capture, and sampler authority with explicit consent and audit; no ambient ptrace analog. |
| Hardware Audit Log Persistence | Partially implemented | Store-inventory segment retention, retained-window recovery, hash-chain evidence, manifest reader admission, a local persistent-store reboot proof, development-source RAM-local HMAC segment seals, and explicit runtime-reader refusal have landed; external key custody, production rotation/revocation, rollback policy, and authority-broker runtime admission remain future. |
| Crash Recovery and Supervision | Future design | Defines stale-cap DISCONNECTED propagation on unplanned process death, structured crash records appended to the supervisor’s AuditLog, bounded restart policy with crash-loop detection, watchdog liveness, and degraded-boot fallback. |
| System Performance Benchmarks | Future design | Defines correctness-gated primitive, workload, and user-story benchmarks for comparing capOS with other operating systems without distorting capability semantics. |
| HPC Parallel Processing Patterns | Future design | Extends benchmark planning from static SMP/thread scaling proofs to generic single-node and multi-node parallel pattern coverage: map/reduce, task pools, barriers, scans, stencils, dense/sparse kernels, graph frontiers, pipelines, and collectives. |
| Scientific Standard Package and Agent Lab Capabilities | Future design | Defines a curated scientific service graph for CAS, numerical computing, solvers, proof assistants, notebooks, package closures, provenance, and LLM agent research-lab workflows. |
| User Identity and Policy | Partially implemented | Defines users, sessions, guest profiles, and policy layers for RBAC, ABAC, and MAC over capability grants. Current implementation has anonymous/operator/guest UserSession metadata, bootstrap credential/session flows, broker-issued shell bundles, and seed-account configuration; durable accounts, external bindings, session revocation, quotas, and broader ABAC/MAC remain future work. |
| Delegated Subject Context | Future design | Defines bounded act-on-behalf-of subject context as separate from capability transfer and from the completed session-bound invocation context milestone. |
| Default User Avatar | Partially implemented | Deterministic default user avatar derived from a stable account identifier, with the shell-side default mapping implemented and schema-carried avatar caps plus durable overrides still future work. |
| Cloud Metadata | Future design | Describes cloud instance bootstrap through metadata/config-drive capabilities and manifest deltas. |
| Cloud Deployment | Partially implemented | Records QEMU boot, serial output, ACPI/PCI/MSI-X discovery work, the landed cloudboot image/harness, the first GCP imported-image serial-console boot proof, and the GCP-first usable-instance provider rollup; public L4/SSH/WebShell ingress, broader storage variants, cloud clocking, production cloud-image release, AWS/Azure proofs, and aarch64 deployment remain future work. |
| Live Upgrade | Future design | Defines service replacement without dropping capabilities or in-flight calls through retargeting and quiesce/resume protocols. |
| GPU Capability | Future design | Sketches capability-oriented GPU, CUDA, memory, and driver isolation models. |
| capOS As A Robot Brain | Future design | Defines capability-oriented robotics service graphs, actuator gateways, safety monitors, realtime control islands, and ROS 2/micro-ROS/MAVLink/OPC UA bridges. |
| Formal MAC/MIC | Future design | Defines a formal mandatory-access and mandatory-integrity model plus future proof obligations. |
| Browser/WASM | Future design | Explores running capOS concepts in a browser using WebAssembly and worker-per-process isolation. |
| Browser Capability and Agent Web Sessions | Future design | Defines browser profiles, a cap-native document-engine middle track, visual browsing after GUI, and earlier agent/shell browser sessions as capability-scoped services over external or native browser backends. |
| Certificates and TLS | Partially implemented | Phase 1 dependencies, host verifier, minimal signing keys, RAM-only vault custody, and development KeySource bootstrap have landed; TLS and ACME remain future. |
| OIDC and OAuth2 | Future design | Defines federated login, OAuth2 clients, typed token capabilities, JWKS, DPoP, token-exchange workload identity federation, and the broker integration for scopes/claims as ABAC input. |
## Rejected or Superseded
| Proposal | Status | Purpose |
|---|---|---|
| Endpoint Badges as Service Identity | Rejected | Post-mortem for the seL4-style endpoint badge identity model that was superseded by Service Object Capabilities, then by Session-Bound Invocation Context. |
| Service Object Capabilities | Superseded | Historical service-minted object capability model; the landed synthetic routing/lifecycle proof remains low-level coverage, but the implemented replacement is Session-Bound Invocation Context. |
| Cap’n Proto SQE Envelope | Rejected | Records why ring SQEs stay fixed-layout transport records instead of becoming Cap’n Proto messages themselves. |
| Sleep(INF) Process Termination | Rejected | Records why infinite sleep should not replace explicit process termination, while preserving typed status and future sys_exit removal as separate lifecycle work. |
## Maintenance
When a proposal becomes implemented, rejected, or stale, update this index in the same change that modifies the proposal or its corresponding implementation. If the proposal is implemented, also update or create the stable current-design page named by Current Design Authority. Long proposal files may describe target behavior rather than shipped behavior; this index is the first status checkpoint before a reader opens those documents.