Proposal Group Archive

This page is retained as a compact grouping aid for older links and sidebar navigation. The canonical status table is Proposal Index; update that page first when a proposal changes role.

The public sidebar now nests proposal documents under the proposal index instead of exposing every long-form design page as a top-level entry.

Active Support

| Proposal | Status | Purpose |
|---|---|---|
| mdBook Documentation Site | Partially implemented | Defines the documentation site structure, status vocabulary, and curation rules for architecture, proposal, security, and research pages. |

Future Runtime And Deployment

| Proposal | Status | Purpose |
|---|---|---|
| Go Runtime | Future design | Plans a custom GOOS=capos userspace port and runtime services for Go programs. |
| Lua Scripting | Partially implemented | Defines Lua as a capability-scoped userspace runner with curated libraries and exact grants. Phase 0 and Phase 1 host bindings are in tree; Phase 2+ remains future work. |
| Cloud Metadata | Future design | Describes cloud bootstrap inputs and manifest deltas without importing cloud-init. |
| Cloud Deployment | Partially implemented | Records QEMU boot, ACPI/PCI/MSI-X discovery, the landed cloudboot image/harness, and the first GCP imported-image serial-console boot proof. Provider NIC/storage drivers, cloud clocking, AWS/Azure proofs, and aarch64 deployment remain future work. |
| Browser/WASM | Future design | Explores a browser-hosted capOS model using WebAssembly and workers. |

Future Security, Policy, And Lifecycle

| Proposal | Status | Purpose |
|---|---|---|
| User Identity and Policy | Partially implemented | Defines user/session identity and policy layers over capability grants. Current implementation covers anonymous/operator/guest UserSession metadata, bootstrap credential/session flows, broker-issued shell bundles, and seed-account configuration; durable accounts, external bindings, session revocation, quotas, and broader ABAC/MAC remain future work. |
| Cryptography and Key Management | Future design | Defines key, signing, encryption, and vault capabilities for later security services. |
| Certificates and TLS | Future design | Defines X.509, trust store, ACME, and TLS configuration capabilities. |
| OIDC and OAuth2 | Future design | Defines federated login, OAuth2 clients, token capabilities, and broker integration. |
| Volume Encryption | Future design | Defines encryption-at-rest for system and user volumes. |
| System Monitoring | Future design | Defines scoped observability capabilities for logs, metrics, traces, health, status, crash records, and audit. |
| Formal MAC/MIC | Future design | Defines a formal access-control and integrity model for later proof work. |
| Live Upgrade | Future design | Designs service replacement while preserving handles, calls, and authority. |
| GPU Capability | Future design | Sketches isolated GPU device, memory, and compute authority. |

Future Domains

| Proposal | Status | Purpose |
|---|---|---|
| Language Models and Agent Runtime | Future design | Defines model, embedding, and agent-runner capabilities. |
| Realtime Voice Agent Shell | Future design | Extends the agent-shell path for realtime voice and media sessions. |
| capOS As A Robot Brain | Future design | Defines capability-oriented robotics service graphs and actuator boundaries. |
| Contributor Quest Mechanics | Future design | Defines contribution-linked game badges and bounded perks. |
| Public Release and Maintainer Boundaries | Future design | Defines public release posture and maintainer-load boundaries. |

Rejected Or Superseded

| Proposal | Status | Purpose |
|---|---|---|
| Endpoint Badges as Service Identity | Rejected | Post-mortem for the seL4-style endpoint badge identity model that was superseded by Service Object Capabilities, then by Session-Bound Invocation Context. |
| Service Object Capabilities | Superseded | Historical service-minted object capability model; the landed synthetic routing/lifecycle proof remains low-level coverage, but the implemented replacement is Session-Bound Invocation Context. |
| Cap’n Proto SQE Envelope | Rejected | Records why ring SQEs stay fixed-layout transport records instead of becoming Cap’n Proto messages themselves. |
| Sleep(INF) Process Termination | Rejected | Records why infinite sleep should not replace explicit process termination, while preserving typed status and future sys_exit removal as separate lifecycle work. |