Roadmap

Long-term direction for capOS. Related material lives elsewhere: detailed task decomposition in docs/backlog/, selected-milestone state in docs/tasks/state.toml, current execution order in root task records under docs/tasks/, and shipped-milestone reports in docs/changelog.md.

Current Direction

Current selected milestone: GCE Self-Hosted Web UI.

The next visible goal is a self-hosted capOS Web UI reachable through the Phase C userspace network stack, then proved on private GCE reachability before any public endpoint. The userspace smoltcp-backed TcpListenAuthority local path is proved by cloud-prod-userspace-network-stack-smoltcp-local-proof. The local DHCP/IPv4 configuration proof is done by cloud-prod-network-stack-dhcp-ipv4-config-local-proof: the userspace stack acquires a QEMU SLIRP DHCPv4 lease, installs the default route, resolves gateway and same-subnet ARP neighbors, and serves NetworkManager.getConfig before public or live GCE exposure. The cloudboot-local Web UI authority inventory is done by remote-session-webui-cloudboot-authority-inventory: it records the required and forbidden remote-session-web-ui grants, trusted listener/source metadata, browser-visible forbidden markers, and local L4 proof markers for the completed cloudboot proof. Server-side session hardening is done by remote-session-web-ui-session-hardening (Review C high closed: unpredictable rotated server-side session ids, idle/absolute expiry enforced before dispatch, Host/Origin/double-submit-CSRF gates, and a Secure-when-HTTPS cookie posture). Web UI connection bounds are done by remote-session-web-ui-connection-bounds (per-connection request-read/response-send deadlines in the Web UI client over the bounded network-stack listener, with a drip-feed abandon proof). The legacy kernel socket-path retirement is done by cloud-prod-legacy-kernel-network-socket-path-retirement: non-qemu production manifests reject kernel network_manager / tcp_listen_authority grants, leaving those sources as qemu-only fixtures. The local cloud-prod-remote-session-web-ui-l4-local-proof is the completed service-level L4 proof on top of the userspace L4 and DHCP/IPv4 substrate.
The legacy-virtio serving gap is closed locally by cloud-gce-legacy-virtio-webui-serving-local-proof (2026-06-11): a kernel-brokered legacy virtio 0.9 runtime backs the typed Nic cap and a host HTTP peer fetches the byte-verified UI bundle under disable-modern=on. A public-ingress hardening set is done on the L4 gate (public-origin policy, IAP-aware SameSite cookie policy, JSON content-type guard, security response headers and strict CSP, GFE-range-pinned forwarded-scheme trust, the public /healthz contract, and in-guest login peer-gate/backoff hardening), and a no-spend provider-harness fixture set is done (private --preflight-only, private/public proof-evidence validators, public ingress plan gate, journal-driven teardown engine, provider-command allowlist gate) — all local QEMU/cloudboot or recording-stub fixture evidence with no real provider invocation or mutation; the current ladder summary lives in Current Status. cloud-gce-private-self-hosted-webui-proof remains on hold: the cloudtest credential lacks the firewall IAM a private same-VPC probe needs against GCE default-deny ingress, and the live run needs per-run billable authorization. Public GCE ingress and TLS remain under the explicit on-hold cloud-gce-public-self-hosted-webui-ingress-tls task and require separate authorization; the selected milestone does not grant public exposure, broad firewall changes, TLS key custody, or production release authority. The capOS-terminated TLS successor remains a separate later evidence class behind the provider-terminated first public proof.
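The session-hardening set named above (rotated server-side ids, idle/absolute expiry enforced before dispatch, Host/Origin/double-submit-CSRF gates, Secure-when-HTTPS cookie) is the classic shape of a server-side admission gate. The following is an added illustration in plain Rust, not code from the capOS Web UI; the `Request`, `Session`, `Gate` and `Reject` types, the cookie names `sid`/`csrf` and the header name used for the CSRF token are all assumptions made for the example, and the unpredictable id that `rotate` installs is expected to come from a CSPRNG outside this snippet.

```rust
use std::collections::HashMap;
use std::time::Duration;

// Hypothetical parsed request; `now` is a caller-supplied monotonic clock so the
// checks are deterministic and testable offline.
#[derive(Debug, Clone)]
pub struct Request<'a> {
    pub method: &'a str,
    pub host: Option<&'a str>,
    pub origin: Option<&'a str>,
    pub cookies: HashMap<&'a str, &'a str>,
    pub csrf_header: Option<&'a str>, // value of the assumed X-CSRF-Token header
    pub now: Duration,
}

// Server-side record; the browser only ever holds the opaque session id.
#[derive(Debug, Clone, Copy)]
pub struct Session {
    pub created_at: Duration,
    pub last_seen: Duration,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Reject { BadHost, BadOrigin, CsrfMismatch, NoSession, IdleExpired, AbsoluteExpired }

pub struct Gate {
    pub allowed_hosts: Vec<String>,
    pub expected_origin: String,
    pub idle_timeout: Duration,
    pub absolute_timeout: Duration,
    pub sessions: HashMap<String, Session>,
}

// Content-independent running time for the CSRF token pair (length may still leak).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl Gate {
    // All gates run before any handler is dispatched; the first failure wins, and an
    // expired session is deleted so a later request cannot revive it.
    pub fn admit(&mut self, req: &Request) -> Result<(), Reject> {
        match req.host {
            Some(h) if self.allowed_hosts.iter().any(|a| a == h) => {}
            _ => return Err(Reject::BadHost),
        }
        // Origin and double-submit CSRF checks apply to state-changing methods only.
        if !matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
            match req.origin {
                Some(o) if o == self.expected_origin => {}
                _ => return Err(Reject::BadOrigin),
            }
            match (req.cookies.get("csrf"), req.csrf_header) {
                (Some(c), Some(h)) if !c.is_empty() && ct_eq(c.as_bytes(), h.as_bytes()) => {}
                _ => return Err(Reject::CsrfMismatch),
            }
        }
        let sid = *req.cookies.get("sid").ok_or(Reject::NoSession)?;
        let s = *self.sessions.get(sid).ok_or(Reject::NoSession)?;
        let expired = if req.now.saturating_sub(s.created_at) > self.absolute_timeout {
            Some(Reject::AbsoluteExpired)
        } else if req.now.saturating_sub(s.last_seen) > self.idle_timeout {
            Some(Reject::IdleExpired)
        } else {
            None
        };
        if let Some(why) = expired {
            self.sessions.remove(sid);
            return Err(why);
        }
        if let Some(live) = self.sessions.get_mut(sid) {
            live.last_seen = req.now;
        }
        Ok(())
    }

    // Re-keys a session under a fresh id (e.g. after login) so a pre-login id never
    // survives authentication. Returns false if the old id was unknown.
    pub fn rotate(&mut self, old: &str, fresh: String) -> bool {
        match self.sessions.remove(old) {
            Some(s) => { self.sessions.insert(fresh, s); true }
            None => false,
        }
    }
}

// Secure-when-HTTPS posture: the Secure flag is added exactly when the listener is TLS.
pub fn session_cookie(sid: &str, https: bool) -> String {
    let mut c = format!("sid={}; HttpOnly; SameSite=Strict; Path=/", sid);
    if https { c.push_str("; Secure"); }
    c
}

fn main() {
    println!("{}", session_cookie("constructed-id", true));
}
```

The order of the checks matters: the Host and Origin gates are cheap and reject cross-site requests before any session state is touched, and expiry is decided before `last_seen` is refreshed so an idle session cannot renew itself on the request that should have ended it.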

The previous selected milestone, Installable System, is complete through commit 12b8334a (commit timestamp 2026-06-07 18:19 UTC; task closeout 2026-06-07 18:20 UTC) for the bounded local/QEMU contract: persistent data-region mount, config-overlay compose/merge fallback, generation/rollback machinery, integrated installable disk packaging, target-disk install (make run-installable-install), first-boot provision (make run-installable-provision), update/rollback (make run-installable-update), and structural proposal/body wording reconcile are landed. The closeout preserves the RAM-only Namespace caveat and does not claim secure boot/signing, production release authority, public ingress, AWS/Azure live support, direct-remapping production hardware, userspace smoltcp/L4 readiness, or full durable account policy. Detailed decomposition lives in docs/backlog/installable-system.md.

The preceding selected milestone, Device Driver Foundation, is complete by the 2026-06-07 08:23 UTC production-authority closeout recorded in ddf-production-authority-closeout. That closeout ties together the landed provider-driver, interrupt, audit, and DMA-policy prerequisites and preserves the runtime fail-closed DMA backend baseline: remapping only when capOS can validate it, otherwise brokered bounce buffers or unsupported. The related GCP-first provider NIC/storage rollup is also closed by cloud-usable-instance-provider-nic-storage (2026-06-07 05:26 UTC), but only for the recorded operator serial path, selected raw-frame NIC/storage evidence, and gVNIC portability evidence. Public L4 ingress, AWS/Azure live support, direct-remapping production hardware, device-autonomous MSI-X delivery, userspace smoltcp/L4 readiness, and high-throughput or multiqueue NIC readiness remain explicit future follow-ups, not part of the closed DDF selected milestone.

The previous selected milestone, In-Process Threading Scalability, is complete at commit 136b72de (2026-05-01 14:58 UTC) after repairing the benchmark validity issue found on 2026-05-01: the old 1 MiB/spinning-parent workload was not a valid four-core scaling reference because the matching Linux pthread baseline also stayed flat at four workers. The repaired shape now uses a blocking parent join, 262,144 blocks (16 MiB), and work_rounds=64. The controlled capOS/Linux pair on capos-bench 2026-05-02 21:38 UTC against main commit 374f8556 (5 runs each, both pinned to physical-core logical CPUs 0,1,2,3) recorded capOS 1-to-2 work/total speedups 1.883x / 1.787x and matching Linux pthread baseline 1.988x/1.987x. Its 1-to-4 row became the diagnostic that justified Phase D’s fair-share enqueue policy: capOS sat at 1.566x/1.538x while Linux scaled to 3.963x/3.858x on the same physical-core pin set. Phase D WFQ has now closed that diagnostic gap as a scheduler-evolution milestone, recording capOS 3.088x/2.700x and Linux 3.974x/3.850x on 2026-05-10. These rows are summarized in docs/benchmarks.md and docs/changelog.md. Historical pre-collapse 1-to-2 (1.828x/1.687x) and the post-collapse 3-run diagnostic remain in docs/benchmarks.md for reference. Ordinary -smp 2 regression coverage also passed.

The previous selected milestone, Multi-Process SMP Concurrency, is complete at commit 3fb89923 (2026-04-30 09:45 UTC): make run-smp-process-scale has repeated KVM-backed evidence for independent CPU-bound worker processes with 1.608x 1-to-2 speedup, and the ordinary run-smoke/run-spawn coverage passed under -smp 2.

The previous selected milestone, Session-Bound Invocation Context, is complete: normal workload processes have one immutable live session context, endpoint calls reveal only privacy-preserving caller-session metadata by default, explicit subject disclosure is gated by request and scope, and chat/adventure/terminal/stdio paths no longer derive ordinary caller identity from caller-selected service-visible metadata. Gate 4 verification is recorded at commit faeff80 (2026-04-29 21:39 UTC), and paper/status closeout is merged at commit 503abc9. Follow-up session lifecycle work remains outside that completed milestone: production interactive shells need mutable session liveness cells, explicit logout/close propagation, and renewal/recovery paths so fixed short expiry is not the only way to bound stale authority.

Username-aware local password login is prioritized ad-hoc implementation work, not the selected milestone, unless explicitly selected later.

Current priority ladder, reflecting user direction (2026-05-05 17:56 UTC redirect supersedes the earlier SMP/threading-first ladder; the previous ordering is retained as background only at the end of this section):

  1. Userspace driver transition prerequisites – the S.11.2 hostile-smoke gate items in docs/dma-isolation-design.md and the matching open items of docs/backlog/hardware-boot-storage.md Task 3 are now closed. S.11.2.7 stale IRQ after revoke/reset closed 2026-05-05 18:17 UTC via real-INT $vector cross-reset injection in make run-net. S.11.2.8 stale DMA completion after revoke/reset closed 2026-05-05 19:37 UTC via the device-manager prove_qemu_stale_dma_completion_handoff proof in make run-net: real virtio-net DMA page free + reallocate cycle bumps the live ledger’s page generation at three boundaries (after revoke, after detach, after reset/reuse), then a synthesized stale DeviceDmaAllocation is fed to the production device_dma::record_virtio_net_completion_for_allocation path and rejected as stale-dma-handle with side-effect blocking. S.11.2.9 hostile-smoke gate-wiring closed 2026-05-05 20:49 UTC by aggregating every hostile-smoke acceptance matrix proof line into the make run-net -> tools/qemu-net-smoke.sh gate, including the newly wired device-manager: devicemmio driver crash hook proof and device-manager: interrupt driver crash hook proof assertions. The manifest-granted DMAPool path currently exposes eight fixed manager-owned bounce-buffer DMABuffer result caps with typed allocate/free/map/unmap/submit/complete surfaces; DMABuffer.unmap removes only the caller’s borrowed userspace VMA and preserves pool/page and descriptor accounting, and accepted submitDescriptor now writes a bounded provider-owned queue entry plus submit marker after authority validation and the submit scrub. 
     The manifest-granted DeviceMmio path now exposes a read-only borrowed userspace VMA over boot-preseeded BAR pages, with explicit DeviceMmio.unmap, duplicate-map/no-op-unmap denials, revoke-before-detach cleanup, brokered read-only read32, and one bounded write32 effect for the provider-scoped PCI MSI-X metadata-derived virtio-rng vector-control mask dword, while arbitrary register writes, doorbells, host physical/IOVA exposure, and production provider-driver consumers remain blocked. The remaining gating prerequisites for moving NIC/block drivers out of the kernel are production userspace DMAPool/DeviceMmio/Interrupt handles, real device-manager page quiesce/scrub/release hooks, real userspace Interrupt waiter objects, and durable/signed production audit consumption beyond the first volatile HardwareAuditLog.snapshot cap. IOMMU domain programming has landed for the bounded QEMU Intel remapping path (umbrella closed 2026-05-23 23:35 UTC); production-hardware IOMMU programming, AMD-Vi, and trusted sharing groups remain future work. The device-manager refactor proposal is already on main at commit 77358400; treat its proof/handles/domain/transaction-helper splits as high-priority, behavior-preserving risk reduction only when they unblock or lower risk for those DDF authority gates. It remains subordinate to behavior-moving DDF slices and the scheduler SMP/nohz prerequisite chain.
  2. Scheduler evolution in docs/backlog/scheduler-evolution.md: Phase D best-effort fair scheduling closed at commit 77caafc0 (2026-05-10 19:39 UTC) and docs commit 1a08ec23 (2026-05-10 21:47 UTC). The WFQ slice uses per-thread vruntime accounting, SchedulingPolicyCap weight/latency-class authority, per-CPU WFQ run queues, and bounded steal/migration invariants. The controlled Task 6 benchmark pair materially closed the 1-to-4 thread-scale diagnostic gap: capOS recorded work/total speedups 3.088x / 2.700x versus the prior 1.566x / 1.538x baseline, while Linux on the same host/pin set recorded 3.974x / 3.850x. Phase E SchedulingContext capability follow-ups are now closed: endpoint donation/return and the scheduler-observable UserSession.logout() hook are merged; timeout/depletion notifications use fixed per-context cells plus drain observer results; ordinary non-donated session-logout stale-context coverage is proven; donated receiver logout keeps the conservative counted/skipped policy until endpoint return restores only reduced donor budget; and clean local owner-shell exit calls the same UserSession.logout() path before process exit. Phase F auto-nohz / SQPOLL / tickless idle follows Phase E; the one-SQ-consumer ring ownership prerequisite, CpuIsolationLease scaffold, nohz activation/deactivation telemetry child, and explicit housekeeping/deferred-work placement, bounded SQPOLL ring mode, the clockevent/deadline substrate, and bounded producer-wake SQPOLL progress are complete. The telemetry proof records accepted active candidates, rejected activation decisions, stale/revoked rollback labels, ready and selected housekeeping CPUs, selected deferred-work placement or fail-closed reasons, target runnable entity counts, monotonic clocksource/accounting readiness, and explicit disabled tick/SQPOLL/full-nohz guardrails. 
     The first two automatic nohz activation increments have since landed: the CpuIsolationLease preflight performs real per-CPU periodic-tick suppression for the narrow single-runnable-entity window with fail-closed rollback (docs/tasks/done/2026/scheduler-phase-f-auto-nohz-activation.md), and a ring-coupled kernelSqpoll lease whose bound ring is in SQPOLL running/sleeping mode with a live owner is admitted for tick suppression with the SQPOLL ring-state re-check as the decisive rollback gate (docs/tasks/done/2026/scheduler-phase-f-auto-nohz-sqpoll.md). Timeout-based auto-revoke, generic full-nohz for explicitly budgeted compute leases, and generic SQPOLL nohz for explicitly leased caller-thread rings have since landed; production policy-service issuance and broader userspace-poller/device-queue admission remain future work. The future full-SMP hardware scalability milestone is now recorded in the existing SMP/scheduler/benchmark/HPC proposal set and docs/backlog/scheduler-evolution.md Phase F.5. It targets direct high-core hardware/perf-runner rows at 1/2/4/8/16/32 workers, with QEMU kept for boot/regression and virtualization context rather than as the primary performance source. Phase G realtime islands follows Phase F. EEVDF is retained as a follow-on policy evaluation, not a Phase D blocker; generic full-nohz is landed for explicitly budgeted compute leases, with policy-service issuance still future.
  3. Language-support tracks remain active high-priority parallel work alongside the kernel/scheduler focus. POSIX adapter v0 P1.2 (UDP cap + dns.c) and P1.3 (Pipe cap + fork-for-exec + recording-shim posix_spawn) landed; the remaining v0 phase is P1.4 (dash port + libcapos-posix file/dir/stdio/env/printf surface + the run-posix-shell-smoke harness), which is in flight against the Storage Phase 3 RAM-backed File/Directory/Store/Namespace caps. P1.4 Slice 3 (FdBacking File/Directory/Terminal variants + make run-posix-file-backing-smoke) landed at ae58f936, and Slice 4 (absolute-path resolver + functional open()/opendir() over the bootstrap-granted root Directory cap with per-fd file position + make run-posix-open-smoke) landed at 94b29177. The file/directory fd closeout landed at commit f97d9833 (2026-05-23 06:23 UTC): make run-posix-file proves open(), write(), lseek(), read(), opendir(), readdir(), and closedir() through a live POSIX C process. Together these bring POSIX file I/O to functional end-to-end parity as the first non-shell POSIX subsystem. Identity stubs landed at commit 1a8a9896 (2026-05-23 06:51 UTC): make run-posix-identity proves parent and fork/exec child getpid lines with hardcoded uid/gid 0. The printf/string subset now has make run-posix-printf, which proves formatted output plus string/mem, numeric conversion, and ctype behavior from a live capOS C process. The signal/time surface landed at commit 90e64011 (2026-05-23 08:11 UTC): make run-posix-signal-time proves Timer-backed time, nanosleep, and sleep plus fail-closed signal-delivery stubs from a live capOS C process. Remaining P1.4 work is dash vendoring + smoke (Slices 11-13). Long-form decomposition lives in docs/backlog/posix-adapter-dash-port.md. WASI host adapter v0 W.1/W.2, Lua iteration follow-ons, libcapos / libcapos-posix successor work, and Go runtime stay in the parallel pool when selectable.
  4. Storage capability interfaces, starting with RAM-backed Store/Namespace; proceed to local disk and a small read-only filesystem when the block path and the userspace-driver gate are ready. Phase 2 (schema-only BlockDevice/File/Directory interfaces), Phase 3 slice 1 (minimal RAM-backed File CapObject with the KernelCapSource::file grant source and the make run-file-server-smoke proof), Phase 3 slice 2 (minimal RAM-backed Directory CapObject with the KernelCapSource::directory grant source, result-cap transfer of File/Directory handles, and the make run-directory-server-smoke proof), and Phase 3 slice 3 (the Store/Namespace schema interfaces plus minimal RAM-backed Store/Namespace CapObjects with the KernelCapSource::store/KernelCapSource::namespace grant sources, content-addressed blob storage, Namespace.sub() result-cap transfer, and the make run-store-namespace-smoke proof) have landed. The local-disk path has also reached its first read-only milestone: the first virtio-blk BlockDevice CapObject (make run-virtio-blk) and a read-only filesystem service over BlockDevice (kernel/src/cap/readonly_fs.rs, parsing a fixed CAPOSRO1 on-disk layout and serving Directory.list/open + File.read; make run-storage-fs) now serve a known on-disk tree to a userspace consumer. The Local Disk Storage Milestone’s final gate has also landed: a disk-backed persistent Store (kernel/src/cap/persistent_store.rs, a CAPOSST1 on-disk layout written through the virtio-blk driver, granted via the persistent_store KernelCapSource) with a two-pass reboot proof (make run-storage-persist) that stores+commits a capnp object on the first boot and reads it back on a fresh boot of the same disk image. 
     The Writable Local Storage Milestone has now landed: directory/file mutation, the fail-closed concurrent-writer policy, clean-reboot durability for both filesystem mutations and co-located Store objects on one disk (kernel/src/cap/writable_fs.rs, a CAPOSWF1 sub-volume; two-pass proof make run-storage-writable), and a bounded unclean-shutdown recovery proof (make run-storage-writable-recovery): an induced forced poweroff in the record-written / superblock-pending window proves the next mount recovers to a consistent tree with the interrupted allocation atomically absent. See docs/proposals/storage-and-naming-proposal.md.
  5. Keep serial diagnostics as the first remote troubleshooting path for cloud/hardware bring-up, then add SSH, Telnet development access, and basic WebShell access when network and identity prerequisites are credible. The host-served remote-session UI remains separate from the self-served capOS web UI path. The old self-served proof target is retired with the qemu-only kernel TCP listener; the replacement proof is the future Phase C Web UI L4 gate. Ordinary make run still starts the host-local remote-session CapSet path, and the full boot-resource UI bundle is served with fixed names and integrity labeling. The host-served make remote-session-ui bridge remains a separate trusted development path, not the self-hosted cloud Web UI proof.
  6. Boot on GCP/AWS in staged provider tracks. The first GCP serial-console boot proof landed as run 1778230874-715a (2026-05-08 09:06 UTC, source commit 3951e275). The GCP-first usable-instance provider rollup is also closed: serial-console operator access, live virtio-net raw-frame provider-nic-bound, live NVMe Persistent Disk brokered READ, and separate gVNIC raw-frame / typed-Nic portability evidence are recorded under cloud-usable-instance-provider-nic-storage. AWS/Azure providers, public L4 ingress, SSH/WebShell productization, broader storage variants, and cloud benchmark reruns remain future gates.
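Item 1 of the ladder above describes the S.11.2.8 proof shape: a page-generation counter in the live ledger is bumped at the revoke, detach and reset/reuse boundaries, and a completion carrying a handle minted under an older generation is rejected as stale-dma-handle before it can touch any accounting. The block below is an added illustration of that generation-tagged handle pattern in plain Rust; it is not the capOS device_dma code, and `DmaLedger`, `DmaAllocation`, `PageId`, `DmaError` and the single `quiesce_all` boundary (standing in for the three separate boundaries the proof exercises) are all names and simplifications chosen for this example.

```rust
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct PageId(pub u32);

// Hypothetical handle shape: it carries the page generation observed at allocation
// time, and nothing a holder can do makes an old generation current again.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct DmaAllocation {
    pub page: PageId,
    pub generation: u64,
    pub len: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DmaError { UnknownPage, StaleDmaHandle, NotAllocated, AlreadyAllocated }

#[derive(Debug, Default, Clone, Copy)]
struct PageState {
    generation: u64,
    allocated: bool,
}

// Manager-owned ledger: authoritative per-page generation plus the only accounting a
// completion may modify, so a rejected completion demonstrably has no side effect.
#[derive(Debug, Default)]
pub struct DmaLedger {
    pages: HashMap<PageId, PageState>,
    pub completed_bytes: u64,
}

impl DmaLedger {
    pub fn with_pages(count: u32) -> Self {
        let pages = (0..count).map(|i| (PageId(i), PageState::default())).collect();
        DmaLedger { pages, completed_bytes: 0 }
    }

    pub fn generation(&self, page: PageId) -> Option<u64> {
        self.pages.get(&page).map(|p| p.generation)
    }

    // The handle snapshots the current generation; a later free/reset will invalidate it.
    pub fn allocate(&mut self, page: PageId, len: u32) -> Result<DmaAllocation, DmaError> {
        let st = self.pages.get_mut(&page).ok_or(DmaError::UnknownPage)?;
        if st.allocated { return Err(DmaError::AlreadyAllocated); }
        st.allocated = true;
        Ok(DmaAllocation { page, generation: st.generation, len })
    }

    // Shared validation: generation first, then allocation state. Pure, no mutation.
    fn check(&self, h: DmaAllocation) -> Result<(), DmaError> {
        let st = *self.pages.get(&h.page).ok_or(DmaError::UnknownPage)?;
        if st.generation != h.generation { return Err(DmaError::StaleDmaHandle); }
        if !st.allocated { return Err(DmaError::NotAllocated); }
        Ok(())
    }

    // Freeing bumps the generation so every handle issued before the free is stale,
    // including a copy a driver or device still holds.
    pub fn free(&mut self, h: DmaAllocation) -> Result<(), DmaError> {
        self.check(h)?;
        let st = self.pages.get_mut(&h.page).expect("validated by check");
        st.allocated = false;
        st.generation += 1;
        Ok(())
    }

    // Revoke / detach / reset boundary: every page advances, allocated or not.
    pub fn quiesce_all(&mut self) {
        for st in self.pages.values_mut() {
            st.allocated = false;
            st.generation += 1;
        }
    }

    // Completion path: validate before any accounting is touched; bytes are clamped
    // to the allocation length so a completion cannot over-report.
    pub fn record_completion(&mut self, h: DmaAllocation, bytes: u32) -> Result<u64, DmaError> {
        self.check(h)?;
        self.completed_bytes += u64::from(bytes.min(h.len));
        Ok(self.completed_bytes)
    }
}

fn main() {
    let mut ledger = DmaLedger::with_pages(2);
    let old = ledger.allocate(PageId(0), 4096).unwrap();
    ledger.free(old).unwrap();
    let _fresh = ledger.allocate(PageId(0), 4096).unwrap();
    println!("stale completion -> {:?}", ledger.record_completion(old, 64));
}
```

The property worth keeping when adapting this pattern is that `record_completion` performs the generation comparison before the first write to any counter or queue, so the rejected path and the accepted path differ only after validation has succeeded.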

Game/demo plans (Paperclips, Aurelian Frontier) are deprioritized opportunistic-only per the same redirect; see docs/tasks/README.md Ad-Hoc Planning / Research Tasks for the High / Normal / Low / Closed bands and the dispatch ordering.

Earlier (pre-2026-05-05) priority ladder retained as background:

  1. Finish a reasonable SMP/threading milestone, including the current scheduler hot-lock bottleneck if the milestone still claims scalability.
  2. Build the device-driver foundation before cloud/network/storage expansion: ACPI/MADT/MCFG, PCI/PCIe, I/O APIC, MSI/MSI-X, DMA/MMIO/IRQ authority, and reusable virtio/device lifecycle code.
  3. Implement storage capability interfaces, starting with RAM-backed Store/Namespace; proceed to local disk and a small read-only filesystem when the block path is ready.
  4. Keep serial diagnostics as the first remote troubleshooting path for cloud/hardware bring-up, then add SSH, Telnet development access, and basic WebShell access when network and identity prerequisites are credible.
  5. Boot on GCP/AWS in two stages: first imported-image serial-console boot, then a usable cloud instance with provider storage/network drivers and network shell access.

The 2026-05-05 ladder above is the authoritative current ordering; the earlier ladder remains as background context only.

Details:

  • docs/tasks/README.md
  • docs/backlog/smp-phase-c.md
  • docs/backlog/session-bound-invocation-context.md
  • docs/proposals/session-bound-invocation-context-proposal.md
  • docs/proposals/user-identity-and-policy-proposal.md
  • docs/backlog/local-users-management.md
  • docs/proposals/boot-to-shell-proposal.md
  • docs/proposals/oidc-and-oauth2-proposal.md

Whitepaper Track

A future capOS whitepaper / technical report consumes – not duplicates – work from the other tracks. The plan, outline, and live evidence-gap log remain in docs/paper/ (plan.md, outline.md, evidence-gaps.md). The paper itself is a Typst project at papers/schema-as-abi/ and is built via make paper.

The paper’s Tier-1 evidence requirements pull these existing items into explicit paper-supporting roles. They are not new tracks; they are the selection lens this track applies:

  • Stage 6 session-bound invocation context migration (closes the “interface IS the permission” claim).
  • A measurement harness over make run-measure producing reproducible ring throughput, cap_enter latency, IPC handoff, and schema-dispatch numbers (closes the ring-as-sufficient-boundary claim).
  • A paper-scoped persistence proof-of-concept narrower than the storage proposal (closes the wire-format-enables-persistence claim).
  • A paper-scoped network-transparency proof-of-concept narrower than the general networking proposal (closes the wire-format-enables-network-transparency claim).
  • At least one of {promise pipelining, notification objects} (closes capnp-rpc-shaped composition beyond CALL/RECV).

Tier-2 strengtheners: ring-protocol Kani proof, full concurrent SMP scheduling, end-to-end SSH Shell Gateway, one non-toy demo beyond Adventure or First Chat.

Out of scope for the first paper (acknowledge in Future Work only): aarch64, GPU, live upgrade, formal MAC/MIC, Go/WASI, cloud metadata, production volume encryption.

When workplan slices close a paper-evidence gap they should reference docs/paper/evidence-gaps.md and update it in the same task, including the matching #todo block in papers/schema-as-abi/main.typ. A structural pre-evidence draft already exists at papers/schema-as-abi/main.typ; the abstract, the Evaluation section, the Conclusion, and any contribution claim that depends on missing Tier-1 evidence stay deferred until that evidence lands. New paper content that does not depend on missing artifacts may be drafted at any time and lives next to the existing #todo blocks.

Completed Foundation

  • Stage 0: Foundations: bitmap physical frame allocator, heap for alloc, IDT exception handling, and initial Cap’n Proto schema scaffolding.
  • Stage 1: Virtual Memory: kernel and per-process address spaces, page table abstraction, HHDM preservation, and user-half cleanup.
  • Stage 2: User-Space Transition: GDT/TSS/syscall setup and Ring 3 round-trip path.
  • Stage 3: Process Abstraction: ELF loading, process ownership of address spaces and cap tables, process exit cleanup, and the current exit / cap_enter syscall surface.
  • Stage 4: Capability Syscalls / Ring Transport: Console capability, shared-memory submission/completion rings, cap_enter, CQE transport errors, and alloc-free dispatch paths.
  • Stage 5: Scheduling Core: PIT/PIC timer preemption, round-robin scheduler, context switching, generation-tagged caps, and VirtualMemory cap.
  • Kernel Networking Smoke: in-kernel QEMU virtio-net lower-layer fixture evidence for PCI/device discovery, descriptor-accounting guards, ARP, and ICMP. TCP/UDP socket proof has moved to the Phase C userspace network-stack gates.
  • Boot To Shell / Native Shell: shell-led boot flow, split debug/terminal UARTs, local setup/login, anonymous/operator sessions, and shell REPL.
  • Verified Core: bounded local/GitHub Kani model-checking gate plus high-memory proof gate for selected cap-table, frame-bitmap, transfer rollback, and resource accounting invariants. These are bounded model checks (small input sizes such as <=8 frames and 63 ELF bytes), not unbounded proofs; they hold within the harness bounds, not for all inputs.
  • Shared-Service Demo Base: chat, adventure, NPC-as-process, and shared service harness prototypes.

Historical completion reports live in docs/changelog.md.

Stage 6: IPC And Capability Transfer

Outcome: cross-process capability calls, capability transfer, revocation, and process spawning are capability-shaped and usable by init-owned service graphs. Caller-selected service-visible identity is being replaced by session-bound invocation context: each normal process has one immutable session context, endpoint calls expose privacy-preserving caller-session metadata, and broker-granted service roots/facets carry service access.

Implemented:

  • cap_enter blocking wait
  • Endpoint kernel object
  • RECV/RETURN ring opcodes
  • cross-process IPC
  • direct-switch IPC handoff
  • legacy endpoint receiver metadata as transitional IPC machinery
  • copy/move capability transfer
  • CAP_OP_RELEASE
  • runtime handle release integration
  • epoch revocation and Revocable Read proof
  • MemoryObject substrate – the kernel-level mapping mechanism that backs zero-copy IPC. Demonstrated end-to-end by make run-memoryobject-shared (single-shot transfer) and make run-ipc-zerocopy (multi-message shared point-to-point buffer with metadata-only endpoint CALLs). The typed SharedBuffer surface and service APIs that consume it (File.readBuf, BlockDevice.readBlocks, NIC RX/TX rings) are still pending.
  • ProcessSpawner / ProcessHandle
  • init-owned manifest execution and boot package boundary cleanup
  • immutable per-process SessionContext ownership, default child-session inheritance, and trusted broker-selected child sessions, demonstrated by make run-session-context

Remaining themes:

  • typed SharedBuffer capability and consuming service APIs (storage, block, network, GPU) on top of the existing MemoryObject substrate
  • notification objects (so zero-copy producers/consumers can signal each other without per-record endpoint CALLs)
  • promise pipelining
  • CapabilityManager list/grant interface
  • stable service-audit identity for endpoint caller-session references across intentional service replacement or upgrade
  • scheduling context and resource donation
  • init ELF embedding

Details:

  • docs/backlog/session-bound-invocation-context.md
  • docs/backlog/service-object-identity-migration.md (superseded)
  • docs/backlog/stage-6-capability-semantics.md
  • docs/proposals/service-architecture-proposal.md
  • docs/proposals/storage-and-naming-proposal.md
  • docs/proposals/error-handling-proposal.md

Stage 7: SMP, Runtime, Networking, And Shell

Outcome: capOS moves from single-CPU scheduling and local-only shell access to multi-CPU execution, thread-aware runtime behavior, socket-shaped network capabilities, and agent/web shell entry points.

SMP status:

  • Phase A complete: BSP per-CPU syscall stack/current-thread state and unified kernel-entry stack hook.
  • Phase B complete: APs start through Limine MP, switch to capOS kernel paging/stacks, initialize AP-local CPU state, and park.
  • Phase C selected AP scheduler-owner proof complete: GS/swapgs, LAPIC timer/IPI, TLB shootdown, and first AP scheduler-owner proof are complete. Commit d88bca7 at 2026-04-25 11:31 UTC proves AP cpu=1 can run scheduler-owned user contexts under -smp 2 while a scheduler-owner latch keeps the BSP in kernel idle. Per-CPU scheduler ownership, the narrow idle-to-runnable reschedule-IPI wake path, and the focused process-scale proof harness are now present.
  • Multi-Process SMP Concurrency is complete at commit 3fb89923 (2026-04-30 09:45 UTC). make run-smp-process-scale records repeated raw QEMU serial logs plus per-case medians and fails closed below the 1.6x speedup threshold. The accepted KVM-backed run recorded 1.608x 1-to-2 speedup, and ordinary run-smoke/run-spawn coverage passed under -smp 2.
  • In-Process Threading Scalability has the formal capOS+Linux thread-scale evidence pair on capos-bench 2026-05-02 21:38 UTC against main commit 374f8556: capOS work 1.883x and total 1.787x clear the configured 1-to-2 gates against the then-current single-global-queue scheduler; matching Linux pthread baseline 1.988x/1.987x validates the workload shape. Its 1-to-4 row became the diagnostic that justified Phase D’s fair-share enqueue policy (capOS 1.566x/1.538x vs Linux 3.963x/3.858x on the same physical-core pin set). Phase D WFQ later manually accepted the recorded 1-to-4 diagnostic with capOS 3.088x/2.700x and matching Linux 3.974x/3.850x.

Runtime/network/shell themes:

  • reconcile in-process threading implementation status and any follow-on work
  • scheduler evolution after the accepted Phase D WFQ closeout: Phase E SchedulingContext capability authority is closed; CPU isolation housekeeping/deferred-work placement is closed; bounded SQPOLL ring mode and the clockevent/deadline substrate are closed; bounded non-periodic SQPOLL producer-wake progress is closed. The narrow single-runnable-entity and SQPOLL-coupled automatic nohz activation increments are closed (scheduler-phase-f-auto-nohz-activation, scheduler-phase-f-auto-nohz-sqpoll under docs/tasks/done/2026/); generic full-nohz for explicitly budgeted compute leases and generic SQPOLL nohz for explicitly leased caller-thread rings have since landed, while policy issuance remains future work. Keep EEVDF as a follow-on best-effort ordering evaluation and keep stateful task/job graph coordinators above CPU dispatch rather than turning them into global schedulers. Userspace policy-service AutoNoHz placement for ordinary “capable of saturating a CPU core” threads sits in Phase H of docs/backlog/scheduler-evolution.md and the “Policy-Service Userstories” section of docs/proposals/tickless-realtime-scheduling-proposal.md: the policy-service-issued CpuIsolationLease adds placement isolation only and never mints CPU-time authority, with bounded lifetime, revocation, accounting target, and operator-declared auto-claim pool
  • session lifecycle for production shell UX: mutable session liveness cells, UserSession.logout, owner-shell/gateway close propagation, and narrow renewal/recovery paths that mint fresh grants without reviving stale ordinary caps; clean local owner-shell exit now reaches the logout path, while renewal/recovery remains future work
  • Telnet Shell Demo as first TCP-backed TerminalSession proof. Plaintext, loopback-only research demo; not a shippable Telnet service.
  • Tickless idle as the near-term timer cleanup: split clocksource from clockevent, convert timeout waiters to absolute deadlines (done), migrate the scheduler idle path to a CPL0 per-CPU kernel idle thread (done), then stop the periodic tick only when no runnable work exists. Once the one-SQ-consumer, CPU-isolation authority, nohz telemetry, and housekeeping-placement prerequisites were in place, bounded SQPOLL ring mode and the clockevent/deadline substrate closed and bounded non-periodic SQPOLL progress was proven; the periodic tick is now suppressed for the narrow single-runnable-entity window and for the ring-coupled kernelSqpoll lease (scheduler-phase-f-auto-nohz-activation, scheduler-phase-f-auto-nohz-sqpoll), with the periodic tick as the fail-closed fallback everywhere else. Timeout-based auto-revoke, generic full-nohz for explicitly budgeted compute leases, and generic SQPOLL nohz for explicitly leased caller-thread rings have since landed. See docs/proposals/tickless-realtime-scheduling-proposal.md and docs/research/nohz-sqpoll-realtime.md.
  • SSH Shell Gateway as the production remote CLI successor to plaintext Telnet after host-key, authorized-key, audit, and persistence prerequisites exist
  • remote session CapSet clients as the programmatic/UI counterpart to shells: regular host apps, desktop GUI/Tauri front ends, and server-side webapp gateways authenticate through the same session/admission path, receive broker-issued remote capability views, and call granted services over Cap’n Proto RPC without turning chat, Paperclips, agent tools, or future command surfaces into shell-only protocols. The first default-run development endpoint and focused interop harness now prove this shape with schema-framed Cap’n Proto DTOs; standard capnp-rpc proxy transport remains future work. Later UI-composition caps let capOS-side services or agents propose bounded session workspace changes without receiving arbitrary browser or desktop authority.
  • self-served capOS web UI has historical focused proof evidence, but the old make run-remote-session-self-served-web-ui target is retired with the qemu-only kernel TCP listener. The replacement proof belongs to the future Phase C Web UI L4 gate. make run forwarding the guest remote-session CapSet endpoint is still not the same as capOS serving the web UI, and make remote-session-ui remains the host-side trusted development bridge. The blocked remote-session-self-served-web-ui-default-run task records the future decision and wiring gate if self-served UI should become part of ordinary make run.
  • Telnet over TLS as an optional compatibility/service-terminal transport after certificate/TLS, durable identity, and session lifecycle work exists. It should not be a default main access interface ahead of SSH/WebShell.
  • decomposed userspace NIC/network-stack milestone after driver authority gates
  • native shell agent runner
  • WebShellGateway using the same broker-issued shell/agent authority model
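
The session lifecycle item above states the intended shape (a mutable liveness cell, UserSession.logout, and renewal that mints fresh grants without reviving stale ordinary caps) but not how a retained handle ends up failing closed. The following is an added illustration, not capOS code: a broker-minted capability view shares one liveness cell with its session and re-checks that cell on every call, so logout turns every retained view stale at once, and a renewal installs a new cell that old views never see. The names SessionLiveness, SystemInfoView, SessionBroker and stale_handle_sequence are assumptions for this example, and the SystemInfo backend call is a constructed stand-in.

```rust
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;

/// Mutable liveness cell shared by every capability view minted for one
/// session. Illustrative assumption for this example, not capOS's own type.
#[derive(Debug)]
pub struct SessionLiveness {
    live: AtomicBool,
}

impl SessionLiveness {
    pub fn new_live() -> Arc<Self> {
        Arc::new(Self { live: AtomicBool::new(true) })
    }

    /// Logout flips the cell once. Every view that captured this cell fails
    /// from now on; nothing ever sets it back to live.
    pub fn logout(&self) {
        self.live.store(false, Ordering::SeqCst);
    }

    pub fn is_live(&self) -> bool {
        self.live.load(Ordering::SeqCst)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum CapError {
    /// The owning session has ended; the retained handle is stale.
    StaleSession,
}

/// Remote view of a backend-held SystemInfo service. The view carries no
/// authority of its own: each call re-checks the session cell before dispatch.
pub struct SystemInfoView {
    liveness: Arc<SessionLiveness>,
    generation: u64,
}

impl SystemInfoView {
    pub fn get(&self) -> Result<String, CapError> {
        if !self.liveness.is_live() {
            return Err(CapError::StaleSession);
        }
        // Constructed stand-in for the backend SystemInfo call.
        Ok(format!("system-info via session generation {}", self.generation))
    }
}

/// Broker side: owns the current cell and mints views bound to it.
pub struct SessionBroker {
    cell: Arc<SessionLiveness>,
    generation: u64,
}

impl SessionBroker {
    pub fn login() -> Self {
        Self { cell: SessionLiveness::new_live(), generation: 1 }
    }

    pub fn mint_system_info(&self) -> SystemInfoView {
        SystemInfoView { liveness: Arc::clone(&self.cell), generation: self.generation }
    }

    pub fn logout(&self) {
        self.cell.logout();
    }

    /// Renewal installs a fresh cell and generation. Views minted earlier still
    /// point at the dead cell, so renewal never revives a stale handle.
    pub fn renew(&mut self) {
        self.cell = SessionLiveness::new_live();
        self.generation += 1;
    }
}

/// Runs the proof shape: call works, logout, retained handle fails, renewal
/// mints a working fresh grant while the retained handle still fails.
pub fn stale_handle_sequence() -> [bool; 4] {
    let mut broker = SessionBroker::login();
    let retained = broker.mint_system_info();
    let before_logout_ok = retained.get().is_ok();
    broker.logout();
    let retained_stale = retained.get() == Err(CapError::StaleSession);
    broker.renew();
    let fresh_ok = broker.mint_system_info().get().is_ok();
    let retained_still_stale = retained.get() == Err(CapError::StaleSession);
    [before_logout_ok, retained_stale, fresh_ok, retained_still_stale]
}

fn main() {
    println!("{:?}", stale_handle_sequence());
}
```

The point of keeping the check inside the view rather than in the broker is that the client cannot skip it: a handle leaked across a logout carries a pointer to a dead cell, not to the service.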

Remote shell priority: do not treat Agent Shell or WebShellGateway as the next default visible milestone before the driver/storage foundation unless the user explicitly redirects. SSH/WebShell production access is more useful after session lifecycle, durable account/key material, network listener authority, and serial/cloud diagnostics have credible proofs. Plaintext Telnet remains a loopback/local development proof and a simple transport for exercising TerminalSession; it is not a production cloud access target. Telnet over TLS may remain as a later optional transport, but SSH and WebShell are the main production access tracks.

Details:

  • docs/backlog/smp-phase-c.md
  • docs/backlog/scheduler-evolution.md
  • docs/backlog/runtime-network-shell.md
  • docs/backlog/remote-session-capset-client.md
  • docs/proposals/smp-proposal.md
  • docs/proposals/scheduler-evolution-proposal.md
  • docs/research/future-scheduler-architecture.md
  • docs/proposals/tickless-realtime-scheduling-proposal.md
  • docs/proposals/networking-proposal.md
  • docs/proposals/shell-proposal.md
  • docs/proposals/remote-session-capset-client-proposal.md
  • docs/proposals/llm-and-agent-proposal.md
  • docs/proposals/boot-to-shell-proposal.md

Hardware, Boot, And Storage

Outcome: capOS boots beyond the current ISO/QEMU manifest path, discovers real hardware, supports block devices, and exposes local persistent storage through typed capabilities.

Tracks:

  • hybrid BIOS+UEFI raw disk image and make run-disk
  • serial diagnostics console for cloud/hardware bring-up
  • ACPI/MADT/MCFG discovery
  • reusable interrupt and PCI/PCIe infrastructure
  • virtio-blk and NVMe block-device paths
  • boot binary ISO layout that moves ELF payloads out of the manifest blob
  • RAM-backed Store/Namespace
  • read-only local filesystem proof
  • writable local storage with recovery policy
  • installable system: boot from disk with persistent, mutable system configuration composed over the immutable boot manifest (own milestone, sequenced after the writable-local-storage milestone it builds on)
  • staged cloud boot: first serial-console boot, then provider block/NIC drivers and network shell access

Details:

  • docs/backlog/hardware-boot-storage.md
  • docs/proposals/cloud-deployment-proposal.md
  • docs/proposals/storage-and-naming-proposal.md
  • docs/proposals/installable-system-proposal.md
  • docs/dma-isolation-design.md

User Identity, Sessions, And Policy

Outcome: shell, service, and future web sessions receive narrow capability bundles based on explicit identity, freshness, policy, and audit context.

Implemented base:

  • anonymous/operator shell sessions
  • password setup/login proof
  • broker-issued shell bundles
  • redacted auth/session audit records

Remaining themes:

  • manifest-seeded local accounts, recovery identities, service identities, and initial role/resource profiles
  • disk-backed local account store over capability-native storage
  • default per-account, guest, anonymous, external, and service-account resource bundles
  • explicit external identity bindings for OIDC/passkey/cloud/certificate principals
  • durable verifier/passkey records
  • WebAuthn and passkey-only setup path
  • broader AuditLog completion
  • ABAC context such as auth freshness, session age, source, and claims
  • mandatory-policy labels and wrapper caps
  • guest and anonymous workload demos
  • POSIX profile adapter metadata
  • OIDC/OAuth2 integration

Details:

  • docs/proposals/user-identity-and-policy-proposal.md
  • docs/backlog/local-users-management.md
  • docs/proposals/oidc-and-oauth2-proposal.md
  • docs/proposals/certificates-and-tls-proposal.md
  • docs/proposals/cryptography-and-key-management-proposal.md
  • docs/security/trust-boundaries.md

Security And Verification

Outcome: trust boundaries fail closed, proof gates stay practical, and trusted build inputs remain review-visible.

Implemented base:

  • host tests for pure logic
  • Loom ring model (a bounded concurrency model of the ring protocol, not the shipped kernel/src/cap/ring.rs)
  • Miri/proptest/bounded Kani model-checking paths
  • dependency policy checks
  • pinned Limine and Cap’n Proto tooling
  • DMA isolation design gate
  • panic-surface inventory

Remaining themes:

  • Stage-6 trust-boundary refresh
  • untrusted-service hardening and quota/exhaustion smokes
  • Kani harness bounds refresh when new proof obligations are concrete
  • DMA assurance model operationalization: turn the v0 TLA+/Alloy skeletons into checked run targets (make model-dma-tla / model-dma-alloy / kani-dma-authority + a DeferredCompletionQueue Loom) reconciled with landed DMA code and wired to CI
  • Scheduler & IRQ assurance models: first formal coverage for the densest unmodeled race surface – nohz activation/rollback (TLA+ + Loom), the LAPIC one-shot timer fix (Kani + TLA+), CpuIsolationLease authority (Alloy + TLA+), and the MSI-X waiter determinism ordering (TLA+)

Details:

  • docs/backlog/security-verification.md
  • REVIEW.md
  • docs/tasks/README.md
  • docs/proposals/security-and-verification-proposal.md
  • docs/security/verification-workflow.md
  • docs/trusted-build-inputs.md

Shared-Service Demos

Outcome: multi-process demos prove resident services, shell-spawned clients, session-bound invocation context, shared harnesses, and eventually network-transparent federation.

Implemented:

  • First Chat MVP
  • Local MUD/adventure prototype
  • NPC-as-process fleet
  • shared service harness extraction
  • session-bound chat/adventure state keyed by live caller-session metadata

Remaining themes:

  • per-principal chat state and audit
  • Aurelian Frontier game-depth work after the first deterministic mission slice
  • native command-surface replacement for prototype StdIO
  • federated chat after network transparency

Details:

  • docs/backlog/shared-service-demos.md
  • docs/backlog/aurelian-frontier.md
  • docs/demos/adventure.md
  • docs/proposals/aurelian-frontier-proposal.md
  • docs/proposals/interactive-command-surface-proposal.md

aarch64 Support

Outcome: port the architecture layer after x86_64 hardware abstraction stabilizes.

Shared code expected to carry over:

  • capability model and schema
  • ring structs and transport contracts
  • userspace runtime model
  • process/capability abstractions above arch/

Architecture-specific work:

  • EL0/EL1 syscall entry/exit
  • GICv3 interrupts
  • ARM generic timer
  • PL011 UART
  • TTBR0/TTBR1 MMU setup
  • TPIDR_EL1 per-CPU data
  • kernel/linker-aarch64.ld

Future Tracks

These are not selected unless docs/tasks/state.toml or explicit user direction pulls them into active selected-milestone scope. Add root task records and backlog/proposal decomposition only when one of these tracks becomes the selected visible outcome:

  • regular Rust runtime support
  • C libcapos
  • Go GOOS=capos
  • Python runtime adapters
  • Lua scripting (Phase 0 capability-aware Lua-subset interpreter shipped in demos/lua-smoke/; PUC Lua dialect compatibility remains future, awaiting C/libcapos)
  • POSIX compatibility adapters
  • WASI runtime
  • C++ experiments
  • GPU/CUDA capability integration
  • system monitoring
  • network transparency
  • process persistence/checkpoint-restore
  • live upgrade
  • cloud metadata
  • volume encryption
  • formal MAC/MIC modeling
  • browser/WASM support
  • robotics realtime control
  • trusted time and clock authority
  • crash recovery and supervision
  • debug and trace authority

Use proposal files under docs/proposals/ and research notes under docs/research/ before promoting any future track into docs/tasks/README.md. Lua scripting should arrive as an ordinary capability-scoped userspace runner, not as kernel scripting or ambient shell authority.

seL4 HAMR (model-based high-assurance engineering)

Evaluated HAMR (High Assurance Modeling and Rapid engineering): AADL component models, Slang/GUMBO contracts, and seL4/CAmkES backend generation, and how that model-to-capability-system pipeline compares with capOS’s “the Cap’n Proto schema is the contract” model, capability partitioning, and the schema-as-ABI story. Findings: docs/research/sel4-hamr.md (reference talk: https://youtu.be/gP1klZJi04U).

Crate publication

Publish capOS’s reusable no_std crates – capos-abi, capos-lib, capos-config, and the capos/capos-rt runtime/facade – to crates.io with stable versioning, rendered docs, and license/metadata, so the ELF parser, capability table, ring/SQE wire validation, manifest/CUE loader, and typed clients can be reused and cited independently of the kernel tree. The publish-set decision is pinned in docs/backlog/capos-sdk-dual-transport.md: publish capos-abi, the capos-capnp-build build helper, capos-config, and capos-lib first; publish capos-rt and the bare capos facade with the transport seam; ship the libcapos/libcapos-posix C substrate as release artifacts only (not crates.io – their consumers link .a archives, decision 2026-06-02 16:10 UTC); the publish-set MSRV is the stable Rust 1.88.0 proven by the slice-2 dry-run (the Rust 2024 floor 1.85.0 cannot build capos-config’s let chains); and keep generated Cap’n Proto bindings inside capos-config rather than publishing a separate bindings crate. The versioning policy (pre-1.0 SemVer, schema/ABI changes as breaking bumps, lockstep across the set) and the repeatable make sdk-publish-dry-run gate are recorded in docs/backlog/capos-sdk-dual-transport.md.

This track now also covers the front-door capos SDK crate: one published crate whose typed capability clients run unchanged against two transports – the in-process capability ring (an application running inside capOS) and a remote connection (a host-side RPC client) – behind a Transport seam. The bare capos name is the facade; capos-rt provides the ring transport and the remote feature provides the host transport. The seam and facade have landed: capos-rt defines the Transport trait and the in-system RingTransport, the typed clients are transport-generic, and the standalone capos facade crate re-exports the runtime, clients, and entry_point! macro behind the default ring feature (proved in-system by make run-spawn). The remote transport backend remains ahead.

Crates.io remains a flat, first-come namespace; the exact crate names were verified free before the 2026-06-05 upload and are now claimed by the capOS 0.1.0 release, while the adjacent capos-bitstruct crate from an unrelated cap-os/rust-tools repository shows the namespace contention risk. The near-term reservation work is closed: existing reusable layers were published with real content, the bare capos facade was reserved with transport-seam content, and the seam landed early.

The repository-wide license file required by the public-release boundary is recorded (LICENSE-APACHE / LICENSE-MIT, MIT OR Apache-2.0 on the SDK crates). The first six-crate 0.1.0 publish completed on 2026-06-05 after the final crates.io name re-check, the custom-target SDK gate, and the local Cargo API-token upload. The capos-config docs.rs accommodation is implemented through the packaged generated-binding fallback, and the GitHub Actions trusted-publishing workflow is present for subsequent releases from refs/heads/main after a current explicit user release instruction and crates.io trusted publishers are configured for the six crates.

Decomposition and publication ordering are in docs/backlog/capos-sdk-dual-transport.md; the transitional host-backend remote transport (slice 4a) can ship now, while the live-proxy capnp-rpc upgrade (slice 4b) remains gated on the remote-session async-runtime rewrite.

Observable Milestones

Completed visible milestones:

  • 2026-04-22 16:35 UTC, commit d4016ab: Unprivileged Stranger
  • 2026-04-23 08:41 UTC, commit f554e88: Native Cap Shell
  • 2026-04-23 13:39 UTC, commit e5adafb: Boot to Shell
  • 2026-04-23 16:15 UTC, commit 7f19af2: Revocable Read
  • 2026-04-23 16:34 UTC, commit 8b66c13: split UART shell session
  • 2026-04-23 22:09 UTC, commit d43b691: Verified Core
  • 2026-04-24 00:13 UTC, commit 2cd85a8: First Chat MVP
  • 2026-04-24 01:40 UTC, commit add7f9b: Local MUD/adventure prototype
  • 2026-04-24 03:13 UTC, commit da5f5e9: Ring as Black Box
  • 2026-04-24 15:37 UTC, commit b56a5c1: First Packet
  • 2026-04-24 16:47 UTC, commit a4f1722: First HTTP
  • 2026-04-25 05:36 UTC, commit 0b79054: SMP Phase A: per-CPU data on BSP
  • 2026-04-25 06:59 UTC, commit d3c30c6: SMP Phase B: APs running
  • 2026-04-25 11:31 UTC, commit d88bca7: First AP Scheduler
  • 2026-04-25 20:25 UTC, commit 2834bfc: Telnet Shell Demo
  • 2026-04-30 09:45 UTC, commit 3fb89923: Multi-Process SMP Concurrency
  • 2026-05-01 14:23 UTC, commit fb102828: Remote Session CapSet Web UI Proof
  • 2026-05-11 14:38 UTC, branch commit 28db3277: Self-Served capOS Remote Session Web UI Proof. The now-retired make run-remote-session-self-served-web-ui target booted the focused manifest, loaded browser assets from the capOS remote-session-web-ui service over its scoped listener, denied no-cookie browser commands, called backend-held SystemInfo, logged out, and then attempted the retained backend-held SystemInfo capability to prove expired-session stale failure. The host make remote-session-ui bridge remains a development tool.
  • 2026-05-13 11:05 UTC, branch commit 5f5028e7: WASI bounded environment grant smoke. make run-wasi-env boots the focused wasm-host manifest, reads the bounded initConfig.init.wasiEnv text grant, reflects it through Preview 1 environ_get / environ_sizes_get, and the Rust wasm32-wasip1 payload prints [wasi-env] CAPOS_WASI_ENV_SENTINEL=capos-wasi-env-sentinel. Missing wasiEnv remains the empty-environment behavior.
  • 2026-05-01 16:13 UTC, commit 5198e255: Remote Session Adventure Launch
  • Cloudboot run 1778230874-715a (2026-05-08 09:06 UTC), source commit 3951e275 (2026-05-08 08:50 UTC): GCP Imported-Image Serial Boot. make cloudboot-test booted the GCE imported disk image to the capos kernel starting serial landmark on a temporary no-public-IP, no-service-account e2-small instance, captured serial output, and tore down the temporary cloud resources. This is a boot-path portability milestone, not provider NIC/storage driver readiness.
  • GCP-first usable-instance provider rollup, closed 2026-06-07 05:26 UTC by commit b5fdcc3e and cloud-usable-instance-provider-nic-storage: serial-console operator access run 1779868872-2424 (source commit c92c8bc1), live legacy virtio-net raw-frame provider-nic-bound run 1780412056-e1cb (source commit 1fb65683), live NVMe Persistent Disk brokered READ run 1780806087-bf69 (source commit 28518165), and separate live gVNIC raw-frame / typed-Nic portability runs 1780794927-1aa9 (source commit 3ef8997a) and 1780796615-decc (source commit 2a0857d). This closes the selected GCP provider NIC/storage bar while leaving public L4 ingress, SSH/WebShell productization, AWS/Azure providers, broader storage, high-throughput/multiqueue NIC, and direct-remapping DMA for future tracks.
  • Device Driver Foundation (DDF) bounded-authority proof series, 2026-05-08 through 2026-05-23: read-only hardware-audit snapshots (make run-hardware-audit*), bounded DMAPool/DMABuffer result caps with parent-first release and proof-slot reuse (make run-dmapool-grant), DeviceMmio brokered read/write and Interrupt wait/ack/mask/unmask grant proofs (make run-devicemmio-grant, make run-interrupt-grant, make run-hardware-grant-cycle), a device-manager-owned DMAPool budget ledger, and the userspace provider-consumer TX/RX path (make run-ddf-provider-consumer): bounded selected-route descriptor/avail/ doorbell/used-ring/CQ handoffs, full selected TX queue-depth CQ ownership, bounded RX synthetic-token CQ identity, selected TX/RX MSI-X/LAPIC wait/ack/EOI, selected-route reset/reassignment, and teardown/stale-handle blocking. These are bounded-proof milestones, not live hardware RX used-ring ownership, full virtio-net ownership, direct DMA/IOMMU, cloud NIC/storage readiness, or production userspace driver readiness. The provider virtio-net closeout slice is commit c86374f8 (2026-05-23 16:51 UTC); the executable decomposition and remaining gates live in docs/backlog/hardware-boot-storage.md and the DDF task files under docs/tasks/.

Visible demo follow-ups:

  • Adventure/shared-service follow-ups after the Local MUD prototype: 73d83aa, da51dc7, 353c8bc, e20cf07, 948c96e, and ca6300c. These refine discoverability, room context, expedition map, relic custody, explicit resume, and chat-only named actors; detailed reports live in commit history.
  • 2026-04-26 04:10 UTC, commit 5480304: Scoped Telnet Gateway Authority. telnet-gateway now uses manifest-forwarded scoped listener authority plus RestrictedShellLauncher; detailed verification history lives in commit history.
  • 2026-04-26 23:12 EEST, commit 4304b0e: Default run Telnet wiring. The default manifest starts telnet-gateway, and make run attaches host-local 127.0.0.1:2323 -> guest :23 forwarding.
  • 2026-05-01 16:54 UTC, branch commit 367117be: Default run Telnet wiring retired. The default manifest no longer starts telnet-gateway, and make run now forwards only the remote-session CapSet endpoint. The plaintext Telnet research fixture was later retired with the qemu-only kernel TCP listener; make run-telnet now exits before QEMU with a retirement diagnostic.
  • 2026-05-02 02:24 UTC, branch commit 84f5ac61: Remote Session Gate 3 auth-denial proof. Focused backend/account-store coverage rejects inactive accounts, unknown principals, and missing or retired resource profiles before remote-client bundle authority exists. The live CLI/QEMU proof now drives bad password proof, unknown account, wrong requested profile, and anonymous profile mismatch denials before any session, CapSet, or service-launch activity; denied re-login clears prior gateway/client/UI session state.
  • 2026-05-02 06:23 UTC, branch commit 482e5e07: Remote Session Adventure mutable control proof. The remote Adventure fixture and trusted web bridge now call bounded Adventure.go(direction) through the same session-bound worker/client path as status, look, and inventory, then verify movement text, changed room state, redacted transcripts, and visible-button UI automation without exposing raw capOS authority.
  • 2026-04-27 00:02 EEST, commit 7a155f4: Telnet IAC handoff fix and repeat-connect support. Telnet handoff no longer consumes raw socket input before intoTerminalSession, repeated host connections succeed, and the harness drives two consecutive sessions.
  • 2026-04-28 17:46 UTC, commit d09243d: Aurelian Phase 9 competency gates. The adventure proof now has host-testable rank/star/circle policy, status output for rank marks and standing, signifer skill gates, first-mission spell gates, and QEMU assertions for rank denial plus debrief reward.
  • 2026-04-28 18:12 UTC, commit 47dbfc5: Aurelian Phase 10 market logistics. Adventure now has typed quote/buy/sell/trade/repair calls, bounded market roles, a deterministic Maro route purchase, and QEMU assertions for market quote, successful exchange, and clean-custody trade refusal.
  • 2026-04-28 19:36 UTC, commit e204454: Aurelian Phase 11a calendar foundation. Generated content now carries fixed-smoke season/day/weather and hazard state plus bounded seasonal resources, Adventure status prints that state, and the real scenario process asserts it through Adventure.status.
  • 2026-04-30 08:56 UTC, commit 4045576: Aurelian Phase 11a calendar event metadata. Generated content now carries a fixed-smoke active festival and later military event with pure Rust validation; Adventure status prints the active event metadata, and the real scenario process asserts it through Adventure.status. Actor movement, shop mutation, witness blocking, route mutation, debrief branching, quests, gifts, and affection remain future work.
  • 2026-04-30 13:09 UTC, commit 64933131: Aurelian Phase 11a seasonal shop-stock purchase. adventure-content owns the bounded active-stock, standing-gate, remaining-stock, and depletion decision for seasonal shop purchases. The quartermaster field-rations buy path now spends audited Aurelian standing, records service-owned per-expedition seasonal stock usage, adds the ration to inventory, and the real scenario process asserts both the pre-debrief refusal and post-debrief purchase through Adventure.buy. Broader seasonal economy mutation, persistence, seeded normal-play calendars, and automatic world advancement remain future work.
  • 2026-04-28 20:08 UTC, commit 48c62db: Aurelian Phase 11b regional foundation. Generated content now carries settlement, outpost, and route metadata with validation and stable ordering; Adventure status prints a regional summary, and the real scenario process asserts it through Adventure.status.
  • 2026-04-30 12:07 UTC, commit 6afd87aa: Aurelian Phase 11b regional market transaction proof. adventure-content owns bounded reserve, commit, cancel/release, stale-version rejection, idempotent replay from ordered receipt facts, and terminal-receipt-capacity checks for one generated order-book match at a time. adventure-server keeps transaction state inside each expedition PlayerState, so fresh and resumed expeditions do not share market idempotency history. The real scenario process asserts regional quote/reserve/retry/commit/stale/release/cancel flows through existing Adventure.quote, Adventure.buy, and Adventure.sell calls.
  • 2026-04-30 13:39 UTC, commit 6605ee6a: Aurelian Phase 11b regional market delivery proof. Fresh committed field-ration receipt facts now produce a bounded player-local supply delivery into expedition inventory, while commit replay and errors do not duplicate items. The real scenario process asserts delivery of the committed quantity and no replay duplication through existing Adventure.buy and Adventure.inventory calls. NPC stores, outpost stock, currency, durable ledgers, profile balances, and crash recovery remain future work.
  • 2026-04-30 14:15 UTC, commit b1c98eb1: Aurelian ordinary inventory capacity proof. adventure-content now owns a deterministic admission helper for bounded ordinary inventory, and adventure-server routes room takes, seasonal harvests, quartermaster field-ration purchases, and regional market delivery through one helper. Regional committed delivery fails closed when the full quantity cannot fit, avoids partial duplication, and remains replayable after items are dropped.
  • 2026-04-30 14:51 UTC, commit f06aa732: Aurelian capacity replay proof. The capacity-denial path now uses authored/generated resources only, keeps transfer on the same ordinary inventory admission helper, exposes bounded repair-material collection at resource sites, and proves through the real scenario process that held regional delivery mutates no partial items and later delivers the full quantity after buy commit-field-ration from regional-market is replayed.
  • 2026-04-30 15:14 UTC, commit fd432147: Aurelian regional market currency debit proof. Fresh committed regional field-ration buys now spend two player-local Aurelian chits exactly once, expose the balance in inventory, reject insufficient balances before transaction mutation, and keep held item delivery replay independent from debit replay. NPC stores, outpost stock, durable currency ledgers, profile balances, fees, expiry advancement, and crash recovery remain future work.
  • 2026-04-30 15:53 UTC, commit 7a9a4af5: Aurelian regional outpost stock proof. Fresh committed regional field-ration buys now decrement seller ash_farm stock from six to two exactly once, expose that stock in status, reject insufficient seller stock before mutation, and keep committed replay plus held item delivery replay from decrementing again. NPC stores, broader outpost inventories, durable stock ledgers, profile balances, fees, expiry advancement, and crash recovery remain future work.
  • 2026-04-30 16:23 UTC, commit 00b18598: Aurelian regional market fee accrual proof. Fresh committed regional field-ration buys now accrue the generated buy and sell order fees into a service-owned regional-market pool exactly once, expose that pool in status, ignore release/no-cross and non-ration facts, and keep committed replay plus held item delivery replay from accruing again. NPC stores, broader outpost inventories, durable stock and currency ledgers, profile balances, durable fee ledgers, expiry advancement, and crash recovery remain future work.
  • 2026-04-30 16:57 UTC, commit bdcc23ed: Aurelian regional seller proceeds proof. Fresh committed regional field-ration buys now credit the service-owned ash_farm proceeds pool two chits exactly once, expose that pool in status, ignore release/no-cross, stale, mismatched, and non-ration facts, and keep committed replay plus held item delivery replay from crediting proceeds again. NPC stores, broader outpost inventories, durable stock and currency ledgers, durable seller-proceeds ledgers, profile balances, durable fee ledgers, expiry advancement, and crash recovery remain future work.
  • 2026-04-30 17:41 UTC, commit 29c065a9: Aurelian regional market order expiry proof. adventure-content now has pure order activity and day-aware deterministic matching; adventure-server uses the fixed smoke day for live regional-market reserve and quote, and the scenario process proves a day-73 expired field-ration reserve releases without status, inventory, currency, outpost stock, fee, seller-proceeds, or delivery mutation. Durable calendar advancement, durable order books, profile ledgers, durable fee ledgers, and crash recovery remain future work.
  • 2026-04-30 18:40 UTC, commit 205fd6a0: Aurelian regional market fee withdrawal proof. adventure-content now has a pure resolver for bounded regional-market fee withdrawal from the current pool plus applied withdrawal ids; adventure-server owns the live fee pool, applied withdrawal ids, and service treasury balance; and the scenario process proves sell withdraw-fees to regional-market moves the two accrued fee chits exactly once without mutating inventory, currency, outpost stock, seller proceeds, or delivery state.
  • 2026-04-30 19:43 UTC, commit a547db3d: Aurelian regional market receipt snapshot proof. adventure-content reconstructs RegionalMarketTransactionState from ordered receipt facts with bounded validation, and adventure-server exposes buy receipt-snapshot from regional-market to prove the old field-ration commit still replays after reconstruction without mutating live market, inventory, fee, treasury, seller-proceeds, stock, or delivery state. Durable restart loading remains future work.
  • 2026-04-30 20:07 UTC, commit 4b44b32: Aurelian regional market settlement snapshot-view proof. adventure-content checks the settlement side-effect snapshot view from applied delivery, currency debit, outpost stock decrement, fee accrual, fee withdrawal, and seller proceeds ids plus the current balances, rejects over-capacity id snapshots, and proves the already committed field-ration fact plus fee withdrawal replay as already applied. adventure-server exposes buy settlement-snapshot from regional-market, and the real scenario process proves the command leaves live status and inventory unchanged. Durable restart loading remains future work.
  • 2026-04-28 21:08 UTC, commit 0b7db05: Aurelian Phase 11c construction foundation. Generated content now carries material, facility, blueprint, artifact, and enchantment-slot metadata with pure Rust validation and deterministic property derivation; Adventure status prints a construction summary, and the real scenario process asserts it through Adventure.status. Service-mediated construction jobs are tracked by the later Phase 11c construction-job proof; escrow, durable stock ledgers, output/currency inventory, and full artifact crafting gameplay remain future work.
  • 2026-04-30 13:01 UTC, commit 9f8cfb6c: Aurelian Phase 11c construction-job proof. adventure-content owns bounded reserve/start, completion, cancel/release, stale-version rejection, idempotent replay, service-owned material hold/release facts, older terminal replay, and fact capacity checks on top of existing construction metadata. adventure-server owns per-player construction material stock and applies holds/restores only for new successful repair outcomes; completion consumes the held materials, while replay and denial paths do not mutate stock. The real scenario process asserts denial, reserve/retry, open-reserve conflict, complete/replay, stale rejection, release/replay, and reserve-after-release through existing Adventure.repair calls. Durable persistence, broad stock ledgers, outpost replenishment, output/currency inventory, job-time advancement, and general crafting remain future work.
  • 2026-04-30 22:46 UTC, commit fd57de6b: the Aurelian construction receipt snapshot follow-on is scoped to pure Rust construction receipt snapshot semantics plus a size-constrained QEMU no-mutation probe. Pure adventure-content tests reconstruct a separate construction job state from ordered facts and reject malformed, over-capacity, and non-closed snapshot shapes. The QEMU scenario drives repair receipt-snapshot with field-engineer only to confirm status, inventory, live construction state, and material stock are not mutated. The runtime command is not a proof that receipts replay into the live service, and this is not durable restart loading or a general construction persistence layer.
  • 2026-04-28 21:36 UTC, commit f53d044: Aurelian Phase 11d agent NPC budget foundation. Generated content now carries disabled-by-default optional NPC agent budget metadata with model profiles, per-session/day input/output token limits, tool-call limits, cooldown, fatigue, sleep, refusal, and audit visibility. Pure Rust fake-model tests cover spending, refusals, disabled transcript stability, bounded output, and no authority mutation from model text; Adventure status prints an aggregate budget line asserted through Adventure.status. Live LLM integration, hosted-agent execution, durable memory, autonomous NPC actions, and authority mutation from model output remain future work.
  • 2026-04-30 08:22 UTC, commit c6d887: Aurelian Phase 11d fake-agent purpose expansion. Deterministic fake-agent responses now cover personal routines, nonbinding shop negotiation flavor, and festival reactions as dialogue/proposed-action data only. Pure Rust tests cover quota spending, quota refusal, bounded lines, and no authority mutation; Adventure status prints the supported purpose count and the real scenario process asserts it through Adventure.status.
  • 2026-04-28 22:22 UTC, commit 335a9ee: Aurelian Phase 12 party foundation. Adventure now has typed local party create/invite/accept/leave/delegate calls and assist, keyed by service-created local player labels derived from live caller-session keys. The server uses the unit-tested adventure-content party transition state for invite, accept, scoped delegation, assist, and leave cleanup; the scenario process asserts the one-client cap surface and party status line. Two-client QEMU proof, transfer escrow, duel/spar/contest authority, and cross-device multiplayer remain future work.
  • 2026-04-29 06:43 UTC, commit ac49375: Aurelian Phase 12 physical-item transfer foundation. Adventure adds typed transfer for same-party service-local player labels, with ordinary inventory mutation kept atomic inside the existing service and backed by pure Rust transfer tests. The scenario process asserts one-client refusal paths without faking a second live session. Currency escrow, broad market/trade coordination, and successful two-client QEMU transfer proof remain future work.
  • 2026-04-29 18:07 UTC, commit f4a7fdb: Aurelian authority-combat verb foundation. Adventure adds the bounded challenge-authority skill and challenge authority <target> text alias for the ward-wraith proof slice: accepted ward-writ attacks hostile ward authority instead of hp, records success-only evidence/effects, and QEMU coverage exercises wrong-target, missing-authority, success, and shell-alias paths. Broader authority-combat verbs, hostile authority enemy variants, writ affixes, and rank/base reach unlocks remain future work.
  • Merged on main at commit 6678d40 (2026-04-30 03:55 UTC): Paperclips Terminal Demo follow-up. The default manifest advertises the clean-room paperclips terminal game, and system-paperclips.cue plus make run-paperclips provide the focused QEMU proof for one-at-a-time manual production, representative refusal output, explicit sales, repeatable marketing, autoclipper unlock, real-time automation, generated Cap’n Proto content loading, scaled business-phase production, precision-rollers, design-search, forecast-engine, survey-drones, and the visible == autonomous phase == transition. The demo remains outside the current SMP process scaling milestone because it exercises a standalone StdIO plus Timer terminal process rather than SMP process-count or scheduler behavior.
  • Task branch commit 88536a9e (2026-04-30 17:38 UTC): Paperclips client/server showcase first slice. The focused manifest now boots Paperclips server services plus a terminal client; the server owns generated content, game state, regular timer cadence, unlock checks, game-rule mutation, and proof-command gating, while the client receives explicit StdIO plus a PaperclipsGame endpoint.
  • Task branch commit 532207c1 (2026-04-30 20:54 UTC): Paperclips structured command-list slice. The server exposes current command specs for terminal help without changing the raw text command execution path. Normal and proof sessions use separate server endpoints, preserving proof-only run <ms> and status --json authority.
  • Task branch commit e9ae4e97 (2026-04-30 22:02 UTC): Paperclips structured plain-status snapshot slice. The server exposes PaperclipsStatusSnapshot fields for terminal-rendered plain status, while status --json remains proof-only and server-gated.
  • Task branch commit 32462e9f (2026-04-30 22:32 UTC): Paperclips structured project-list slice. The server exposes unlocked project entries for terminal-rendered plain projects, while project <id> remains raw text execution against server-owned mutable state. Remaining Paperclips showcase work includes broader structured state/events, command facets, capability transfer/revocation ergonomics, and the later web-shell client path.
  • Commit 5ef16c3 (2026-04-30 04:17 UTC): Paperclips autonomous scaling follow-up. The CUE-authored generated content now owns millisecond drone matter-conversion, factory production, probe harvest, and probe replication caps; host tests cover the bounded transitions and completion gating. The focused QEMU proof continues after == autonomous phase == through material-harvesters and foundry-lines, then asserts lower local matter, increased autonomous production, and clean process exit.
  • Commit 65f9d2c (2026-04-30 07:36 UTC): Paperclips cosmic/completion transcript follow-up. The focused QEMU proof now continues through mesh-coordination, seed-probes, == cosmic phase ==, a bounded probe interval with visible replication, cosmic-matter conversion, and clip production, then final-conversion and == complete phase ==. That proof used compact clean-room values for the cosmic matter grant and terminal conversion clip cost so the run remained representative rather than an exhaustive full playthrough.
  • Commit 52d30d2b (2026-04-30 12:00 UTC): Paperclips completion rebalance. The late-game matter and final conversion costs now prevent normal play from reaching == complete phase == within one real-time hour. The focused QEMU proof stops at the cosmic production milestone with final-conversion still locked instead of scripting a compact full win.
  • Commit 9262938b (2026-04-30 12:26 UTC): Paperclips machine-readable status follow-up. The terminal demo now supports status --json as a stable compact state snapshot, and the focused QEMU proof asserts that late-game JSON line after the cosmic milestone while preserving the human transcript checks.
  • Commit 119acaad (2026-04-30 12:53 UTC): Paperclips review-fix follow-up. Active schema, CUE content, Rust rules, generated-content guardrails, and focused smoke assertions now use clean-room Strategy internals. Purchase parsing keeps omitted counts as one but rejects explicit zero counts without mutating game state.

Recently completed visible milestone:

  • Device Driver Foundation: the selected milestone was completed by the production-authority closeout task ddf-production-authority-closeout at commit ef8d98c2 (2026-06-07 08:15 UTC; task completion recorded 2026-06-07 08:23 UTC). The DDF closeout records the landed DeviceMmio/DMAPool/Interrupt lifecycle status, the provider-driver local authority evidence, hardware-audit consumption for abort-held DMA mapping records, and the runtime fail-closed DMA backend baseline. The related GCP-first usable-instance rollup cloud-usable-instance-provider-nic-storage (2026-06-07 05:26 UTC) records live operator serial access, selected raw-frame NIC/storage evidence, and gVNIC portability, without claiming public L4 ingress, AWS/Azure support, direct-remapping production hardware, device-autonomous MSI-X delivery, full userspace smoltcp/L4 readiness, or high-throughput/multiqueue NIC readiness.
  • POSIX Adapter v0 – File/Directory fd closeout: commit f97d9833 (2026-05-23 06:23 UTC) closes the P1.4 file/directory fd surface over the existing RAM-backed root Directory cap. libcapos-posix now exposes functional open, read, write, close, lseek, opendir, readdir, and closedir for the v0 Directory-backed path, with readdir backed by a lazy Directory.list snapshot and lseek backed by the fd-table file position plus File.stat for SEEK_END. make run-posix-file boots a C process that creates "/hostname", writes and seeks through it, reads the full payload and tail, lists the root directory to find the file, proves relative paths still fail closed, exits 0, and halts QEMU.
  • POSIX Adapter v0 – Identity stubs: commit 1a8a9896 (2026-05-23 06:51 UTC) closes the P1.4 identity-stub surface. libcapos-posix now exposes getpid, getuid, and getgid from the existing unistd-style header; getpid returns the stable capos-rt bootstrap pid for the current process, while getuid and getgid return the single-identity uid/gid 0. make run-posix-identity boots a C process that prints its identity, fork/execs the same binary through the recording shim, proves the child observes a distinct pid, exits both processes cleanly, and halts QEMU. The later make run-posix-printf proof closes the printf/string subset with live formatted output, string/mem, numeric conversion, and ctype markers. Commit 90e64011 (2026-05-23 08:11 UTC) closes the signal/time surface: make run-posix-signal-time proves Timer-backed time/sleep observations plus fail-closed kill/raise signal-delivery stubs. Remaining dash-port gates are dash vendoring/patching, the multi-translation-unit C build, and run-posix-shell-smoke.
  • POSIX Adapter v0 – Pipe + fork-for-exec plus direct posix_spawn Smoke: POSIX adapter Phase P1.3 first closed at commit ceaf5475 (2026-05-07 10:04 UTC) under an in-process x86_64 setjmp/longjmp recording-shim contract. A subsequent fix slice on top – spanning commits 44838ad7 (2026-05-07 11:07 UTC) through 7c08501c (2026-05-07 14:24 UTC) and integrated into mainline-tracking history via merge commit b8c7fb43 (2026-05-07 18:16 UTC) – replaced setjmp/longjmp with the return-the-pid contract because the longjmp re-entered fork()’s already-deallocated stack frame (undefined behaviour). An iter-15..iter-22 SMP-correctness hardening cycle followed, extending the fix slice through commit 05b52873 (2026-05-07 21:07 UTC); each iteration closed a distinct kernel pipe race surface (transport-error CQE on saturated waiter restore at iter-15, deferred-error retry queue + nested-fork reset at iter-16, write-overflow queue preserving partial-write CQE at iter-17, buffer-aware EOF + combined-cap waiters + child-order fd replay + EBADF on Moved at iter-18, close+write race + fd-recording precheck + Moved self-dup2 at iter-19, same-end waiter completion on close at iter-20, close_side publishing under the buffer lock at iter-21, and the matching in-lock close re-check in handle_write at iter-22). make run-posix-pipe-smoke boots the focused manifest, links the demos/posix-pipe-shim/main.c parent and demos/posix-pipe-child/main.c child against libcapos.a + libcapos_posix.a, drives pipe(); pid_t child = fork(); if (child == 0) { dup2(); close(); child = execve(...); } close(); read(); waitpid(child); end to end through the kernel Pipe capability and the recording-shim ProcessSpawner Move-grant path, and prints [posix-pipe] read 14 bytes: hello via pipe from the parent. The parent and child both exit 0 cleanly and the QEMU scheduler halts. 
    fork() returns 0 unconditionally; dup2/close between fork and execve record into a TLS window without mutating the parent fd table; execve() drains the recording and returns the synthetic child pid as its own return value (a deliberate v0 deviation from POSIX). The direct public posix_spawn() successor proof landed at commit b8fb3131 (2026-05-13 10:15 UTC): libcapos-posix exposes posix_spawn() plus posix_spawn_file_actions_init/destroy/adddup2/addclose, and make run-posix-spawn-smoke creates a pipe, uses file actions to move the existing posix-pipe-child stdout onto the pipe, reads [posix-spawn] read 14 bytes: hello via pipe, waitpid()s the child, and halts after both processes exit 0. argv and envp are accepted for source compatibility but remain undelivered until LaunchParameters / environment support lands. The Console-backed stdio successor proof landed at commit aa6a56d7 (2026-05-13 11:03 UTC): libcapos-posix maps POSIX fd 1/2 to the granted Console cap when no stdio_<N> Pipe grant already occupies the slot, keeps fd 0 closed without stdin backing, and make run-posix-stdio-smoke prints distinct stdout/stderr markers through POSIX write before proving the no-stdin refusal path.
  • WASI Host Adapter Phase W.4 – random_get production wiring: Phase W.4 closed at commit b0f6939f (2026-05-07 20:09 UTC); Phase W.3 closed at commit ca41ecc1 (2026-05-07 18:29 UTC; the W.3 narrative stamps from 2026-05-07 18:25 UTC predate the feat commit by a few minutes); Phase W.2 closed at commit 7bfcb1d8 (2026-05-07 10:53 UTC) across four sub-slices. The bounded environment grant smoke landed at branch commit 5f5028e7 (2026-05-13 11:05 UTC). Sandboxed wasm32-wasi is now a booted language path on capOS; the W.2 slice delivered the first WASI-hosted, sandboxed portable-payload path (native C boots already existed via the libcapos C-substrate make run-c-hello and the historical POSIX-adapter DNS resolver); W.3 added the per-instance argv text grant; W.4 wires Preview 1 random_get through the kernel EntropySource cap; the 2026-05-13 follow-up adds the bounded initConfig.init.wasiEnv text grant as the v0 environment source. make run-wasi-hello-rust, make run-wasi-hello-c, make run-wasi-cli-args, make run-wasi-env, make run-wasi-random (granted), and make run-wasi-random-ungranted (refusal) are the regression, environment-grant, and W.4 gates; the environment smoke proves one granted value reaches a Rust wasm32-wasip1 payload through Preview 1 environ_get / environ_sizes_get; the random granted variant reads N=64 bytes through random_get and prints [wasi-random] entropy_bytes=64 entropy_bound_ok=true, and the ungranted variant observes ERRNO_NOSYS = 52 from the fail-closed refusal branch, which never enters the kernel. Wall-clock support stays deferred: clock_time_get(CLOCKID_REALTIME) keeps the W.2 sentinel ERRNO_NOSYS until capOS has a typed WallClock/RealTimeClock cap. The next selectable WASI work is Phase W.5 (Preview 1 filesystem), blocked on the missing Namespace/File/Store cap surface.
  • POSIX Adapter v0 – DNS Resolver Smoke: POSIX adapter Phase P1.2 Phase B completed at commit b4f1a400 (2026-05-05 21:21 UTC). The now-retired make run-posix-dns-smoke booted the focused manifest, linked the demos/posix-dns-resolver/main.c C binary against libcapos.a + the new libcapos_posix.a, sent a DNS A query for example.com through the kernel UdpSocket capability to QEMU slirp’s resolver at 10.0.2.3:53, decoded the answer-section IN/A record, and printed [posix-dns-resolver] resolved example.com -> <ipv4> (e.g. 104.20.23.154; the upstream resolver picks the value, the harness grepped loosely). The target now exits before QEMU because the qemu-only kernel UdpSocket owner was removed; rebuild the resolver on the Phase C userspace network stack before using it as validation. The vendor/dns-c-wahern/ snapshot at rel-20160808 is in-tree as a structural reference but not yet compiled into the smoke; widening the POSIX surface so dns.c can build whole is follow-on work after P1.3.
  • In-Process Threading Scalability: completed at commit 136b72de (2026-05-01 14:58 UTC) after the benchmark repair replaced the invalid 1 MiB/spinning-parent four-worker shape with a blocking-parent 16 MiB/64-round shape. Reaffirmed against the then-current single-global-queue scheduler on capos-bench 2026-05-02 21:38 UTC against main commit 374f8556 with the formal capOS+Linux 5-run pair pinned to physical-core logical CPUs 0,1,2,3: capOS work 1.883x and total 1.787x clear the configured 1-to-2 gates; matching Linux pthread baseline 1.988x/1.987x validates the shape. The 1-to-4 row became the diagnostic that justified Phase D’s fair-share enqueue policy (capOS 1.566x/1.538x vs Linux 3.963x/3.858x); Phase D WFQ later manually accepted the recorded 1-to-4 diagnostic with capOS 3.088x/2.700x and matching Linux 3.974x/3.850x. Four-worker capOS speedup remains evidence of material improvement, not a completed linear-scaling claim.
  • Multi-Process SMP Concurrency: completed at commit 3fb89923 (2026-04-30 09:45 UTC), with repeated KVM-backed process-scale evidence in target/smp-process-scale/cycle-balanced-default/ (1.608x 1-to-2 speedup) and ordinary run-smoke/run-spawn coverage under -smp 2.
  • Session-Bound Invocation Context: completed at commit 503abc9 (2026-04-30 02:26 UTC), with Gate 4 implementation verification recorded at commit faeff80 (2026-04-29 21:39 UTC). The milestone includes one immutable process session, privacy-preserving endpoint caller metadata, explicit disclosure gating, session-aware transfer scopes, chat migration, terminal/stdio bridge liveness guards, adventure shared-service cleanup, and aligned paper evidence/status text.
  • Installable System: completed through commit 12b8334a (commit timestamp 2026-06-07 18:19 UTC; task closeout 2026-06-07 18:20 UTC) for the bounded local/QEMU contract. The milestone includes persistent data-region mount, config-overlay compose/merge fallback, generation/rollback machinery, integrated installable disk packaging, target-disk install, first-boot provision, update/rollback, and structural proposal/body wording reconcile. It preserves the RAM-only Namespace caveat and does not claim secure boot/signing, production release authority, public ingress, AWS/Azure live support, direct-remapping production hardware, full userspace smoltcp/L4 readiness, or full durable account policy.
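The fork-for-exec recording-shim contract from the POSIX Adapter v0 pipe entry above (fork returns 0, dup2/close record into a per-thread window, execve drains it and returns the synthetic pid), as an added stand-alone C model that is not libcapos-posix code: the shim_* names, the fd table and the synthetic-pid spawner are constructed stand-ins, and pipe/read/waitpid are left out.

```c
/* Added example, not libcapos-posix code: a stand-alone model of the v0
 * fork-for-exec recording shim. shim_* names and the stand-in fd table and
 * synthetic-pid spawner are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define SHIM_MAX_ACTIONS 8
#define SHIM_MAX_FDS 16
enum shim_action_kind { SHIM_DUP2, SHIM_CLOSE };
struct shim_action {
    enum shim_action_kind kind;
    int oldfd, newfd;   /* DUP2: oldfd -> newfd; CLOSE: oldfd only */
};
/* Per-thread recording window: opened by fork(), drained by execve(). */
static _Thread_local struct {
    bool open;
    size_t count;
    struct shim_action actions[SHIM_MAX_ACTIONS];
} shim_window;
static int parent_fd_table[SHIM_MAX_FDS];   /* constructed: fd -> object id, -1 closed */
/* Spawner stand-in: the file actions execve() hands over and the next pid. */
static struct shim_action last_spawn_actions[SHIM_MAX_ACTIONS];
static size_t last_spawn_action_count;
static int next_synthetic_pid = 100;

/* fork(): opens the window and returns 0 unconditionally (v0 contract). */
int shim_fork(void) {
    shim_window.open = true;
    shim_window.count = 0;
    return 0;
}
static int shim_record(enum shim_action_kind kind, int oldfd, int newfd) {
    if (shim_window.count == SHIM_MAX_ACTIONS) return -1;
    shim_window.actions[shim_window.count++] = (struct shim_action){ kind, oldfd, newfd };
    return 0;
}
/* Inside the window, dup2/close only record and the parent fd table stays
 * untouched; outside it they act on the parent's own table. */
int shim_dup2(int oldfd, int newfd) {
    if (oldfd < 0 || oldfd >= SHIM_MAX_FDS || newfd < 0 || newfd >= SHIM_MAX_FDS) return -1;
    if (shim_window.open) return shim_record(SHIM_DUP2, oldfd, newfd);
    parent_fd_table[newfd] = parent_fd_table[oldfd];
    return newfd;
}
int shim_close(int fd) {
    if (fd < 0 || fd >= SHIM_MAX_FDS) return -1;
    if (shim_window.open) return shim_record(SHIM_CLOSE, fd, -1);
    if (parent_fd_table[fd] < 0) return -1;
    parent_fd_table[fd] = -1;
    return 0;
}
/* execve(): drains the window into the spawn request and returns the
 * synthetic child pid (the deliberate v0 deviation from POSIX). */
int shim_execve(const char *path) {
    (void)path;
    if (!shim_window.open) return -1;
    last_spawn_action_count = shim_window.count;
    memcpy(last_spawn_actions, shim_window.actions, sizeof(struct shim_action) * shim_window.count);
    shim_window.open = false;
    return next_synthetic_pid++;
}
/* The page's sequence minus pipe/read/waitpid; fds 3/4 stand in for the pipe
 * read/write ends. The child branch is always taken under the v0 contract. */
int shim_demo_parent_child(void) {
    for (int fd = 0; fd < SHIM_MAX_FDS; fd++) parent_fd_table[fd] = -1;
    parent_fd_table[1] = 11; parent_fd_table[3] = 30; parent_fd_table[4] = 31;
    int child = shim_fork();
    if (child == 0) {
        shim_dup2(4, 1);   /* recorded only: child stdout -> pipe write end */
        shim_close(3);     /* recorded only: child drops the read end */
        child = shim_execve("posix-pipe-child");
    }
    shim_close(4);         /* real close: parent drops its write end */
    return child;
}
```

The point to take from the model is the asymmetry the v0 contract creates: the parent's own fd table only changes for calls made outside the window, while everything inside it reaches the child solely as a recorded file-action list.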
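The W.4 random_get grant gate from the WASI Host Adapter entry above, as an added host-side C model that is not capOS code: ERRNO_SUCCESS/INVAL/NOSYS are the WASI Preview 1 values, while the EntropySource grant flag, the guest linear memory and the kernel-entry counter are constructed stand-ins.

```c
/* Added example, not capOS code: a host-side model of the W.4 random_get
 * gate. ERRNO_* are WASI Preview 1 values; the grant flag, guest memory and
 * kernel-entry counter are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ERRNO_SUCCESS 0
#define ERRNO_INVAL   28
#define ERRNO_NOSYS   52
#define GUEST_MEM_SIZE 256

struct wasi_instance {
    bool entropy_granted;              /* an EntropySource cap was granted at init */
    uint8_t guest_mem[GUEST_MEM_SIZE]; /* the instance's linear memory */
    unsigned kernel_entries;           /* constructed: counts trips into the "kernel" */
};

/* Stand-in for the kernel EntropySource read: deterministic fill, counted. */
static void kernel_entropy_fill(struct wasi_instance *inst, uint8_t *dst, size_t len) {
    inst->kernel_entries++;
    for (size_t i = 0; i < len; i++) dst[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Preview 1 random_get(buf, buf_len). The grant check runs before anything
 * else, so an ungranted instance gets ERRNO_NOSYS and never enters the kernel;
 * a granted one is still bounded to its own linear memory. */
uint16_t wasi_random_get(struct wasi_instance *inst, uint32_t buf, uint32_t buf_len) {
    if (!inst->entropy_granted) return ERRNO_NOSYS;
    if (buf_len > GUEST_MEM_SIZE || buf > GUEST_MEM_SIZE - buf_len) return ERRNO_INVAL;
    kernel_entropy_fill(inst, inst->guest_mem + buf, buf_len);
    return ERRNO_SUCCESS;
}
```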

Active visible milestone:

  • GCE Self-Hosted Web UI: serve the remote-session Web UI through the Phase C userspace network stack, prove the local cloudboot L4 path, and then prove private GCE reachability before any public endpoint. The selected milestone now has the userspace smoltcp-backed TcpListenAuthority local path proved by cloud-prod-userspace-network-stack-smoltcp-local-proof and local DHCP/IPv4 address/default-route/ARP configuration proved by cloud-prod-network-stack-dhcp-ipv4-config-local-proof; the cloudboot authority inventory (remote-session-webui-cloudboot-authority-inventory) is done and records the Web UI service authority boundary for the local L4 proof. The local Web UI L4 proof (cloud-prod-remote-session-web-ui-l4-local-proof) is done: the Phase C userspace network-stack process serves remote-session-web-ui on guest port 8080 with the full fixed-name bundle, login, a backend-held SystemInfo call, logout/stale failure, and the manual viewer under make run-cloud-prod-remote-session-web-ui-l4. Web UI session hardening (remote-session-web-ui-session-hardening) is done (2026-06-09), and Web UI connection bounds (remote-session-web-ui-connection-bounds) are done (2026-06-09): per-connection request-read/response-send deadlines in the Web UI client with a drip-feed abandon proof on the L4 gate. The narrow legacy kernel socket-path retirement is done; non-qemu manifests now reject kernel network_manager / tcp_listen_authority grants and leave those sources as qemu-only fixtures. The broader cloud-prod-phase-c-kernel-smoltcp-virtio-net-removal cleanup is also done: the kernel no longer depends on smoltcp, qemu-only kernel TCP/UDP socket entry points fail closed, and the remaining virtio-net code is lower-layer QEMU fixture evidence rather than production cloud socket ownership. The local cloud-prod-remote-session-web-ui-l4-local-proof gate consumed the done DHCP/IPv4 task and landed. 
    Legacy GCE virtio-net Web UI serving is done locally (cloud-gce-legacy-virtio-webui-serving-local-proof, 2026-06-11), the public-ingress browser hardening set (public-origin policy, SameSite policy, JSON content-type guard, headers/CSP, forwarded-scheme trust, /healthz, in-guest login hardening) is done on the L4 gate, and the no-spend provider-harness gates (private preflight, private/public evidence validators, ingress plan, teardown engine, provider-command allowlist) are done as stub-fixture evidence. cloud-gce-private-self-hosted-webui-proof remains on hold, blocked on missing firewall IAM and per-run billable authorization. Public GCE ingress and TLS remain under the separate on-hold cloud-gce-public-self-hosted-webui-ingress-tls task and require explicit authorization; the local fixture gates bound that future run but do not authorize exposure.

Paused visible milestone:

  • SSH Shell Gateway: ssh reaches the capOS login/native shell flow through an SSH-backed TerminalSession in QEMU, using host-local forwarding, public-key authentication, denied unsupported SSH features, and the same child shell capability boundary proven by Telnet. This remains planned Stage 7 work, but network-backed shell delegation should wait for durable remote-account/key prerequisites.

Candidate next visible milestones:

  • Storage Capability Substrate: add RAM-backed Store/Namespace first, then BlockDevice, local disk, and a read-only filesystem proof if the block path is ready.
  • Serial Diagnostics And AWS Serial Boot: extend the current bounded COM1 diagnostics console with richer device dumps and prove the same imported image path on AWS. GCP imported-image serial boot is already recorded.
  • Remote Shell Access: SSH, Telnet development access, and basic WebShell over the capability terminal model after session lifecycle, durable key/account, and network prerequisites are credible.
  • Cloud follow-ups after the GCP-first provider rollup: public L4 ingress and SSH/WebShell productization, AWS/Azure provider ports, broader storage variants, high-throughput/multiqueue NIC readiness, and separate cloud benchmark reruns. The completed GCP rollup record is cloud-usable-instance-provider-nic-storage.
  • Agent Shell and federated chat remain future candidates, not the default next milestones ahead of the driver/storage/cloud bring-up ladder.

Select the next milestone in docs/tasks/state.toml only after the current selected milestone is achieved and recorded, or when the user explicitly changes the selected milestone. Update or add task records and linked backlog/proposal decomposition in the same change when the new milestone needs different execution context.