Topics Index

This page is generated from document front matter fields during mdbook builds:

  • status
  • description
  • topics

Quick Orientation

Capabilities, IPC, and Authority

  • ABI Evolution Policy – Compatibility policy for capOS schema and ring ABIs.
  • Authority Accounting – Authority accounting rules for capability transfer and resource charges.
  • Cap’n Proto Error Handling – Prior-art on capnp-rpc error semantics.
  • Capability Model – Core capability object model, cap tables, schema interface IDs, grants, receiver metadata, and transfer.
  • Capability Ring – Shared-memory capability ring ABI, dispatch paths, and completion semantics.
  • Capability-Infrastructure Cluster – Decomposition of the near-term capability-infrastructure cluster: matured proposals and Stage 6 remainder that share the schema serial surface.
  • Cloudflare, Cap’n Proto, Workers RPC, and Cap’n Web – Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap’n Web, and Cloudflare’s production use of Cap’n Proto/KJ.
  • Crash Recovery and Supervision – Unplanned-failure detection, stale-cap propagation, structured crash records, watchdog liveness, and bounded restart policy for capOS services.
  • Debug and Trace Authority – Capability-scoped debug session attach, read-only cap-table inspection, ring-trace replay, and sampler authority without ambient process inspection.
  • Delegated Subject Context – Future delegated-subject and act-on-behalf-of capability model.
  • Error Handling – Current error model for capability ring CQE status, CapException payloads, endpoint RETURN exceptions, and ordinary schema result unions.
  • Error Handling – Transport and application error model for capability calls and CQE results.
  • Genode – Genode OS Framework: capability-based component model, session routing, VFS plugin architecture, POSIX compatibility, and Sculpt OS – with lessons for capOS.
  • IPC and Endpoints – Endpoint IPC, capability transfer, direct handoff, and shared-memory data paths.
  • Memory Authority Model – Memory authority, residency classes, mapping consistency, OOM boundaries, and proof obligations.
  • OS Error Handling – Cross-OS error-model comparison.
  • Rejected: Cap’n Proto SQE Envelope – Rationale for keeping ring SQEs fixed-layout instead of Cap’n Proto envelopes.
  • Rejected: Endpoint Badges as Service Identity – Post-mortem of the rejected seL4-style endpoint badge service identity model.
  • Remote Session CapSet Clients – Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap’n Proto RPC.
  • Resource Accounting and Quotas – Resource profiles, quota ledgers, donation, reservation, and fail-closed accounting semantics.
  • Schema Registry – A SchemaRegistry capability that serves Cap’n Proto reflection metadata – interface IDs, method names and ordinals, parameter/result layouts, and doc comments – at runtime, as the machine-readable twin of the System Manual.
  • Service Architecture – Capability-based service composition, authority-at-spawn, exports, and service graph policy.
  • Service Object Identity Migration – Superseded large-chunk migration plan for service object identity, retained as historical context after the active direction changed to session-bound invocation context.
  • Session Context – Current session-bound invocation context, endpoint caller-session metadata, disclosure, transfer-scope, and liveness rules.
  • Session-Bound Invocation Context – Implementation plan for one-session-per-process invocation context and session-keyed shared services.
  • Session-Bound Invocation Context – Session-bound invocation context and privacy-aware disclosure model replacing service-object identity migration.
  • Spritely, OCapN, and CapTP – Spritely, OCapN, CapTP, netlayers, locators, Syrup, promise pipelining, handoffs, and capability-network lessons for capOS.
  • Stage 6 Capability Semantics – Stage 6 capability work.
  • Standard App Capabilities – Per-app AppData storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as standard app-facing capabilities.
  • Superseded: Service Object Capabilities – Superseded service-minted object capability model that was replaced by session-bound invocation context.
  • System Info Capability – SystemInfo capability for MOTD, hostname, host metadata, help topics, and shell bundle integration.
  • System Manual Capability – A built-in man-pages analog: the Manual capability serves Unix-style reference pages, schema-derived interface manuals, and a man-shaped reference corpus through the shell, the self-served web UI, and a typed capnp API.
  • Time and Clock Authority – Capability-native wall-clock authority with provenance labeling, clock discipline, and trusted timestamps for audit and TLS.
  • Userspace Authority Broker – Userspace shell-bundle broker and lifecycle-control authority model.
  • Zircon – Fuchsia Zircon kernel: handle-based capability model, channels, VMARs/VMOs, async ports, and FIDL – with lessons for capOS capability dispatch, IPC, and memory design.

Boot, Manifests, and Init

  • Boot Flow – Kernel boot, manifest handoff, init launch, and QEMU boot-proof flow.
  • Boot to Shell – Login, setup, session, credential, and broker path from boot into the native shell.
  • Cloud Image Import and Serial-Console Boot – Cloud provider disk-image import and serial-console-boot notes.
  • Cloud Metadata – Cloud metadata and config-drive bootstrap through scoped configuration capabilities.
  • Configuration – How operators extend the default capOS boot manifest with a gitignored system.local.cue overlay and convert CUE-authored data to specified Cap’n Proto schemas.
  • Hardware, Boot, and Storage – Hardware bring-up backlog.
  • Installable System – Ordered implementation track turning the installable-system proposal into work grounded in the landed BlockDevice/filesystem/Store/writable-persistence/disk-image contracts.
  • Installable System – Design for an installed, persistent capOS that boots from disk and keeps mutable system configuration across reboots, composed with the immutable boot manifest.
  • Manifest and Service Startup – Manifest encoding, service graph validation, bootstrap grants, and init-side spawning.
  • Run Targets, Init Mandate, and Default-Run Integration – Run-target governance.
  • Stateful Task and Job Graphs – Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object.
  • System Configuration and Operator Extensibility – Layered CUE configuration model for operator boot-manifest overlays, host-user injection, and per-user toolchain caches.

Process Model, Threading, and Scheduling

Memory and Resource Accounting

  • Cloud DMA Provider Evidence Inventory – Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision.
  • Cloud Driver Foundation Gap Analysis – Gap analysis between the existing userspace virtio driver foundation and the blocked cloud NIC/storage driver tasks: what is already proven, the narrow per-task remaining work, and the superseded live-NIC runnable-now claim.
  • Device Manager Refactor – Refactor direction for separating the kernel device authority ledger from QEMU proof scaffolding.
  • DMA Assurance Model – Assurance model for DMA authority, backend selection, and proof obligations.
  • DMA Isolation – DMA isolation model for device memory, IOMMU policy, and capability-scoped hardware access.
  • DMA User-Space Driver Isolation – DMA, user-space driver, vIOMMU, and no-IOMMU bounce-buffer design consequences for capOS device authority.
  • Go VirtualMemory Contract – VirtualMemory cap contract for Go.
  • IOMMU Remapping Grounding – Primary-source grounding for Intel VT-d (landed under cfg(qemu)), AMD-Vi, and QEMU IOMMU remapping work.
  • Memory Authority Model – Memory authority model backlog.
  • Memory Authority Model – Memory authority, residency classes, mapping consistency, OOM boundaries, and proof obligations.
  • Memory Management – Physical frames, address spaces, user buffers, MemoryObject, and VirtualMemory contracts.
  • NVMe Model B Doorbell DMA Validator – Conditional DMA-address ownership model for the userspace NVMe storage provider: provider-written queue-base and PRP/SGL addresses require a non-host-physical device-visible namespace; no-IOMMU GCP planning must use brokered bounce address publication instead.
  • OOM Handling and Swap – Memory-pressure, OOM, anonymous-memory budgeting, and optional encrypted swap policy.
  • Resource Accounting and Quotas – Resource profiles, quota ledgers, donation, reservation, and fail-closed accounting semantics.
  • virtio-rng – Provenance map for the in-tree virtio-rng entropy device - spec basis, implemented wire-format subset, and its role as a QEMU-only DDF metadata and IOMMU-remapping hardware-DMA proof fixture (no userspace-facing capability, not a production driver).

Userspace Runtime, Languages, and Binaries

  • Browser Capability and Agent Web Sessions – Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services.
  • Browser Engines, Document Engines, and Agent Browsers – Browser engine portability, cap-native document-engine options, and agent-browser patterns for capOS browser capabilities.
  • Browser/WASM – Browser-hosted capOS experiment using WebAssembly and worker-per-process isolation.
  • capOS SDK and Dual Transport – capOS front-door SDK crate with a transport abstraction for in-system and remote clients, plus crate-namespace publication.
  • capos-service – Userspace service framework (Rust crate capos-service) for lifecycle, endpoint loops, readiness, shutdown, metrics, context, and resource hooks.
  • Cloudflare, Cap’n Proto, Workers RPC, and Cap’n Web – Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap’n Web, and Cloudflare’s production use of Cap’n Proto/KJ.
  • Go Runtime – Go runtime plan for GOOS=capos, memory growth, TLS, scheduling, and networking.
  • IX-on-capOS Hosting – IX as a package corpus, content-addressed build/store model, and a capability-native build-service surface for capOS.
  • Language Support Status and Plans – Current and planned programming-language support on capOS.
  • Linux Sandboxes and Virtualization for Workloads – Linux sandbox, container, gVisor, KVM, microVM, and CPU-isolation prior art for generic Linux workload execution.
  • LLVM Target – Custom LLVM target triple requirements: kernel on x86_64-unknown-none, userspace on x86_64-unknown-capos; calling conventions, TLS, relocations, and Go/C runtime porting.
  • Lua Scripting – Capability-scoped Lua runner with curated libraries and explicit grants.
  • POSIX Adapter – POSIX compatibility adapter (libcapos-posix) over the libcapos C-ABI substrate, with smallest-deps POSIX shell and DNS resolver as the first ports.
  • POSIX Adapter Dash Port – POSIX adapter Phase P1.4 (dash port) backlog – libcapos-posix file/dir/stdio/env/printf surface, dash vendoring + per-call-site patch, and the run-posix-shell-smoke harness.
  • Runtime, Networking, and Shell – Runtime/network/shell backlog.
  • Scientific Agent-Lab Software Stack – Scientific computing, solver, proof-assistant, notebook, and reproducible-package prior art for a capOS-hosted LLM research lab.
  • Scientific Standard Package and Agent Lab Capabilities – Scientific standard package and agent-lab capability services for CAS, solvers, proof assistants, notebooks, and reproducible research environments.
  • Userspace Binaries – Native userspace binary model, capos-rt authority handling, language runtimes, and compatibility adapters.
  • Userspace Runtime – capos-rt entry ABI, heap, CapSet lookup, ring client, and typed userspace capability clients.
  • WASI Host Adapter – WASI host adapter as a userspace process whose imports are backed by typed capOS capabilities. Phase W.1 host-runtime scaffold landed 2026-05-05 19:12 UTC; Phase W.2 sub-slice 1 (wasm-host binary + empty-instantiation smoke + userspace-image budget bump) landed 2026-05-06 20:19 UTC; Phase W.2 sub-slice 2 (Preview 1 stdout-only imports plus probe-driven nosys=52 proof) landed 2026-05-07 08:03 UTC; Phase W.2 sub-slice 3 (Rust hello, wasi smoke + manifest-payload load path) landed 2026-05-07 09:36 UTC; Phase W.2 sub-slice 4 (C hello, wasi smoke) landed 2026-05-07 10:53 UTC and closes Phase W.2; Phase W.3 (per-instance CapSet plumbing + LaunchParameters bounded-text argv grant + wasi-cli-args smoke) landed 2026-05-07 18:25 UTC; Phase W.4 (random_get production-ready against the kernel EntropySource cap + wasi-random granted/ungranted smokes) landed 2026-05-07 20:09 UTC. A 2026-05-13 compatibility-import smoke promotes authority-free Preview 1 imports (clock_res_get(MONOTONIC), sched_yield, and stdio fd metadata/seek behavior); a 2026-05-13 bounded environment grant reflects initConfig.init.wasiEnv through environ_get / environ_sizes_get, with make wasi-env-negative-check covering count, per-entry, total-byte, and interior-NUL rejection; the refusal smoke (make run-wasi-preview1-refusals) proves nine representative blocked filesystem/socket imports fail closed with ERRNO_NOSYS = 52 (extended 2026-05-13 21:15 UTC to cover fd_pread, fd_pwrite, path_create_directory, sock_shutdown in addition to the original five). Open Questions §1 (per-instance vs per-process) and §3 (poll_oneoff semantics) resolved 2026-05-13 16:46 UTC; §6 (environ_get source) and §7 (args_get source) reclassified as resolved by Phase W.3 with the bounded manifest-text grants. W.5 (filesystem) closed 2026-05-17 05:42 UTC: the wasm-host installs the manifest-granted root Directory cap (CapSet slot root) as a single Preview 1 preopen at fd 3 (/preopen-0) and implements path_open, fd_read, fd_write, fd_seek, fd_close, fd_filestat_get, fd_prestat_get, and fd_prestat_dir_name against the kernel Directory / File cap interface in capos-wasm/src/wasi/fs.rs (POSIX P1.4 Slice 4 resolver shape); fd_readdir over the preopen Directory.list landed 2026-05-24 08:44 UTC; fd_tell (host-side position read) and fd_filestat_set_size (over File.truncate) landed 2026-05-24 09:34 UTC, completing the File-cap method triad with no schema change; path_create_directory and path_remove_directory (over Directory.mkdir/remove, same preopen sandbox, no schema change) landed 2026-05-24 10:09 UTC; fd_pread and fd_pwrite landed 2026-05-30 14:49 UTC as positional I/O over the host File cap (no schema change – File.read/File.write already carry an explicit offset), using the WASI-supplied offset and leaving the fd’s stream position untouched (the positional-I/O invariant). path_filestat_get and path_unlink_file landed 2026-05-30 as path-resolved metadata/removal over the host File.stat / Directory.remove caps (no schema change), leaving only path_filestat_set_times, path_rename, and the symlink/link family fail-closed. The make run-wasi-fs smoke (system-wasi-fs.cue, demos/wasi-fs/, tools/qemu-wasi-fs-smoke.sh) completes a full path_open(CREAT+TRUNC) / fd_write / fd_close / re-open / fd_filestat_get / fd_seek / fd_read round trip, asserts the preopen sandbox refuses absolute paths and .. segments with ERRNO_NOTCAPABLE = 76, proves the positional fd_pwrite/fd_pread round trip leaves the offset unchanged plus the negative-offset and stdio refusals, and stats smoke.txt by path (size 4, regular-file type) before unlinking it; the existing make run-wasi-preview1-refusals smoke continues to pass with W.5-split errnos (path_open / fd_prestat_get / fd_read / path_create_directory / fd_pread / fd_pwrite / path_filestat_get / path_unlink_file now return ERRNO_BADF = 8 against an absent preopen, only the socket imports stay at ERRNO_NOSYS = 52). Store / Namespace integration remains deferred. W.6 (sockets) remains blocked on the userspace network stack. W.7 (Component Model) and W.8 (TinyGo / Go-on-WASI CUE evaluator) remain blocked on the std-userspace decision.

Shells and Interactive Surfaces

  • Boot to Shell – Login, setup, session, credential, and broker path from boot into the native shell.
  • Browser Capability and Agent Web Sessions – Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services.
  • Browser Engines, Document Engines, and Agent Browsers – Browser engine portability, cap-native document-engine options, and agent-browser patterns for capOS browser capabilities.
  • capOS-Hosted Agent Swarms – capOS-hosted OpenClaw-like personal agents, agent swarms, harness controls, memory, retrieval, and research agenda.
  • Chat As Multimedia Substrate – Chat as unified text/audio/video multimedia transport across human, agent, and service participants, with listener-cap delivery and a clean WebRTC mapping.
  • Default User Avatar – Deterministic default user avatar derived from a stable account identifier, with explicit user override.
  • Interactive Command Surfaces – Structured command-session model for native interactive applications over typed invocations.
  • Language Models and Agent Runtime – Language-model, embedder, agent-runner, and browser-agent capability interfaces.
  • Realtime Voice Agent Shell – Realtime audio agent shell model across browser media, provider sessions, and brokered tools.
  • Remote Session CapSet Clients – Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap’n Proto RPC.
  • Schema Registry – A SchemaRegistry capability that serves Cap’n Proto reflection metadata – interface IDs, method names and ordinals, parameter/result layouts, and doc comments – at runtime, as the machine-readable twin of the System Manual.
  • Shell – Native, agent-oriented, and POSIX shell models over explicit capability grants.
  • SSH Shell Gateway – SSH terminal gateway design preserving TerminalSession and broker-issued shell boundaries.
  • Stateful Task and Job Graphs – Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object.
  • System Info Capability – SystemInfo capability for MOTD, hostname, host metadata, help topics, and shell bundle integration.
  • System Manual Capability – A built-in man-pages analog: the Manual capability serves Unix-style reference pages, schema-derived interface manuals, and a man-shaped reference corpus through the shell, the self-served web UI, and a typed capnp API.
  • Telnet over TLS Shell – Optional TLS-protected Telnet TerminalSession gateway with client certificates and credential fallback.

Networking

  • Azure MANA – Provenance map for the Azure MANA NIC / GDMA wire logic - spec basis, implemented host-conformance wire-format subset, and capOS authority mapping.
  • Browser Capability and Agent Web Sessions – Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services.
  • capOS SDK and Dual Transport – capOS front-door SDK crate with a transport abstraction for in-system and remote clients, plus crate-namespace publication.
  • capos-service – Userspace service framework (Rust crate capos-service) for lifecycle, endpoint loops, readiness, shutdown, metrics, context, and resource hooks.
  • Chat As Multimedia Substrate – Chat as unified text/audio/video multimedia transport across human, agent, and service participants, with listener-cap delivery and a clean WebRTC mapping.
  • Cloud DMA Provider Evidence Inventory – Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision.
  • Cloudflare, Cap’n Proto, Workers RPC, and Cap’n Web – Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap’n Web, and Cloudflare’s production use of Cap’n Proto/KJ.
  • GCE gVNIC – Provenance map for the GCE gVNIC (Google Virtual Ethernet) NIC - spec basis from the public gVNIC docs and the GVE Linux driver, the wire-format subset capOS exercises today, and the bounded Nic-cap adaptation proof. capOS has live-GCE inventory, admin-queue/register, raw-frame GQI/QPL TX/RX, and typed Nic-adaptation proofs, but no reusable gVNIC provider service or host conformance suite yet.
  • Google Drive Storage Backend – Use a Google-authenticated user’s Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later.
  • Network Usability and Post-smoltcp – Network usability, resolver, diagnostics, and post-smoltcp backlog.
  • Network-Reachable Datapath Scope Decision – Scope decision recording that the real-GCE-boot milestone’s reachable-network-stack requirement means raw-frame TX/RX (Option A), not L4 sockets, grounded in what the billable cloudboot harness actually gates on.
  • Networking – Network capability architecture from virtio-net smoke to TCP sockets and terminal handoff.
  • Phase C Userspace NIC Driver Relocation – Phase C design for relocating the virtio-net driver into userspace: the cap-surface delta, the inline-Data Nic ABI (matching the networking-proposal draft), the writable selected-write common-config window (an extension of the accepted notify-doorbell discipline; slice 1 landed 2026-06-02 20:30 UTC at c9518b2d), the userspace-vring slice that reuses the landed production DMA isolation (bounce policy + dma_backend probe + IOMMU IOVA-export), the sustained-receive Nic ABI design used by the multi-frame TCP path, the selected serve-from-userspace 7c-ii(b) socket-authority proof, and retirement of the non-qemu legacy kernel socket grant path.
  • Pingora – Proxy/server framework as a userspace runtime case study.
  • Remote Session CapSet Client – Remote session CapSet client backlog.
  • Remote Session CapSet Clients – Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap’n Proto RPC.
  • Spritely, OCapN, and CapTP – Spritely, OCapN, CapTP, netlayers, locators, Syrup, promise pipelining, handoffs, and capability-network lessons for capOS.
  • SSH Shell Gateway – SSH terminal gateway design preserving TerminalSession and broker-issued shell boundaries.
  • Telnet over TLS Shell – Optional TLS-protected Telnet TerminalSession gateway with client certificates and credential fallback.
  • virtio-net – Provenance map for the in-tree modern virtio-net PCI NIC - spec basis, implemented wire-format subset, and capOS authority binding.

Storage, Persistence, and Naming

  • Cloud DMA Provider Evidence Inventory – Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision.
  • Google Drive Storage Backend – Use a Google-authenticated user’s Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later.
  • Hardware Audit Log Persistence – Durable, tamper-evident persistence and admission policy for the hardware audit log.
  • Hardware, Boot, and Storage – Hardware bring-up backlog.
  • Installable System – Ordered implementation track turning the installable-system proposal into work grounded in the landed BlockDevice/filesystem/Store/writable-persistence/disk-image contracts.
  • Installable System – Design for an installed, persistent capOS that boots from disk and keeps mutable system configuration across reboots, composed with the immutable boot manifest.
  • IX-on-capOS Hosting – IX as a package corpus, content-addressed build/store model, and a capability-native build-service surface for capOS.
  • Standard App Capabilities – Per-app AppData storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as standard app-facing capabilities.
  • Stateful Task and Job Graphs – Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object.
  • Storage and Naming – Capability-native storage, namespaces, boot packages, volumes, and persistence model.
  • Volume Encryption – Encryption-at-rest model for system and user volumes with recovery and KMS options.

Identity, Policy, and User Accounts

  • Configuration – How operators extend the default capOS boot manifest with a gitignored system.local.cue overlay and convert CUE-authored data to specified Cap’n Proto schemas.
  • Default User Avatar – Deterministic default user avatar derived from a stable account identifier, with explicit user override.
  • Delegated Subject Context – Future delegated-subject and act-on-behalf-of capability model.
  • Formal MAC/MIC – Formal mandatory access and integrity model for future policy and proof work.
  • Google Drive Storage Backend – Use a Google-authenticated user’s Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later.
  • Local Users, Storage, and Policy – Identity/local-user backlog.
  • OIDC and OAuth2 – Federated login, OAuth2 clients, token capabilities, JWKS, DPoP, and broker integration.
  • Rejected: Endpoint Badges as Service Identity – Post-mortem of the rejected seL4-style endpoint badge service identity model.
  • Remote Session CapSet Client – Remote session CapSet client backlog.
  • Remote Session CapSet Clients – Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap’n Proto RPC.
  • Service Object Identity Migration – Superseded large-chunk migration plan for service object identity, retained as historical context after the active direction changed to session-bound invocation context.
  • Session Context – Current session-bound invocation context, endpoint caller-session metadata, disclosure, transfer-scope, and liveness rules.
  • Session-Bound Invocation Context – Implementation plan for one-session-per-process invocation context and session-keyed shared services.
  • Session-Bound Invocation Context – Session-bound invocation context and privacy-aware disclosure model replacing service-object identity migration.
  • Standard App Capabilities – Per-app AppData storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as standard app-facing capabilities.
  • System Configuration and Operator Extensibility – Layered CUE configuration model for operator boot-manifest overlays, host-user injection, and per-user toolchain caches.
  • User Identity and Policy – User, session, profile, RBAC/ABAC/MAC, and policy-layer model for capability grants.

Cryptography, Certificates, and Trust

  • Certificates / TLS – Bounded implementation slice chain for the certificates/TLS track, from vendored verifier crates to a capOS-terminated Web UI endpoint.
  • Certificates and TLS – Capability-native X.509, trust store, ACME, pinning, and TLS configuration model.
  • Cryptography and Key Management – Capability model for keys, signing, encryption, vaults, entropy, and cryptographic policy.
  • Google Drive Storage Backend – Use a Google-authenticated user’s Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later.
  • Hardware Audit Log Persistence – Durable, tamper-evident persistence and admission policy for the hardware audit log.
  • OIDC and OAuth2 – Federated login, OAuth2 clients, token capabilities, JWKS, DPoP, and broker integration.
  • Telnet over TLS Shell – Optional TLS-protected Telnet TerminalSession gateway with client certificates and credential fallback.
  • Time and Clock Authority – Capability-native wall-clock authority with provenance labeling, clock discipline, and trusted timestamps for audit and TLS.
  • Volume Encryption – Encryption-at-rest model for system and user volumes with recovery and KMS options.

Security and Verification

  • ABI Evolution Policy – Compatibility policy for capOS schema and ring ABIs.
  • AWS Nitro EBS (NVMe storage) – Provenance map for the AWS Nitro EBS NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, and the capOS cloud-shape classification plus DMA-backend policy it binds onto.
  • Azure managed disk (NVMe storage) – Provenance map for the Azure managed-disk NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, why the older-family virtio-scsi path is out of scope, and the capOS cloud-shape classification plus DMA-backend policy it binds onto.
  • Cloud DMA Provider Evidence Inventory – Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision.
  • Cloud Driver Foundation Gap Analysis – Gap analysis between the existing userspace virtio driver foundation and the blocked cloud NIC/storage driver tasks: what is already proven, the narrow per-task remaining work, and the superseded live-NIC runnable-now claim.
  • Debug and Trace Authority – Capability-scoped debug session attach, read-only cap-table inspection, ring-trace replay, and sampler authority without ambient process inspection.
  • Device Manager Refactor – Refactor direction for separating the kernel device authority ledger from QEMU proof scaffolding.
  • DMA Assurance Model – Assurance model for DMA authority, backend selection, and proof obligations.
  • DMA Isolation – DMA isolation model for device memory, IOMMU policy, and capability-scoped hardware access.
  • DMA User-Space Driver Isolation – DMA, user-space driver, vIOMMU, and no-IOMMU bounce-buffer design consequences for capOS device authority.
  • Error Handling – Current error model for capability ring CQE status, CapException payloads, endpoint RETURN exceptions, and ordinary schema result unions.
  • Formal MAC/MIC – Formal mandatory access and integrity model for future policy and proof work.
  • Full-Scope Review 2026-06-09 – Findings ledger and decomposition source for the 2026-06-09 full-scope review of the tree at 50e8eaba (review base bb776326e, 2026-05-23).
  • GCP Persistent Disk (storage) – Provenance map for the GCP Persistent Disk storage shape - virtio-scsi vs NVMe families, the standard-NVMe wire subset it shares with docs/devices/nvme.md, the capOS cloud-shape classification, the DMA-backend policy on no-IOMMU GCE shapes, the local production brokered NVMe provider chain, and the bounded live-GCE NVMe Persistent Disk read proof.
  • IOMMU Remapping Grounding – Primary-source grounding for Intel VT-d (landed under cfg(qemu)), AMD-Vi, and QEMU IOMMU remapping work.
  • Memory Authority Model – Memory authority model backlog.
  • Memory Authority Model – Memory authority, residency classes, mapping consistency, OOM boundaries, and proof obligations.
  • NVMe – Provenance map for the NVMe controller wire subset capOS touches - conditional Model B validator scan targets, the read-only userspace bind, the reset-only CC selected-write claim, the no-IOMMU manager-op controller enable through the brokeredNvmeControllerEnable @6 verb, the no-IOMMU manager-op admin IDENTIFY through the brokeredNvmeAdminIdentify @7 verb, the brokered admin SQ/CQ doorbell + IDENTIFY command, the split admin SUBMIT @8 / COMPLETE @9 verbs whose completion handoff runs through a cap-waiter Interrupt.wait/acknowledge MSI-X route, the brokered I/O queue pair + bounded READ including one live-GCE Persistent Disk proof, and the dedicated BlockDevice data-completion Interrupt route - with spec basis and capOS authority mapping.
  • NVMe Model B Doorbell DMA Validator – Conditional DMA-address ownership model for the userspace NVMe storage provider: provider-written queue-base and PRP/SGL addresses require a non-host-physical device-visible namespace; no-IOMMU GCP planning must use brokered bounce address publication instead.
  • Panic Surface Inventory – Panic/unwrap/expect inventory.
  • Public Release and Maintainer Boundaries – Public release posture, maintainer boundaries, issue intake, and repository hygiene gates.
  • Remote Session UI Security – Web-security hardening posture for the trusted local remote-session-ui bridge, the capOS-served Web UI, public-origin carry-over policy, and the Tauri desktop wrapper.
  • Repository Composition – Repository scope, sibling project split criteria, and cross-repository organization plan.
  • Security and Verification – Security/verification backlog.
  • Security and Verification – Security review vocabulary, trust-boundary checklist, and verification tracks for capOS.
  • Security Verification Track Registry – Manual reference for Security Verification Track labels.
  • Session Archive & Gantt Effort – A pipeline to collect, normalize, and archive per-task effort data from the run-telemetry log and agent session transcripts, enabling development timeline visualization and task-duration prediction.
  • Trust Boundaries – The reviewer’s authority-boundary inventory.
  • Trusted Build Inputs – Trusted toolchain inventory.
  • Verification Workflow – The verification gates used by capOS.

Services, Operations, and Monitoring

  • Benchmarks – Current benchmark policy and results.
  • Capability-Infrastructure Cluster – Decomposition of the near-term capability-infrastructure cluster: matured proposals and Stage 6 remainder that share the schema serial surface.
  • capos-service – Userspace service framework (Rust crate capos-service) for lifecycle, endpoint loops, readiness, shutdown, metrics, context, and resource hooks.
  • Cloud Deployment – Cloud VM deployment plan covering hardware abstraction, storage, networking, and aarch64.
  • Cloud Metadata – Cloud metadata and config-drive bootstrap through scoped configuration capabilities.
  • Configuration – How operators extend the default capOS boot manifest with a gitignored system.local.cue overlay and convert CUE-authored data to specified Cap’n Proto schemas.
  • Crash Recovery and Supervision – Unplanned-failure detection, stale-cap propagation, structured crash records, watchdog liveness, and bounded restart policy for capOS services.
  • Debug and Trace Authority – Capability-scoped debug session attach, read-only cap-table inspection, ring-trace replay, and sampler authority without ambient process inspection.
  • Hardware Audit Log Persistence – Durable, tamper-evident persistence and admission policy for the hardware audit log.
  • HPC Parallel Processing Patterns – Generic single-node and multi-node parallel processing patterns for HPC-style benchmark coverage.
  • Live Upgrade – Service replacement, capability retargeting, quiesce/resume, and in-flight call handling.
  • Rejected: Endpoint Badges as Service Identity – Post-mortem of the rejected seL4-style endpoint badge service identity model.
  • Scientific Standard Package and Agent Lab Capabilities – Scientific standard package and agent-lab capability services for CAS, solvers, proof assistants, notebooks, and reproducible research environments.
  • Service Architecture – Capability-based service composition, authority-at-spawn, exports, and service graph policy.
  • Session Context – Current session-bound invocation context, endpoint caller-session metadata, disclosure, transfer-scope, and liveness rules.
  • Session-Bound Invocation Context – Session-bound invocation context and privacy-aware disclosure model replacing service-object identity migration.
  • Stateful Task and Job Graphs – Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object.
  • Superseded: Service Object Capabilities – Superseded service-minted object capability model that was replaced by session-bound invocation context.
  • System Configuration and Operator Extensibility – Layered CUE configuration model for operator boot-manifest overlays, host-user injection, and per-user toolchain caches.
  • System Monitoring – Capability-scoped logs, metrics, health checks, traces, crash records, and status views.
  • System Performance Benchmarks – Correctness-gated benchmark model for primitives, workloads, and user stories.
  • Time and Clock Authority – Capability-native wall-clock authority with provenance labeling, clock discipline, and trusted timestamps for audit and TLS.

AI, Agents, GPU, and Robotics

Demos, Onboarding, and Contributor Surfaces

Build, Tooling, and Documentation Site

  • ABI Evolution Policy – Compatibility policy for capOS schema and ring ABIs.
  • Build, Boot, and Test – Build, ISO, QEMU, host-test commands.
  • capOS Agentic Development Experiment – Longitudinal study design for using capOS development sessions, subagents, reviews, and recap tooling as an agentic software-engineering experiment.
  • capOS Repository Harness Engineering – Repository-local harness engineering for making capOS legible, checkable, and safer for long-running coding agents.
  • Current Design Authority – Current-design authority map and proposal lifecycle rule for keeping implemented behavior out of archival proposal records.
  • Documentation Workflow – How the mdBook site and generated PDF manual are positioned and built.
  • mdBook Documentation Site – Documentation-site structure, metadata, status vocabulary, and curation workflow.
  • Repository Composition – Repository scope, sibling project split criteria, and cross-repository organization plan.
  • Repository Map – Source-tree subsystem index.
  • Schema Registry – A SchemaRegistry capability that serves Cap’n Proto reflection metadata – interface IDs, method names and ordinals, parameter/result layouts, and doc comments – at runtime, as the machine-readable twin of the System Manual.
  • System Manual Capability – A built-in man-pages analog: the Manual capability serves Unix-style reference pages, schema-derived interface manuals, and a man-shaped reference corpus through the shell, the self-served web UI, and a typed capnp API.
  • Trusted Build Inputs – Trusted toolchain inventory.

Research and Papers

  • Crash Recovery and Supervision – Prior-art survey of crash recovery and supervision for the Crash Recovery proposal.
  • Debug, Trace, and Profiling Authority – Prior-art survey of debug/trace/profile authority for the Debug and Trace proposal.
  • Papers – Long-form research write-ups.
  • Research – Index of research deep-dive reports informing capOS design.
  • seL4 HAMR – Evaluation of seL4 HAMR (AADL/Slang/CAmkES) versus the capOS Cap’n Proto schema-as-contract model.
  • Time and Clock Authority – Prior-art survey of OS time/clock authority for the Time and Clock proposal.

Prior Art and Comparative OS Research

  • Capability-Based and Microkernel Operating Systems Survey – Design consequences pulled from the survey.
  • Cloudflare, Cap’n Proto, Workers RPC, and Cap’n Web – Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap’n Web, and Cloudflare’s production use of Cap’n Proto/KJ.
  • EROS, CapROS, Coyotos – Persistent capability-system lineage.
  • Future Scheduler Architecture – Survey of modern scheduler algorithms and architectures for capOS scheduler evolution.
  • Game Mechanics Prior Art – Grounded mechanics research for Aurelian Frontier seasonal play, markets, construction, and tactical combat.
  • Genode – Genode OS Framework: capability-based component model, session routing, VFS plugin architecture, POSIX compatibility, and Sculpt OS – with lessons for capOS.
  • HPC Parallel Patterns – HPC benchmark and programming-model grounding for generic parallel processing patterns.
  • Linux Sandboxes and Virtualization for Workloads – Linux sandbox, container, gVisor, KVM, microVM, and CPU-isolation prior art for generic Linux workload execution.
  • Out-of-Kernel Scheduling – Prior art survey on kernel versus userspace CPU scheduling policy split, with capOS design implications.
  • Plan 9 and Inferno – Plan 9 and Inferno: per-process namespaces, 9P protocol, file-server-as-service pattern, Dis VM, and Limbo concurrency — applied to capOS capability composition and IPC design.
  • Scientific Agent-Lab Software Stack – Scientific computing, solver, proof-assistant, notebook, and reproducible-package prior art for a capOS-hosted LLM research lab.
  • seL4 – Microkernel and capability reference.
  • Spritely, OCapN, and CapTP – Spritely, OCapN, CapTP, netlayers, locators, Syrup, promise pipelining, handoffs, and capability-network lessons for capOS.
  • Zircon – Fuchsia Zircon kernel: handle-based capability model, channels, VMARs/VMOs, async ports, and FIDL – with lessons for capOS capability dispatch, IPC, and memory design.

Stage Backlogs and Long-Form Planning

Capabilities And Security

  • POSIX fork/execve fd Inheritance – Target POSIX fork/execve full-fd-table inheritance for the recording shim, reconciled with the capability model, so unmodified POSIX software inherits stdio/cwd without bespoke per-app dup2 patches.

Hardware

  • Network-Reachable Datapath Scope Decision – Scope decision recording that the real-GCE-boot milestone’s reachable-network-stack requirement means raw-frame TX/RX (Option A), not L4 sockets, grounded in what the billable cloudboot harness actually gates on.
  • Phase C Userspace NIC Driver Relocation – Phase C design for relocating the virtio-net driver into userspace: the cap-surface delta, the inline-Data Nic ABI (matching the networking-proposal draft), the writable selected-write common-config window (an extension of the accepted notify-doorbell discipline; slice 1 landed 2026-06-02 20:30 UTC at c9518b2d), the userspace-vring slice that reuses the landed production DMA isolation (bounce policy + dma_backend probe + IOMMU IOVA-export), the sustained-receive Nic ABI design used by the multi-frame TCP path, the selected serve-from-userspace 7c-ii(b) socket-authority proof, and retirement of the non-qemu legacy kernel socket grant path.
  • Real-Filesystem Decision – Real-filesystem direction for capOS: a role-split between capnp-native managed state and read-only FAT32 for host-populated/interop images, with ext4-read deferred and FAT write rejected, grounded in the existing Directory/File/Store cap surface and the storage layouts already in tree.

Hardware And Drivers

  • ATAPI CD-ROM + ISO 9660 – Provenance map for the planned CD-ROM boot/install ATAPI PIO reader and read-only ISO 9660 driver - spec basis, implemented wire-format subset, and boot-only kernel-owned capOS mapping.
  • AWS Nitro EBS (NVMe storage) – Provenance map for the AWS Nitro EBS NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, and the capOS cloud-shape classification plus DMA-backend policy it binds onto.
  • Azure MANA – Provenance map for the Azure MANA NIC / GDMA wire logic - spec basis, implemented host-conformance wire-format subset, and capOS authority mapping.
  • Azure managed disk (NVMe storage) – Provenance map for the Azure managed-disk NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, why the older-family virtio-scsi path is out of scope, and the capOS cloud-shape classification plus DMA-backend policy it binds onto.
  • Device Driver Specifications – Per-device driver specs - cited authoritative spec, implemented wire-format subset, and capOS authority mapping.
  • Device Spec Template – Blank three-part device-spec template - copy to docs/devices/.md when starting a driver.
  • DMA User-Space Driver Isolation – DMA, user-space driver, vIOMMU, and no-IOMMU bounce-buffer design consequences for capOS device authority.
  • FAT32 (read-only backer) – Provenance map for the read-only FAT32 Directory/File backer over virtio-blk and NVMe - spec basis, the vendored fatfs read subset used, timestamp provenance limits, and the capOS cap mapping.
  • GCE gVNIC – Provenance map for the GCE gVNIC (Google Virtual Ethernet) NIC - spec basis from the public gVNIC docs and the GVE Linux driver, the wire-format subset capOS exercises today, and the bounded Nic-cap adaptation proof. capOS has live-GCE inventory, admin-queue/register, raw-frame GQI/QPL TX/RX, and typed Nic-adaptation proofs, but no reusable gVNIC provider service or host conformance suite yet.
  • GCP Persistent Disk (storage) – Provenance map for the GCP Persistent Disk storage shape - virtio-scsi vs NVMe families, the standard-NVMe wire subset it shares with docs/devices/nvme.md, the capOS cloud-shape classification, the DMA-backend policy on no-IOMMU GCE shapes, the local production brokered NVMe provider chain, and the bounded live-GCE NVMe Persistent Disk read proof.
  • NVMe – Provenance map for the NVMe controller wire subset capOS touches - conditional Model B validator scan targets, the read-only userspace bind, the reset-only CC selected-write claim, the no-IOMMU manager-op controller enable through the brokeredNvmeControllerEnable @6 verb, the no-IOMMU manager-op admin IDENTIFY through the brokeredNvmeAdminIdentify @7 verb, the brokered admin SQ/CQ doorbell + IDENTIFY command, the split admin SUBMIT @8 / COMPLETE @9 verbs whose completion handoff runs through a cap-waiter Interrupt.wait/acknowledge MSI-X route, the brokered I/O queue pair + bounded READ including one live-GCE Persistent Disk proof, and the dedicated BlockDevice data-completion Interrupt route - with spec basis and capOS authority mapping.
  • virtio-blk – Provenance map for the QEMU-fixture virtio-blk BlockDevice driver - spec basis, implemented wire-format subset, capOS authority binding, and why it is a qemu-gated fixture rather than the production storage route.
  • virtio-net – Provenance map for the in-tree modern virtio-net PCI NIC - spec basis, implemented wire-format subset, and capOS authority binding.
  • virtio-rng – Provenance map for the in-tree virtio-rng entropy device - spec basis, implemented wire-format subset, and its role as a QEMU-only DDF metadata and IOMMU-remapping hardware-DMA proof fixture (no userspace-facing capability, not a production driver).

Programming Languages And Runtimes

  • POSIX fork/execve fd Inheritance – Target POSIX fork/execve full-fd-table inheritance for the recording shim, reconciled with the capability model, so unmodified POSIX software inherits stdio/cwd without bespoke per-app dup2 patches.

Remote Session

  • Remote Session CapSet Clients – Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap’n Proto RPC.
  • Remote Session UI Security – Web-security hardening posture for the trusted local remote-session-ui bridge, the capOS-served Web UI, public-origin carry-over policy, and the Tauri desktop wrapper.

Security

  • Phase C Userspace NIC Driver Relocation – Phase C design for relocating the virtio-net driver into userspace: the cap-surface delta, the inline-Data Nic ABI (matching the networking-proposal draft), the writable selected-write common-config window (an extension of the accepted notify-doorbell discipline; slice 1 landed 2026-06-02 20:30 UTC at c9518b2d), the userspace-vring slice that reuses the landed production DMA isolation (bounce policy + dma_backend probe + IOMMU IOVA-export), the sustained-receive Nic ABI design used by the multi-frame TCP path, the selected serve-from-userspace 7c-ii(b) socket-authority proof, and retirement of the non-qemu legacy kernel socket grant path.

Storage

  • FAT32 (read-only backer) – Provenance map for the read-only FAT32 Directory/File backer over virtio-blk and NVMe - spec basis, the vendored fatfs read subset used, timestamp provenance limits, and the capOS cap mapping.
  • Real-Filesystem Decision – Real-filesystem direction for capOS: a role-split between capnp-native managed state and read-only FAT32 for host-populated/interop images, with ext4-read deferred and FAT write rejected, grounded in the existing Directory/File/Store cap surface and the storage layouts already in tree.
  • virtio-blk – Provenance map for the QEMU-fixture virtio-blk BlockDevice driver - spec basis, implemented wire-format subset, capOS authority binding, and why it is a qemu-gated fixture rather than the production storage route.