# Roadmap

Long-term direction for capOS. Related material lives elsewhere: detailed task
decomposition in `docs/backlog/`, selected-milestone state in
`docs/tasks/state.toml`, current execution order in root task records under
`docs/tasks/`, and shipped-milestone reports in `docs/changelog.md`.

## Current Direction

Current selected milestone: **GCE Self-Hosted Web UI**.

The next visible goal is a self-hosted capOS Web UI reachable through the
Phase C userspace network stack, then proved on private GCE reachability before
any public endpoint. The userspace smoltcp-backed `TcpListenAuthority` local
path is proved by
[`cloud-prod-userspace-network-stack-smoltcp-local-proof`](tasks/done/2026-06-07/cloud-prod-userspace-network-stack-smoltcp-local-proof.md).
The local DHCP/IPv4 configuration proof is done by
[`cloud-prod-network-stack-dhcp-ipv4-config-local-proof`](tasks/done/2026-06-08/cloud-prod-network-stack-dhcp-ipv4-config-local-proof.md):
the userspace stack acquires a QEMU SLIRP DHCPv4 lease, installs the default
route, resolves gateway and same-subnet ARP neighbors, and serves
`NetworkManager.getConfig` before public or live GCE exposure.

The cloudboot-local Web UI authority inventory is done by
[`remote-session-webui-cloudboot-authority-inventory`](tasks/done/2026-06-08/remote-session-webui-cloudboot-authority-inventory.md):
it records the required and forbidden `remote-session-web-ui` grants, trusted
listener/source metadata, browser-visible forbidden markers, and local L4 proof
markers for the completed cloudboot proof. Server-side session hardening is done by
[`remote-session-web-ui-session-hardening`](tasks/done/2026-06-09/remote-session-web-ui-session-hardening.md)
(Review C high closed: unpredictable rotated server-side session ids, idle/absolute
expiry enforced before dispatch, `Host`/`Origin`/double-submit-CSRF gates, and a
`Secure`-when-HTTPS cookie posture). Web UI connection bounds are done by
[`remote-session-web-ui-connection-bounds`](tasks/done/2026-06-09/remote-session-web-ui-connection-bounds.md)
(per-connection request-read/response-send deadlines in the Web UI client over
the bounded network-stack listener, with a drip-feed abandon proof).

The legacy kernel socket-path retirement is done by
[`cloud-prod-legacy-kernel-network-socket-path-retirement`](tasks/done/2026-06-08/cloud-prod-legacy-kernel-network-socket-path-retirement.md):
non-`qemu` production manifests reject kernel `network_manager` /
`tcp_listen_authority` grants, leaving those sources as qemu-only fixtures.
The local
[`cloud-prod-remote-session-web-ui-l4-local-proof`](tasks/done/2026-06-09/cloud-prod-remote-session-web-ui-l4-local-proof.md)
task is the completed service-level L4 proof on top of the userspace L4 and
DHCP/IPv4 substrate. The legacy-virtio serving gap is closed locally by
[`cloud-gce-legacy-virtio-webui-serving-local-proof`](tasks/done/2026-06-11/cloud-gce-legacy-virtio-webui-serving-local-proof.md)
(2026-06-11): a kernel-brokered legacy virtio 0.9 runtime backs the typed
`Nic` cap and a host HTTP peer fetches the byte-verified UI bundle under
`disable-modern=on`.

A public-ingress hardening set is done on the L4 gate
(public-origin policy, IAP-aware SameSite cookie policy, JSON content-type
guard, security response headers and strict CSP, GFE-range-pinned
forwarded-scheme trust, the public `/healthz` contract, and in-guest login
peer-gate/backoff hardening), and a no-spend provider-harness fixture set is
done (private `--preflight-only`, private/public proof-evidence validators,
public ingress plan gate, journal-driven teardown engine, provider-command
allowlist gate) -- all local QEMU/cloudboot or recording-stub fixture evidence
with no real provider invocation or mutation; the current ladder summary lives
in [`docs/status.md`](status.md).

[`cloud-gce-private-self-hosted-webui-proof`](tasks/on-hold/cloud-gce-private-self-hosted-webui-proof.md)
remains on hold: the cloudtest credential lacks the firewall IAM a private
same-VPC probe needs against GCE default-deny ingress, and the live run needs
per-run billable authorization. Public GCE ingress and TLS remain under the
explicit on-hold
[`cloud-gce-public-self-hosted-webui-ingress-tls`](tasks/on-hold/cloud-gce-public-self-hosted-webui-ingress-tls.md)
task and require separate authorization; the selected milestone does not grant
public exposure, broad firewall changes, TLS key custody, or production release
authority. The capOS-terminated TLS successor remains a separate later
evidence class behind the provider-terminated first public proof.
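The session-hardening entry above lists the request-time gates the self-hosted Web UI applies before dispatch. The Rust sketch below is an added illustration written for this page, not capOS's own `remote-session-web-ui` code: it shows one way those gates compose (absolute then idle expiry decided before anything else, a `Host` allowlist, `Origin` agreement with the served scheme and host, a constant-time double-submit CSRF compare on mutating requests, and a `Secure` attribute added exactly when the request arrived over HTTPS), plus an id rotation that invalidates the old id at once. Every name in it (`SessionGate`, `Request`, `Reject`, `session_cookie`, the `capos_session` cookie name, `SameSite=Lax`) is an assumption of the example; session ids and CSRF tokens are caller-supplied bytes that a CSPRNG would generate in real use.

```rust
// Added illustration, not capOS code: the request-time gates the roadmap's
// session-hardening entry lists. All names are hypothetical; ids and tokens
// are caller-supplied bytes (a CSPRNG would produce them in real use).
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq)]
pub enum Reject { UnknownSession, AbsoluteExpired, IdleExpired, BadHost, BadOrigin, CsrfMismatch }

/// Server-side record; the browser only ever holds the opaque 16-byte id.
struct Session {
    created_at: u64,      // seconds on a caller-supplied monotonic clock
    last_seen: u64,
    csrf_token: [u8; 16], // double-submit copy the page echoes in a header
}

/// What the gate needs from one request (hypothetical shape).
pub struct Request<'a> {
    pub now: u64,
    pub https: bool,
    pub host: &'a str,
    pub origin: Option<&'a str>,
    pub mutating: bool, // POST/PUT/DELETE: Origin and CSRF token are mandatory
    pub cookie_session: Option<[u8; 16]>,
    pub header_csrf: Option<[u8; 16]>,
}

pub struct SessionGate {
    sessions: HashMap<[u8; 16], Session>,
    idle_limit: u64,
    absolute_limit: u64,
    trusted_hosts: Vec<String>,
}

/// Constant-time compare so a mismatch does not leak the length of the matching prefix.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

impl SessionGate {
    pub fn new(idle_limit: u64, absolute_limit: u64, trusted_hosts: &[&str]) -> Self {
        let trusted_hosts = trusted_hosts.iter().map(|h| h.to_string()).collect();
        SessionGate { sessions: HashMap::new(), idle_limit, absolute_limit, trusted_hosts }
    }

    pub fn open(&mut self, id: [u8; 16], csrf: [u8; 16], now: u64) {
        self.sessions.insert(id, Session { created_at: now, last_seen: now, csrf_token: csrf });
    }

    /// Rotates the id (for example at login); the old id stops working at once.
    pub fn rotate(&mut self, old: [u8; 16], new: [u8; 16]) -> bool {
        match self.sessions.remove(&old) {
            Some(s) => { self.sessions.insert(new, s); true }
            None => false,
        }
    }

    /// Every gate runs before dispatch; only `Ok(())` reaches a handler.
    pub fn check(&mut self, req: &Request) -> Result<(), Reject> {
        if !self.trusted_hosts.iter().any(|h| h.as_str() == req.host) {
            return Err(Reject::BadHost);
        }
        let id = req.cookie_session.ok_or(Reject::UnknownSession)?;
        let (created_at, last_seen, csrf_token) = {
            let s = self.sessions.get(&id).ok_or(Reject::UnknownSession)?;
            (s.created_at, s.last_seen, s.csrf_token)
        };
        // Expiry is decided before anything the session could authorize.
        if req.now.saturating_sub(created_at) >= self.absolute_limit {
            self.sessions.remove(&id);
            return Err(Reject::AbsoluteExpired);
        }
        if req.now.saturating_sub(last_seen) >= self.idle_limit {
            self.sessions.remove(&id);
            return Err(Reject::IdleExpired);
        }
        // Origin, when present, must name the scheme and host we are serving.
        let expected = format!("{}://{}", if req.https { "https" } else { "http" }, req.host);
        match req.origin {
            Some(o) if o != expected.as_str() => return Err(Reject::BadOrigin),
            None if req.mutating => return Err(Reject::BadOrigin),
            _ => {}
        }
        if req.mutating {
            let tok = req.header_csrf.ok_or(Reject::CsrfMismatch)?;
            if !ct_eq(&tok, &csrf_token) {
                return Err(Reject::CsrfMismatch);
            }
        }
        if let Some(s) = self.sessions.get_mut(&id) { s.last_seen = req.now; }
        Ok(())
    }
}

/// Cookie line for the id; `Secure` is added exactly when the request came over HTTPS.
pub fn session_cookie(id: &[u8; 16], https: bool) -> String {
    let hex: String = id.iter().map(|b| format!("{:02x}", b)).collect();
    let mut c = format!("capos_session={}; Path=/; HttpOnly; SameSite=Lax", hex);
    if https { c.push_str("; Secure"); }
    c
}

fn main() {
    let mut gate = SessionGate::new(60, 3600, &["ui.example.test"]);
    gate.open([1; 16], [7; 16], 0);
    let r = Request { now: 10, https: true, host: "ui.example.test", origin: None,
        mutating: false, cookie_session: Some([1; 16]), header_csrf: None };
    println!("GET at t=10: {:?}  cookie: {}", gate.check(&r), session_cookie(&[1; 16], true));
}
```

The sketch covers only the points the session-hardening entry names; the per-connection read/send deadlines of the connection-bounds entry are a transport-level concern it does not model, and `last_seen` advances only on a request that passed every gate, so a rejected request never extends a session's idle window.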

The previous selected milestone, **Installable System**, is complete through
commit `12b8334a` (commit timestamp `2026-06-07 18:19 UTC`; task closeout
`2026-06-07 18:20 UTC`) for the bounded local/QEMU contract: persistent
data-region mount, config-overlay compose/merge fallback, generation/rollback
machinery, integrated installable disk packaging, target-disk install
(`make run-installable-install`), first-boot provision
(`make run-installable-provision`), update/rollback
(`make run-installable-update`), and structural proposal/body wording reconcile
have landed. The closeout preserves the RAM-only `Namespace` caveat and does not
claim secure boot/signing, production release authority, public ingress,
AWS/Azure live support, direct-remapping production hardware, userspace
smoltcp/L4 readiness, or full durable account policy. Detailed decomposition
lives in `docs/backlog/installable-system.md`.

The preceding selected milestone, **Device Driver Foundation**, is complete by
the `2026-06-07 08:23 UTC` production-authority closeout recorded in
[`ddf-production-authority-closeout`](tasks/done/2026-06-07/ddf-production-authority-closeout.md).
That closeout ties together the landed provider-driver, interrupt, audit, and
DMA-policy prerequisites and preserves the runtime fail-closed DMA backend
baseline: remapping only when capOS can validate it, otherwise brokered bounce
buffers or unsupported. The related GCP-first provider NIC/storage rollup is
also closed by
[`cloud-usable-instance-provider-nic-storage`](tasks/done/2026-06-07/cloud-usable-instance-provider-nic-storage.md)
(`2026-06-07 05:26 UTC`), but only for the recorded operator serial path,
selected raw-frame NIC/storage evidence, and gVNIC portability evidence. Public
L4 ingress, AWS/Azure live support, direct-remapping production hardware,
device-autonomous MSI-X delivery, userspace smoltcp/L4 readiness, and
high-throughput or multiqueue NIC readiness remain explicit future follow-ups,
not part of the closed DDF selected milestone.

The previous selected milestone, **In-Process Threading Scalability**, is
complete at commit `136b72de` (`2026-05-01 14:58 UTC`) after repairing the
benchmark validity issue found on 2026-05-01: the old 1 MiB/spinning-parent
workload was not a valid four-core scaling reference because the matching Linux
pthread baseline also stayed flat at four workers. The repaired shape now uses a
blocking parent join, 262,144 blocks (16 MiB), and `work_rounds=64`. The
controlled capOS/Linux pair on `capos-bench` 2026-05-02 21:38 UTC against
`main` commit `374f8556` (5 runs each, both pinned to physical-core logical
CPUs `0,1,2,3`) recorded capOS 1-to-2 work/total speedups `1.883x` /
`1.787x` and matching Linux pthread baseline `1.988x`/`1.987x`. Its
1-to-4 row became the diagnostic that justified Phase D's fair-share enqueue
policy: capOS sat at `1.566x`/`1.538x` while Linux scaled to
`3.963x`/`3.858x` on the same physical-core pin set. Phase D WFQ has now
closed that diagnostic gap as a scheduler-evolution milestone, recording capOS
`3.088x`/`2.700x` and Linux `3.974x`/`3.850x` on `2026-05-10`. These rows are
summarized in `docs/benchmarks.md` and `docs/changelog.md`. Historical
pre-collapse 1-to-2
(`1.828x`/`1.687x`) and the post-collapse 3-run diagnostic remain in
`docs/benchmarks.md` for reference. Ordinary `-smp 2` regression coverage
also passed.

The previous selected milestone, **Multi-Process SMP Concurrency**, is
complete at commit `3fb89923` (`2026-04-30 09:45 UTC`):
`make run-smp-process-scale` has repeated KVM-backed evidence for independent
CPU-bound worker processes with `1.608x` 1-to-2 speedup, and the ordinary
`run-smoke`/`run-spawn` coverage passed under `-smp 2`.

The previous selected milestone, **Session-Bound Invocation Context**, is
complete: normal workload processes have one immutable live session context,
endpoint calls reveal only privacy-preserving caller-session metadata by
default, explicit subject disclosure is gated by request and scope, and
chat/adventure/terminal/stdio paths no longer derive ordinary caller identity
from caller-selected service-visible metadata. Gate 4 verification is recorded
at commit `faeff80` (`2026-04-29 21:39 UTC`), and paper/status closeout is
merged at commit `503abc9`. Follow-up session lifecycle work remains outside
that completed milestone: production interactive shells need mutable session
liveness cells, explicit logout/close propagation, and renewal/recovery paths
so fixed short expiry is not the only way to bound stale authority.

Username-aware local password login is prioritized ad-hoc implementation work,
not the selected milestone, unless explicitly selected later.

Current priority ladder, reflecting user direction (2026-05-05 17:56 UTC
redirect supersedes the earlier SMP/threading-first ladder; the previous
ordering is retained as background only at the end of this section):

1. Userspace driver transition prerequisites -- the S.11.2
   hostile-smoke gate items in `docs/dma-isolation-design.md` and the
   matching open items of `docs/backlog/hardware-boot-storage.md`
   Task 3 are now closed. **S.11.2.7 stale IRQ after revoke/reset closed
   `2026-05-05 18:17 UTC`** via real-`INT $vector` cross-reset injection
   in `make run-net`. **S.11.2.8 stale DMA completion after revoke/reset
   closed `2026-05-05 19:37 UTC`** via the device-manager
   `prove_qemu_stale_dma_completion_handoff` proof in `make run-net`:
   real virtio-net DMA page free + reallocate cycle bumps the live
   ledger's page generation at three boundaries (after revoke, after
   detach, after reset/reuse), then a synthesized stale
   `DeviceDmaAllocation` is fed to the production
   `device_dma::record_virtio_net_completion_for_allocation` path and
   rejected as `stale-dma-handle` with side-effect blocking.
   **S.11.2.9 hostile-smoke gate-wiring closed `2026-05-05 20:49 UTC`**
   by aggregating every hostile-smoke acceptance matrix proof line into
   the `make run-net` -> `tools/qemu-net-smoke.sh` gate, including the
   newly wired `device-manager: devicemmio driver crash hook proof` and
   `device-manager: interrupt driver crash hook proof` assertions. The
   manifest-granted `DMAPool` path currently exposes eight fixed
   manager-owned bounce-buffer `DMABuffer` result caps with typed
   allocate/free/map/unmap/submit/complete surfaces; `DMABuffer.unmap`
   removes only the caller's borrowed userspace VMA and preserves pool/page
   and descriptor accounting, and accepted `submitDescriptor` now writes a
   bounded provider-owned queue entry plus submit marker after authority
   validation and the submit scrub. The manifest-granted
   `DeviceMmio` path now
   exposes a read-only borrowed userspace VMA over boot-preseeded BAR pages,
   with explicit `DeviceMmio.unmap`, duplicate-map/no-op-unmap denials,
   revoke-before-detach cleanup, brokered read-only `read32`, and one bounded
   `write32` effect for the provider-scoped PCI MSI-X metadata-derived
   virtio-rng vector-control mask dword, while arbitrary register writes,
   doorbells, host physical/IOVA exposure, and production provider-driver
   consumers remain blocked.
   The remaining gating prerequisites for moving NIC/block drivers out of
   the kernel are production userspace
   `DMAPool`/`DeviceMmio`/`Interrupt` handles, real device-manager page
   quiesce/scrub/release hooks, real userspace `Interrupt` waiter
   objects, and durable/signed production audit consumption beyond the first
   volatile `HardwareAuditLog.snapshot` cap. IOMMU domain programming has
   landed for the bounded QEMU Intel remapping path (umbrella closed
   `2026-05-23 23:35 UTC`); production-hardware IOMMU programming, AMD-Vi, and
   trusted sharing groups remain future work.
   The device-manager refactor proposal is already on `main` at commit
   `77358400`; treat its proof/handles/domain/transaction-helper splits as
   high-priority, behavior-preserving risk reduction only when they unblock or
   lower risk for those DDF authority gates. It remains subordinate to
   behavior-moving DDF slices and the scheduler SMP/nohz prerequisite chain.
2. Scheduler evolution in `docs/backlog/scheduler-evolution.md`:
   Phase D best-effort fair scheduling closed at commit `77caafc0`
   (`2026-05-10 19:39 UTC`) and docs commit `1a08ec23`
   (`2026-05-10 21:47 UTC`).
   The WFQ slice uses per-thread vruntime accounting,
   `SchedulingPolicyCap` weight/latency-class authority, per-CPU
   WFQ run queues, and bounded steal/migration invariants. The
   controlled Task 6 benchmark pair materially closed the 1-to-4
   thread-scale diagnostic gap: capOS recorded work/total speedups
   `3.088x` / `2.700x` versus the prior `1.566x` / `1.538x`
   baseline, while Linux on the same host/pin set recorded
   `3.974x` / `3.850x`. Phase E `SchedulingContext` capability follow-ups are
   now closed: endpoint donation/return and the scheduler-observable
   `UserSession.logout()` hook are merged; timeout/depletion notifications use
   fixed per-context cells plus drain observer results; ordinary non-donated
   session-logout stale-context coverage is proven; donated receiver logout
   keeps the conservative counted/skipped policy until endpoint return
   restores only reduced donor budget; and clean local owner-shell exit calls
   the same `UserSession.logout()` path before process exit. Phase F auto-nohz /
   SQPOLL / tickless idle follows Phase E; the one-SQ-consumer ring ownership
   prerequisite, `CpuIsolationLease` scaffold, nohz activation/deactivation
   telemetry child, explicit housekeeping/deferred-work placement, bounded
   SQPOLL ring mode, the clockevent/deadline substrate, and bounded
   producer-wake SQPOLL progress are complete. The telemetry
   proof records accepted active candidates, rejected activation decisions,
   stale/revoked rollback labels, ready and selected housekeeping CPUs,
   selected deferred-work placement or fail-closed reasons, target runnable
   entity counts, monotonic clocksource/accounting readiness, and explicit
   disabled tick/SQPOLL/full-nohz guardrails. The first two automatic nohz
   activation increments have since landed: the `CpuIsolationLease` preflight
   performs real per-CPU periodic-tick suppression for the narrow
   single-runnable-entity window with fail-closed rollback
   (`docs/tasks/done/2026/scheduler-phase-f-auto-nohz-activation.md`), and a
   ring-coupled `kernelSqpoll` lease whose bound ring is in SQPOLL
   running/sleeping mode with a live owner is admitted for tick suppression
   with the SQPOLL ring-state re-check as the decisive rollback gate
   (`docs/tasks/done/2026/scheduler-phase-f-auto-nohz-sqpoll.md`). Timeout-based
   auto-revoke, generic full-nohz for explicitly budgeted compute leases, and
   generic SQPOLL nohz for explicitly leased caller-thread rings have since
   landed; production policy-service issuance and broader
   userspace-poller/device-queue admission remain future work.
   The future full-SMP hardware scalability milestone is now recorded in the
   existing SMP/scheduler/benchmark/HPC proposal set and
   `docs/backlog/scheduler-evolution.md` Phase F.5. It targets direct
   high-core hardware/perf-runner rows at 1/2/4/8/16/32 workers, with QEMU kept
   for boot/regression and virtualization context rather than as the primary
   performance source. Phase G realtime islands follows Phase F. EEVDF is
   retained as a follow-on policy evaluation, not a Phase D blocker; generic
   full-nohz is landed for explicitly budgeted compute leases, with
   policy-service issuance still future.
3. Language-support tracks remain active high-priority parallel work
   alongside the kernel/scheduler focus. POSIX adapter v0 P1.2 (UDP
   cap + dns.c) and P1.3 (Pipe cap + fork-for-exec + recording-shim
   `posix_spawn`) landed; the remaining v0 phase is P1.4 (dash port
   + libcapos-posix file/dir/stdio/env/printf surface + the
   `run-posix-shell-smoke` harness), which is in flight against the
   Storage Phase 3 RAM-backed `File`/`Directory`/`Store`/`Namespace`
   caps. P1.4 Slice 3 (FdBacking File/Directory/Terminal variants +
   `make run-posix-file-backing-smoke`) landed at `ae58f936`, and
   Slice 4 (absolute-path resolver + functional `open()`/`opendir()`
   over the bootstrap-granted root Directory cap with per-fd file
   position + `make run-posix-open-smoke`) landed at `94b29177`.
   The file/directory fd closeout landed at commit `f97d9833`
   (`2026-05-23 06:23 UTC`): `make run-posix-file` proves `open()`,
   `write()`, `lseek()`, `read()`, `opendir()`, `readdir()`, and
   `closedir()` through a live POSIX C process. Together these bring
   POSIX file I/O to functional end-to-end parity as the first non-shell
   POSIX subsystem. Identity stubs landed at commit `1a8a9896`
   (`2026-05-23 06:51 UTC`): `make run-posix-identity` proves parent
   and fork/exec child `getpid` lines with hardcoded uid/gid `0`.
   The printf/string subset now has `make run-posix-printf`, which proves
   formatted output plus string/mem, numeric conversion, and ctype behavior
   from a live capOS C process. The signal/time surface landed at commit
   `90e64011` (`2026-05-23 08:11 UTC`): `make run-posix-signal-time`
   proves Timer-backed `time`, `nanosleep`, and `sleep` plus fail-closed
   signal-delivery stubs from a live capOS C process. Remaining P1.4 work
   is dash vendoring + smoke (Slices 11-13). Long-form decomposition lives in
   `docs/backlog/posix-adapter-dash-port.md`. WASI host adapter v0
   W.1/W.2, Lua iteration follow-ons, libcapos / libcapos-posix
   successor work, and Go runtime stay in the parallel pool when
   selectable.
4. Storage capability interfaces, starting with RAM-backed
   `Store`/`Namespace`; proceed to local disk and a small read-only
   filesystem when the block path and the userspace-driver gate are
   ready. Phase 2 (schema-only `BlockDevice`/`File`/`Directory`
   interfaces), Phase 3 slice 1 (minimal RAM-backed `File` `CapObject`
   with the `KernelCapSource::file` grant source and the
   `make run-file-server-smoke` proof), Phase 3 slice 2 (minimal
   RAM-backed `Directory` `CapObject` with the
   `KernelCapSource::directory` grant source, result-cap transfer of
   `File`/`Directory` handles, and the
   `make run-directory-server-smoke` proof), and Phase 3 slice 3 (the
   `Store`/`Namespace` schema interfaces plus minimal RAM-backed
   `Store`/`Namespace` `CapObject`s with the
   `KernelCapSource::store`/`KernelCapSource::namespace` grant sources,
   content-addressed blob storage, `Namespace.sub()` result-cap
   transfer, and the `make run-store-namespace-smoke` proof) have
   landed. The local-disk path has also reached its first read-only
   milestone: the first virtio-blk `BlockDevice` `CapObject`
   (`make run-virtio-blk`) and a read-only filesystem service over
   `BlockDevice` (`kernel/src/cap/readonly_fs.rs`, parsing a fixed
   `CAPOSRO1` on-disk layout and serving `Directory.list`/`open` +
   `File.read`; `make run-storage-fs`) now serve a known on-disk tree to a
   userspace consumer. The Local Disk Storage Milestone's final gate has also
   landed: a disk-backed persistent `Store` (`kernel/src/cap/persistent_store.rs`,
   a `CAPOSST1` on-disk layout written through the virtio-blk driver, granted
   via the `persistent_store` `KernelCapSource`) with a two-pass reboot proof
   (`make run-storage-persist`) that stores+commits a capnp object on the first
   boot and reads it back on a fresh boot of the same disk image. The Writable
   Local Storage Milestone has now landed: directory/file mutation, the
   fail-closed concurrent-writer policy, clean-reboot durability for both
   filesystem mutations and co-located `Store` objects on one disk
   (`kernel/src/cap/writable_fs.rs`, a `CAPOSWF1` sub-volume; two-pass proof
   `make run-storage-writable`), and a bounded unclean-shutdown recovery proof
   (`make run-storage-writable-recovery`): an induced forced poweroff in the
   record-written / superblock-pending window proves the next mount recovers to
   a consistent tree with the interrupted allocation atomically absent. See
   `docs/proposals/storage-and-naming-proposal.md`.
5. Keep serial diagnostics as the first remote troubleshooting path for
   cloud/hardware bring-up, then add SSH, Telnet development access, and
   basic WebShell access when network and identity prerequisites are
   credible. The host-served remote-session UI remains separate from the
   self-served capOS web UI path. The old self-served proof target is retired
   with the qemu-only kernel TCP listener; the replacement proof is the future
   Phase C Web UI L4 gate. Ordinary `make run` still starts the host-local
   remote-session CapSet path, and the full boot-resource UI bundle is served with
   fixed names and integrity labeling. The host-served `make remote-session-ui`
   bridge remains a separate trusted development path, not the self-hosted
   cloud Web UI proof.
6. Boot on GCP/AWS in staged provider tracks. The first GCP serial-console boot proof landed as run `1778230874-715a` (`2026-05-08 09:06 UTC`, source commit `3951e275`).
   The GCP-first usable-instance provider rollup is also closed:
   serial-console operator access, live virtio-net raw-frame
   `provider-nic-bound`, live NVMe Persistent Disk brokered `READ`, and
   separate gVNIC raw-frame / typed-Nic portability evidence are recorded under
   `cloud-usable-instance-provider-nic-storage`. AWS/Azure providers, public
   L4 ingress, SSH/WebShell productization, broader storage variants, and cloud
   benchmark reruns remain future gates.

Game/demo plans (Paperclips, Aurelian Frontier) are deprioritized
opportunistic-only per the same redirect; see `docs/tasks/README.md` Ad-Hoc
Planning / Research Tasks for the High / Normal / Low / Closed bands and
the dispatch ordering.

Earlier (pre-2026-05-05) priority ladder retained as background:

1. Finish a reasonable SMP/threading milestone, including the current
   scheduler hot-lock bottleneck if the milestone still claims
   scalability.
2. Build the device-driver foundation before cloud/network/storage
   expansion: ACPI/MADT/MCFG, PCI/PCIe, I/O APIC, MSI/MSI-X,
   DMA/MMIO/IRQ authority, and reusable virtio/device lifecycle code.
3. Implement storage capability interfaces, starting with RAM-backed
   `Store`/`Namespace`; proceed to local disk and a small read-only
   filesystem when the block path is ready.
4. Keep serial diagnostics as the first remote troubleshooting path for
   cloud/hardware bring-up, then add SSH, Telnet development access, and
   basic WebShell access when network and identity prerequisites are
   credible.
5. Boot on GCP/AWS in two stages: first imported-image serial-console
   boot, then a usable cloud instance with provider storage/network
   drivers and network shell access.

The 2026-05-05 ladder above is the authoritative current ordering; the
earlier ladder remains as background context only.

Details:
- `docs/tasks/README.md`
- `docs/backlog/smp-phase-c.md`
- `docs/backlog/session-bound-invocation-context.md`
- `docs/proposals/session-bound-invocation-context-proposal.md`
- `docs/proposals/user-identity-and-policy-proposal.md`
- `docs/backlog/local-users-management.md`
- `docs/proposals/boot-to-shell-proposal.md`
- `docs/proposals/oidc-and-oauth2-proposal.md`

## Whitepaper Track

A future capOS whitepaper / technical report consumes -- not duplicates --
work from the other tracks. The plan, outline, and live evidence-gap log
remain in `docs/paper/` (`plan.md`, `outline.md`, `evidence-gaps.md`).
The paper itself is a Typst project at `papers/schema-as-abi/` and is
built via `make paper`.

The paper's Tier-1 evidence requirements pull these existing items into
explicit paper-supporting roles. They are not new tracks; they are the
selection lens this track applies:

- Stage 6 session-bound invocation context migration (closes the
  "interface IS the permission" claim).
- A measurement harness over `make run-measure` producing reproducible
  ring throughput, `cap_enter` latency, IPC handoff, and schema-dispatch
  numbers (closes the ring-as-sufficient-boundary claim).
- A paper-scoped persistence proof-of-concept narrower than the storage
  proposal (closes the wire-format-enables-persistence claim).
- A paper-scoped network-transparency proof-of-concept narrower than the
  general networking proposal (closes the
  wire-format-enables-network-transparency claim).
- At least one of {promise pipelining, notification objects} (closes
  capnp-rpc-shaped composition beyond CALL/RECV).

Tier-2 strengtheners: ring-protocol Kani proof, full concurrent SMP
scheduling, end-to-end SSH Shell Gateway, one non-toy demo beyond Adventure
or First Chat.

Out of scope for the first paper (acknowledge in Future Work only):
aarch64, GPU, live upgrade, formal MAC/MIC, Go/WASI, cloud metadata,
production volume encryption.

When workplan slices close a paper-evidence gap they should reference
`docs/paper/evidence-gaps.md` and update it in the same task, including
the matching `#todo` block in `papers/schema-as-abi/main.typ`. A
structural pre-evidence draft already exists at
`papers/schema-as-abi/main.typ`; the abstract, the Evaluation section,
the Conclusion, and any contribution claim that depends on missing
Tier-1 evidence stay deferred until that evidence lands. New paper
content that does not depend on missing artifacts may be drafted at
any time and lives next to the existing `#todo` blocks.

## Completed Foundation

- **Stage 0: Foundations**: bitmap physical frame allocator, heap for `alloc`,
  IDT exception handling, and initial Cap'n Proto schema scaffolding.
- **Stage 1: Virtual Memory**: kernel and per-process address spaces, page
  table abstraction, HHDM preservation, and user-half cleanup.
- **Stage 2: User-Space Transition**: GDT/TSS/syscall setup and Ring 3
  round-trip path.
- **Stage 3: Process Abstraction**: ELF loading, process ownership of address
  spaces and cap tables, process exit cleanup, and the current `exit` /
  `cap_enter` syscall surface.
- **Stage 4: Capability Syscalls / Ring Transport**: Console capability,
  shared-memory submission/completion rings, `cap_enter`, CQE transport
  errors, and alloc-free dispatch paths.
- **Stage 5: Scheduling Core**: PIT/PIC timer preemption, round-robin
  scheduler, context switching, generation-tagged caps, and VirtualMemory cap.
- **Kernel Networking Smoke**: in-kernel QEMU virtio-net lower-layer fixture
  evidence for PCI/device discovery, descriptor-accounting guards, ARP, and
  ICMP. TCP/UDP socket proof has moved to the Phase C userspace network-stack
  gates.
- **Boot To Shell / Native Shell**: shell-led boot flow, split debug/terminal
  UARTs, local setup/login, anonymous/operator sessions, and shell REPL.
- **Verified Core**: bounded local/GitHub Kani model-checking gate plus
  high-memory proof gate for selected cap-table, frame-bitmap, transfer
  rollback, and resource accounting invariants. These are bounded model
  checks (small input sizes such as <=8 frames and 63 ELF bytes), not
  unbounded proofs; they hold within the harness bounds, not for all inputs.
- **Shared-Service Demo Base**: chat, adventure, NPC-as-process, and shared
  service harness prototypes.

Historical completion reports live in `docs/changelog.md`.

## Stage 6: IPC And Capability Transfer

Outcome: cross-process capability calls, capability transfer, revocation, and
process spawning are capability-shaped and usable by init-owned service
graphs. Caller-selected service-visible identity is being replaced by
session-bound invocation context: each normal process has one immutable session
context, endpoint calls expose privacy-preserving caller-session metadata, and
broker-granted service roots/facets carry service access.

Implemented:
- `cap_enter` blocking wait
- Endpoint kernel object
- RECV/RETURN ring opcodes
- cross-process IPC
- direct-switch IPC handoff
- legacy endpoint receiver metadata as transitional IPC machinery
- copy/move capability transfer
- `CAP_OP_RELEASE`
- runtime handle release integration
- epoch revocation and Revocable Read proof
- MemoryObject substrate -- the kernel-level mapping mechanism that backs
  zero-copy IPC. Demonstrated end-to-end by `make run-memoryobject-shared`
  (single-shot transfer) and `make run-ipc-zerocopy` (multi-message shared
  point-to-point buffer with metadata-only endpoint CALLs). The typed
  `SharedBuffer` surface and service APIs that consume it (`File.readBuf`,
  `BlockDevice.readBlocks`, NIC RX/TX rings) are still pending.
- ProcessSpawner / ProcessHandle
- init-owned manifest execution and boot package boundary cleanup
- immutable per-process `SessionContext` ownership, default child-session
  inheritance, and trusted broker-selected child sessions, demonstrated by
  `make run-session-context`

Remaining themes:
- typed `SharedBuffer` capability and consuming service APIs (storage, block,
  network, GPU) on top of the existing `MemoryObject` substrate
- notification objects (so zero-copy producers/consumers can signal each other
  without per-record endpoint CALLs)
- promise pipelining
- CapabilityManager list/grant interface
- stable service-audit identity for endpoint caller-session references across
  intentional service replacement or upgrade
- scheduling context and resource donation
- init ELF embedding

Details:
- `docs/backlog/session-bound-invocation-context.md`
- `docs/backlog/service-object-identity-migration.md` (superseded)
- `docs/backlog/stage-6-capability-semantics.md`
- `docs/proposals/service-architecture-proposal.md`
- `docs/proposals/storage-and-naming-proposal.md`
- `docs/proposals/error-handling-proposal.md`

## Stage 7: SMP, Runtime, Networking, And Shell

Outcome: capOS moves from single-CPU scheduling and local-only shell access to
multi-CPU execution, thread-aware runtime behavior, socket-shaped network
capabilities, and agent/web shell entry points.

SMP status:
- Phase A complete: BSP per-CPU syscall stack/current-thread state and unified
  kernel-entry stack hook.
- Phase B complete: APs start through Limine MP, switch to capOS kernel
  paging/stacks, initialize AP-local CPU state, and park.
- Phase C selected AP scheduler-owner proof complete: GS/`swapgs`, LAPIC
  timer/IPI, TLB shootdown, and first AP scheduler-owner proof are complete.
  Commit `d88bca7` at
  `2026-04-25 11:31 UTC` proves AP cpu=1 can run scheduler-owned user contexts
  under `-smp 2` while a scheduler-owner latch keeps the BSP in kernel idle.
  Per-CPU scheduler ownership, the narrow idle-to-runnable reschedule-IPI wake
  path, and the focused process-scale proof harness are now present.
- **Multi-Process SMP Concurrency** is complete at commit `3fb89923`
  (`2026-04-30 09:45 UTC`). `make run-smp-process-scale` records repeated raw
  QEMU serial logs plus per-case medians and fails closed below the `1.6x`
  speedup threshold. The accepted KVM-backed run recorded `1.608x` 1-to-2
  speedup, and ordinary `run-smoke`/`run-spawn` coverage passed under
  `-smp 2`.
- **In-Process Threading Scalability** has the formal capOS+Linux
  thread-scale evidence pair on `capos-bench` 2026-05-02 21:38 UTC
  against `main` commit `374f8556`: capOS work `1.883x` and total
  `1.787x` clear the configured 1-to-2 gates against the then-current
  single-global-queue scheduler; matching Linux pthread baseline
  `1.988x`/`1.987x` validates the workload shape. Its 1-to-4 row
  became the diagnostic that justified Phase D's fair-share enqueue policy
  (capOS `1.566x`/`1.538x` vs Linux `3.963x`/`3.858x` on the same
  physical-core pin set). Phase D WFQ later manually accepted the recorded
  1-to-4 diagnostic with capOS `3.088x`/`2.700x` and matching Linux
  `3.974x`/`3.850x`.

Runtime/network/shell themes:
- reconcile in-process threading implementation status and any follow-on work
- scheduler evolution after the accepted Phase D WFQ closeout: Phase E
  `SchedulingContext` capability authority is closed; CPU isolation
  housekeeping/deferred-work placement is closed; bounded SQPOLL ring mode and
  the clockevent/deadline substrate are closed; bounded non-periodic SQPOLL
  producer-wake progress is closed. The narrow single-runnable-entity and
  SQPOLL-coupled automatic nohz activation increments are closed
  (`scheduler-phase-f-auto-nohz-activation`, `scheduler-phase-f-auto-nohz-sqpoll`
  under `docs/tasks/done/2026/`); generic full-nohz for explicitly budgeted
  compute leases and generic SQPOLL nohz for explicitly leased caller-thread
  rings have since landed, while policy issuance remains future work. Keep EEVDF as a
  follow-on best-effort ordering evaluation and keep
  stateful task/job graph coordinators above CPU dispatch rather than turning
  them into global schedulers. Userspace policy-service AutoNoHz placement
  for ordinary "capable of saturating a CPU core" threads sits in Phase H
  of `docs/backlog/scheduler-evolution.md` and the "Policy-Service
  Userstories" section of
  `docs/proposals/tickless-realtime-scheduling-proposal.md`: the
  policy-service-issued `CpuIsolationLease` adds placement isolation only
  and never mints CPU-time authority, with bounded lifetime, revocation,
  accounting target, and operator-declared auto-claim pool
- session lifecycle for production shell UX: mutable session liveness cells,
  `UserSession.logout`, owner-shell/gateway close propagation, and narrow
  renewal/recovery paths that mint fresh grants without reviving stale
  ordinary caps; clean local owner-shell exit now reaches the logout path, while
  renewal/recovery remains future work
- Telnet Shell Demo as first TCP-backed `TerminalSession` proof.
  Plaintext, loopback-only research demo; not a shippable Telnet service.
- Tickless idle as the near-term timer cleanup: split clocksource from
  clockevent, convert timeout waiters to absolute deadlines (done), migrate
  the scheduler idle path to a CPL0 per-CPU kernel idle thread (done), then
  stop the periodic tick only when no runnable work exists. After the
  one-SQ-consumer, CPU-isolation authority, nohz telemetry, and housekeeping
  placement prerequisites, bounded SQPOLL ring mode and the clockevent/deadline
  substrate were closed and bounded non-periodic SQPOLL progress was proven; the
  periodic tick is now suppressed for the narrow single-runnable-entity window
  and for the ring-coupled `kernelSqpoll` lease
  (`scheduler-phase-f-auto-nohz-activation`, `scheduler-phase-f-auto-nohz-sqpoll`),
  with the periodic tick as the fail-closed fallback everywhere else.
  Timeout-based auto-revoke, generic full-nohz for explicitly budgeted compute
  leases, and generic SQPOLL nohz for explicitly leased caller-thread rings
  have since landed. See
  `docs/proposals/tickless-realtime-scheduling-proposal.md` and
  `docs/research/nohz-sqpoll-realtime.md`.
- SSH Shell Gateway as the production remote CLI successor to plaintext Telnet
  after host-key, authorized-key, audit, and persistence prerequisites exist
- remote session CapSet clients as the programmatic/UI counterpart to shells:
  regular host apps, desktop GUI/Tauri front ends, and server-side webapp
  gateways authenticate through the same session/admission path, receive
  broker-issued remote capability views, and call granted services over
  Cap'n Proto RPC without turning chat, Paperclips, agent tools, or future
  command surfaces into shell-only protocols. The first default-run development
  endpoint and focused interop harness now prove this shape with
  schema-framed Cap'n Proto DTOs; standard `capnp-rpc` proxy transport remains
  future work. Later UI-composition caps let
  capOS-side services or agents propose bounded session workspace changes
  without receiving arbitrary browser or desktop authority.
- self-served capOS web UI has historical focused proof evidence, but the old
  `make run-remote-session-self-served-web-ui` target is retired with the
  qemu-only kernel TCP listener. The replacement proof belongs to the future
  Phase C Web UI L4 gate. `make run` forwarding the guest remote-session CapSet
  endpoint is still not the same as capOS serving the web UI, and
  `make remote-session-ui` remains the host-side trusted development
  bridge. The blocked
  `remote-session-self-served-web-ui-default-run` task records the future
  decision and wiring gate if self-served UI should become part of ordinary
  `make run`.
- Telnet over TLS as an optional compatibility/service-terminal transport
  after certificate/TLS, durable identity, and session lifecycle work exists.
  It should not be a default main access interface ahead of SSH/WebShell.
- decomposed userspace NIC/network-stack milestone after driver authority gates
- native shell agent runner
- WebShellGateway using the same broker-issued shell/agent authority model

Remote shell priority: do not treat Agent Shell or WebShellGateway as the next
default visible milestone before the driver/storage foundation unless the user
explicitly redirects. SSH/WebShell production access is more useful after
session lifecycle, durable account/key material, network listener authority,
and serial/cloud diagnostics have credible proofs. Plaintext Telnet remains a
loopback/local development proof and a simple transport for exercising
`TerminalSession`; it is not a production cloud access target. Telnet over TLS
may remain as a later optional transport, but SSH and WebShell are the main
production access tracks.

Details:
- `docs/backlog/smp-phase-c.md`
- `docs/backlog/scheduler-evolution.md`
- `docs/backlog/runtime-network-shell.md`
- `docs/backlog/remote-session-capset-client.md`
- `docs/proposals/smp-proposal.md`
- `docs/proposals/scheduler-evolution-proposal.md`
- `docs/research/future-scheduler-architecture.md`
- `docs/proposals/tickless-realtime-scheduling-proposal.md`
- `docs/proposals/networking-proposal.md`
- `docs/proposals/shell-proposal.md`
- `docs/proposals/remote-session-capset-client-proposal.md`
- `docs/proposals/llm-and-agent-proposal.md`
- `docs/proposals/boot-to-shell-proposal.md`

## Hardware, Boot, And Storage

Outcome: capOS boots beyond the current ISO/QEMU manifest path, discovers real
hardware, supports block devices, and exposes local persistent storage through
typed capabilities.

Tracks:
- hybrid BIOS+UEFI raw disk image and `make run-disk`
- serial diagnostics console for cloud/hardware bring-up
- ACPI/MADT/MCFG discovery
- reusable interrupt and PCI/PCIe infrastructure
- virtio-blk and NVMe block-device paths
- boot binary ISO layout that moves ELF payloads out of the manifest blob
- RAM-backed `Store`/`Namespace`
- read-only local filesystem proof
- writable local storage with recovery policy
- installable system: boot from disk with persistent, mutable system
  configuration composed over the immutable boot manifest (own milestone,
  sequenced after the writable-local-storage milestone it builds on)
- staged cloud boot: first serial-console boot, then provider block/NIC
  drivers and network shell access

Details:
- `docs/backlog/hardware-boot-storage.md`
- `docs/proposals/cloud-deployment-proposal.md`
- `docs/proposals/storage-and-naming-proposal.md`
- `docs/proposals/installable-system-proposal.md`
- `docs/dma-isolation-design.md`

## User Identity, Sessions, And Policy

Outcome: shell, service, and future web sessions receive narrow capability
bundles based on explicit identity, freshness, policy, and audit context.

Implemented base:
- anonymous/operator shell sessions
- password setup/login proof
- broker-issued shell bundles
- redacted auth/session audit records

Remaining themes:
- manifest-seeded local accounts, recovery identities, service identities, and
  initial role/resource profiles
- disk-backed local account store over capability-native storage
- default per-account, guest, anonymous, external, and service-account resource
  bundles
- explicit external identity bindings for OIDC/passkey/cloud/certificate
  principals
- durable verifier/passkey records
- WebAuthn and passkey-only setup path
- broader AuditLog completion
- ABAC context such as auth freshness, session age, source, and claims
- mandatory-policy labels and wrapper caps
- guest and anonymous workload demos
- POSIX profile adapter metadata
- OIDC/OAuth2 integration

Details:
- `docs/proposals/user-identity-and-policy-proposal.md`
- `docs/backlog/local-users-management.md`
- `docs/proposals/oidc-and-oauth2-proposal.md`
- `docs/proposals/certificates-and-tls-proposal.md`
- `docs/proposals/cryptography-and-key-management-proposal.md`
- `docs/security/trust-boundaries.md`

## Security And Verification

Outcome: trust boundaries fail closed, proof gates stay practical, and trusted
build inputs remain review-visible.

Implemented base:
- host tests for pure logic
- Loom ring model (a bounded concurrency model of the ring protocol, not the
  shipped `kernel/src/cap/ring.rs`)
- Miri/proptest/bounded Kani model-checking paths
- dependency policy checks
- pinned Limine and Cap'n Proto tooling
- DMA isolation design gate
- panic-surface inventory

Remaining themes:
- Stage-6 trust-boundary refresh
- untrusted-service hardening and quota/exhaustion smokes
- Kani harness bounds refresh when new proof obligations are concrete
- DMA assurance model operationalization: turn the v0 TLA+/Alloy skeletons into
  checked run targets (`make model-dma-tla` / `model-dma-alloy` /
  `kani-dma-authority` + a `DeferredCompletionQueue` Loom) reconciled with landed
  DMA code and wired to CI
- Scheduler & IRQ assurance models: first formal coverage for the densest
  unmodeled race surface -- nohz activation/rollback (TLA+ + Loom), the LAPIC
  one-shot timer fix (Kani + TLA+), `CpuIsolationLease` authority (Alloy + TLA+),
  and the MSI-X waiter determinism ordering (TLA+)

Details:
- `docs/backlog/security-verification.md`
- `REVIEW.md`
- `docs/tasks/README.md`
- `docs/proposals/security-and-verification-proposal.md`
- `docs/security/verification-workflow.md`
- `docs/trusted-build-inputs.md`

## Shared-Service Demos

Outcome: multi-process demos prove resident services, shell-spawned clients,
session-bound invocation context, shared harnesses, and eventually
network-transparent federation.

Implemented:
- First Chat MVP
- Local MUD/adventure prototype
- NPC-as-process fleet
- shared service harness extraction
- session-bound chat/adventure state keyed by live caller-session metadata

Remaining themes:
- per-principal chat state and audit
- Aurelian Frontier game-depth work after the first deterministic mission slice
- native command-surface replacement for prototype `StdIO`
- federated chat after network transparency

Details:
- `docs/backlog/shared-service-demos.md`
- `docs/backlog/aurelian-frontier.md`
- `docs/demos/adventure.md`
- `docs/proposals/aurelian-frontier-proposal.md`
- `docs/proposals/interactive-command-surface-proposal.md`

## aarch64 Support

Outcome: port the architecture layer after x86_64 hardware abstraction
stabilizes.

Shared code expected to carry over:
- capability model and schema
- ring structs and transport contracts
- userspace runtime model
- process/capability abstractions above `arch/`

Architecture-specific work:
- EL0/EL1 syscall entry/exit
- GICv3 interrupts
- ARM generic timer
- PL011 UART
- TTBR0/TTBR1 MMU setup
- TPIDR_EL1 per-CPU data
- `kernel/linker-aarch64.ld`

## Future Tracks

These are not selected unless `docs/tasks/state.toml` or explicit user direction
pulls them into active selected-milestone scope. Add root task records and
backlog/proposal decomposition only when one of these tracks becomes the
selected visible outcome:

- regular Rust runtime support
- C `libcapos`
- Go `GOOS=capos`
- Python runtime adapters
- Lua scripting (Phase 0 capability-aware Lua-subset interpreter
  shipped in `demos/lua-smoke/`; PUC Lua dialect compatibility remains
  future, awaiting C/libcapos)
- POSIX compatibility adapters
- WASI runtime
- C++ experiments
- GPU/CUDA capability integration
- system monitoring
- network transparency
- process persistence/checkpoint-restore
- live upgrade
- cloud metadata
- volume encryption
- formal MAC/MIC modeling
- browser/WASM support
- robotics realtime control
- trusted time and clock authority
- crash recovery and supervision
- debug and trace authority

Use proposal files under `docs/proposals/` and research notes under
`docs/research/` before promoting any future track into `docs/tasks/README.md`.
Lua scripting should arrive as an ordinary capability-scoped userspace runner,
not as kernel scripting or ambient shell authority.

### seL4 HAMR (model-based high-assurance engineering)

Evaluated HAMR (High Assurance Modeling and Rapid engineering), covering AADL
component models, Slang/GUMBO contracts, and seL4/CAmkES backend generation,
and how that model-to-capability-system pipeline compares with capOS's "the
Cap'n Proto schema is the contract" model, capability partitioning, and the
schema-as-ABI story. Findings: `docs/research/sel4-hamr.md` (reference talk:
https://youtu.be/gP1klZJi04U).

### Crate publication

Publish capOS's reusable `no_std` crates -- `capos-abi`, `capos-lib`,
`capos-config`, and the `capos`/`capos-rt` runtime/facade -- to crates.io with
stable versioning, rendered docs, and license/metadata, so the ELF parser,
capability table, ring/SQE wire validation, manifest/CUE loader, and typed
clients can be reused and cited independently of the kernel tree. The
publish-set decision is pinned in `docs/backlog/capos-sdk-dual-transport.md`:
publish `capos-abi`, the `capos-capnp-build` build helper, `capos-config`, and
`capos-lib` first; publish `capos-rt` and the bare `capos` facade with the
transport seam; ship the `libcapos`/`libcapos-posix` C substrate as **release
artifacts only** (not crates.io -- their consumers link `.a` archives, decision
`2026-06-02 16:10 UTC`); the publish-set MSRV
is the stable Rust `1.88.0` proven by the slice-2 dry-run (the Rust 2024 floor
`1.85.0` cannot build `capos-config`'s `let` chains); and keep generated
Cap'n Proto bindings inside `capos-config` rather than publishing a separate
bindings crate. The versioning policy (pre-1.0 SemVer, schema/ABI changes as
breaking bumps, lockstep across the set) and the repeatable
`make sdk-publish-dry-run` gate are recorded in
`docs/backlog/capos-sdk-dual-transport.md`.

This track now also covers the **front-door `capos` SDK crate**: one published
crate whose typed capability clients run unchanged against two transports -- the
in-process capability ring (an application running inside capOS) and a remote
connection (a host-side RPC client) -- behind a `Transport` seam. The bare
`capos` name is the facade; `capos-rt` provides the ring transport and the
`remote` feature provides the host transport. The seam and facade have landed:
`capos-rt` defines the `Transport` trait and the in-system `RingTransport`, the
typed clients are transport-generic, and the standalone `capos` facade crate
re-exports the runtime, clients, and `entry_point!` macro behind the default
`ring` feature (proved in-system by `make run-spawn`). The `remote` transport
backend is still to come. Crates.io remains a flat, first-come namespace; the
exact crate names were verified free before the `2026-06-05` upload and are now
claimed by the capOS `0.1.0` release, while the adjacent `capos-bitstruct`
crate from an unrelated `cap-os/rust-tools` repository shows the namespace
contention risk. The near-term reservation work is closed: existing reusable
layers were published with real content, the bare `capos` facade was reserved
with transport-seam content, and the seam landed early. The repository-wide
license file required by the public-release boundary is recorded (`LICENSE-APACHE` /
`LICENSE-MIT`, `MIT OR Apache-2.0` on the SDK crates). The first six-crate
`0.1.0` publish completed on 2026-06-05 after the final crates.io name
re-check, the custom-target SDK gate, and the local Cargo API-token upload. The
`capos-config` docs.rs accommodation is implemented through the packaged
generated-binding fallback, and the GitHub Actions trusted-publishing workflow
is present for subsequent releases from `refs/heads/main` after a current
explicit user release instruction and crates.io trusted publishers are
configured for the six crates. Decomposition and publication ordering are in
`docs/backlog/capos-sdk-dual-transport.md`; the transitional host-backend
remote transport (slice 4a) can ship now, while the live-proxy `capnp-rpc`
upgrade (slice 4b) remains gated on the remote-session async-runtime rewrite.

## Observable Milestones

Completed visible milestones:
- 2026-04-22 16:35 UTC, commit `d4016ab`: Unprivileged Stranger
- 2026-04-23 08:41 UTC, commit `f554e88`: Native Cap Shell
- 2026-04-23 13:39 UTC, commit `e5adafb`: Boot to Shell
- 2026-04-23 16:15 UTC, commit `7f19af2`: Revocable Read
- 2026-04-23 16:34 UTC, commit `8b66c13`: split UART shell session
- 2026-04-23 22:09 UTC, commit `d43b691`: Verified Core
- 2026-04-24 00:13 UTC, commit `2cd85a8`: First Chat MVP
- 2026-04-24 01:40 UTC, commit `add7f9b`: Local MUD/adventure prototype
- 2026-04-24 03:13 UTC, commit `da5f5e9`: Ring as Black Box
- 2026-04-24 15:37 UTC, commit `b56a5c1`: First Packet
- 2026-04-24 16:47 UTC, commit `a4f1722`: First HTTP
- 2026-04-25 05:36 UTC, commit `0b79054`: SMP Phase A: per-CPU data on BSP
- 2026-04-25 06:59 UTC, commit `d3c30c6`: SMP Phase B: APs running
- 2026-04-25 11:31 UTC, commit `d88bca7`: First AP Scheduler
- 2026-04-25 20:25 UTC, commit `2834bfc`: Telnet Shell Demo
- 2026-04-30 09:45 UTC, commit `3fb89923`: Multi-Process SMP Concurrency
- 2026-05-01 14:23 UTC, commit `fb102828`: Remote Session CapSet Web UI Proof
- 2026-05-11 14:38 UTC, branch commit `28db3277`: Self-Served capOS
  Remote Session Web UI Proof. The now-retired
  `make run-remote-session-self-served-web-ui` target booted the focused
  manifest, loaded browser assets from the capOS `remote-session-web-ui`
  service over its scoped listener, denied no-cookie browser commands, called
  backend-held `SystemInfo`, logged out, and then attempted the retained
  backend-held `SystemInfo` capability to prove
  expired-session stale failure. The host `make remote-session-ui` bridge
  remains a development tool.
- 2026-05-13 11:05 UTC, branch commit `5f5028e7`: WASI bounded
  environment grant smoke. `make run-wasi-env` boots the focused
  wasm-host manifest, reads the bounded `initConfig.init.wasiEnv`
  text grant, reflects it through Preview 1 `environ_get` /
  `environ_sizes_get`, and the Rust `wasm32-wasip1` payload prints
  `[wasi-env] CAPOS_WASI_ENV_SENTINEL=capos-wasi-env-sentinel`.
  Missing `wasiEnv` remains the empty-environment behavior.
- 2026-05-01 16:13 UTC, commit `5198e255`: Remote Session Adventure Launch
- Cloudboot run `1778230874-715a` (`2026-05-08 09:06 UTC`), source
  commit `3951e275` (`2026-05-08 08:50 UTC`): GCP Imported-Image Serial
  Boot. `make cloudboot-test` booted the GCE imported disk image to the
  `capos kernel starting` serial landmark on a temporary no-public-IP,
  no-service-account `e2-small` instance, captured serial output, and tore
  down the temporary cloud resources. This is a boot-path portability
  milestone, not provider NIC/storage driver readiness.
- GCP-first usable-instance provider rollup, closed `2026-06-07 05:26 UTC` by
  commit `b5fdcc3e` and `cloud-usable-instance-provider-nic-storage`:
  serial-console operator access run `1779868872-2424` (source commit
  `c92c8bc1`), live legacy virtio-net raw-frame `provider-nic-bound` run
  `1780412056-e1cb` (source commit `1fb65683`), live NVMe Persistent Disk
  brokered `READ` run `1780806087-bf69` (source commit `28518165`), and
  separate live gVNIC raw-frame / typed-Nic portability runs
  `1780794927-1aa9` (source commit `3ef8997a`) and `1780796615-decc` (source
  commit `2a0857d`). This closes the selected GCP provider NIC/storage bar
  while leaving public L4 ingress,
  SSH/WebShell productization, AWS/Azure providers, broader storage,
  high-throughput/multiqueue NIC, and direct-remapping DMA for future tracks.
- Device Driver Foundation (DDF) bounded-authority proof series, `2026-05-08`
  through `2026-05-23`: read-only hardware-audit snapshots
  (`make run-hardware-audit*`), bounded `DMAPool`/`DMABuffer` result caps with
  parent-first release and proof-slot reuse (`make run-dmapool-grant`),
  `DeviceMmio` brokered read/write and `Interrupt` wait/ack/mask/unmask grant
  proofs (`make run-devicemmio-grant`, `make run-interrupt-grant`,
  `make run-hardware-grant-cycle`), a device-manager-owned `DMAPool` budget
  ledger, and the userspace provider-consumer TX/RX path
  (`make run-ddf-provider-consumer`): bounded selected-route descriptor/avail/
  doorbell/used-ring/CQ handoffs, full selected TX queue-depth CQ ownership,
  bounded RX synthetic-token CQ identity, selected TX/RX MSI-X/LAPIC
  wait/ack/EOI, selected-route reset/reassignment, and teardown/stale-handle
  blocking. These are bounded-proof milestones, not live hardware RX used-ring
  ownership, full virtio-net ownership, direct DMA/IOMMU, cloud NIC/storage
  readiness, or production userspace driver readiness. The provider
  virtio-net closeout slice is commit `c86374f8` (`2026-05-23 16:51 UTC`); the
  executable decomposition and remaining gates live in
  `docs/backlog/hardware-boot-storage.md` and the DDF task files under
  `docs/tasks/`.

Visible demo follow-ups:
- Adventure/shared-service follow-ups after the Local MUD prototype:
  `73d83aa`, `da51dc7`, `353c8bc`, `e20cf07`, `948c96e`, and
  `ca6300c`. These refine discoverability, room context, expedition map, relic
  custody, explicit resume, and chat-only named actors; detailed reports live
  in commit history.
- 2026-04-26 04:10 UTC, commit `5480304`: Scoped Telnet Gateway Authority.
  `telnet-gateway` now uses manifest-forwarded scoped listener authority plus
  `RestrictedShellLauncher`; detailed verification history lives in commit
  history.
- 2026-04-26 23:12 EEST, commit `4304b0e`: Default run Telnet wiring.
  The default manifest starts `telnet-gateway`, and `make run` attaches
  host-local `127.0.0.1:2323 -> guest :23` forwarding.
- 2026-05-01 16:54 UTC, branch commit `367117be`: Default run Telnet wiring
  retired. The default manifest no longer starts `telnet-gateway`, and
  `make run` now forwards only the remote-session CapSet endpoint. The
  plaintext Telnet research fixture was later retired with the qemu-only kernel
  TCP listener; `make run-telnet` now exits before QEMU with a retirement
  diagnostic.
- 2026-05-02 02:24 UTC, branch commit `84f5ac61`: Remote Session Gate 3
  auth-denial proof. Focused backend/account-store coverage rejects inactive
  accounts, unknown principals, and missing or retired resource profiles before
  remote-client bundle authority exists. The live CLI/QEMU proof now drives bad
  password proof, unknown account, wrong requested profile, and anonymous
  profile mismatch denials before any session, CapSet, or service-launch
  activity; denied re-login clears prior gateway/client/UI session state.
- 2026-05-02 06:23 UTC, branch commit `482e5e07`: Remote Session Adventure
  mutable control proof. The remote Adventure fixture and trusted web bridge
  now call bounded `Adventure.go(direction)` through the same session-bound
  worker/client path as status, look, and inventory, then verify movement text,
  changed room state, redacted transcripts, and visible-button UI automation
  without exposing raw capOS authority.
- 2026-04-27 00:02 EEST, commit `7a155f4`: Telnet IAC handoff fix and
  repeat-connect support. Telnet handoff no longer consumes raw socket input
  before `intoTerminalSession`, repeated host connections succeed, and the
  harness drives two consecutive sessions.
- 2026-04-28 17:46 UTC, commit `d09243d`: Aurelian Phase 9 competency gates.
  The adventure proof now has host-testable rank/star/circle policy, status
  output for rank marks and standing, signifer skill gates, first-mission
  spell gates, and QEMU assertions for rank denial plus debrief reward.
- 2026-04-28 18:12 UTC, commit `47dbfc5`: Aurelian Phase 10 market logistics.
  Adventure now has typed quote/buy/sell/trade/repair calls, bounded market
  roles, a deterministic Maro route purchase, and QEMU assertions for market
  quote, successful exchange, and clean-custody trade refusal.
- 2026-04-28 19:36 UTC, commit `e204454`: Aurelian Phase 11a calendar
  foundation. Generated content now carries fixed-smoke season/day/weather and
  hazard state plus bounded seasonal resources, Adventure status prints that
  state, and the real scenario process asserts it through `Adventure.status`.
- 2026-04-30 08:56 UTC, commit `4045576`: Aurelian Phase 11a calendar event
  metadata. Generated content now carries a fixed-smoke active festival and
  later military event with pure Rust validation; Adventure status prints the
  active event metadata, and the real scenario process asserts it through
  `Adventure.status`. Actor movement, shop mutation, witness blocking, route
  mutation, debrief branching, quests, gifts, and affection remain future work.
- 2026-04-30 13:09 UTC, commit `64933131`: Aurelian Phase 11a seasonal
  shop-stock purchase. `adventure-content` owns the bounded active-stock,
  standing-gate, remaining-stock, and depletion decision for seasonal shop
  purchases. The quartermaster `field-rations` buy path now spends audited
  Aurelian standing, records service-owned per-expedition seasonal stock usage,
  adds the ration to inventory, and the real scenario process asserts both the
  pre-debrief refusal and post-debrief purchase through `Adventure.buy`.
  Broader seasonal economy mutation, persistence, seeded normal-play calendars,
  and automatic world advancement remain future work.
- 2026-04-28 20:08 UTC, commit `48c62db`: Aurelian Phase 11b regional
  foundation. Generated content now carries settlement, outpost, and route
  metadata with validation and stable ordering; Adventure status prints a
  regional summary, and the real scenario process asserts it through
  `Adventure.status`.
- 2026-04-30 12:07 UTC, commit `6afd87aa`: Aurelian Phase 11b regional market
  transaction proof. `adventure-content` owns bounded reserve, commit,
  cancel/release, stale-version rejection, idempotent replay from ordered
  receipt facts, and terminal-receipt-capacity checks for one generated
  order-book match at a time. `adventure-server` keeps transaction state inside
  each expedition `PlayerState`, so fresh and resumed expeditions do not share
  market idempotency history. The real scenario process asserts regional
  quote/reserve/retry/commit/stale/release/cancel flows through existing
  `Adventure.quote`, `Adventure.buy`, and `Adventure.sell` calls.
- 2026-04-30 13:39 UTC, commit `6605ee6a`: Aurelian Phase 11b regional market
  delivery proof. Fresh committed `field-ration` receipt facts now produce a
  bounded player-local supply delivery into expedition inventory, while commit
  replay and errors do not duplicate items. The real scenario process asserts
  delivery of the committed quantity and no replay duplication through existing
  `Adventure.buy` and `Adventure.inventory` calls. NPC stores, outpost stock,
  currency, durable ledgers, profile balances, and crash recovery remain future
  work.
- 2026-04-30 14:15 UTC, commit `b1c98eb1`: Aurelian ordinary inventory
  capacity proof. `adventure-content` now owns a deterministic admission helper
  for bounded ordinary inventory, and `adventure-server` routes room takes,
  seasonal harvests, quartermaster field-ration purchases, and regional market
  delivery through one helper. Regional committed delivery fails closed when
  the full quantity cannot fit, avoids partial duplication, and remains
  replayable after items are dropped.
- 2026-04-30 14:51 UTC, commit `f06aa732`: Aurelian capacity replay proof.
  The capacity-denial path now uses authored/generated resources only, keeps
  transfer on the same ordinary inventory admission helper, exposes bounded
  repair-material collection at resource sites, and proves through the real
  scenario process that held regional delivery mutates no partial items and
  later delivers the full quantity after `buy commit-field-ration from
  regional-market` is replayed.
- 2026-04-30 15:14 UTC, commit `fd432147`: Aurelian regional market currency
  debit proof. Fresh committed regional `field-ration` buys now spend two
  player-local Aurelian chits exactly once, expose the balance in inventory,
  reject insufficient balances before transaction mutation, and keep held item
  delivery replay independent from debit replay. NPC stores, outpost stock,
  durable currency ledgers, profile balances, fees, expiry advancement, and
  crash recovery remain future work.
- 2026-04-30 15:53 UTC, commit `7a9a4af5`: Aurelian regional outpost stock
  proof. Fresh committed regional `field-ration` buys now decrement seller
  `ash_farm` stock from six to two exactly once, expose that stock in status,
  reject insufficient seller stock before mutation, and keep committed replay
  plus held item delivery replay from decrementing again. NPC stores, broader
  outpost inventories, durable stock ledgers, profile balances, fees, expiry
  advancement, and crash recovery remain future work.
- 2026-04-30 16:23 UTC, commit `00b18598`: Aurelian regional market fee
  accrual proof. Fresh committed regional `field-ration` buys now accrue the
  generated buy and sell order fees into a service-owned regional-market pool
  exactly once, expose that pool in status, ignore release/no-cross and
  non-ration facts, and keep committed replay plus held item delivery replay
  from accruing again. NPC stores, broader outpost inventories, durable stock
  and currency ledgers, profile balances, durable fee ledgers, expiry
  advancement, and crash recovery remain future work.
- 2026-04-30 16:57 UTC, commit `bdcc23ed`: Aurelian regional seller proceeds
  proof. Fresh committed regional `field-ration` buys now credit the
  service-owned `ash_farm` proceeds pool two chits exactly once, expose that
  pool in status, ignore release/no-cross, stale, mismatched, and non-ration
  facts, and keep committed replay plus held item delivery replay from
  crediting proceeds again. NPC stores, broader outpost inventories, durable
  stock and currency ledgers, durable seller-proceeds ledgers, profile
  balances, durable fee ledgers, expiry advancement, and crash recovery remain
  future work.
- 2026-04-30 17:41 UTC, commit `29c065a9`: Aurelian regional market order
  expiry proof. `adventure-content` now has pure order activity and day-aware
  deterministic matching; `adventure-server` uses the fixed smoke day for live
  regional-market reserve and quote, and the scenario process proves a day-73
  expired field-ration reserve releases without status, inventory, currency,
  outpost stock, fee, seller-proceeds, or delivery mutation. Durable calendar
  advancement, durable order books, profile ledgers, durable fee ledgers, and
  crash recovery remain future work.
- 2026-04-30 18:40 UTC, commit `205fd6a0`: Aurelian regional market fee
  withdrawal proof. `adventure-content` now has a pure resolver for bounded
  regional-market fee withdrawal from the current pool plus applied withdrawal
  ids; `adventure-server` owns the live fee pool, applied withdrawal ids, and
  service treasury balance; and the scenario process proves `sell
  withdraw-fees to regional-market` moves the two accrued fee chits exactly
  once without mutating inventory, currency, outpost stock, seller proceeds, or
  delivery state.
- 2026-04-30 19:43 UTC, commit `a547db3d`: Aurelian regional market receipt snapshot proof.
  `adventure-content` reconstructs `RegionalMarketTransactionState` from
  ordered receipt facts with bounded validation, and `adventure-server`
  exposes `buy receipt-snapshot from regional-market` to prove the old
  field-ration commit still replays after reconstruction without mutating live
  market, inventory, fee, treasury, seller-proceeds, stock, or delivery state.
  Durable restart loading remains future work.
- 2026-04-30 20:07 UTC, commit `4b44b32`: Aurelian regional market settlement snapshot-view proof.
  `adventure-content` checks the settlement side-effect snapshot view from
  applied delivery, currency debit, outpost stock decrement, fee accrual,
  fee withdrawal, and seller proceeds ids plus the current balances, rejects
  over-capacity id snapshots, and proves the already committed field-ration
  fact plus fee withdrawal replay as already applied. `adventure-server`
  exposes `buy settlement-snapshot from regional-market`, and the real
  scenario process proves the command leaves live status and inventory
  unchanged. Durable restart loading remains future work.
- 2026-04-28 21:08 UTC, commit `0b7db05`: Aurelian Phase 11c construction
  foundation. Generated content now carries material, facility, blueprint,
  artifact, and enchantment-slot metadata with pure Rust validation and
  deterministic property derivation; Adventure status prints a construction
  summary, and the real scenario process asserts it through `Adventure.status`.
  Service-mediated construction jobs are tracked by the later Phase 11c
  construction-job proof; escrow, durable stock ledgers, output/currency
  inventory, and full artifact crafting gameplay remain future work.
- 2026-04-30 13:01 UTC, commit `9f8cfb6c`: Aurelian Phase 11c
  construction-job proof. `adventure-content` owns bounded reserve/start,
  completion, cancel/release, stale-version rejection, idempotent replay,
  service-owned material hold/release facts, older terminal replay, and fact
  capacity checks on top of existing construction metadata. `adventure-server`
  owns per-player construction material stock and applies holds/restores only
  for new successful `repair` outcomes; completion consumes the held materials,
  while replay and denial paths do not mutate stock. The real scenario process
  asserts denial, reserve/retry, open-reserve conflict, complete/replay, stale
  rejection, release/replay, and reserve-after-release through existing
  `Adventure.repair` calls. Durable persistence, broad stock ledgers, outpost
  replenishment, output/currency inventory, job-time advancement, and general
  crafting remain future work.
- 2026-04-30 22:46 UTC, commit `fd57de6b`: the Aurelian construction receipt
  snapshot follow-on is scoped to pure Rust construction receipt snapshot
  semantics plus a size-constrained QEMU no-mutation probe. Pure
  `adventure-content` tests reconstruct a
  separate construction job state from ordered facts and reject malformed,
  over-capacity, and non-closed snapshot shapes. The QEMU scenario drives
  `repair receipt-snapshot with field-engineer` only to confirm status,
  inventory, live construction state, and material stock are not mutated. The
  runtime command is not a proof that receipts replay into the live service,
  and this is not durable restart loading or a general construction
  persistence layer.
- 2026-04-28 21:36 UTC, commit `f53d044`: Aurelian Phase 11d agent NPC budget
  foundation. Generated content now carries disabled-by-default optional NPC
  agent budget metadata with model profiles, per-session/day input/output token
  limits, tool-call limits, cooldown, fatigue, sleep, refusal, and audit
  visibility. Pure Rust fake-model tests cover spending, refusals, disabled
  transcript stability, bounded output, and no authority mutation from model
  text; Adventure status prints an aggregate budget line asserted through
  `Adventure.status`. Live LLM integration, hosted-agent execution, durable
  memory, autonomous NPC actions, and authority mutation from model output remain
  future work.
- 2026-04-30 08:22 UTC, commit `c6d887`: Aurelian Phase 11d fake-agent
  purpose expansion. Deterministic fake-agent responses now cover personal
  routines, nonbinding shop negotiation flavor, and festival reactions as
  dialogue/proposed-action data only. Pure Rust tests cover quota spending,
  quota refusal, bounded lines, and no authority mutation; Adventure status
  prints the supported purpose count and the real scenario process asserts it
  through `Adventure.status`.
- 2026-04-28 22:22 UTC, commit `335a9ee`: Aurelian Phase 12 party foundation.
  Adventure now has typed local party create/invite/accept/leave/delegate calls
  and `assist`, keyed by service-created local player labels derived from live
  caller-session keys. The server uses the unit-tested `adventure-content`
  party transition state for invite, accept, scoped delegation, assist, and
  leave cleanup; the scenario process asserts the one-client cap surface and
  party status line. Two-client QEMU proof, transfer escrow, duel/spar/contest
  authority, and cross-device multiplayer remain future work.
- 2026-04-29 06:43 UTC, commit `ac49375`: Aurelian Phase 12 physical-item transfer foundation.
  Adventure adds typed `transfer` for same-party service-local player labels,
  with ordinary inventory mutation kept atomic inside the existing service and
  backed by pure Rust transfer tests. The scenario process asserts one-client
  refusal paths without faking a second live session. Currency escrow, broad
  market/trade coordination, and successful two-client QEMU transfer proof
  remain future work.
- 2026-04-29 18:07 UTC, commit `f4a7fdb`: Aurelian authority-combat verb
  foundation. Adventure adds the bounded `challenge-authority` skill and
  `challenge authority <target>` text alias for the ward-wraith proof slice:
  accepted `ward-writ` attacks hostile ward authority instead of hp, records
  success-only evidence/effects, and QEMU coverage exercises wrong-target,
  missing-authority, success, and shell-alias paths. Broader authority-combat
  verbs, hostile authority enemy variants, writ affixes, and rank/base reach
  unlocks remain future work.
- Merged on main at commit `6678d40` (`2026-04-30 03:55 UTC`):
  Paperclips Terminal Demo follow-up. The default manifest advertises the
  clean-room `paperclips` terminal game, and `system-paperclips.cue` plus
  `make run-paperclips` provide the focused QEMU proof for one-at-a-time manual
  production, representative refusal output, explicit sales, repeatable
  marketing, autoclipper unlock, real-time automation, generated Cap'n Proto
  content loading, scaled business-phase production, `precision-rollers`,
  `design-search`, `forecast-engine`, `survey-drones`, and the visible
  `== autonomous phase ==` transition. The demo remains outside the current SMP
  process scaling milestone because it exercises a standalone `StdIO` plus
  `Timer` terminal process rather than SMP process-count or scheduler behavior.
- Task branch commit `88536a9e` (`2026-04-30 17:38 UTC`):
  Paperclips client/server showcase first slice. The focused manifest now boots
  Paperclips server services plus a terminal client; the server owns generated
  content, game state, regular timer cadence, unlock checks, game-rule
  mutation, and proof-command gating, while the client receives explicit
  `StdIO` plus a `PaperclipsGame` endpoint.
- Task branch commit `532207c1` (`2026-04-30 20:54 UTC`):
  Paperclips structured command-list slice. The server exposes current command
  specs for terminal `help` without changing the raw text command execution
  path. Normal and proof sessions use separate server endpoints, preserving
  proof-only `run <ms>` and `status --json` authority.
- Task branch commit `e9ae4e97` (`2026-04-30 22:02 UTC`):
  Paperclips structured plain-status snapshot slice. The server exposes
  `PaperclipsStatusSnapshot` fields for terminal-rendered plain `status`, while
  `status --json` remains proof-only and server-gated.
- Task branch commit `32462e9f` (`2026-04-30 22:32 UTC`):
  Paperclips structured project-list slice. The server exposes unlocked project
  entries for terminal-rendered plain `projects`, while `project <id>` remains
  raw text execution against server-owned mutable state. Remaining Paperclips
  showcase work includes broader structured state/events, command facets,
  capability transfer/revocation ergonomics, and the later web-shell client
  path.
- Commit `5ef16c3` (`2026-04-30 04:17 UTC`): Paperclips autonomous
  scaling follow-up. The CUE-authored generated content now owns millisecond
  drone matter-conversion, factory production, probe harvest, and probe
  replication caps; host tests cover the bounded transitions and completion
  gating. The focused QEMU proof continues after `== autonomous phase ==`
  through `material-harvesters` and `foundry-lines`, then asserts lower local matter,
  increased autonomous production, and clean process exit.
- Commit `65f9d2c` (`2026-04-30 07:36 UTC`): Paperclips cosmic/completion
  transcript follow-up. The focused QEMU proof now continues through
  `mesh-coordination`, `seed-probes`, `== cosmic phase ==`, a bounded
  probe interval with visible replication, cosmic-matter conversion, and clip
  production, then `final-conversion` and `== complete phase ==`. That proof
  used compact clean-room values for the cosmic matter grant and terminal
  conversion clip cost so the run remained representative rather than an
  exhaustive full playthrough.
- Commit `52d30d2b` (`2026-04-30 12:00 UTC`): Paperclips completion rebalance.
  The late-game matter and final conversion costs now prevent normal play from
  reaching `== complete phase ==` within one real-time hour. The focused QEMU
  proof stops at the cosmic production milestone with `final-conversion` still
  locked instead of scripting a compact full win.
- Commit `9262938b` (`2026-04-30 12:26 UTC`): Paperclips machine-readable
  status follow-up. The terminal demo now supports `status --json` as a stable
  compact state snapshot, and the focused QEMU proof asserts that late-game
  JSON line after the cosmic milestone while preserving the human transcript
  checks.
- Commit `119acaad` (`2026-04-30 12:53 UTC`): Paperclips review-fix follow-up.
  Active schema, CUE content, Rust rules, generated-content guardrails, and
  focused smoke assertions now use clean-room Strategy internals. Purchase
  parsing keeps omitted counts as one but rejects explicit zero counts without
  mutating game state.

Recently completed visible milestone:
- Device Driver Foundation: the selected milestone is complete by the
  production-authority closeout task
  [`ddf-production-authority-closeout`](tasks/done/2026-06-07/ddf-production-authority-closeout.md)
  at commit `ef8d98c2` (`2026-06-07 08:15 UTC`; task completion recorded
  `2026-06-07 08:23 UTC`). The DDF closeout records the landed
  `DeviceMmio`/`DMAPool`/`Interrupt` lifecycle status, the provider-driver
  local authority evidence, hardware-audit consumption for abort-held DMA
  mapping records, and the runtime fail-closed DMA backend baseline. The
  related GCP-first usable-instance rollup
  [`cloud-usable-instance-provider-nic-storage`](tasks/done/2026-06-07/cloud-usable-instance-provider-nic-storage.md)
  (`2026-06-07 05:26 UTC`) records live operator serial access, selected
  raw-frame NIC/storage evidence, and gVNIC portability, without claiming public
  L4 ingress, AWS/Azure support, direct-remapping production hardware,
  device-autonomous MSI-X delivery, full userspace smoltcp/L4 readiness, or
  high-throughput/multiqueue NIC readiness.
- POSIX Adapter v0 -- File/Directory fd closeout: commit `f97d9833`
  (`2026-05-23 06:23 UTC`) closes the P1.4 file/directory fd surface
  over the existing RAM-backed root `Directory` cap. `libcapos-posix`
  now exposes functional `open`, `read`, `write`, `close`, `lseek`,
  `opendir`, `readdir`, and `closedir` for the v0 Directory-backed path,
  with `readdir` backed by a lazy `Directory.list` snapshot and `lseek`
  backed by the fd-table file position plus `File.stat` for `SEEK_END`.
  `make run-posix-file` boots a C process that creates `"/hostname"`,
  writes and seeks through it, reads the full payload and tail, lists the
  root directory to find the file, proves relative paths still fail
  closed, exits 0, and halts QEMU.
- POSIX Adapter v0 -- Identity stubs: commit `1a8a9896`
  (`2026-05-23 06:51 UTC`) closes the P1.4 identity-stub surface.
  `libcapos-posix` now exposes `getpid`, `getuid`, and `getgid` from
  the existing unistd-style header; `getpid` returns the stable capos-rt
  bootstrap pid for the current process, while `getuid` and `getgid`
  return the single-identity uid/gid `0`. `make run-posix-identity`
  boots a C process that prints its identity, fork/execs the same binary
  through the recording shim, proves the child observes a distinct pid,
  exits both processes cleanly, and halts QEMU. The later
  `make run-posix-printf` proof closes the printf/string subset with live
  formatted output, string/mem, numeric conversion, and ctype markers.
  Commit `90e64011` (`2026-05-23 08:11 UTC`) closes the signal/time
  surface: `make run-posix-signal-time` proves Timer-backed time/sleep
  observations plus fail-closed `kill`/`raise` signal-delivery stubs.
  Remaining dash-port gates are dash vendoring/patching, the
  multi-translation-unit C build, and `run-posix-shell-smoke`.
- POSIX Adapter v0 -- Pipe + fork-for-exec plus direct posix_spawn Smoke: POSIX adapter
  Phase P1.3 first closed at commit `ceaf5475` (`2026-05-07 10:04
  UTC`) under an in-process x86_64 setjmp/longjmp recording-shim
  contract. A subsequent fix slice on top -- spanning commits
  `44838ad7` (`2026-05-07 11:07 UTC`) through `7c08501c`
  (`2026-05-07 14:24 UTC`) and integrated into mainline-tracking
  history via merge commit `b8c7fb43` (`2026-05-07 18:16 UTC`) --
  replaced setjmp/longjmp with the return-the-pid contract because
  the longjmp re-entered fork()'s already-deallocated stack frame
  (undefined behaviour). An iter-15..iter-22 SMP-correctness
  hardening cycle followed, extending the fix slice through commit
  `05b52873` (`2026-05-07 21:07 UTC`); each iteration closed a
  distinct kernel pipe race surface (transport-error CQE on
  saturated waiter restore at iter-15, deferred-error retry queue +
  nested-fork reset at iter-16, write-overflow queue preserving
  partial-write CQE at iter-17, buffer-aware EOF + combined-cap
  waiters + child-order fd replay + EBADF on Moved at iter-18,
  close+write race + fd-recording precheck + Moved self-dup2 at
  iter-19, same-end waiter completion on close at iter-20,
  close_side publishing under the buffer lock at iter-21, and the
  matching in-lock close re-check in handle_write at iter-22).
  `make run-posix-pipe-smoke` boots the focused manifest, links the
  `demos/posix-pipe-shim/main.c` parent and `demos/posix-pipe-child/main.c`
  child against `libcapos.a` + `libcapos_posix.a`, drives `pipe(); pid_t
  child = fork(); if (child == 0) { dup2(); close(); child = execve(...);
  } close(); read(); waitpid(child);` end to end through the kernel
  `Pipe` capability and the recording-shim ProcessSpawner Move-grant
  path, and prints `[posix-pipe] read 14 bytes: hello via pipe` from
  the parent. The parent and child both exit 0 cleanly and the QEMU
  scheduler halts. fork() returns 0 unconditionally; dup2/close
  between fork and execve record into a TLS window without mutating
  the parent fd table; execve() drains the recording and returns the
  synthetic child pid as its own return value (a deliberate v0
  deviation from POSIX). The direct public `posix_spawn()` successor
  proof landed at commit `b8fb3131` (`2026-05-13 10:15 UTC`):
  `libcapos-posix` exposes `posix_spawn()` plus
  `posix_spawn_file_actions_init/destroy/adddup2/addclose`, and
  `make run-posix-spawn-smoke` creates a pipe, uses file actions to
  move the existing `posix-pipe-child` stdout onto the pipe, reads
  `[posix-spawn] read 14 bytes: hello via pipe`, waitpid()s the child,
  and halts after both processes exit 0. `argv` and `envp` are accepted
  for source compatibility but remain undelivered until LaunchParameters
  / environment support lands. The Console-backed stdio successor proof
  landed at commit `aa6a56d7` (`2026-05-13 11:03 UTC`):
  `libcapos-posix` maps POSIX fd 1/2 to the granted Console cap when no
  `stdio_<N>` Pipe grant already occupies the slot, keeps fd 0 closed
  without stdin backing, and `make run-posix-stdio-smoke` prints distinct
  stdout/stderr markers through POSIX `write` before proving the
  no-stdin refusal path.
- WASI Host Adapter Phase W.4 -- `random_get` production wiring:
  Phase W.4 closed at commit `b0f6939f` (`2026-05-07 20:09 UTC`);
  Phase W.3 closed at commit `ca41ecc1` (`2026-05-07 18:29 UTC`;
  the W.3 narrative stamps from `2026-05-07 18:25 UTC` predate the
  feat commit by a few minutes);
  Phase W.2 closed at commit `7bfcb1d8` (`2026-05-07 10:53 UTC`)
  across four sub-slices. The bounded environment grant smoke landed
  at branch commit `5f5028e7` (`2026-05-13 11:05 UTC`).
  Sandboxed `wasm32-wasi` is now a booted language path on capOS;
  the W.2 slice delivered the first WASI-hosted, sandboxed
  portable-payload path (native C boots already existed via the
  libcapos C-substrate `make run-c-hello` and the historical POSIX-adapter DNS
  resolver); W.3 added the per-instance
  argv text grant; W.4 wires Preview 1 `random_get` through the
  kernel `EntropySource` cap; the 2026-05-13 follow-up adds the
  bounded `initConfig.init.wasiEnv` text grant as the v0
  environment source. `make run-wasi-hello-rust`,
  `make run-wasi-hello-c`, `make run-wasi-cli-args`,
  `make run-wasi-env`, `make run-wasi-random` (granted), and
  `make run-wasi-random-ungranted` (refusal) are the regression,
  environment-grant, and W.4 gates; the environment smoke proves one
  granted value reaches a Rust `wasm32-wasip1` payload through Preview
  1 `environ_get` / `environ_sizes_get`; the random granted variant
  reads N=64 bytes through `random_get` and prints
  `[wasi-random] entropy_bytes=64 entropy_bound_ok=true`, and the
  ungranted variant observes `ERRNO_NOSYS = 52` from the closed-fail
  refusal branch which never enters the kernel. Wall-clock support
  stays deferred: `clock_time_get(CLOCKID_REALTIME)` keeps the W.2
  sentinel `ERRNO_NOSYS` until capOS has a typed
  `WallClock`/`RealTimeClock` cap. The next selectable WASI work is
  Phase W.5 (Preview 1 filesystem), blocked on the missing
  `Namespace`/`File`/`Store` cap surface.
- POSIX Adapter v0 -- DNS Resolver Smoke: POSIX adapter Phase P1.2
  Phase B completed at commit `b4f1a400` (`2026-05-05 21:21 UTC`).
  The now-retired `make run-posix-dns-smoke` booted the focused manifest,
  linked the `demos/posix-dns-resolver/main.c` C binary against `libcapos.a` +
  the new `libcapos_posix.a`, sent a DNS A query for `example.com`
  through the kernel `UdpSocket` capability to QEMU slirp's resolver
  at 10.0.2.3:53, decoded the answer-section IN/A record, and printed
  `[posix-dns-resolver] resolved example.com -> <ipv4>` (e.g.
  `104.20.23.154`; the upstream resolver picks the value, the
  harness grepped loosely). The target now exits before QEMU because the
  qemu-only kernel `UdpSocket` owner was removed; rebuild the resolver on the
  Phase C userspace network stack before using it as validation. The
  `vendor/dns-c-wahern/` snapshot at
  `rel-20160808` is in-tree as a structural reference but not yet
  compiled into the smoke; widening the POSIX surface so dns.c can
  build whole is follow-on work after P1.3.
- In-Process Threading Scalability: completed at commit `136b72de`
  (`2026-05-01 14:58 UTC`) after the benchmark repair replaced the invalid
  1 MiB/spinning-parent four-worker shape with a blocking-parent 16 MiB/64-round
  shape. Reaffirmed against the then-current single-global-queue scheduler on
  `capos-bench` 2026-05-02 21:38 UTC against `main` commit `374f8556` with
  the formal capOS+Linux 5-run pair pinned to physical-core logical CPUs
  `0,1,2,3`: capOS work `1.883x` and total `1.787x` clear the configured
  1-to-2 gates; matching Linux pthread baseline `1.988x`/`1.987x` validates
  the shape. The 1-to-4 row became the diagnostic that justified Phase D's
  fair-share enqueue policy (capOS `1.566x`/`1.538x` vs Linux
  `3.963x`/`3.858x`); Phase D WFQ later manually accepted the recorded
  1-to-4 diagnostic with capOS `3.088x`/`2.700x` and matching Linux
  `3.974x`/`3.850x`.
  Four-worker capOS speedup remains evidence of material improvement, not
  a completed linear-scaling claim.
- Multi-Process SMP Concurrency: completed at commit `3fb89923`
  (`2026-04-30 09:45 UTC`), with repeated KVM-backed process-scale evidence in
  `target/smp-process-scale/cycle-balanced-default/` (`1.608x` 1-to-2
  speedup) and ordinary `run-smoke`/`run-spawn` coverage under `-smp 2`.
- Session-Bound Invocation Context: completed at commit `503abc9`
  (`2026-04-30 02:26 UTC`), with Gate 4 implementation verification recorded
  at commit `faeff80` (`2026-04-29 21:39 UTC`). The milestone includes one
  immutable process session, privacy-preserving endpoint caller metadata,
  explicit disclosure gating, session-aware transfer scopes, chat migration,
  terminal/stdio bridge liveness guards, adventure shared-service cleanup, and
  aligned paper evidence/status text.
- Installable System: completed through commit `12b8334a` (commit timestamp
  `2026-06-07 18:19 UTC`; task closeout `2026-06-07 18:20 UTC`) for the bounded
  local/QEMU contract. The milestone includes persistent data-region mount,
  config-overlay compose/merge fallback, generation/rollback machinery,
  integrated installable disk packaging, target-disk install, first-boot
  provision, update/rollback, and structural proposal/body wording reconcile. It
  preserves the RAM-only `Namespace` caveat and does not claim secure
  boot/signing, production release authority, public ingress, AWS/Azure live
  support, direct-remapping production hardware, full userspace smoltcp/L4
  readiness, or full durable account policy.
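
The pipe plus file-actions flow that the POSIX Adapter v0 `posix_spawn()` entry above describes, shown here as an added example written against a standard host libc (Linux/glibc), not against `libcapos-posix` and not code from the capOS repository. It reproduces the contract the entry states for the spawn smoke: create a pipe, use `posix_spawn_file_actions_adddup2`/`addclose` to move the child's stdout onto the write end and drop the pipe fds the child does not need, read the child's bytes from the parent, then `waitpid()` it. It does not reproduce capOS's v0 deviations (`fork()` returning 0 unconditionally, `execve()` returning the child pid). The child program (`/bin/sh -c <cmd>`), the function names `spawn_read_pipe`/`child_exit_code`, and the sample command `printf 'hello via pipe'` are this example's own assumptions.

```c
/* Added example, not capOS code: standard POSIX pipe + posix_spawn file actions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <spawn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Spawn `/bin/sh -c shell_cmd` with its stdout moved onto a fresh pipe, read
 * everything it writes into `out` (NUL-terminated, truncated to cap-1 bytes),
 * reap the child, store its raw wait status in `status`, and return the number
 * of bytes kept, or -1 on failure (errno set). Assumed helper, not libcapos-posix. */
int spawn_read_pipe(const char *shell_cmd, char *out, size_t cap, int *status)
{
    int fds[2];
    if (cap == 0 || pipe(fds) != 0)
        return -1;

    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    /* Child side: stdout becomes the write end; then the child drops both raw
     * pipe fds so it holds only the one descriptor it needs (least privilege
     * on the fd table, and no stray read end keeping the pipe open). */
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);

    char *argv[] = { "sh", "-c", (char *)shell_cmd, NULL };
    pid_t child;
    int rc = posix_spawn(&child, "/bin/sh", &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);

    /* Parent side: the write end must be closed here too, otherwise read()
     * never observes EOF after the child exits. */
    close(fds[1]);
    if (rc != 0) {
        close(fds[0]);
        errno = rc;
        return -1;
    }

    /* Drain until EOF. If the caller's buffer fills, keep reading into a
     * scratch buffer so a chatty child is never blocked on a full pipe. */
    size_t total = 0;
    char discard[64];
    for (;;) {
        int room = total < cap - 1;
        char *dst = room ? out + total : discard;
        size_t want = room ? cap - 1 - total : sizeof discard;
        ssize_t n = read(fds[0], dst, want);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        if (room)
            total += (size_t)n;
    }
    out[total] = '\0';
    close(fds[0]);

    if (waitpid(child, status, 0) != child)
        return -1;
    return (int)total;
}

/* Exit code from a wait status, or -1 if the child did not exit normally. */
int child_exit_code(int status)
{
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];
    int status = 0;
    int n = spawn_read_pipe("printf 'hello via pipe'", buf, sizeof buf, &status);
    if (n < 0) {
        perror("spawn_read_pipe");
        return 1;
    }
    printf("[posix-spawn] read %d bytes: %s\n", n, buf);
    return child_exit_code(status) == 0 ? 0 : 1;
}
```

The two fd-hygiene points are the ones a reviewer checks in any spawn-over-pipe path: the parent closes its copy of the write end before reading (otherwise EOF never arrives), and the child closes the read end it inherited (otherwise it holds an end of its own output pipe). The drain-on-overflow loop is there so a child that writes more than the caller wants cannot deadlock the reap.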

Active visible milestone:
- GCE Self-Hosted Web UI: serve the remote-session Web UI through the Phase C
  userspace network stack, prove the local cloudboot L4 path, and then prove
  private GCE reachability before any public endpoint. The selected milestone
  now has the userspace smoltcp-backed `TcpListenAuthority` local path proved by
  `cloud-prod-userspace-network-stack-smoltcp-local-proof` and local DHCP/IPv4
  address/default-route/ARP configuration proved by
  `cloud-prod-network-stack-dhcp-ipv4-config-local-proof`; the cloudboot
  authority inventory (`remote-session-webui-cloudboot-authority-inventory`) is
  done and records the Web UI service authority boundary for the local L4 proof.
  The local Web UI L4 proof
  (`cloud-prod-remote-session-web-ui-l4-local-proof`) is done: the Phase C
  userspace network-stack process serves `remote-session-web-ui` on guest port
  8080 with the full fixed-name bundle, login, a backend-held `SystemInfo`
  call, logout/stale failure, and the manual viewer under
  `make run-cloud-prod-remote-session-web-ui-l4`. Web UI session hardening
  (`remote-session-web-ui-session-hardening`) is done (2026-06-09), and Web UI
  connection bounds (`remote-session-web-ui-connection-bounds`) are done
  (2026-06-09): per-connection request-read/response-send deadlines in the Web
  UI client with a drip-feed abandon proof on the L4 gate. The narrow
  legacy kernel socket-path retirement is done; non-`qemu` manifests now reject
  kernel `network_manager` / `tcp_listen_authority` grants and leave those
  sources as qemu-only fixtures. The broader
  `cloud-prod-phase-c-kernel-smoltcp-virtio-net-removal` cleanup is also done:
  the kernel no longer depends on `smoltcp`, qemu-only kernel TCP/UDP socket
  entry points fail closed, and the remaining virtio-net code is lower-layer
  QEMU fixture evidence rather than production cloud socket ownership. The local
  `cloud-prod-remote-session-web-ui-l4-local-proof` gate built on the completed
  DHCP/IPv4 task and has landed. Legacy GCE virtio-net Web UI serving is done
  locally (`cloud-gce-legacy-virtio-webui-serving-local-proof`, 2026-06-11),
  the public-ingress browser hardening set (public-origin policy, SameSite
  policy, JSON content-type guard, headers/CSP, forwarded-scheme trust,
  `/healthz`, in-guest login hardening) is done on the L4 gate, and the
  no-spend provider-harness gates (private preflight, private/public evidence
  validators, ingress plan, teardown engine, provider-command allowlist) are
  done as stub-fixture evidence.
  `cloud-gce-private-self-hosted-webui-proof` remains
  on hold on missing firewall IAM and per-run billable authorization.
  Public GCE ingress and TLS remain under the separate
  on-hold `cloud-gce-public-self-hosted-webui-ingress-tls` task and require
  explicit authorization; the local fixture gates bound that future run but do
  not authorize exposure.

Paused visible milestone:
- SSH Shell Gateway: `ssh` reaches the capOS login/native shell flow through an
  SSH-backed `TerminalSession` in QEMU, using host-local forwarding, public-key
  authentication, denied unsupported SSH features, and the same child shell
  capability boundary proven by Telnet. This remains planned Stage 7 work, but
  network-backed shell delegation should wait for durable remote-account/key
  prerequisites.

Candidate next visible milestones:
- Storage Capability Substrate: add RAM-backed `Store`/`Namespace` first,
  then `BlockDevice`, local disk, and a read-only filesystem proof if the
  block path is ready.
- Serial Diagnostics And AWS Serial Boot: extend the current bounded COM1
  diagnostics console with richer device dumps and prove the same imported
  image path on AWS. GCP imported-image serial boot is already recorded.
- Remote Shell Access: SSH, Telnet development access, and basic WebShell over
  the capability terminal model after session lifecycle, durable key/account,
  and network prerequisites are credible.
- Cloud follow-ups after the GCP-first provider rollup: public L4 ingress and
  SSH/WebShell productization, AWS/Azure provider ports, broader storage
  variants, high-throughput/multiqueue NIC readiness, and separate cloud
  benchmark reruns. The completed GCP rollup record is
  `cloud-usable-instance-provider-nic-storage`.
- Agent Shell and federated chat remain future candidates, not the default
  next milestones ahead of the driver/storage/cloud bring-up ladder.

Select the next milestone in `docs/tasks/state.toml` only after the current
selected milestone is achieved and recorded, or when the user explicitly changes
the selected milestone. Update or add task records and linked backlog/proposal
decomposition in the same change when the new milestone needs different
execution context.
