# Topics Index

This page is generated from document front matter fields during `mdbook` builds:
- `status`
- `description`
- `topics`

## Quick Orientation

- [Backlog](backlog/index.md) — _Detailed task decompositions._
- [Benchmarks](benchmarks.md) — _Current benchmark policy and results._
- [Build, Boot, and Test](build-run-test.md) — _Build, ISO, QEMU, host-test commands._
- [Capability-Based and Microkernel Operating Systems Survey](research/capability-systems-survey.md) — _Design consequences pulled from the survey._
- [capOS Agentic Development Experiment](proposals/agentic-development-experiment-proposal.md) — _Longitudinal study design for using capOS development sessions, subagents, reviews, and recap tooling as an agentic software-engineering experiment._
- [capOS Repository Harness Engineering](proposals/capos-repo-harness-engineering-proposal.md) — _Repository-local harness engineering for making capOS legible, checkable, and safer for long-running coding agents._
- [Changelog](changelog.md) — _Historical milestone reports._
- [Current Design Authority](architecture/design-authority.md) — _Current-design authority map and proposal lifecycle rule for keeping implemented behavior out of archival proposal records._
- [Current Status](status.md) — _What works, what is partial._
- [Design Risks and Open Questions](design-risks-register.md) — _Consolidated index of long-horizon design risks._
- [Introduction](index.md) — _Top-level documentation site entry._
- [Proposal Index](proposals/index.md) — _Proposal status table._
- [Repository Map](repo-map.md) — _Source-tree subsystem index._
- [Research and Design Gaps](backlog/research-design-gaps.md) — _Research/design gap triage backlog._
- [Roadmap](roadmap.md) — _Long-term architectural plan._
- [What capOS Is](overview.md) — _One-page system model._

## Capabilities, IPC, and Authority

- [ABI Evolution Policy](abi-evolution-policy.md) — _Compatibility policy for capOS schema and ring ABIs._
- [Authority Accounting](authority-accounting-transfer-design.md) — _Authority accounting rules for capability transfer and resource charges._
- [Cap'n Proto Error Handling](research/capnp-error-handling.md) — _Prior-art on capnp-rpc error semantics._
- [Capability Model](capability-model.md) — _Core capability object model, cap tables, schema interface IDs, grants, receiver metadata, and transfer._
- [Capability Ring](architecture/capability-ring.md) — _Shared-memory capability ring ABI, dispatch paths, and completion semantics._
- [Capability-Infrastructure Cluster](backlog/capability-infrastructure-cluster.md) — _Decomposition of the near-term capability-infrastructure cluster: matured proposals and Stage 6 remainder that share the schema serial surface._
- [Cloudflare, Cap'n Proto, Workers RPC, and Cap'n Web](research/cloudflare-capnproto-workers.md) — _Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap'n Web, and Cloudflare's production use of Cap'n Proto/KJ._
- [Crash Recovery and Supervision](proposals/crash-recovery-supervision-proposal.md) — _Unplanned-failure detection, stale-cap propagation, structured crash records, watchdog liveness, and bounded restart policy for capOS services._
- [Debug and Trace Authority](proposals/debug-trace-authority-proposal.md) — _Capability-scoped debug session attach, read-only cap-table inspection, ring-trace replay, and sampler authority without ambient process inspection._
- [Delegated Subject Context](proposals/delegated-subject-context-proposal.md) — _Future delegated-subject and act-on-behalf-of capability model._
- [Error Handling](architecture/error-handling.md) — _Current error model for capability ring CQE status, CapException payloads, endpoint RETURN exceptions, and ordinary schema result unions._
- [Error Handling](proposals/error-handling-proposal.md) — _Transport and application error model for capability calls and CQE results._
- [Genode](research/genode.md) — _Genode OS Framework: capability-based component model, session routing, VFS plugin architecture, POSIX compatibility, and Sculpt OS -- with lessons for capOS._
- [IPC and Endpoints](architecture/ipc-endpoints.md) — _Endpoint IPC, capability transfer, direct handoff, and shared-memory data paths._
- [Memory Authority Model](proposals/memory-authority-model-proposal.md) — _Memory authority, residency classes, mapping consistency, OOM boundaries, and proof obligations._
- [OS Error Handling](research/os-error-handling.md) — _Cross-OS error-model comparison._
- [Rejected: Cap'n Proto SQE Envelope](proposals/rejected-capnp-ring-sqe-proposal.md) — _Rationale for keeping ring SQEs fixed-layout instead of Cap'n Proto envelopes._
- [Rejected: Endpoint Badges as Service Identity](proposals/rejected-endpoint-badges-proposal.md) — _Post-mortem of the rejected seL4-style endpoint badge service identity model._
- [Remote Session CapSet Clients](proposals/remote-session-capset-client-proposal.md) — _Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap'n Proto RPC._
- [Resource Accounting and Quotas](proposals/resource-accounting-proposal.md) — _Resource profiles, quota ledgers, donation, reservation, and fail-closed accounting semantics._
- [Schema Registry](proposals/schema-registry-proposal.md) — _A SchemaRegistry capability that serves Cap'n Proto reflection metadata -- interface IDs, method names and ordinals, parameter/result layouts, and doc comments -- at runtime, as the machine-readable twin of the System Manual._
- [Service Architecture](proposals/service-architecture-proposal.md) — _Capability-based service composition, authority-at-spawn, exports, and service graph policy._
- [Service Object Identity Migration](backlog/service-object-identity-migration.md) — _Superseded large-chunk migration plan for service object identity, retained as historical context after the active direction changed to session-bound invocation context._
- [Session Context](architecture/session-context.md) — _Current session-bound invocation context, endpoint caller-session metadata, disclosure, transfer-scope, and liveness rules._
- [Session-Bound Invocation Context](backlog/session-bound-invocation-context.md) — _Implementation plan for one-session-per-process invocation context and session-keyed shared services._
- [Session-Bound Invocation Context](proposals/session-bound-invocation-context-proposal.md) — _Session-bound invocation context and privacy-aware disclosure model replacing service-object identity migration._
- [Spritely, OCapN, and CapTP](research/spritely-captp-ocapn.md) — _Spritely, OCapN, CapTP, netlayers, locators, Syrup, promise pipelining, handoffs, and capability-network lessons for capOS._
- [Stage 6 Capability Semantics](backlog/stage-6-capability-semantics.md) — _Stage 6 capability work._
- [Standard App Capabilities](proposals/standard-app-capabilities-proposal.md) — _Per-app AppData storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as standard app-facing capabilities._
- [Superseded: Service Object Capabilities](proposals/service-object-capabilities-proposal.md) — _Superseded service-minted object capability model that was replaced by session-bound invocation context._
- [System Info Capability](proposals/system-info-proposal.md) — _SystemInfo capability for MOTD, hostname, host metadata, help topics, and shell bundle integration._
- [System Manual Capability](proposals/system-manual-proposal.md) — _A built-in man-pages analog: the Manual capability serves Unix-style reference pages, schema-derived interface manuals, and a man-shaped reference corpus through the shell, the self-served web UI, and a typed capnp API._
- [Time and Clock Authority](proposals/time-and-clock-proposal.md) — _Capability-native wall-clock authority with provenance labeling, clock discipline, and trusted timestamps for audit and TLS._
- [Userspace Authority Broker](proposals/userspace-authority-broker-proposal.md) — _Userspace shell-bundle broker and lifecycle-control authority model._
- [Zircon](research/zircon.md) — _Fuchsia Zircon kernel: handle-based capability model, channels, VMARs/VMOs, async ports, and FIDL -- with lessons for capOS capability dispatch, IPC, and memory design._

## Boot, Manifests, and Init

- [Boot Flow](architecture/boot-flow.md) — _Kernel boot, manifest handoff, init launch, and QEMU boot-proof flow._
- [Boot to Shell](proposals/boot-to-shell-proposal.md) — _Login, setup, session, credential, and broker path from boot into the native shell._
- [Cloud Image Import and Serial-Console Boot](backlog/cloud-image-import.md) — _Cloud provider disk-image import and serial-console-boot notes._
- [Cloud Metadata](proposals/cloud-metadata-proposal.md) — _Cloud metadata and config-drive bootstrap through scoped configuration capabilities._
- [Configuration](configuration.md) — _How operators extend the default capOS boot manifest with a gitignored `system.local.cue` overlay and convert CUE-authored data to specified Cap'n Proto schemas._
- [Hardware, Boot, and Storage](backlog/hardware-boot-storage.md) — _Hardware bring-up backlog._
- [Installable System](backlog/installable-system.md) — _Ordered implementation track turning the installable-system proposal into work grounded in the landed BlockDevice/filesystem/Store/writable-persistence/disk-image contracts._
- [Installable System](proposals/installable-system-proposal.md) — _Design for an installed, persistent capOS that boots from disk and keeps mutable system configuration across reboots, composed with the immutable boot manifest._
- [Manifest and Service Startup](architecture/manifest-startup.md) — _Manifest encoding, service graph validation, bootstrap grants, and init-side spawning._
- [Run Targets, Init Mandate, and Default-Run Integration](backlog/run-targets-and-init-policy.md) — _Run-target governance._
- [Stateful Task and Job Graphs](proposals/stateful-task-job-graphs-proposal.md) — _Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object._
- [System Configuration and Operator Extensibility](proposals/system-configuration-proposal.md) — _Layered CUE configuration model for operator boot-manifest overlays, host-user injection, and per-user toolchain caches._

## Process Model, Threading, and Scheduling

- [Completion Rings And Threaded Runtimes](research/completion-ring-threading.md) — _io_uring-style transports under threaded runtimes._
- [Crash Recovery and Supervision](proposals/crash-recovery-supervision-proposal.md) — _Unplanned-failure detection, stale-cap propagation, structured crash records, watchdog liveness, and bounded restart policy for capOS services._
- [Future Scheduler Architecture](research/future-scheduler-architecture.md) — _Survey of modern scheduler algorithms and architectures for capOS scheduler evolution._
- [HPC Parallel Patterns](research/hpc-parallel-patterns.md) — _HPC benchmark and programming-model grounding for generic parallel processing patterns._
- [HPC Parallel Processing Patterns](proposals/hpc-parallel-patterns-proposal.md) — _Generic single-node and multi-node parallel processing patterns for HPC-style benchmark coverage._
- [In-Process Threading](architecture/threading.md) — _In-process thread lifecycle, scheduler references, ThreadControl, and ParkSpace integration._
- [Linux Sandboxes and Virtualization for Workloads](research/linux-sandboxes-virtualization.md) — _Linux sandbox, container, gVisor, KVM, microVM, and CPU-isolation prior art for generic Linux workload execution._
- [NO_HZ, SQPOLL, and Realtime Scheduling](research/nohz-sqpoll-realtime.md) — _Linux NO_HZ, io_uring SQPOLL, CPU isolation, PREEMPT_RT, SCHED_DEADLINE, and seL4 MCS grounding for capOS timer and realtime design._
- [Out-of-Kernel Scheduling](research/out-of-kernel-scheduling.md) — _Prior art survey on kernel versus userspace CPU scheduling policy split, with capOS design implications._
- [Park Authority](architecture/park.md) — _ParkSpace wait/wake authority, ABI, and shared park-word constraints._
- [Process Model](architecture/process-model.md) — _Process isolation, ELF loading, bootstrap ABI, lifecycle, and spawn authority._
- [Rejected: Sleep(INF) Process Termination](proposals/rejected-sleep-inf-termination-proposal.md) — _Rationale for explicit process termination instead of infinite-sleep lifecycle semantics._
- [Ring v2 For Full SMP](proposals/ring-v2-smp-proposal.md) — _Per-thread ring, completion routing, SQPOLL ownership, and full-SMP transport model._
- [Scheduler Evolution](backlog/scheduler-evolution.md) — _Detailed task decomposition for future capOS scheduler evolution._
- [Scheduler Evolution](proposals/scheduler-evolution-proposal.md) — _Layered scheduler evolution from bootstrap round-robin to per-CPU fair scheduling, scheduling contexts, CPU leases, and user-space policy._
- [Scheduling](architecture/scheduling.md) — _Preemption, run queues, blocking waits, timer wakeups, and SMP scheduler proof points._
- [SMP](proposals/smp-proposal.md) — _Per-CPU state, AP startup, scheduler ownership, TLB shootdown, and multi-core roadmap._
- [SMP Phase C](backlog/smp-phase-c.md) — _SMP backlog._
- [Tickless and Realtime Scheduling](proposals/tickless-realtime-scheduling-proposal.md) — _Tickless idle, SQPOLL nohz CPU isolation, request deadlines, scheduling contexts, and realtime islands._
- [x2APIC And APIC Virtualization](research/x2apic-and-virtualization.md) — _Primary-source grounding for xAPIC/x2APIC backend selection and APIC virtualization constraints._

## Memory and Resource Accounting

- [Cloud DMA Provider Evidence Inventory](research/cloud-dma-provider-evidence.md) — _Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision._
- [Cloud Driver Foundation Gap Analysis](proposals/cloud-driver-foundation-gap-analysis.md) — _Gap analysis between the existing userspace virtio driver foundation and the blocked cloud NIC/storage driver tasks: what is already proven, the narrow per-task remaining work, and the superseded live-NIC runnable-now claim._
- [Device Manager Refactor](proposals/device-manager-refactor-proposal.md) — _Refactor direction for separating the kernel device authority ledger from QEMU proof scaffolding._
- [DMA Assurance Model](proposals/dma-assurance-model-proposal.md) — _Assurance model for DMA authority, backend selection, and proof obligations._
- [DMA Isolation](dma-isolation-design.md) — _DMA isolation model for device memory, IOMMU policy, and capability-scoped hardware access._
- [DMA User-Space Driver Isolation](research/dma-userspace-driver-isolation.md) — _DMA, user-space driver, vIOMMU, and no-IOMMU bounce-buffer design consequences for capOS device authority._
- [Go VirtualMemory Contract](backlog/go-virtual-memory-contract.md) — _VirtualMemory cap contract for Go._
- [IOMMU Remapping Grounding](research/iommu-remapping.md) — _Primary-source grounding for Intel VT-d (landed under cfg(qemu)), AMD-Vi, and QEMU IOMMU remapping work._
- [Memory Authority Model](backlog/memory-authority-model.md) — _Memory authority model backlog._
- [Memory Authority Model](proposals/memory-authority-model-proposal.md) — _Memory authority, residency classes, mapping consistency, OOM boundaries, and proof obligations._
- [Memory Management](architecture/memory.md) — _Physical frames, address spaces, user buffers, MemoryObject, and VirtualMemory contracts._
- [NVMe Model B Doorbell DMA Validator](proposals/nvme-model-b-doorbell-dma-validator.md) — _Conditional DMA-address ownership model for the userspace NVMe storage provider: provider-written queue-base and PRP/SGL addresses require a non-host-physical device-visible namespace; no-IOMMU GCP planning must use brokered bounce address publication instead._
- [OOM Handling and Swap](proposals/oom-and-swap-proposal.md) — _Memory-pressure, OOM, anonymous-memory budgeting, and optional encrypted swap policy._
- [Resource Accounting and Quotas](proposals/resource-accounting-proposal.md) — _Resource profiles, quota ledgers, donation, reservation, and fail-closed accounting semantics._
- [virtio-rng](devices/virtio-rng.md) — _Provenance map for the in-tree virtio-rng entropy device - spec basis, implemented wire-format subset, and its role as a QEMU-only DDF metadata and IOMMU-remapping hardware-DMA proof fixture (no userspace-facing capability, not a production driver)._

## Userspace Runtime, Languages, and Binaries

- [Browser Capability and Agent Web Sessions](proposals/browser-capability-proposal.md) — _Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services._
- [Browser Engines, Document Engines, and Agent Browsers](research/browser-engines-and-agent-browsers.md) — _Browser engine portability, cap-native document-engine options, and agent-browser patterns for capOS browser capabilities._
- [Browser/WASM](proposals/browser-wasm-proposal.md) — _Browser-hosted capOS experiment using WebAssembly and worker-per-process isolation._
- [capOS SDK and Dual Transport](backlog/capos-sdk-dual-transport.md) — _capOS front-door SDK crate with a transport abstraction for in-system and remote clients, plus crate-namespace publication._
- [capos-service](proposals/capos-service-proposal.md) — _Userspace service framework (Rust crate `capos-service`) for lifecycle, endpoint loops, readiness, shutdown, metrics, context, and resource hooks._
- [Cloudflare, Cap'n Proto, Workers RPC, and Cap'n Web](research/cloudflare-capnproto-workers.md) — _Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap'n Web, and Cloudflare's production use of Cap'n Proto/KJ._
- [Go Runtime](proposals/go-runtime-proposal.md) — _Go runtime plan for GOOS=capos, memory growth, TLS, scheduling, and networking._
- [IX-on-capOS Hosting](research/ix-on-capos-hosting.md) — _IX as a package corpus, content-addressed build/store model, and a capability-native build-service surface for capOS._
- [Language Support Status and Plans](programming-languages.md) — _Current and planned programming-language support on capOS._
- [Linux Sandboxes and Virtualization for Workloads](research/linux-sandboxes-virtualization.md) — _Linux sandbox, container, gVisor, KVM, microVM, and CPU-isolation prior art for generic Linux workload execution._
- [LLVM Target](research/llvm-target.md) — _Custom LLVM target triple requirements: kernel on x86_64-unknown-none, userspace on x86_64-unknown-capos; calling conventions, TLS, relocations, and Go/C runtime porting._
- [Lua Scripting](proposals/lua-scripting-proposal.md) — _Capability-scoped Lua runner with curated libraries and explicit grants._
- [POSIX Adapter](proposals/posix-adapter-proposal.md) — _POSIX compatibility adapter (libcapos-posix) over the libcapos C-ABI substrate, with smallest-deps POSIX shell and DNS resolver as the first ports._
- [POSIX Adapter Dash Port](backlog/posix-adapter-dash-port.md) — _POSIX adapter Phase P1.4 (dash port) backlog -- libcapos-posix file/dir/stdio/env/printf surface, dash vendoring + per-call-site patch, and the run-posix-shell-smoke harness._
- [Runtime, Networking, and Shell](backlog/runtime-network-shell.md) — _Runtime/network/shell backlog._
- [Scientific Agent-Lab Software Stack](research/scientific-agent-lab-stack.md) — _Scientific computing, solver, proof-assistant, notebook, and reproducible-package prior art for a capOS-hosted LLM research lab._
- [Scientific Standard Package and Agent Lab Capabilities](proposals/scientific-capabilities-package-proposal.md) — _Scientific standard package and agent-lab capability services for CAS, solvers, proof assistants, notebooks, and reproducible research environments._
- [Userspace Binaries](proposals/userspace-binaries-proposal.md) — _Native userspace binary model, capos-rt authority handling, language runtimes, and compatibility adapters._
- [Userspace Runtime](architecture/userspace-runtime.md) — _capos-rt entry ABI, heap, CapSet lookup, ring client, and typed userspace capability clients._
- [WASI Host Adapter](proposals/wasi-host-adapter-proposal.md) — _WASI host adapter as a userspace process whose imports are backed by typed capOS capabilities. Phase W.1 host-runtime scaffold landed 2026-05-05 19:12 UTC; Phase W.2 sub-slice 1 (wasm-host binary + empty-instantiation smoke + userspace-image budget bump) landed 2026-05-06 20:19 UTC; Phase W.2 sub-slice 2 (Preview 1 stdout-only imports plus probe-driven nosys=52 proof) landed 2026-05-07 08:03 UTC; Phase W.2 sub-slice 3 (Rust `hello, wasi` smoke + manifest-payload load path) landed 2026-05-07 09:36 UTC; Phase W.2 sub-slice 4 (C `hello, wasi` smoke) landed 2026-05-07 10:53 UTC and closes Phase W.2; Phase W.3 (per-instance CapSet plumbing + LaunchParameters bounded-text argv grant + wasi-cli-args smoke) landed 2026-05-07 18:25 UTC; Phase W.4 (`random_get` production-ready against the kernel `EntropySource` cap + wasi-random granted/ungranted smokes) landed 2026-05-07 20:09 UTC. A 2026-05-13 compatibility-import smoke promotes authority-free Preview 1 imports (`clock_res_get(MONOTONIC)`, `sched_yield`, and stdio fd metadata/seek behavior); a 2026-05-13 bounded environment grant reflects `initConfig.init.wasiEnv` through `environ_get` / `environ_sizes_get`, with `make wasi-env-negative-check` covering count, per-entry, total-byte, and interior-NUL rejection; the refusal smoke (`make run-wasi-preview1-refusals`) proves nine representative blocked filesystem/socket imports fail closed with `ERRNO_NOSYS = 52` (extended 2026-05-13 21:15 UTC to cover `fd_pread`, `fd_pwrite`, `path_create_directory`, `sock_shutdown` in addition to the original five). Open Questions §1 (per-instance vs per-process) and §3 (`poll_oneoff` semantics) resolved 2026-05-13 16:46 UTC; §6 (`environ_get` source) and §7 (`args_get` source) reclassified as resolved by Phase W.3 with the bounded manifest-text grants. 
W.5 (filesystem) closed 2026-05-17 05:42 UTC: the wasm-host installs the manifest-granted root `Directory` cap (CapSet slot `root`) as a single Preview 1 preopen at fd 3 (`/preopen-0`) and implements `path_open`, `fd_read`, `fd_write`, `fd_seek`, `fd_close`, `fd_filestat_get`, `fd_prestat_get`, and `fd_prestat_dir_name` against the kernel `Directory` / `File` cap interface in `capos-wasm/src/wasi/fs.rs` (POSIX P1.4 Slice 4 resolver shape); `fd_readdir` over the preopen `Directory.list` landed 2026-05-24 08:44 UTC; `fd_tell` (host-side position read) and `fd_filestat_set_size` (over `File.truncate`) landed 2026-05-24 09:34 UTC, completing the File-cap method triad with no schema change; `path_create_directory` and `path_remove_directory` (over `Directory.mkdir`/`remove`, same preopen sandbox, no schema change) landed 2026-05-24 10:09 UTC; `fd_pread` and `fd_pwrite` landed 2026-05-30 14:49 UTC as positional I/O over the host `File` cap (no schema change -- `File.read`/`File.write` already carry an explicit offset), using the WASI-supplied offset and leaving the fd's stream position untouched (the positional-I/O invariant). `path_filestat_get` and `path_unlink_file` landed 2026-05-30 as path-resolved metadata/removal over the host `File.stat` / `Directory.remove` caps (no schema change), leaving only `path_filestat_set_times`, `path_rename`, and the symlink/link family fail-closed. 
The `make run-wasi-fs` smoke (`system-wasi-fs.cue`, `demos/wasi-fs/`, `tools/qemu-wasi-fs-smoke.sh`) completes a full `path_open(CREAT+TRUNC)` / `fd_write` / `fd_close` / re-open / `fd_filestat_get` / `fd_seek` / `fd_read` round trip, asserts the preopen sandbox refuses absolute paths and `..` segments with `ERRNO_NOTCAPABLE = 76`, proves the positional `fd_pwrite`/`fd_pread` round trip leaves the offset unchanged plus the negative-offset and stdio refusals, and stats `smoke.txt` by path (size 4, regular-file type) before unlinking it; the existing `make run-wasi-preview1-refusals` smoke continues to pass with W.5-split errnos (`path_open` / `fd_prestat_get` / `fd_read` / `path_create_directory` / `fd_pread` / `fd_pwrite` / `path_filestat_get` / `path_unlink_file` now return `ERRNO_BADF = 8` against an absent preopen, only the socket imports stay at `ERRNO_NOSYS = 52`). `Store` / `Namespace` integration remains deferred. W.6 (sockets) remains blocked on the userspace network stack. W.7 (Component Model) and W.8 (TinyGo / Go-on-WASI CUE evaluator) remain blocked on the std-userspace decision._

## Shells and Interactive Surfaces

- [Boot to Shell](proposals/boot-to-shell-proposal.md) — _Login, setup, session, credential, and broker path from boot into the native shell._
- [Browser Capability and Agent Web Sessions](proposals/browser-capability-proposal.md) — _Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services._
- [Browser Engines, Document Engines, and Agent Browsers](research/browser-engines-and-agent-browsers.md) — _Browser engine portability, cap-native document-engine options, and agent-browser patterns for capOS browser capabilities._
- [capOS-Hosted Agent Swarms](proposals/hosted-agent-swarm-proposal.md) — _capOS-hosted OpenClaw-like personal agents, agent swarms, harness controls, memory, retrieval, and research agenda._
- [Chat As Multimedia Substrate](proposals/chat-multimedia-substrate-proposal.md) — _Chat as unified text/audio/video multimedia transport across human, agent, and service participants, with listener-cap delivery and a clean WebRTC mapping._
- [Default User Avatar](proposals/default-user-avatar-proposal.md) — _Deterministic default user avatar derived from a stable account identifier, with explicit user override._
- [Interactive Command Surfaces](proposals/interactive-command-surface-proposal.md) — _Structured command-session model for native interactive applications over typed invocations._
- [Language Models and Agent Runtime](proposals/llm-and-agent-proposal.md) — _Language-model, embedder, agent-runner, and browser-agent capability interfaces._
- [Realtime Voice Agent Shell](proposals/realtime-voice-agent-shell-proposal.md) — _Realtime audio agent shell model across browser media, provider sessions, and brokered tools._
- [Remote Session CapSet Clients](proposals/remote-session-capset-client-proposal.md) — _Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap'n Proto RPC._
- [Schema Registry](proposals/schema-registry-proposal.md) — _A SchemaRegistry capability that serves Cap'n Proto reflection metadata -- interface IDs, method names and ordinals, parameter/result layouts, and doc comments -- at runtime, as the machine-readable twin of the System Manual._
- [Shell](proposals/shell-proposal.md) — _Native, agent-oriented, and POSIX shell models over explicit capability grants._
- [SSH Shell Gateway](proposals/ssh-shell-proposal.md) — _SSH terminal gateway design preserving TerminalSession and broker-issued shell boundaries._
- [Stateful Task and Job Graphs](proposals/stateful-task-job-graphs-proposal.md) — _Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object._
- [System Info Capability](proposals/system-info-proposal.md) — _SystemInfo capability for MOTD, hostname, host metadata, help topics, and shell bundle integration._
- [System Manual Capability](proposals/system-manual-proposal.md) — _A built-in man-pages analog: the Manual capability serves Unix-style reference pages, schema-derived interface manuals, and a man-shaped reference corpus through the shell, the self-served web UI, and a typed capnp API._
- [Telnet over TLS Shell](proposals/telnet-tls-shell-proposal.md) — _Optional TLS-protected Telnet TerminalSession gateway with client certificates and credential fallback._

## Networking

- [Azure MANA](devices/azure-mana.md) — _Provenance map for the Azure MANA NIC / GDMA wire logic - spec basis, implemented host-conformance wire-format subset, and capOS authority mapping._
- [Browser Capability and Agent Web Sessions](proposals/browser-capability-proposal.md) — _Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services._
- [capOS SDK and Dual Transport](backlog/capos-sdk-dual-transport.md) — _capOS front-door SDK crate with a transport abstraction for in-system and remote clients, plus crate-namespace publication._
- [capos-service](proposals/capos-service-proposal.md) — _Userspace service framework (Rust crate `capos-service`) for lifecycle, endpoint loops, readiness, shutdown, metrics, context, and resource hooks._
- [Chat As Multimedia Substrate](proposals/chat-multimedia-substrate-proposal.md) — _Chat as unified text/audio/video multimedia transport across human, agent, and service participants, with listener-cap delivery and a clean WebRTC mapping._
- [Cloud DMA Provider Evidence Inventory](research/cloud-dma-provider-evidence.md) — _Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision._
- [Cloudflare, Cap'n Proto, Workers RPC, and Cap'n Web](research/cloudflare-capnproto-workers.md) — _Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap'n Web, and Cloudflare's production use of Cap'n Proto/KJ._
- [GCE gVNIC](devices/gvnic.md) — _Provenance map for the GCE gVNIC (Google Virtual Ethernet) NIC - spec basis from the public gVNIC docs and the GVE Linux driver, the wire-format subset capOS exercises today, and the bounded Nic-cap adaptation proof. capOS has live-GCE inventory, admin-queue/register, raw-frame GQI/QPL TX/RX, and typed Nic-adaptation proofs, but no reusable gVNIC provider service or host conformance suite yet._
- [Google Drive Storage Backend](proposals/drive-storage-backend-proposal.md) — _Use a Google-authenticated user's Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later._
- [Network Usability and Post-smoltcp](backlog/network-usability-post-smoltcp.md) — _Network usability, resolver, diagnostics, and post-smoltcp backlog._
- [Network-Reachable Datapath Scope Decision](proposals/network-reachable-datapath-scope-decision.md) — _Scope decision recording that the real-GCE-boot milestone's reachable-network-stack requirement means raw-frame TX/RX (Option A), not L4 sockets, grounded in what the billable cloudboot harness actually gates on._
- [Networking](proposals/networking-proposal.md) — _Network capability architecture from virtio-net smoke to TCP sockets and terminal handoff._
- [Phase C Userspace NIC Driver Relocation](proposals/phase-c-userspace-nic-driver-relocation.md) — _Phase C design for relocating the virtio-net driver into userspace: the cap-surface delta, the inline-`Data` Nic ABI (matching the networking-proposal draft), the writable selected-write common-config window (an extension of the accepted notify-doorbell discipline; slice 1 landed 2026-06-02 20:30 UTC at c9518b2d), the userspace-vring slice that reuses the landed production DMA isolation (bounce policy + dma_backend probe + IOMMU IOVA-export), the sustained-receive `Nic` ABI design used by the multi-frame TCP path, the selected serve-from-userspace 7c-ii(b) socket-authority proof, and retirement of the non-qemu legacy kernel socket grant path._
- [Pingora](research/pingora.md) — _Proxy/server framework as a userspace runtime case study._
- [Remote Session CapSet Client](backlog/remote-session-capset-client.md) — _Remote session CapSet client backlog._
- [Remote Session CapSet Clients](proposals/remote-session-capset-client-proposal.md) — _Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap'n Proto RPC._
- [Spritely, OCapN, and CapTP](research/spritely-captp-ocapn.md) — _Spritely, OCapN, CapTP, netlayers, locators, Syrup, promise pipelining, handoffs, and capability-network lessons for capOS._
- [SSH Shell Gateway](proposals/ssh-shell-proposal.md) — _SSH terminal gateway design preserving TerminalSession and broker-issued shell boundaries._
- [Telnet over TLS Shell](proposals/telnet-tls-shell-proposal.md) — _Optional TLS-protected Telnet TerminalSession gateway with client certificates and credential fallback._
- [virtio-net](devices/virtio-net.md) — _Provenance map for the in-tree modern virtio-net PCI NIC - spec basis, implemented wire-format subset, and capOS authority binding._

## Storage, Persistence, and Naming

- [Cloud DMA Provider Evidence Inventory](research/cloud-dma-provider-evidence.md) — _Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision._
- [Google Drive Storage Backend](proposals/drive-storage-backend-proposal.md) — _Use a Google-authenticated user's Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later._
- [Hardware Audit Log Persistence](proposals/hardware-audit-persistence-proposal.md) — _Durable, tamper-evident persistence and admission policy for the hardware audit log._
- [Hardware, Boot, and Storage](backlog/hardware-boot-storage.md) — _Hardware bring-up backlog._
- [Installable System](backlog/installable-system.md) — _Ordered implementation track turning the installable-system proposal into work grounded in the landed BlockDevice/filesystem/Store/writable-persistence/disk-image contracts._
- [Installable System](proposals/installable-system-proposal.md) — _Design for an installed, persistent capOS that boots from disk and keeps mutable system configuration across reboots, composed with the immutable boot manifest._
- [IX-on-capOS Hosting](research/ix-on-capos-hosting.md) — _IX as a package corpus, content-addressed build/store model, and a capability-native build-service surface for capOS._
- [Standard App Capabilities](proposals/standard-app-capabilities-proposal.md) — _Per-app AppData storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as standard app-facing capabilities._
- [Stateful Task and Job Graphs](proposals/stateful-task-job-graphs-proposal.md) — _Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object._
- [Storage and Naming](proposals/storage-and-naming-proposal.md) — _Capability-native storage, namespaces, boot packages, volumes, and persistence model._
- [Volume Encryption](proposals/volume-encryption-proposal.md) — _Encryption-at-rest model for system and user volumes with recovery and KMS options._

## Identity, Policy, and User Accounts

- [Configuration](configuration.md) — _How operators extend the default capOS boot manifest with a gitignored `system.local.cue` overlay and convert CUE-authored data to specified Cap'n Proto schemas._
- [Default User Avatar](proposals/default-user-avatar-proposal.md) — _Deterministic default user avatar derived from a stable account identifier, with explicit user override._
- [Delegated Subject Context](proposals/delegated-subject-context-proposal.md) — _Future delegated-subject and act-on-behalf-of capability model._
- [Formal MAC/MIC](proposals/formal-mac-mic-proposal.md) — _Formal mandatory access and integrity model for future policy and proof work._
- [Google Drive Storage Backend](proposals/drive-storage-backend-proposal.md) — _Use a Google-authenticated user's Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later._
- [Local Users, Storage, and Policy](backlog/local-users-management.md) — _Identity/local-user backlog._
- [OIDC and OAuth2](proposals/oidc-and-oauth2-proposal.md) — _Federated login, OAuth2 clients, token capabilities, JWKS, DPoP, and broker integration._
- [Rejected: Endpoint Badges as Service Identity](proposals/rejected-endpoint-badges-proposal.md) — _Post-mortem of the rejected seL4-style endpoint badge service identity model._
- [Remote Session CapSet Client](backlog/remote-session-capset-client.md) — _Remote session CapSet client backlog._
- [Remote Session CapSet Clients](proposals/remote-session-capset-client-proposal.md) — _Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap'n Proto RPC._
- [Service Object Identity Migration](backlog/service-object-identity-migration.md) — _Superseded large-chunk migration plan for service object identity, retained as historical context after the active direction changed to session-bound invocation context._
- [Session Context](architecture/session-context.md) — _Current session-bound invocation context, endpoint caller-session metadata, disclosure, transfer-scope, and liveness rules._
- [Session-Bound Invocation Context](backlog/session-bound-invocation-context.md) — _Implementation plan for one-session-per-process invocation context and session-keyed shared services._
- [Session-Bound Invocation Context](proposals/session-bound-invocation-context-proposal.md) — _Session-bound invocation context and privacy-aware disclosure model replacing service-object identity migration._
- [Standard App Capabilities](proposals/standard-app-capabilities-proposal.md) — _Per-app AppData storage, a user-mediated powerbox/file-picker grant, and attenuated capability sharing as standard app-facing capabilities._
- [System Configuration and Operator Extensibility](proposals/system-configuration-proposal.md) — _Layered CUE configuration model for operator boot-manifest overlays, host-user injection, and per-user toolchain caches._
- [User Identity and Policy](proposals/user-identity-and-policy-proposal.md) — _User, session, profile, RBAC/ABAC/MAC, and policy-layer model for capability grants._

## Cryptography, Certificates, and Trust

- [Certificates / TLS](backlog/certificates-tls.md) — _Bounded implementation slice chain for the certificates/TLS track, from vendored verifier crates to a capOS-terminated Web UI endpoint._
- [Certificates and TLS](proposals/certificates-and-tls-proposal.md) — _Capability-native X.509, trust store, ACME, pinning, and TLS configuration model._
- [Cryptography and Key Management](proposals/cryptography-and-key-management-proposal.md) — _Capability model for keys, signing, encryption, vaults, entropy, and cryptographic policy._
- [Google Drive Storage Backend](proposals/drive-storage-backend-proposal.md) — _Use a Google-authenticated user's Drive as a capOS storage backend behind the standard storage caps, via a browser-transport near-term path and a native OAuth2/HTTP/TLS backend later._
- [Hardware Audit Log Persistence](proposals/hardware-audit-persistence-proposal.md) — _Durable, tamper-evident persistence and admission policy for the hardware audit log._
- [OIDC and OAuth2](proposals/oidc-and-oauth2-proposal.md) — _Federated login, OAuth2 clients, token capabilities, JWKS, DPoP, and broker integration._
- [Telnet over TLS Shell](proposals/telnet-tls-shell-proposal.md) — _Optional TLS-protected Telnet TerminalSession gateway with client certificates and credential fallback._
- [Time and Clock Authority](proposals/time-and-clock-proposal.md) — _Capability-native wall-clock authority with provenance labeling, clock discipline, and trusted timestamps for audit and TLS._
- [Volume Encryption](proposals/volume-encryption-proposal.md) — _Encryption-at-rest model for system and user volumes with recovery and KMS options._

## Security and Verification

- [ABI Evolution Policy](abi-evolution-policy.md) — _Compatibility policy for capOS schema and ring ABIs._
- [AWS Nitro EBS (NVMe storage)](devices/aws-nvme.md) — _Provenance map for the AWS Nitro EBS NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, and the capOS cloud-shape classification plus DMA-backend policy it binds onto._
- [Azure managed disk (NVMe storage)](devices/azure-disk.md) — _Provenance map for the Azure managed-disk NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, why the older-family virtio-scsi path is out of scope, and the capOS cloud-shape classification plus DMA-backend policy it binds onto._
- [Cloud DMA Provider Evidence Inventory](research/cloud-dma-provider-evidence.md) — _Official AWS/Azure/GCP device-surface facts, an evidence-matrix schema, a live guest-probe checklist, and classification rules for the cloud DMA backend decision._
- [Cloud Driver Foundation Gap Analysis](proposals/cloud-driver-foundation-gap-analysis.md) — _Gap analysis between the existing userspace virtio driver foundation and the blocked cloud NIC/storage driver tasks: what is already proven, the narrow per-task remaining work, and the superseded live-NIC runnable-now claim._
- [Debug and Trace Authority](proposals/debug-trace-authority-proposal.md) — _Capability-scoped debug session attach, read-only cap-table inspection, ring-trace replay, and sampler authority without ambient process inspection._
- [Device Manager Refactor](proposals/device-manager-refactor-proposal.md) — _Refactor direction for separating the kernel device authority ledger from QEMU proof scaffolding._
- [DMA Assurance Model](proposals/dma-assurance-model-proposal.md) — _Assurance model for DMA authority, backend selection, and proof obligations._
- [DMA Isolation](dma-isolation-design.md) — _DMA isolation model for device memory, IOMMU policy, and capability-scoped hardware access._
- [DMA User-Space Driver Isolation](research/dma-userspace-driver-isolation.md) — _DMA, user-space driver, vIOMMU, and no-IOMMU bounce-buffer design consequences for capOS device authority._
- [Error Handling](architecture/error-handling.md) — _Current error model for capability ring CQE status, CapException payloads, endpoint RETURN exceptions, and ordinary schema result unions._
- [Formal MAC/MIC](proposals/formal-mac-mic-proposal.md) — _Formal mandatory access and integrity model for future policy and proof work._
- [Full-Scope Review 2026-06-09](backlog/full-scope-review-2026-06-09.md) — _Findings ledger and decomposition source for the 2026-06-09 full-scope review of the tree at 50e8eaba (review base bb776326e, 2026-05-23)._
- [GCP Persistent Disk (storage)](devices/gcp-storage.md) — _Provenance map for the GCP Persistent Disk storage shape - virtio-scsi vs NVMe families, the standard-NVMe wire subset it shares with docs/devices/nvme.md, the capOS cloud-shape classification, the DMA-backend policy on no-IOMMU GCE shapes, the local production brokered NVMe provider chain, and the bounded live-GCE NVMe Persistent Disk read proof._
- [IOMMU Remapping Grounding](research/iommu-remapping.md) — _Primary-source grounding for Intel VT-d (landed under cfg(qemu)), AMD-Vi, and QEMU IOMMU remapping work._
- [Memory Authority Model](backlog/memory-authority-model.md) — _Memory authority model backlog._
- [Memory Authority Model](proposals/memory-authority-model-proposal.md) — _Memory authority, residency classes, mapping consistency, OOM boundaries, and proof obligations._
- [NVMe](devices/nvme.md) — _Provenance map for the NVMe controller wire subset capOS touches - conditional Model B validator scan targets, the read-only userspace bind, the reset-only CC selected-write claim, the no-IOMMU manager-op controller enable through the brokeredNvmeControllerEnable @6 verb, the no-IOMMU manager-op admin IDENTIFY through the brokeredNvmeAdminIdentify @7 verb, the brokered admin SQ/CQ doorbell + IDENTIFY command, the split admin SUBMIT @8 / COMPLETE @9 verbs whose completion handoff runs through a cap-waiter Interrupt.wait/acknowledge MSI-X route, the brokered I/O queue pair + bounded READ including one live-GCE Persistent Disk proof, and the dedicated BlockDevice data-completion Interrupt route - with spec basis and capOS authority mapping._
- [NVMe Model B Doorbell DMA Validator](proposals/nvme-model-b-doorbell-dma-validator.md) — _Conditional DMA-address ownership model for the userspace NVMe storage provider: provider-written queue-base and PRP/SGL addresses require a non-host-physical device-visible namespace; no-IOMMU GCP planning must use brokered bounce address publication instead._
- [Panic Surface Inventory](panic-surface-inventory.md) — _Panic/unwrap/expect inventory._
- [Public Release and Maintainer Boundaries](proposals/public-release-boundaries-proposal.md) — _Public release posture, maintainer boundaries, issue intake, and repository hygiene gates._
- [Remote Session UI Security](proposals/remote-session-ui-security-proposal.md) — _Web-security hardening posture for the trusted local remote-session-ui bridge, the capOS-served Web UI, public-origin carry-over policy, and the Tauri desktop wrapper._
- [Repository Composition](proposals/repository-composition-proposal.md) — _Repository scope, sibling project split criteria, and cross-repository organization plan._
- [Security and Verification](backlog/security-verification.md) — _Security/verification backlog._
- [Security and Verification](proposals/security-and-verification-proposal.md) — _Security review vocabulary, trust-boundary checklist, and verification tracks for capOS._
- [Security Verification Track Registry](security-verification-track-registry.md) — _Manual reference for Security Verification Track labels._
- [Session Archive & Gantt Effort](proposals/session-archive-and-gantt-effort-proposal.md) — _A pipeline to collect, normalize, and archive per-task effort data from the run-telemetry log and agent session transcripts, enabling development timeline visualization and task-duration prediction._
- [Trust Boundaries](security/trust-boundaries.md) — _The reviewer's authority-boundary inventory._
- [Trusted Build Inputs](trusted-build-inputs.md) — _Trusted toolchain inventory._
- [Verification Workflow](security/verification-workflow.md) — _The verification gates used by capOS._

## Services, Operations, and Monitoring

- [Benchmarks](benchmarks.md) — _Current benchmark policy and results._
- [Capability-Infrastructure Cluster](backlog/capability-infrastructure-cluster.md) — _Decomposition of the near-term capability-infrastructure cluster: matured proposals and Stage 6 remainder that share the schema serial surface._
- [capos-service](proposals/capos-service-proposal.md) — _Userspace service framework (Rust crate `capos-service`) for lifecycle, endpoint loops, readiness, shutdown, metrics, context, and resource hooks._
- [Cloud Deployment](proposals/cloud-deployment-proposal.md) — _Cloud VM deployment plan covering hardware abstraction, storage, networking, and aarch64._
- [Cloud Metadata](proposals/cloud-metadata-proposal.md) — _Cloud metadata and config-drive bootstrap through scoped configuration capabilities._
- [Configuration](configuration.md) — _How operators extend the default capOS boot manifest with a gitignored `system.local.cue` overlay and convert CUE-authored data to specified Cap'n Proto schemas._
- [Crash Recovery and Supervision](proposals/crash-recovery-supervision-proposal.md) — _Unplanned-failure detection, stale-cap propagation, structured crash records, watchdog liveness, and bounded restart policy for capOS services._
- [Debug and Trace Authority](proposals/debug-trace-authority-proposal.md) — _Capability-scoped debug session attach, read-only cap-table inspection, ring-trace replay, and sampler authority without ambient process inspection._
- [Hardware Audit Log Persistence](proposals/hardware-audit-persistence-proposal.md) — _Durable, tamper-evident persistence and admission policy for the hardware audit log._
- [HPC Parallel Processing Patterns](proposals/hpc-parallel-patterns-proposal.md) — _Generic single-node and multi-node parallel processing patterns for HPC-style benchmark coverage._
- [Live Upgrade](proposals/live-upgrade-proposal.md) — _Service replacement, capability retargeting, quiesce/resume, and in-flight call handling._
- [Rejected: Endpoint Badges as Service Identity](proposals/rejected-endpoint-badges-proposal.md) — _Post-mortem of the rejected seL4-style endpoint badge service identity model._
- [Scientific Standard Package and Agent Lab Capabilities](proposals/scientific-capabilities-package-proposal.md) — _Scientific standard package and agent-lab capability services for CAS, solvers, proof assistants, notebooks, and reproducible research environments._
- [Service Architecture](proposals/service-architecture-proposal.md) — _Capability-based service composition, authority-at-spawn, exports, and service graph policy._
- [Session Context](architecture/session-context.md) — _Current session-bound invocation context, endpoint caller-session metadata, disclosure, transfer-scope, and liveness rules._
- [Session-Bound Invocation Context](proposals/session-bound-invocation-context-proposal.md) — _Session-bound invocation context and privacy-aware disclosure model replacing service-object identity migration._
- [Stateful Task and Job Graphs](proposals/stateful-task-job-graphs-proposal.md) — _Durable stateful task and job graphs for init orchestration, package builds, operator work, and notebook-style run stories without creating a god object._
- [Superseded: Service Object Capabilities](proposals/service-object-capabilities-proposal.md) — _Superseded service-minted object capability model that was replaced by session-bound invocation context._
- [System Configuration and Operator Extensibility](proposals/system-configuration-proposal.md) — _Layered CUE configuration model for operator boot-manifest overlays, host-user injection, and per-user toolchain caches._
- [System Monitoring](proposals/system-monitoring-proposal.md) — _Capability-scoped logs, metrics, health checks, traces, crash records, and status views._
- [System Performance Benchmarks](proposals/system-performance-benchmarks-proposal.md) — _Correctness-gated benchmark model for primitives, workloads, and user stories._
- [Time and Clock Authority](proposals/time-and-clock-proposal.md) — _Capability-native wall-clock authority with provenance labeling, clock discipline, and trusted timestamps for audit and TLS._

## AI, Agents, GPU, and Robotics

- [Browser Capability and Agent Web Sessions](proposals/browser-capability-proposal.md) — _Browser profiles, cap-native document engines, visual browsing, and agent/shell browser sessions as capability-scoped services._
- [Browser Engines, Document Engines, and Agent Browsers](research/browser-engines-and-agent-browsers.md) — _Browser engine portability, cap-native document-engine options, and agent-browser patterns for capOS browser capabilities._
- [capOS Agentic Development Experiment](proposals/agentic-development-experiment-proposal.md) — _Longitudinal study design for using capOS development sessions, subagents, reviews, and recap tooling as an agentic software-engineering experiment._
- [capOS As A Robot Brain](proposals/robot-brain-proposal.md) — _Robotics service graph, actuator gateway, safety monitor, realtime island, and ROS bridge model._
- [capOS Repository Harness Engineering](proposals/capos-repo-harness-engineering-proposal.md) — _Repository-local harness engineering for making capOS legible, checkable, and safer for long-running coding agents._
- [capOS-Hosted Agent Swarms](proposals/hosted-agent-swarm-proposal.md) — _capOS-hosted OpenClaw-like personal agents, agent swarms, harness controls, memory, retrieval, and research agenda._
- [Chat As Multimedia Substrate](proposals/chat-multimedia-substrate-proposal.md) — _Chat as unified text/audio/video multimedia transport across human, agent, and service participants, with listener-cap delivery and a clean WebRTC mapping._
- [Enterprise Agent Game Showcase](proposals/enterprise-agent-game-proposal.md) — _Enterprise agent-management showcase through a capability-scoped business simulation game._
- [GPU Capability](proposals/gpu-capability-proposal.md) — _Capability-oriented GPU access, driver isolation, memory sharing, and CUDA-style compute model._
- [Hosted Agent Harnesses](research/hosted-agent-harnesses.md) — _OpenClaw-like harnesses, swarms, memory/wiki systems, and agent orchestration research for capOS-hosted agents._
- [Language Models and Agent Runtime](proposals/llm-and-agent-proposal.md) — _Language-model, embedder, agent-runner, and browser-agent capability interfaces._
- [Linux Sandboxes and Virtualization for Workloads](research/linux-sandboxes-virtualization.md) — _Linux sandbox, container, gVisor, KVM, microVM, and CPU-isolation prior art for generic Linux workload execution._
- [Multimedia Pipeline Latency](research/multimedia-pipeline-latency.md) — _Research note._
- [NO_HZ, SQPOLL, and Realtime Scheduling](research/nohz-sqpoll-realtime.md) — _Linux NO_HZ, io_uring SQPOLL, CPU isolation, PREEMPT_RT, SCHED_DEADLINE, and seL4 MCS grounding for capOS timer and realtime design._
- [Realtime Multimodal Agent APIs](research/realtime-multimodal-agent-apis.md) — _Research note._
- [Realtime Voice Agent Shell](proposals/realtime-voice-agent-shell-proposal.md) — _Realtime audio agent shell model across browser media, provider sessions, and brokered tools._
- [Robotics Realtime Control](research/robotics-realtime-control.md) — _Research note._
- [Scientific Agent-Lab Software Stack](research/scientific-agent-lab-stack.md) — _Scientific computing, solver, proof-assistant, notebook, and reproducible-package prior art for a capOS-hosted LLM research lab._
- [Scientific Standard Package and Agent Lab Capabilities](proposals/scientific-capabilities-package-proposal.md) — _Scientific standard package and agent-lab capability services for CAS, solvers, proof assistants, notebooks, and reproducible research environments._
- [Small LLM Survey](research/small-llm-survey.md) — _Model candidates for the on-ISO local LLM._
- [Tickless and Realtime Scheduling](proposals/tickless-realtime-scheduling-proposal.md) — _Tickless idle, SQPOLL nohz CPU isolation, request deadlines, scheduling contexts, and realtime islands._

## Demos, Onboarding, and Contributor Surfaces

- [Aurelian Frontier](backlog/aurelian-frontier.md) — _Aurelian Frontier game-depth backlog._
- [Aurelian Frontier](proposals/aurelian-frontier-proposal.md) — _Capability-native Aurelian Frontier game design, mission model, content pipeline, and QEMU proof slice._
- [Aurelian Frontier (proof slice)](demos/adventure.md) — _Multi-process Aurelian Frontier smoke proof._
- [Contributor Quest Mechanics](proposals/contributor-quest-mechanics-proposal.md) — _Contributor reward mechanics layered on Aurelian Frontier without granting repository authority._
- [Enterprise Agent Game Showcase](proposals/enterprise-agent-game-proposal.md) — _Enterprise agent-management showcase through a capability-scoped business simulation game._
- [First Chat Demo](demos/chat.md) — _Smallest resident-service proof._
- [Game Mechanics Prior Art](research/game-mechanics-prior-art.md) — _Grounded mechanics research for Aurelian Frontier seasonal play, markets, construction, and tactical combat._
- [Paperclips Terminal Demo](demos/paperclips.md) — _Clean-room incremental terminal demo._
- [Paperclips Terminal Demo](backlog/paperclips.md) — _Paperclips terminal demo backlog and content migration notes._
- [Shared-Service Demos](backlog/shared-service-demos.md) — _Demo backlog._

## Build, Tooling, and Documentation Site

- [ABI Evolution Policy](abi-evolution-policy.md) — _Compatibility policy for capOS schema and ring ABIs._
- [Build, Boot, and Test](build-run-test.md) — _Build, ISO, QEMU, host-test commands._
- [capOS Agentic Development Experiment](proposals/agentic-development-experiment-proposal.md) — _Longitudinal study design for using capOS development sessions, subagents, reviews, and recap tooling as an agentic software-engineering experiment._
- [capOS Repository Harness Engineering](proposals/capos-repo-harness-engineering-proposal.md) — _Repository-local harness engineering for making capOS legible, checkable, and safer for long-running coding agents._
- [Current Design Authority](architecture/design-authority.md) — _Current-design authority map and proposal lifecycle rule for keeping implemented behavior out of archival proposal records._
- [Documentation Workflow](documentation-workflow.md) — _How the mdBook site and generated PDF manual are positioned and built._
- [mdBook Documentation Site](proposals/mdbook-docs-site-proposal.md) — _Documentation-site structure, metadata, status vocabulary, and curation workflow._
- [Repository Composition](proposals/repository-composition-proposal.md) — _Repository scope, sibling project split criteria, and cross-repository organization plan._
- [Repository Map](repo-map.md) — _Source-tree subsystem index._
- [Schema Registry](proposals/schema-registry-proposal.md) — _A SchemaRegistry capability that serves Cap'n Proto reflection metadata -- interface IDs, method names and ordinals, parameter/result layouts, and doc comments -- at runtime, as the machine-readable twin of the System Manual._
- [System Manual Capability](proposals/system-manual-proposal.md) — _A built-in man-pages analog: the Manual capability serves Unix-style reference pages, schema-derived interface manuals, and a man-shaped reference corpus through the shell, the self-served web UI, and a typed capnp API._
- [Trusted Build Inputs](trusted-build-inputs.md) — _Trusted toolchain inventory._

## Research and Papers

- [Crash Recovery and Supervision](research/crash-recovery-supervision.md) — _Prior-art survey of crash recovery and supervision for the Crash Recovery proposal._
- [Debug, Trace, and Profiling Authority](research/debug-trace-authority.md) — _Prior-art survey of debug/trace/profile authority for the Debug and Trace proposal._
- [Papers](papers.md) — _Long-form research write-ups._
- [Research](research/index.md) — _Index of research deep-dive reports informing capOS design._
- [seL4 HAMR](research/sel4-hamr.md) — _Evaluation of seL4 HAMR (AADL/Slang/CAmkES) versus the capOS Cap'n Proto schema-as-contract model._
- [Time and Clock Authority](research/time-and-clock-authority.md) — _Prior-art survey of OS time/clock authority for the Time and Clock proposal._

## Prior Art and Comparative OS Research

- [Capability-Based and Microkernel Operating Systems Survey](research/capability-systems-survey.md) — _Design consequences pulled from the survey._
- [Cloudflare, Cap'n Proto, Workers RPC, and Cap'n Web](research/cloudflare-capnproto-workers.md) — _Cloudflare Workers, workerd, Durable Objects, Workers RPC, Cap'n Web, and Cloudflare's production use of Cap'n Proto/KJ._
- [EROS, CapROS, Coyotos](research/eros-capros-coyotos.md) — _Persistent capability-system lineage._
- [Future Scheduler Architecture](research/future-scheduler-architecture.md) — _Survey of modern scheduler algorithms and architectures for capOS scheduler evolution._
- [Game Mechanics Prior Art](research/game-mechanics-prior-art.md) — _Grounded mechanics research for Aurelian Frontier seasonal play, markets, construction, and tactical combat._
- [Genode](research/genode.md) — _Genode OS Framework: capability-based component model, session routing, VFS plugin architecture, POSIX compatibility, and Sculpt OS -- with lessons for capOS._
- [HPC Parallel Patterns](research/hpc-parallel-patterns.md) — _HPC benchmark and programming-model grounding for generic parallel processing patterns._
- [Linux Sandboxes and Virtualization for Workloads](research/linux-sandboxes-virtualization.md) — _Linux sandbox, container, gVisor, KVM, microVM, and CPU-isolation prior art for generic Linux workload execution._
- [Out-of-Kernel Scheduling](research/out-of-kernel-scheduling.md) — _Prior art survey on kernel versus userspace CPU scheduling policy split, with capOS design implications._
- [Plan 9 and Inferno](research/plan9-inferno.md) — _Plan 9 and Inferno: per-process namespaces, 9P protocol, file-server-as-service pattern, Dis VM, and Limbo concurrency — applied to capOS capability composition and IPC design._
- [Scientific Agent-Lab Software Stack](research/scientific-agent-lab-stack.md) — _Scientific computing, solver, proof-assistant, notebook, and reproducible-package prior art for a capOS-hosted LLM research lab._
- [seL4](research/sel4.md) — _Microkernel and capability reference._
- [Spritely, OCapN, and CapTP](research/spritely-captp-ocapn.md) — _Spritely, OCapN, CapTP, netlayers, locators, Syrup, promise pipelining, handoffs, and capability-network lessons for capOS._
- [Zircon](research/zircon.md) — _Fuchsia Zircon kernel: handle-based capability model, channels, VMARs/VMOs, async ports, and FIDL -- with lessons for capOS capability dispatch, IPC, and memory design._

## Stage Backlogs and Long-Form Planning

- [Aurelian Frontier](backlog/aurelian-frontier.md) — _Aurelian Frontier game-depth backlog._
- [Capability-Infrastructure Cluster](backlog/capability-infrastructure-cluster.md) — _Decomposition of the near-term capability-infrastructure cluster: matured proposals and Stage 6 remainder that share the schema serial surface._
- [capOS SDK and Dual Transport](backlog/capos-sdk-dual-transport.md) — _capOS front-door SDK crate with a transport abstraction for in-system and remote clients, plus crate-namespace publication._
- [Certificates / TLS](backlog/certificates-tls.md) — _Bounded implementation slice chain for the certificates/TLS track, from vendored verifier crates to a capOS-terminated Web UI endpoint._
- [Cloud Driver Foundation Gap Analysis](proposals/cloud-driver-foundation-gap-analysis.md) — _Gap analysis between the existing userspace virtio driver foundation and the blocked cloud NIC/storage driver tasks: what is already proven, the narrow per-task remaining work, and the superseded live-NIC runnable-now claim._
- [Cloud Image Import and Serial-Console Boot](backlog/cloud-image-import.md) — _Cloud provider disk-image import and serial-console-boot notes._
- [Device Manager Refactor](proposals/device-manager-refactor-proposal.md) — _Refactor direction for separating the kernel device authority ledger from QEMU proof scaffolding._
- [Full-Scope Review 2026-06-09](backlog/full-scope-review-2026-06-09.md) — _Findings ledger and decomposition source for the 2026-06-09 full-scope review of the tree at 50e8eaba (review base bb776326e, 2026-05-23)._
- [Go VirtualMemory Contract](backlog/go-virtual-memory-contract.md) — _VirtualMemory cap contract for Go._
- [Hardware, Boot, and Storage](backlog/hardware-boot-storage.md) — _Hardware bring-up backlog._
- [Installable System](backlog/installable-system.md) — _Ordered implementation track turning the installable-system proposal into work grounded in the landed BlockDevice/filesystem/Store/writable-persistence/disk-image contracts._
- [Local Users, Storage, and Policy](backlog/local-users-management.md) — _Identity/local-user backlog._
- [Network Usability and Post-smoltcp](backlog/network-usability-post-smoltcp.md) — _Network usability, resolver, diagnostics, and post-smoltcp backlog._
- [NVMe Model B Doorbell DMA Validator](proposals/nvme-model-b-doorbell-dma-validator.md) — _Conditional DMA-address ownership model for the userspace NVMe storage provider: provider-written queue-base and PRP/SGL addresses require a non-host-physical device-visible namespace; no-IOMMU GCP planning must use brokered bounce address publication instead._
- [Paperclips Terminal Demo](backlog/paperclips.md) — _Paperclips terminal demo backlog and content migration notes._
- [POSIX Adapter Dash Port](backlog/posix-adapter-dash-port.md) — _POSIX adapter Phase P1.4 (dash port) backlog -- libcapos-posix file/dir/stdio/env/printf surface, dash vendoring + per-call-site patch, and the run-posix-shell-smoke harness._
- [Proposal Group Archive](proposals/other.md) — _Archived proposal cluster._
- [Remote Session CapSet Client](backlog/remote-session-capset-client.md) — _Remote session CapSet client backlog._
- [Research and Design Gaps](backlog/research-design-gaps.md) — _Research/design gap triage backlog._
- [Run Targets, Init Mandate, and Default-Run Integration](backlog/run-targets-and-init-policy.md) — _Run-target governance._
- [Runtime, Networking, and Shell](backlog/runtime-network-shell.md) — _Runtime/network/shell backlog._
- [Scheduler Evolution](backlog/scheduler-evolution.md) — _Detailed task decomposition for future capOS scheduler evolution._
- [Security and Verification](backlog/security-verification.md) — _Security/verification backlog._
- [Service Object Identity Migration](backlog/service-object-identity-migration.md) — _Superseded large-chunk migration plan for service object identity, retained as historical context after the active direction changed to session-bound invocation context._
- [Session Archive & Gantt Effort](proposals/session-archive-and-gantt-effort-proposal.md) — _A pipeline to collect, normalize, and archive per-task effort data from the run-telemetry log and agent session transcripts, enabling development timeline visualization and task-duration prediction._
- [Session-Bound Invocation Context](backlog/session-bound-invocation-context.md) — _Implementation plan for one-session-per-process invocation context and session-keyed shared services._
- [Shared-Service Demos](backlog/shared-service-demos.md) — _Demo backlog._
- [SMP Phase C](backlog/smp-phase-c.md) — _SMP backlog._
- [Stage 6 Capability Semantics](backlog/stage-6-capability-semantics.md) — _Stage 6 capability work._

## Capabilities And Security

- [POSIX fork/execve fd Inheritance](proposals/posix-fd-inheritance-proposal.md) — _Target POSIX fork/execve full-fd-table inheritance for the recording shim, reconciled with the capability model, so unmodified POSIX software inherits stdio/cwd without bespoke per-app dup2 patches._

## Hardware

- [Network-Reachable Datapath Scope Decision](proposals/network-reachable-datapath-scope-decision.md) — _Scope decision recording that the real-GCE-boot milestone's reachable-network-stack requirement means raw-frame TX/RX (Option A), not L4 sockets, grounded in what the billable cloudboot harness actually gates on._
- [Phase C Userspace NIC Driver Relocation](proposals/phase-c-userspace-nic-driver-relocation.md) — _Phase C design for relocating the virtio-net driver into userspace: the cap-surface delta, the inline-`Data` Nic ABI (matching the networking-proposal draft), the writable selected-write common-config window (an extension of the accepted notify-doorbell discipline; slice 1 landed 2026-06-02 20:30 UTC at c9518b2d), the userspace-vring slice that reuses the landed production DMA isolation (bounce policy + dma_backend probe + IOMMU IOVA-export), the sustained-receive `Nic` ABI design used by the multi-frame TCP path, the selected serve-from-userspace 7c-ii(b) socket-authority proof, and retirement of the non-qemu legacy kernel socket grant path._
- [Real-Filesystem Decision](proposals/real-filesystem-decision.md) — _Real-filesystem direction for capOS: a role-split between capnp-native managed state and read-only FAT32 for host-populated/interop images, with ext4-read deferred and FAT write rejected, grounded in the existing Directory/File/Store cap surface and the storage layouts already in tree._

## Hardware And Drivers

- [ATAPI CD-ROM + ISO 9660](devices/atapi-iso9660.md) — _Provenance map for the planned CD-ROM boot/install ATAPI PIO reader and read-only ISO 9660 driver - spec basis, implemented wire-format subset, and boot-only kernel-owned capOS mapping._
- [AWS Nitro EBS (NVMe storage)](devices/aws-nvme.md) — _Provenance map for the AWS Nitro EBS NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, and the capOS cloud-shape classification plus DMA-backend policy it binds onto._
- [Azure MANA](devices/azure-mana.md) — _Provenance map for the Azure MANA NIC / GDMA wire logic - spec basis, implemented host-conformance wire-format subset, and capOS authority mapping._
- [Azure managed disk (NVMe storage)](devices/azure-disk.md) — _Provenance map for the Azure managed-disk NVMe storage shape - spec basis, the standard-NVMe wire subset it shares with docs/devices/nvme.md, why the older-family virtio-scsi path is out of scope, and the capOS cloud-shape classification plus DMA-backend policy it binds onto._
- [Device Driver Specifications](devices/index.md) — _Per-device driver specs - cited authoritative spec, implemented wire-format subset, and capOS authority mapping._
- [Device Spec Template](devices/_template.md) — _Blank three-part device-spec template - copy to docs/devices/<device>.md when starting a driver._
- [DMA User-Space Driver Isolation](research/dma-userspace-driver-isolation.md) — _DMA, user-space driver, vIOMMU, and no-IOMMU bounce-buffer design consequences for capOS device authority._
- [FAT32 (read-only backer)](devices/fat32.md) — _Provenance map for the read-only FAT32 Directory/File backer over virtio-blk and NVMe - spec basis, the vendored fatfs read subset used, timestamp provenance limits, and the capOS cap mapping._
- [GCE gVNIC](devices/gvnic.md) — _Provenance map for the GCE gVNIC (Google Virtual Ethernet) NIC - spec basis from the public gVNIC docs and the GVE Linux driver, the wire-format subset capOS exercises today, and the bounded Nic-cap adaptation proof. capOS has live-GCE inventory, admin-queue/register, raw-frame GQI/QPL TX/RX, and typed Nic-adaptation proofs, but no reusable gVNIC provider service or host conformance suite yet._
- [GCP Persistent Disk (storage)](devices/gcp-storage.md) — _Provenance map for the GCP Persistent Disk storage shape - virtio-scsi vs NVMe families, the standard-NVMe wire subset it shares with docs/devices/nvme.md, the capOS cloud-shape classification, the DMA-backend policy on no-IOMMU GCE shapes, the local production brokered NVMe provider chain, and the bounded live-GCE NVMe Persistent Disk read proof._
- [NVMe](devices/nvme.md) — _Provenance map for the NVMe controller wire subset capOS touches - conditional Model B validator scan targets, the read-only userspace bind, the reset-only CC selected-write claim, the no-IOMMU manager-op controller enable through the brokeredNvmeControllerEnable @6 verb, the no-IOMMU manager-op admin IDENTIFY through the brokeredNvmeAdminIdentify @7 verb, the brokered admin SQ/CQ doorbell + IDENTIFY command, the split admin SUBMIT @8 / COMPLETE @9 verbs whose completion handoff runs through a cap-waiter Interrupt.wait/acknowledge MSI-X route, the brokered I/O queue pair + bounded READ including one live-GCE Persistent Disk proof, and the dedicated BlockDevice data-completion Interrupt route - with spec basis and capOS authority mapping._
- [virtio-blk](devices/virtio-blk.md) — _Provenance map for the QEMU-fixture virtio-blk BlockDevice driver - spec basis, implemented wire-format subset, capOS authority binding, and why it is a qemu-gated fixture rather than the production storage route._
- [virtio-net](devices/virtio-net.md) — _Provenance map for the in-tree modern virtio-net PCI NIC - spec basis, implemented wire-format subset, and capOS authority binding._
- [virtio-rng](devices/virtio-rng.md) — _Provenance map for the in-tree virtio-rng entropy device - spec basis, implemented wire-format subset, and its role as a QEMU-only DDF metadata and IOMMU-remapping hardware-DMA proof fixture (no userspace-facing capability, not a production driver)._

## Programming Languages And Runtimes

- [POSIX fork/execve fd Inheritance](proposals/posix-fd-inheritance-proposal.md) — _Target POSIX fork/execve full-fd-table inheritance for the recording shim, reconciled with the capability model, so unmodified POSIX software inherits stdio/cwd without bespoke per-app dup2 patches._

## Remote Session

- [Remote Session CapSet Clients](proposals/remote-session-capset-client-proposal.md) — _Remote host app model for authenticated capOS sessions, broker-issued CapSet views, and typed capability calls over Cap'n Proto RPC._
- [Remote Session UI Security](proposals/remote-session-ui-security-proposal.md) — _Web-security hardening posture for the trusted local remote-session-ui bridge, the capOS-served Web UI, public-origin carry-over policy, and the Tauri desktop wrapper._

## Security

- [Phase C Userspace NIC Driver Relocation](proposals/phase-c-userspace-nic-driver-relocation.md) — _Phase C design for relocating the virtio-net driver into userspace: the cap-surface delta, the inline-`Data` Nic ABI (matching the networking-proposal draft), the writable selected-write common-config window (an extension of the accepted notify-doorbell discipline; slice 1 landed 2026-06-02 20:30 UTC at c9518b2d), the userspace-vring slice that reuses the landed production DMA isolation (bounce policy + dma_backend probe + IOMMU IOVA-export), the sustained-receive `Nic` ABI design used by the multi-frame TCP path, the selected serve-from-userspace 7c-ii(b) socket-authority proof, and retirement of the non-qemu legacy kernel socket grant path._

## Storage

- [FAT32 (read-only backer)](devices/fat32.md) — _Provenance map for the read-only FAT32 Directory/File backer over virtio-blk and NVMe - spec basis, the vendored fatfs read subset used, timestamp provenance limits, and the capOS cap mapping._
- [Real-Filesystem Decision](proposals/real-filesystem-decision.md) — _Real-filesystem direction for capOS: a role-split between capnp-native managed state and read-only FAT32 for host-populated/interop images, with ext4-read deferred and FAT write rejected, grounded in the existing Directory/File/Store cap surface and the storage layouts already in tree._
- [virtio-blk](devices/virtio-blk.md) — _Provenance map for the QEMU-fixture virtio-blk BlockDevice driver - spec basis, implemented wire-format subset, capOS authority binding, and why it is a qemu-gated fixture rather than the production storage route._

