Trusted Build Inputs
This inventory covers the build inputs currently trusted by the capOS boot image, generated bindings, host tooling, and verification paths. It started as the S.10.0 inventory and now records the S.10.2 generated-code drift check. It now also records the S.10.3 dependency policy.
Summary
| Input | Current source | Pinning status | Drift-review status |
|---|---|---|---|
| Limine bootloader binaries | Makefile:5-10, Makefile:34-49 | Git commit and selected binary SHA-256 values are pinned. | make limine-verify fails if the checked-out commit or copied bootloader artifacts drift. |
| Rust toolchain | rust-toolchain.toml:1-3 | Floating nightly channel with target triples only. | No repo-visible date, hash, or installed component audit. The current local resolver reported rustc 1.96.0-nightly (2972b5e59 2026-04-03). |
| Workspace cargo dependencies | Cargo.toml:1-9, crate Cargo.toml files, Cargo.lock | Lockfile pins exact crate versions and checksums for the root workspace. Manifest requirements remain semver ranges. | make dependency-policy-check runs cargo deny check plus cargo audit against the root workspace and lockfile in CI. |
| Standalone cargo dependencies | init/Cargo.lock, demos/Cargo.lock, tools/mkmanifest/Cargo.lock, capos-rt/Cargo.lock, fuzz/Cargo.lock | Each standalone workspace has its own lockfile. | make dependency-policy-check runs the shared deny/audit baseline against every standalone manifest and lockfile. Cross-workspace version drift remains review-visible and intentional where lockfiles differ. |
| Cap’n Proto compiler | Makefile:12-80, kernel/build.rs, capos-config/build.rs, tools/check-generated-capnp.sh | Official capnproto-c++-1.2.0.tar.gz source tarball URL, version, and SHA-256 are pinned in Makefile; make capnp-ensure builds a shared .capos-tools/capnp/1.2.0/bin/capnp under the git common-dir parent so linked worktrees reuse it. The build rule patches the distributed CLI version placeholder to the pinned version before compiling. | Build scripts default to the clone-shared pinned path and reject CAPOS_CAPNP when it points elsewhere. Make targets export the pinned path and CI persists it through $GITHUB_ENV. make generated-code-check verifies both the exact compiler path and Cap'n Proto version 1.2.0 before regenerating bindings through Cargo. |
| Cap’n Proto Rust runtime/codegen crates | capos-config/Cargo.toml:9, capos-config/Cargo.toml:15, kernel/Cargo.toml:12, kernel/Cargo.toml:21, Cargo.lock | Cargo manifests use exact capnp = "=0.25.4" and capnpc = "=0.25.3" requirements where declared; lockfiles pin exact crate versions and checksums. | S.10.3 now requires dependency-class and no_std review before these changes are accepted. |
| Generated capnp bindings | capos-config/src/lib.rs:10-12, kernel/src/main.rs:15-18, tools/generated/capos_capnp.rs, tools/check-generated-capnp.sh | Generated into Cargo OUT_DIR; the expected patched output is checked in under tools/generated/. | make generated-code-check regenerates both crate outputs through Cargo and fails if either output differs from the checked-in baseline. |
| no_std patching of generated bindings | kernel/build.rs:13-30, capos-config/build.rs:10-25, tools/check-generated-capnp.sh | Patch anchors are asserted in both build scripts. | make generated-code-check verifies the patched output contains the expected no_std imports for both crates. |
| Linker script build scripts | kernel/build.rs:2, init/build.rs:2-5, demos/*/build.rs | Source-controlled scripts and linker scripts. | Build rerun boundaries are explicit; generated link args are not independently audited. |
| CUE manifest compiler | Makefile:13-91, tools/mkmanifest/src/main.rs:65-130, tools/mkmanifest/src/lib.rs:30-80, .github/workflows/ci.yml | make cue-ensure installs cuelang.org/go/cmd/cue pinned to v0.16.0 into the clone-shared .capos-tools/cue/0.16.0/bin/cue path. | Make exports CAPOS_CUE to tools/mkmanifest, and CI records that exact path through $GITHUB_ENV before QEMU smoke. mkmanifest also derives the same clone-shared path, rejects missing or non-canonical CAPOS_CUE, and checks cue version v0.16.0 before export. |
| mdBook documentation tools | Makefile, book.toml | GitHub release assets for mdBook v0.5.0 and mdbook-mermaid v0.17.0 are pinned by version and SHA-256 under the clone-shared .capos-tools path. | make docs and make cloudflare-pages-build verify the tarball checksums and executable versions, refresh the Mermaid assets, and build target/docs-site. |
| QEMU and firmware | Makefile:67-83 | Host-installed qemu-system-x86_64; OVMF path is hard-coded for UEFI. | No repo-visible version or firmware checksum. Current local host reported QEMU 10.2.2. |
| ISO and host filesystem tools | Makefile:51-65 | Host-installed xorriso, sha256sum, git, make, shell utilities. | No version capture except ad hoc local inspection. |
| Boot manifest and embedded binaries | system.cue:1-144, tools/mkmanifest/src/lib.rs:82-115, Makefile:28-29, Makefile:51-65 | Source manifest is checked in; embedded ELF payloads are build artifacts. | Manifest validation checks references and path containment, but final manifest.bin is generated and not checksum-recorded. |
| Build downloads | Makefile, Cargo lockfiles, rust-toolchain.toml | Limine and documentation tool tarballs are explicitly fetched; Cargo, Go, and rustup downloads are implicit when caches/toolchains are absent. | Limine artifacts and documentation tool tarballs are verified. Cargo, Go, and rustup downloads rely on upstream tooling and lockfiles, with no repo policy. |
S.10.3 Dependency Policy
Dependency changes are accepted only if they satisfy this policy and are recorded in the owning task checklist.
Dependency classes
Use these classes when reviewing a dependency change:
- Kernel-critical no_std: crates used directly by
kernel,capos-lib, andcapos-config. - Userspace-runtime no_std: crates used by
init,demos, andcapos-rt. - Host/build: crates used by
tools/*,build.rshelpers, and generated output pipelines. - Test/fuzz/dev: crates gated by
dev-dependenciesortarget-specificfor fuzz/proptests/smoke support.
Required pre-merge criteria
For any added dependency (or bump in any class):
- Manifest and features are explicit. Dependency entries must include
explicit feature choices; avoid
default-features = trueunless justified. - No_std compatibility is proven for no_std classes. Kernel-critical and
userspace-runtime dependencies must compile in a
#![no_std]mode withallocwhere expected.cargo build -p <crate> --target x86_64-unknown-nonemust succeed for every kernel/no_std crate affected. - Security policy checks run and pass. CI-equivalent checks for the
touched workspace are required through
make dependency-policy-check, which runscargo deny checkon every Cargo manifest andcargo auditon every lockfile. - Dependency class change is justified in review. PR text must include target class, ownership rationale, transitive graph impact, and why the crate is not a transitive replacement for an already-allowed dependency.
- Lockfile behavior is explicit. Update only intended lockfiles and record intentional cross-workspace drift in this document if workspace purpose differs.
No_std add/edit checklist
- Reject crates that require
std, OS I/O, or unsupported platform APIs in the dependency path intended for kernel classes. - Reject dependencies that re-export broad platform facades or large unsafe surface unless there is a replacement with smaller scope and better audit visibility.
- Record a license and supply-chain review result (via policy checks) before merge.
- Confirm no
unsafecontract escapes are added without a review surface note in the relevant module.
Standing requirements
- Add
S.10.3checks to the target branch plan item for any kernel/no_std crate dependency change and document the exact pass command set. - Keep lockfile deltas review-visible in normal PR flow; lockfile pinning is the minimum bar, not the gate.
- Keep transitive drift in sync with the trust class: class-wide divergence across lockfiles requires explicit justification.
Remaining gaps after S.10.3 policy
- Continue Rust toolchain pinning work (date/hash pin, reproducible host compiler inputs) as a separate build-reproducibility task.
- Decide whether final ISO/payload hashes become policy-grade inputs in production-hardening stages.
Bootloader and ISO Inputs
The Makefile now pins Limine at commit
aad3edd370955449717a334f0289dee10e2c5f01 and verifies these copied artifacts:
| Artifact | Checksum reference |
|---|---|
limine/limine-bios.sys | Makefile:7 |
limine/limine-bios-cd.bin | Makefile:8 |
limine/limine-uefi-cd.bin | Makefile:9 |
limine/BOOTX64.EFI | Makefile:10 |
make limine-ensure clones https://github.com/limine-bootloader/limine.git
only when limine/.git is absent, fetches the pinned commit if needed, checks
it out detached, and runs make inside the Limine tree (Makefile:34-40).
make limine-verify then checks the repository HEAD and artifact checksums
(Makefile:42-49). The ISO copies the kernel, generated manifest.bin,
Limine config, and verified Limine artifacts into iso_root/, runs xorriso,
then runs limine bios-install (Makefile:51-65).
Remaining reproducibility gap: Limine source is pinned, but the Limine build host compiler and environment are not pinned or recorded.
Rust Toolchain
rust-toolchain.toml specifies:
channel = "nightly"targets = ["x86_64-unknown-none", "aarch64-unknown-none"]
This is a floating channel pin, not a reproducible toolchain pin. A future
rustup resolution can move the compiler even when the repository is
unchanged. The current local host resolved to:
rustc 1.96.0-nightly (2972b5e59 2026-04-03)cargo 1.96.0-nightly (888f67534 2026-03-30)- host target
x86_64-unknown-linux-gnu
The Makefile derives HOST_TARGET from rustc -vV (Makefile:12) and uses
that for tools/mkmanifest (Makefile:28-29). Cargo aliases in
.cargo/config.toml:4-22 hard-code x86_64-unknown-linux-gnu for host tests.
Remaining reproducibility gap: pin the nightly by date or exact toolchain hash, and record required components. Until then, compiler drift can change codegen, linking, lints, and generated bindings without a repository diff.
Cargo Dependencies
The root workspace members are capos-config, capos-lib, and kernel
(Cargo.toml:1-4). init/, demos/, tools/mkmanifest/, and fuzz/ are
standalone workspaces with their own lockfiles.
Important direct dependencies and current root-lock resolutions:
| Dependency | Manifest references | Root lock resolution |
|---|---|---|
capnp | capos-config/Cargo.toml:8, capos-lib/Cargo.toml:7, kernel/Cargo.toml:11 | 0.25.4 in Cargo.lock |
capnpc | capos-config/Cargo.toml:14, kernel/Cargo.toml:19 | 0.25.3 in Cargo.lock |
limine crate | kernel/Cargo.toml:7 | 0.6.3 in Cargo.lock |
spin | kernel/Cargo.toml:8 | 0.9.8 in Cargo.lock |
x86_64 | kernel/Cargo.toml:9 | 0.15.4 in Cargo.lock |
linked_list_allocator | kernel/Cargo.toml:10 | 0.10.6 in Cargo.lock |
loom | capos-config/Cargo.toml:17 | 0.7.2 in Cargo.lock |
proptest | capos-lib/Cargo.toml:9-10 | 1.11.0 in Cargo.lock |
Standalone lockfile drift observed during this inventory:
| Lockfile | Notable direct/runtime resolution |
|---|---|
init/Cargo.lock | capnp 0.25.4, capnpc 0.25.3, linked_list_allocator 0.10.5 |
demos/Cargo.lock | capnp 0.25.4, capnpc 0.25.3, linked_list_allocator 0.10.6 |
tools/mkmanifest/Cargo.lock | capnp 0.25.4, capnpc 0.25.3, serde_json 1.0.149 |
capos-rt/Cargo.lock | capnp 0.25.4, capnpc 0.25.3, linked_list_allocator 0.10.6 |
fuzz/Cargo.lock | capnp 0.25.4, capnpc 0.25.3, libfuzzer-sys 0.4.12 |
Cargo lockfiles pin exact crate versions and crates.io checksums, so ordinary crate upgrades are review-visible through lockfile diffs. They do not, by themselves, define whether a dependency is acceptable for kernel/no_std use, whether multiple lockfiles must converge, or whether advisories/licenses block the build.
S.10.3 policy gate:
deny.tomldefines the shared license, advisory, ban, and source baseline.make dependency-policy-checkrunscargo deny checkon the root workspace,init,demos,tools/mkmanifest,capos-rt, andfuzz.- The same target runs
cargo audit --deny warningson every checked-in lockfile. - Local packages are marked
publish = falseso cargo-deny treats them as private, and local path dependencies includeversion = "0.1.0"so registry wildcard requirements can remain denied. - CI installs pinned
cargo-deny 0.19.4andcargo-audit 0.22.1and runs the target.
Remaining dependency-policy gap: decide whether standalone lockfiles may
intentionally drift from the root lockfile, especially for capnp and
allocator crates used by userspace.
Cap’n Proto Compiler, Runtime, and Generated Bindings
The trusted Cap’n Proto inputs are:
schema/capos.capnp, the source schema.- Repo-local pinned
capnp, invoked through thecapnpcRust build dependency viaCAPOS_CAPNP. capnpruntime crate withdefault-features = falseandalloc.capnpccodegen crate.- Generated
capos_capnp.rswritten to CargoOUT_DIR. - Local no_std patching applied after generation.
kernel/build.rs and capos-config/build.rs both run
capnpc::CompilerCommand over ../schema/capos.capnp, then read the generated
capos_capnp.rs, assert that the expected #![allow(unused_variables)] anchor
is present, and inject:
#![allow(unused)]
#![allow(unused_imports)]
fn main() {
use ::alloc::boxed::Box;
use ::alloc::string::ToString;
}The generated code used by builds is included from OUT_DIR in
capos-config/src/lib.rs:10-12 and kernel/src/main.rs:15-18. The expected
patched output is checked in as tools/generated/capos_capnp.rs, so schema,
compiler, capnpc crate, and patch-output changes must update that baseline and
become review-visible as a source diff.
S.10.2 generated-code drift check:
make generated-code-checkrunstools/check-generated-capnp.sh.- The script invokes the actual Cargo build-script path for
capos-configandcapos-kernelin an isolated target directory, so it checks the generated artifacts that those crates would include fromOUT_DIR. - The script verifies that each patched file still contains the capnpc anchor
plus the local no_std patch imports, compares the two crate outputs
byte-for-byte, and then compares both outputs against
tools/generated/capos_capnp.rs. - Any intentional schema/codegen/patch change must update the checked-in baseline in the same review, making generated output drift review-visible.
make checkrunsfmt-checkplusgenerated-code-checkfor a single local or CI entry point.- Current pinned compiler source is
capnproto-c++-1.2.0.tar.gzfromhttps://capnproto.org/with SHA-256ed00e44ecbbda5186bc78a41ba64a8dc4a861b5f8d4e822959b0144ae6fd42ef. The checked-intools/generated/capos_capnp.rsbaseline must be regenerated with that compiler when schema or codegen behavior intentionally changes. The current pinned baseline SHA-256 is224b4ec2296f800bd577b75cfbd679ebb78e7aa2f813ad9893061f4867c9dd3d.
Remaining gaps for S.10.3:
- The no_std patching logic still lives in both build scripts. The baseline and pairwise output comparison catch divergent results, but a future cleanup could move the patch helper into shared source to reduce duplication.
Cargo Build Scripts
Build scripts currently do these trusted operations:
| Script | Behavior |
|---|---|
kernel/build.rs | Watches kernel/linker-x86_64.ld, schema/capos.capnp, and itself; generates and patches capnp bindings. Checked by make generated-code-check. |
capos-config/build.rs | Watches schema/capos.capnp; generates and patches capnp bindings. Checked by make generated-code-check. |
init/build.rs | Emits a linker script argument for init/linker.ld. |
demos/*/build.rs | Emits a linker script argument for demos/linker.ld. |
The linker build scripts derive CARGO_MANIFEST_DIR from Cargo and only emit
link arguments plus rerun directives. The capnp build scripts read and rewrite
generated code under OUT_DIR. None of these scripts fetch network resources.
S.10.2 coverage: make generated-code-check exercises both capnp build
scripts through Cargo, validates the patched generated files, and fails if the
two crate outputs drift apart or no longer match the checked-in generated
baseline.
Manifest, Embedded Binaries, and Downloaded Artifacts
system.cue declares named binaries and services. Makefile:54-55 builds
manifest.bin by running tools/mkmanifest on the host. mkmanifest runs:
- Resolve the clone-shared pinned CUE compiler from git state, reject missing
or mismatched
CAPOS_CUE, checkcue version v0.16.0, then runcue export system.cue --out json(tools/mkmanifest/src/main.rs:65-128). - JSON-to-
CueValueconversion and manifest validation (tools/mkmanifest/src/main.rs:13-23). - Binary embedding from relative paths (
tools/mkmanifest/src/lib.rs:135-180). - Binary-reference validation and Cap’n Proto serialization
(
tools/mkmanifest/src/main.rs:37-49).
Path handling rejects absolute paths, parent traversal, non-normal components,
and canonicalized paths that escape the manifest directory
(tools/mkmanifest/src/lib.rs:182-217). The generated manifest.bin is copied
into the ISO as /boot/manifest.bin (Makefile:117) and loaded by Limine via
limine.conf:5.
Downloaded or generated artifacts in the current build:
| Artifact | Producer | Pinning/drift status |
|---|---|---|
limine/ checkout | git clone/git fetch in Makefile:34-40 | Commit-pinned and artifact-verified. |
| Cargo registry crates | cargo build, cargo run, tests, fuzz | Lockfile-pinned checksums plus CI-enforced deny/audit checks through make dependency-policy-check. |
| Rust toolchain and targets | rustup from rust-toolchain.toml when absent | Floating nightly channel. |
target/ kernel and host artifacts | Cargo | Generated, not checked in. |
init/target/ and demos/target/ ELFs | Cargo standalone builds | Generated, embedded into manifest.bin; no final payload checksums recorded in source. |
manifest.bin | tools/mkmanifest | Generated from system.cue plus ELF payloads; not checked in. |
iso_root/ and capos.iso | Makefile, xorriso, Limine installer | Generated and gitignored; Limine inputs verified, full ISO checksum not source-recorded. |
Remaining gaps for S.10.2/S.10.3:
- Decide whether CI should record or compare hashes for
manifest.bin, embedded ELF payloads, or the final ISO for reproducible-build tracking. - Pin or record
xorriso,qemu-system-x86_64, OVMF firmware, and other host tools used by build and boot verification with the same strictness ascapnpandcue. - Decide whether CI should record the pinned
cue exportJSON or finalmanifest.binbytes if manifest reproducibility becomes release-critical.
Host Tools
Current local host versions observed during this inventory:
| Tool | Observed version | Build role |
|---|---|---|
capnp | 1.2.0 | Repo-local schema compiler built by make capnp-ensure from a SHA-256-pinned official source tarball into the shared .capos-tools cache for this clone. |
cue | v0.16.0 | Repo-local manifest compiler installed by make cue-ensure into the shared .capos-tools cache for this clone. |
qemu-system-x86_64 | 10.2.2 | Boot verification via make run and make run-uefi. |
xorriso | 1.5.8 | ISO generation. |
make | 4.4.1 | Build orchestration. |
git | 2.53.0 | Limine checkout/fetch and review workflow. |
These are environment observations, not repository pins. make run-uefi also
trusts /usr/share/edk2/x64/OVMF.4m.fd (Makefile:82-83) without a checksum.
Remaining gap for S.10.3: decide the minimum supported host tool versions and whether they are enforced by CI, a container/devshell, or explicit preflight checks.
Inventory Method
This inventory is based on source inspection, Cargo metadata, lockfile checks, and local host-tool version queries. Local host-tool versions are observations, not repository pins; the tables above distinguish enforced pins from observed environment state.
Useful commands for refreshing the inventory:
git status --short --branchrg -n "S\\.10|trusted|supply|Limine|limine|capnp|capnpc|QEMU|qemu|download|curl|git clone|wget|build\\.rs|rust-toolchain|Cargo\\.lock" ...rg --filescargo metadata --locked --format-version 1 --no-depsrg -n '^name = |^version = |^checksum = ' Cargo.lock init/Cargo.lock demos/Cargo.lock tools/mkmanifest/Cargo.lock fuzz/Cargo.lockcommand -v rustc cargo capnp cue qemu-system-x86_64 xorriso sha256sum git makerustc -Vv,cargo -V,capnp --version,cue version,qemu-system-x86_64 --version,xorriso -version,make --version,git --version