# ANVAYA 1.0 Acceptance Matrix

This matrix turns the roadmap 1.0 goal into RFC-backed acceptance criteria. It
does not claim implementation is complete.

## Release Target

ANVAYA 1.0 means a production-ready RISC-V-first operating system that can boot
on supported hardware, run userspace services and WASM applications, execute AI
agents through AECs, enforce capability authority, preserve auditability, and
meet defined security, crypto, verification, documentation, and governance
criteria.

## Matrix

| 1.0 Criterion | Required RFCs | Evidence Required | Non-goal |
| --- | --- | --- | --- |
| Nucleus formally verified | RFC 0006, RFC 0010, RFC 0016 | Formal proof artifacts for accepted kernel invariants plus syscall-dispatch CI gates | Proving every userspace service. |
| Capability system functional | RFC 0001, RFC 0004, RFC 0005, RFC 0007, RFC 0009, RFC 0010 | Create, delegate, revoke, transfer, malformed-handle, stale-handle, generation-reuse, parent/lineage, IPC import/export, and fail-closed tests through the accepted RFC 0007 representation and RFC 0010 syscall numbers; accepted RFC 0004/0005 evidence remains prototype evidence | Ambient Unix-style authority. |
| IPC working | RFC 0009, RFC 0010 | `ipc.send`, `ipc.receive`, `ipc.call`, `ipc.reply`, cap transfer, timeout, cancel, revoked endpoint tests, and audit-event smoke tests | Distributed IPC in 1.0 unless separately accepted. |
| Scheduler operational | RFC 0011 | State transition, priority, timeout, quota, starvation tests | Perfect global optimal scheduling. |
| Memory management complete | RFC 0008, RFC 0007, RFC 0010 | `mem.frame_alloc`, `mem.map`, `mem.unmap`, `mem.share`, CSpace frame-cap resolution, fault/revoke tests; v0.2 proves the first staged frame/address-space slice, not production paging | Full advanced VM features by default. |
| Real hardware supported | RFC 0012, RFC 0013, RFC 0014, RFC 0015 | Board-profile boot transcript, HAL checks, hardware limitations documented | Every RISC-V board. |
| Userspace services operational | RFC 0017, RFC 0018, RFC 0019 | Init, service registry, device manager, restart/revocation tests | Linux compatibility layer. |
| Storage service operational | RFC 0020, RFC 0028 | Content-addressed put/get, namespace, snapshot, GC, hash verification | Full cloud sync if not accepted. |
| WASM apps run | RFC 0021, RFC 0022 | Install signed app, grant caps, launch, deny missing cap, trap/quota tests | Native app priority over WASM. |
| SDK released | RFC 0022 | Versioned crates/docs tied to stable ABI/WASI | SDK APIs ahead of accepted ABI. |
| AI agents run reliably | RFC 0002, RFC 0023, RFC 0024 | Accepted RFC 0002 lifecycle/state-machine conformance, approval, broker inference, revocation, cancellation, quota, and audit traces | Unbounded autonomous action. |
| Cognitive sandboxing works | RFC 0002, RFC 0023, RFC 0027 | RFC 0002 plan-without-side-effects boundary, approval binding, action-substitution denial, world-model reconciliation, and audit evidence | Disclosing unsafe private reasoning verbatim. |
| Device mesh scoped | RFC 0030 | Pairing, device identity, scoped remote delegation, remote revocation, offline behavior, namespace conflict, and audit reconciliation tests | Ambient trust between paired devices. |
| Energy accountability scoped | RFC 0031, RFC 0011, RFC 0027 | Budget grant/exhaustion, carbon-source freshness, scheduler policy input, override, and audit tests | Energy optimization overriding safety or real-time constraints. |
| Audit trail verifiable | RFC 0027 | Append-only verification, redaction, denied read, tamper detection | Public logs for all private data. |
| Security audit passed | RFC 0025, RFC 0029 | Threat model review, response tabletop, external assessment report | Claiming invulnerability. |
| PQC integrated | RFC 0028 | Signed packages, identity, audit segments, hybrid/PQC tests | Designing custom crypto primitives. |
| Hardware escape supported | RFC 0026, RFC 0015 | Board-profile safe-mode/halt/recovery evidence | Same escape hardware on every dev board. |
| Complete documentation | RFC index, traceability matrix, status docs | Docs/link checks, status parity, claim-to-RFC matrix complete | Marketing claims without status labels. |
| Governance operational | RFC 0029 | Bootstrap authority, security contact, RFC process, transition criteria | Waiting for full foundation before security response. |
| Community/package ecosystem | RFC 0022, governance docs | Package format, contribution docs, release docs, examples | 500-package ecosystem before kernel contracts stabilize. |
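A minimal model of the capability-handle tests the matrix lists (create, delegate, revoke, malformed-handle, stale-handle, generation-reuse, fail-closed), written as an added example for this page; it is not ANVAYA's code, and the slot-plus-generation handle encoding, the `READ`/`WRITE`/`GRANT` rights and the `CSpace` API are assumptions of the example, not the accepted RFC 0007 representation. Parent/lineage tracking and IPC import/export are not modelled.

```rust
// Assumed model for this example, not the RFC 0007 layout: a handle is a slot
// index plus the generation the slot had when the capability was minted.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Handle { pub slot: u32, pub gen: u32 }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum CapError { Malformed, Stale, Denied, NoSlot }
pub const READ: u8 = 1;
pub const WRITE: u8 = 2;
pub const GRANT: u8 = 4; // right to delegate attenuated copies
#[derive(Clone, Copy)]
struct Slot { gen: u32, rights: u8, object: u32, live: bool }
pub struct CSpace { slots: Vec<Slot> }

impl CSpace {
    pub fn new(n: usize) -> Self {
        CSpace { slots: vec![Slot { gen: 0, rights: 0, object: 0, live: false }; n] }
    }
    // Mint into the first free slot, bumping its generation so a handle minted
    // before an earlier revoke can never match the slot's new occupant.
    pub fn create(&mut self, object: u32, rights: u8) -> Result<Handle, CapError> {
        let i = self.slots.iter().position(|s| !s.live).ok_or(CapError::NoSlot)?;
        let gen = self.slots[i].gen.wrapping_add(1);
        self.slots[i] = Slot { gen, rights, object, live: true };
        Ok(Handle { slot: i as u32, gen })
    }
    // Fail closed: out-of-range is malformed; dead slot or generation mismatch
    // is stale. Neither can ever resolve to a different object.
    fn resolve(&self, h: Handle) -> Result<Slot, CapError> {
        let s = *self.slots.get(h.slot as usize).ok_or(CapError::Malformed)?;
        if !s.live || s.gen != h.gen { return Err(CapError::Stale); }
        Ok(s)
    }
    pub fn use_cap(&self, h: Handle, need: u8) -> Result<u32, CapError> {
        let s = self.resolve(h)?;
        if s.rights & need != need { return Err(CapError::Denied); }
        Ok(s.object)
    }
    // Delegation requires GRANT and may only attenuate, never amplify, rights.
    pub fn delegate(&mut self, h: Handle, rights: u8) -> Result<Handle, CapError> {
        let s = self.resolve(h)?;
        if s.rights & GRANT == 0 || rights & !s.rights != 0 { return Err(CapError::Denied); }
        self.create(s.object, rights)
    }
    pub fn revoke(&mut self, h: Handle) -> Result<(), CapError> {
        self.resolve(h)?; // revoking an already-stale handle also fails closed
        self.slots[h.slot as usize].live = false;
        Ok(())
    }
}
```

Each acceptance test in the row maps to one assertion shape: a delegated handle cannot exceed its parent's rights, a revoked handle stays stale even after its slot is reused, and an out-of-range handle is rejected as malformed rather than resolved.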

## 100% Vision/Spec Readiness Gate

The spec direction is ready when:

- RFC 0001 and RFC 0002 are accepted semantic baselines, not placeholders.
- Every matrix row has an RFC owner.
- Every manifesto/architecture claim is labeled in `VISION_TRACEABILITY.md`.
- Public status, README, roadmap, glossary, RFC index, and website agree on
  labels.
- No accepted RFC depends on a `TBD` section for normative meaning.
- Accepted syscall ABI rows define inputs, outputs, required rights, failure
  modes, audit events, and current implementation status.
- Accepted CSpace/handle representation defines per-task CSpaces, slot layout,
  handle encoding, IPC import/export, revocation, stale failure, CHERI mapping,
  and software fallback.
- CHERI hardware encoding, formal verification, hardware escape, PQC, AEC
  runtime, userspace, and brokers are not overclaimed beyond their evidence
  labels.
