Update log (ISO 8601)

Added a QEMU-visible rights-checked service-registry resolution plus proof-harness endpoint IPC proof: the nucleus now resolves the running endpoint-receive service from the init/service registry, dispatches service=0xb803 through the scheduler, delivers an exact receive-only endpoint transfer with transfer_rights=0x2, marks it syscall-returned, and requires ANVAYA WASM SERVICE REGISTRY RESOLUTION IPC OK while production registry-routed userspace service IPC remains future work.

Added a QEMU-visible storage app package loader proof: the nucleus now derives READ+WRITE application manifest rights from installed storage-roundtrip package launch grants, dispatches process=0xa804 through the launch table and scheduler proof, and requires ANVAYA WASM APP STORAGE PACKAGE LOADER OK while production loader-launched userspace services remain future work.

Added a QEMU-visible installed storage runner proof: the nucleus now installs storage-roundtrip, runs the installed record through service-backed storage dispatch, requires two bounded storage IPC calls and zero network IPC calls, and requires ANVAYA WASM APP INSTALL STORAGE RUNNER OK while production loader-launched userspace services remain future work.

Added a QEMU-visible signed package signature denial proof: the nucleus now tampers the signed read-config bundle, proves runtime/anvaya-installer rejects it without recording an install, proves runtime/anvaya-runner rejects it before execution, and requires ANVAYA WASM APP SIGNATURE DENIAL OK while production trust-root and key policy remain future work.

Added an installed app package loader proof: the nucleus now derives application process-manifest rights from the installed network-echo package launch grants, dispatches it as application process=0xa803 through the launch table and scheduler proof, and requires ANVAYA WASM APP PACKAGE LOADER OK while production loader-launched userspace app execution remains future work.

Added a scheduler-bound cap.delegate proof: the scheduler/launch-table-bound manifest-loaded process delegates timer authority under the stored process satp, validates the narrowed child handle, parent slot, and rights, revokes the temporary proof handles, proves the returned child handle is denied as revoked in the same scheduler-bound process context, and now requires ANVAYA SCHEDULER PROCESS CAP DELEGATE OK pid=0xa313 plus ANVAYA SCHEDULER PROCESS CAP DELEGATE REVOKE OK pid=0xa313 in QEMU smoke while production arbitrary userspace loader integration remains future work.

Added a scheduler process wait-token proof: the scheduler/launch-table-bound manifest-loaded process now dispatches wait_one timeout, cancel_token, canceled wait, and completed wait outcomes under the stored process satp, revalidates launch-table resume between returns, and now requires ANVAYA SCHEDULER PROCESS WAIT TOKEN OK pid=0xa313 in QEMU smoke while production service-grade wait-token integration remains future work.

Added a process-bound cap.delegate RFC 0010 U-mode ecall proof: the nucleus runs cap.delegate under the mapped process satp, validates process-local CSpace authority, returns a narrowed timer-capability child handle, checks parent-slot lineage, revokes temporary proof handles, and now requires ANVAYA USER PROCESS CAP DELEGATE OK pid=0xa315 in QEMU smoke while the full reusable scheduler/loader-bound dispatcher remains future work.

Added a bounded DNS Ethernet frame proof: services/anvaya-net now wraps DNS-over-UDP/IPv4 packets in Ethernet frames with MAC and ethertype validation, the network-service core proof requires dns_eth_query=75 dns_eth_response=91 before ANVAYA NETWORK SERVICE CORE OK, and the live virtio-net TX proof requires ANVAYA VIRTIO NET DNS TX OK for a 75-byte DNS Ethernet frame while live TCP/IP state machines, timers, routing, and network service integration remain future work.

Added a bounded DNS-over-UDP/IPv4 packet proof: services/anvaya-net now wraps deterministic DNS A query/response packets in IPv4 and UDP headers, validates IPv4 header checksums and UDP pseudo-header checksums, fails closed on malformed packet shapes, ports, addresses, protocols, and short outputs, and the nucleus QEMU proof requires dns_udp_query=61 dns_udp_response=77 before ANVAYA NETWORK SERVICE CORE OK while live TCP/IP state machines, timers, routing, and network service integration remain future work.

Added a bounded DNS A packet proof: services/anvaya-net now writes and parses deterministic DNS A query/response packets, uses an answer-name compression pointer so maximum valid names fit inside the 512-byte bound, fails closed on malformed packet shapes, and the nucleus QEMU proof requires dns_query=33 dns_response=49 before ANVAYA NETWORK SERVICE CORE OK while live TCP/IP and DNS-over-UDP/IP service integration remain future work.

Added a live virtio-net RX proof: the nucleus configures QEMU virtio-net RX queue 0 with a writable DMA packet buffer, triggers the deterministic ARP request through TX queue 1, waits for TX and RX used-ring completion, validates zero-length TX completion plus the returned ARP reply from 10.0.2.2 to 10.0.2.15, and leaves full TCP/IP packet handling and network service integration as future work.

Added a live virtio-net TX proof: the nucleus configures the QEMU virtio-net transmit queue, DMA-submits a deterministic ARP/Ethernet frame through the bounded virtqueue path, waits for used-ring completion, validates healthy device status and interrupt state, and leaves virtio-net RX plus full TCP/IP packet handling as future work.

Added a live storage-block package restore proof: the nucleus archives the signed network-echo WASM package through the storage core, writes it to QEMU virtio-blk sector 2, reads it back, revalidates the content and package ids, reinstalls the restored bytes, and launches the restored installed record.

Added a two-boot virtio-blk exact-pattern persistence proof: the nucleus validates the deterministic sector-1 proof pattern byte-for-byte, the QEMU script reuses one raw block image across two completed boots, and storage/package service integration remains planned.

Added a live virtio-blk write/read-back proof: the nucleus writes a deterministic sector-1 pattern to QEMU virtio-blk, reads it back through the bounded virtqueue path, and keeps block persistence across separate QEMU runs planned.

Aligned the core docs, public site, LLM surfaces, changelog truth claims, and search index around the scheduler-bound revoked-endpoint audit evidence: eight events with two failure records, while preserving search recall for the literal audit=8 transcript marker.

Extended the scheduler/launch-table-bound manifest process loop with a delegated-child revoked-endpoint ipc.send failure before memory dispatch, preserving launch-table resume validation, preserved queued request state, no reply mutation, failure-closed Revoked results, and audit evidence: eight events with two failure records.

Extended the scheduler/launch-table-bound manifest process loop to cap.identify, ipc.send, ipc.receive, ipc.reply, ipc.call, ipc.cancel, mem.frame_alloc, mem.map, mem.unmap, and cap.revoke with checked launch-table resume, scheduler-bound pending-request cancel clearing, empty cancel idempotence, cumulative IPC audit=7 validation, and the existing send/receive/reply/call, mapping, unmap, and revoke proof coverage.

Extended the scheduler/launch-table-bound manifest process loop to cap.identify, ipc.send, ipc.receive, ipc.reply, ipc.call, mem.frame_alloc, mem.map, mem.unmap, and cap.revoke with checked launch-table resume, translated send, receive, reply, call-request, and call-reply window validation, endpoint queue delivery, transferred timer capability checks, returned endpoint and device-frame capability evidence, cumulative send+receive+reply+call IPC audit success validation, scheduler-bound bad-length ipc.call failure/audit validation with reply_preserved=1, and the existing mapping/unmap/revoke proof.

Extended the scheduler/launch-table-bound manifest process loop to cap.identify, ipc.send, ipc.receive, ipc.reply, mem.frame_alloc, mem.map, mem.unmap, and cap.revoke with checked launch-table resume, translated send-request, receive, and reply-request window validation, endpoint queue delivery, transferred timer capability checks, returned endpoint capability field evidence, cumulative send+receive+reply IPC audit success validation, and the existing mapping/unmap/revoke proof.

Extended the scheduler/launch-table-bound manifest process loop to cap.identify, ipc.send, ipc.receive, mem.frame_alloc, mem.map, mem.unmap, and cap.revoke with checked launch-table resume, translated send-request and receive-window validation, endpoint queue delivery, transferred timer capability checks, cumulative send+receive IPC audit success validation, exact receive capability field evidence, and the existing mapping/unmap/revoke proof.

Extended the scheduler/launch-table-bound manifest process loop to cap.identify, ipc.send, mem.frame_alloc, mem.map, mem.unmap, and cap.revoke with checked launch-table resume, translated send-window validation, endpoint queue delivery, transferred timer capability checks, IPC audit success validation, and the existing mapping/unmap/revoke proof.

Extended the scheduler/launch-table-bound manifest process loop to cap.identify, mem.frame_alloc, mem.map, mem.unmap, and cap.revoke with checked launch-table resume, mapping handle resolution, page-table entry validation, explicit unmap proof, stale mapping-handle denial, and frame revocation.

Added a launch-table resume contract and widened the scheduler/launch-table-bound manifest process proof from cap.identify to a cap.identify, mem.frame_alloc, and cap.revoke loop with checked scheduler task, Sv39 satp identity, transient frame authority, and frame revocation.

Added a scheduler/launch-table-bound U-mode cap.identify syscall proof for a manifest-loaded process, reusing the stored Sv39 satp identity and running scheduler-task binding, rejecting wrong trap records in host tests, asserting a new QEMU marker, and refreshing v0.3 status evidence.

Added a scheduler/launch-table-bound manifest init entry and return proof that binds the launch record to a running scheduler task and stored Sv39 satp identity, rejects stale scheduler or satp drift in host tests, emits a QEMU proof marker, and refreshes v0.3 status evidence.

Added a reusable process-bound U-mode syscall runner for mem.frame_alloc, mem.map, mem.unmap, and cap.revoke under active process satp, validating transient frame authority, mapping authority, page-walk resolution, stale mapping-handle denial, and frame revocation.

Mapped the manifest-declared init stack, materialized text plus stack leaves in owned Sv39 tables, ran a stack-touching ABI-version U-mode ecall under the process satp, preserved trapped user sp through the sscratch trap path, and denied a third distinct L0-table bucket at map time.

Connected the parsed process manifest to the init launch path, dispatched the init process first, ran an ABI-version U-mode ecall from the manifest entry under process satp, and marked the launch record syscall-returned while keeping production stack materialization planned.

Added a bounded byte-backed process-manifest ABI parser with magic/version validation, fixed init/service records, role and right decoding, reserved-bit denial, empty-manifest denial, atomic launch-table loading, host tests, and QEMU smoke assertions.

Added executable process-manifest handoff evidence, a v0.3 goal gate document, U-mode ecall proof expansion, bounded scheduler semantics, bounded init/service-manager semantics, owned page-table materialization, satp activation/restore, and process-bound syscall proof paths.

Added a proof-backed RFC 0010 dispatch facade for ABI version, capability, IPC receive/call/reply, and memory calls, including malformed-rights denial and revoke-driven mapping invalidation, plus Sv39-shaped PTE records in the staged memory mapping proof while keeping U-mode ecall dispatch and satp switching future work.

Accepted RFC 0007 as the software CSpace and handle representation contract, freezing per-task CSpaces, slot/generation/lineage metadata, opaque u64 handle format 0x1, IPC import/export, revocation, stale-handle failure, CHERI mapping, and software fallback while keeping CHERI sealed-handle encoding future profile work.

Accepted RFC 0002 as the Agent Execution Context semantic model and aligned status, traceability, acceptance, roadmap, glossary, and public mirrors around accepted AEC semantics with runtime implementation still planned.

Accepted RFC 0010 as the first userspace/Nucleus syscall contract and aligned status, traceability, roadmap, and public mirrors around the frozen ABI boundary.

Denied requested or invalid page rights, added host-side permission tests, and extended staged frame revocation evidence across producer and auditor CSpaces/address spaces.

Added the first capability-backed memory-isolation proof slice with frame caps, task-owned CSpaces, staged address spaces, map/unmap, revocation invalidation, stale mapping failure, and page-fault evidence.

Published local site mirrors for the vision traceability and 1.0 acceptance matrices so the public docs page does not depend on private GitHub blob visibility.

Filled RFC 0001 and RFC 0002, added RFC 0006-0031 as draft contracts, and published draft vision traceability plus 1.0 acceptance matrices.

Moved the public site and nucleus proof workflows to Node 24-backed GitHub Actions pins after the v0.1.6 release validation.

Tightened object-family lineage, metadata validation, parent-slot revocation, lineage isolation, slot reclamation, and route-check CI coverage for the capability table proof.

Added a bounded internal capability table with slots, lineage, rights, object metadata, narrowed two-task delegation, and table-backed parent/derivative invalidation evidence.

Added executable evidence for endpoint capability attenuation, no-amplification, delegated IPC transfer, and parent/derivative revocation.

Accepted RFC 0004, added explicit IPC failure-path evidence, widened DTB-backed inventory, and added a second task-context request/reply slice.

Published the verified first-light proof bundle, accepted the boot-path RFC, and added a prototype child-task timer/IPC handoff slice.

Published the implementation-status page and added the first-light RISC-V/QEMU nucleus scaffold to the main repository.

Added structured data, machine-readable files, and documentation pages.

Initial public release of the ANVAYA OS website and manifesto.

The ANVAYA Manifesto is published as the core reference document.