docs(roadmap): B4 milestone closure trio (business + security + performance) + master-review remediation verification#33
…view remediation

B4 (Task loader) flips implementation-complete -> Closed via the closure trio (business retrospective + consolidated security review [Approve] + performance baseline), modelled on the 2026-05-14 B3 closure. T-019 merged 2026-05-16 (PR #31); ADR-0029 Accepted 2026-05-14 (PR #30).

The period under review included the 2026-05-22 full-tree master review (verdict: APPROVE the shipped kernel -- 0 code-correctness/security Blockers; issues clustered in CI/doc/ADR) and its remediation PR #32. All 24 Blocker+Major findings were re-verified adversarially against the live tree: 23 confirmed-fixed, 1 partial (MR-009). MR-009 is now fully closed in-branch -- phase-b.md gains a "Miri green = Phase-B exit prerequisite" note (the CI-gate half was already done by PR #32).

Closing metrics (reproduced live, HEAD 3ab029f, pinned nightly):
- cargo host-test 286/286 (43 hal + 187 kernel + 53 test-hal + 3 doc-tests; was 260 at the T-019 merge, +26 from PR #32); fmt/clippy/kernel-build clean.
- QEMU smoke runs the full demo through "tyrne: all tasks complete" with the new "tyrne: image loaded (...)" line; -d int,unimp,guest_errors = 629 events, 100% pre-existing PL011 noise, zero fault classes.
- Release perf band p10/p50/p90 = 15.641/17.587/19.150 ms (+5.3-5.7 ms vs B3 -- one-time boot cost of the loader's first post-bootstrap cap_map walks under QEMU TCG; real-hardware projection ~40 us).
- Audit log 28 entries (UNSAFE-2026-0027 + 0028 added; 0025/0026 Pending-smoke notes lifted by T-019).

Side-effects: current.md refreshed (B4 Closed, milestone -> B5, 260->286, trio in Last reviews); 3 review-type README indexes updated; perf-baseline report added.

Next milestone: B5 (syscall boundary) -- ADR-0030 + ADR-0031.

Refs: ADR-0013, ADR-0029, ADR-0036
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reviewer's Guide

Documents-only PR to close milestone B4 (Task loader) by adding its closure trio artefacts (business, security, performance), updating roadmap state and phase-B exit criteria, and wiring the new reviews into the various indexes and perf-reporting docs, including fixing test-count drift and codifying Miri as a Phase-B exit prerequisite.
Walkthrough

This PR records B4 (Task loader) closure via business, performance, and security review documents, updates index/readme entries, and advances the roadmap to mark B4 Closed and activate B5 with a Phase B Miri exit-quality prerequisite.
Hey - I've left some high level feedback:

- The new 2026-05-28 banner in `current.md` is extremely dense and repeats a lot of detail that’s already captured in the three B4 closure docs; consider trimming it to a short summary and linking to the business/security/perf artifacts to keep `current.md` maintainable over time.
- A lot of the same B4 metrics (test counts, perf band, QEMU event counts, audit-log size) are now reproduced in several places (current.md, business review, perf review, security review); where possible, prefer a single canonical table plus brief references elsewhere to reduce the risk of future drift.
Code Review
This pull request formally closes the B4 milestone (Task loader) by introducing the B4 closure retrospective reviews (business, security, and performance baseline) and updating the roadmap documentation to reflect the transition to B5 (Syscall boundary). The updates record the post-remediation metrics, including an increased test count of 286 and the performance baseline under QEMU TCG. Feedback on the security review document suggests simplifying a relative link to the task loader document for consistency with sibling reviews.
| @@ -0,0 +1,116 @@ | |||
| # Security review 2026-05-28 — B4 closure consolidated pass (post-T-019 + master-review remediation) | |||
| - **Change:** the B4 arc on `main` — [T-019 task loader](../../../analysis/tasks/phase-b/T-019-task-loader.md) merged via PR #31 ([merge `7f876af`](https://github.com/HodeTech/Tyrne/commit/7f876af); 7 bisectable commits `911f2ad`/`5711756`/`ae31bc8`/`196d3fb`/`164522d`/`5b1f153`/`95efd62` + doc/round-fix commits `74694d4`/`5078944`/`eb14c51`), preceded by [ADR-0029](../../../decisions/0029-initial-userspace-image-format.md) (Initial userspace image format, `Accepted` 2026-05-14, PR #30 [merge `e09755d`](https://github.com/HodeTech/Tyrne/commit/e09755d)) — *plus* the **master-review remediation** PR #32 ([merge `50bffe9`](https://github.com/HodeTech/Tyrne/commit/50bffe9)) that closed the 2026-05-22 full-tree review's Blocker+Major backlog (commits `a6e909d` MR-001 / `8063ee2` MR-006/005/019/020 + ADR-0036 / `fbc3d3f` MR-002/003/007/008/009 CI honesty / `59f9309` MR-005/011/017/018 / `57bc2e6` MR-010/018 / `348971e` MR-022/017/018 / `24530fb` MR-012/013/014 / `4e241d9` MR-016/019 / `4141158` MR-015/004 / `a2e7257` D3-005/006/007 + review-round commits `ae8fbd7`/`8ceb4fb`/`c843ecd`), the org migration `cd4cb6e` (cemililik/Tyrne → HodeTech/Tyrne), and the README clarity pass `3ab029f` (HEAD). Period under review: 2026-05-14 → 2026-05-28. | |||
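Review bot: this single `- **Change:**` bullet folds five distinct change sets into one sentence (the T-019 merge via PR #31, ADR-0029 via PR #30, the PR #32 remediation commits with their MR-number mapping, the org migration `cd4cb6e`, and the README pass `3ab029f`); splitting it into one sub-bullet per change set, with the commit-to-MR mapping as its own list, would let a later audit check each SHA against its MR finding without re-parsing the paragraph and would let the "Period under review" sentence stand on its own line.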
The relative link to the task loader document can be simplified for consistency and directness. Since this file is located at docs/analysis/reviews/security-reviews/2026-05-28-B4-closure.md, we can reference the task loader file using ../../tasks/phase-b/T-019-task-loader.md instead of going up three levels to the docs/ root and then back down. This matches the link structure used in the sibling business and performance reviews.
| - **Change:** the B4 arc on `main` — [T-019 task loader](../../../analysis/tasks/phase-b/T-019-task-loader.md) merged via PR #31 ([merge `7f876af`](https://github.com/HodeTech/Tyrne/commit/7f876af); 7 bisectable commits `911f2ad`/`5711756`/`ae31bc8`/`196d3fb`/`164522d`/`5b1f153`/`95efd62` + doc/round-fix commits `74694d4`/`5078944`/`eb14c51`), preceded by [ADR-0029](../../../decisions/0029-initial-userspace-image-format.md) (Initial userspace image format, `Accepted` 2026-05-14, PR #30 [merge `e09755d`](https://github.com/HodeTech/Tyrne/commit/e09755d)) — *plus* the **master-review remediation** PR #32 ([merge `50bffe9`](https://github.com/HodeTech/Tyrne/commit/50bffe9)) that closed the 2026-05-22 full-tree review's Blocker+Major backlog (commits `a6e909d` MR-001 / `8063ee2` MR-006/005/019/020 + ADR-0036 / `fbc3d3f` MR-002/003/007/008/009 CI honesty / `59f9309` MR-005/011/017/018 / `57bc2e6` MR-010/018 / `348971e` MR-022/017/018 / `24530fb` MR-012/013/014 / `4e241d9` MR-016/019 / `4141158` MR-015/004 / `a2e7257` D3-005/006/007 + review-round commits `ae8fbd7`/`8ceb4fb`/`c843ecd`), the org migration `cd4cb6e` (cemililik/Tyrne → HodeTech/Tyrne), and the README clarity pass `3ab029f` (HEAD). Period under review: 2026-05-14 → 2026-05-28. | |
| - **Change:** the B4 arc on `main` — [T-019 task loader](../../tasks/phase-b/T-019-task-loader.md) merged via PR #31 ([merge `7f876af`](https://github.com/HodeTech/Tyrne/commit/7f876af); 7 bisectable commits `911f2ad`/`5711756`/`ae31bc8`/`196d3fb`/`164522d`/`5b1f153`/`95efd62` + doc/round-fix commits `74694d4`/`5078944`/`eb14c51`), preceded by [ADR-0029](../../../decisions/0029-initial-userspace-image-format.md) (Initial userspace image format, `Accepted` 2026-05-14, PR #30 [merge `e09755d`](https://github.com/HodeTech/Tyrne/commit/e09755d)) — *plus* the **master-review remediation** PR #32 ([merge `50bffe9`](https://github.com/HodeTech/Tyrne/commit/50bffe9)) that closed the 2026-05-22 full-tree review's Blocker+Major backlog (commits `a6e909d` MR-001 / `8063ee2` MR-006/005/019/020 + ADR-0036 / `fbc3d3f` MR-002/003/007/008/009 CI honesty / `59f9309` MR-005/011/017/018 / `57bc2e6` MR-010/018 / `348971e` MR-022/017/018 / `24530fb` MR-012/013/014 / `4e241d9` MR-016/019 / `4141158` MR-015/004 / `a2e7257` D3-005/006/007 + review-round commits `ae8fbd7`/`8ceb4fb`/`c843ecd`), the org migration `cd4cb6e` (cemililik/Tyrne → HodeTech/Tyrne), and the README clarity pass `3ab029f` (HEAD). Period under review: 2026-05-14 → 2026-05-28. |
Actionable comments posted: 3
Inline comments:

In `@docs/analysis/reviews/business-reviews/2026-05-28-B4-closure.md`:
- Line 206: Update the MR-009 bullet so its final state is unambiguous: choose either “closed” or “pending” and make the whole sentence consistent (e.g., if closed, remove the clause that says the phase-b exit-bar text is still missing; if pending, remove the “closed in-branch 2026-05-28” tag). Ensure the text references MR-009 and the phase-b exit-bar change to phase-b.md consistently and keep the note about where the exit prerequisite should appear (the §"Exit-quality prerequisite — Miri" paragraph) or remove that note if marking MR-009 as pending.

In `@docs/analysis/reviews/performance-optimization-reviews/2026-05-28-B4-closure.md`:
- Line 223: Update the MR-009 status wording in the Phase-B exit narrative to reflect that the Miri-as-Phase-B-exit-bar change has been completed in-branch: edit the sentence that currently says "not yet written" to state that the Phase-B exit checklist now includes Miri as a blocking CI gate (or add an explicit historical timestamp noting when the pre-fix wording applied); ensure you reference MR-009 and the corresponding gate entry in infrastructure.md and adjust the Phase-B exit bar / phase-b.md text to read as a completed action rather than pending.

In `@docs/analysis/reviews/security-reviews/2026-05-28-B4-closure.md`:
- Line 105: The MR-009 adjustment text in docs/analysis/... states that the Phase-B Miri prerequisite ("Miri green = Phase-B exit prerequisite") is not yet written into phase-b.md, but the PR/cohort indicates this was already added; update the Adjustment text to match the merged state by editing the MR-009 entry to reflect that the Phase-B exit checklist in roadmap/phases/phase-b.md now includes the Miri requirement, remove or mark the "not yet written" note, and add a brief reference to the merge/commit that closed it (or mark as closed) so future audits do not reopen this item.
- security review: make the T-019 link direct (../../../analysis/tasks -> ../../tasks/phase-b/T-019-task-loader.md), matching the business/performance sibling reviews.
- MR-009 consistency: the Miri-as-Phase-B-exit-prerequisite item was closed in-branch (phase-b.md gained the "Exit-quality prerequisite -- Miri" paragraph), but several artifacts still described it as "not yet written" / a "standing residual". Reconcile every mention to the closed state -- business §What-we-learned + §Adjustments (and the section heading), security §4 + Verdict + Adjustment heading + the audit-log bullet, performance forward-flag, and both README index rows -- so future audits do not reopen it. The remediation now reads 24/24 throughout.
- current.md: trim the dense 2026-05-28 banner to a short summary that links the closure trio (the canonical metrics source) instead of reproducing every number, and trim the Last-completed-milestone bullet's metric reproduction to a one-line headline + canonical-source pointer. Reduces future drift risk (overall review comments 1 + 2).

Docs-only changeset; 305/305 relative links verified resolving.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
current.md + T-021 task file cite PR #34 (base main, 9 commits, bundles T-020 + T-021 in one combined review per the maintainer's call). Matches the project's PR-reference convention (cf. T-019/PR #31, B4/PR #33).

Refs: ADR-0030, ADR-0031
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-021) (#34)

* docs(adr): propose ADR-0030/0031 — syscall ABI + initial syscall set

ADR-0030 settles the EL0->EL1 syscall calling convention (x8 = number, x0-x5 args, x0 status + x1-x7 payload, SVC #0), the dedicated-status error encoding, and the K2-5 split of IpcError::InvalidCapability into StaleHandle / WrongObjectKind / MissingRight (with the per-subject-cap security argument and the arena-staleness ordering caveat). ADR-0031 fixes the v1 syscall set (send, recv, console_write [capability-gated + release debug-gated], task_yield, task_exit), reserves number 0 as invalid, and pins each call's register layout; every object-naming syscall performs a capability check (P1/P4).

Opens T-020 (error taxonomy + Capability/CapObject Debug redaction — the pure-Rust foundation, In Progress) and T-021 (SVC trap trampoline + panic-free dispatcher + copy-from/to-user — Ready, the security-critical hardware-facing half) to ground both ADRs' dependency chains per ADR-0025 Rule 1. Both ADRs land at Proposed; Accept follows in a separate commit.

Refs: ADR-0030, ADR-0031
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(adr): accept ADR-0030/0031 after careful re-read + maintainer review

Flip ADR-0030 and ADR-0031 Proposed -> Accepted in a commit separate from the propose draft, per write-adr skill section 10.

The careful re-read plus a same-day maintainer review surfaced and corrected several drafting issues *before* this Accept — all folded into the proposed bodies above, so the Accepted text is correct from the start (no post-Accept body edit):
- an SVC from a B5 EL1 kernel-stub takes the current-EL (VBAR_EL1+0x200) sync vector, not the lower-EL (+0x400) EL0 vector, so the real EL0 round-trip is runtime-verified in B6, not B5;
- console_write is capability-gated on a debug-console capability (it was ambient authority, a P1/P4 violation); the release debug-gate is a separate, independent defense-in-depth gate;
- the syscall numbers 1..5 are a fixed decision (tests regression-verify them), and the payload registers are x1..x7.

Adds the additive ADR-0017 revision rider recording that the IpcError taxonomy is refined (not superseded) and the three-primitive surface is unchanged.

Refs: ADR-0030, ADR-0031
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(ipc): split IpcError::InvalidCapability into three typed variants

Per ADR-0030's K2-5 bundle, replace the collapsed IpcError::InvalidCapability with StaleHandle / WrongObjectKind / MissingRight so the in-kernel and the future userspace error spaces agree and each failure is a distinct, handleable case. Validation now resolves in the order resolve -> type-check -> authority (kind before rights), matching CapError's InvalidHandle/WrongKind/InsufficientRights shape, across validate_ep_cap, validate_notif_cap, and sched::resolve_ep_cap; the four arena-staleness sites map to StaleHandle. Revealing which check failed is safe for a per-subject, unforgeable capability table (ADR-0030 security argument).

Remaps the existing rights/stale test assertions and adds 5 new tests pinning each variant (incl. wrong-kind-with-right, proving kind-before-rights, and a destroyed-endpoint StaleHandle). InvalidTransferCap is intentionally left intact (note C3-008). Updates docs/architecture/ipc.md taxonomy section.

Security-relevant (capabilities + IPC). fmt / host-test (194 kernel) / host-clippy / kernel-clippy / kernel-build / miri (no UB) all green.

Refs: ADR-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(cap): redact Capability and CapObject Debug to hide object identity

Per ADR-0030 "Security of the taxonomy split" / B5 sub-item 6 (K3-9, security review section 6): a userspace-reachable log path (the future console_write syscall) must never disclose the kernel object a capability names. Replace the derived Debug on Capability with a hand-written impl that shows rights but prints the object as <redacted>, and redact CapObject likewise (kind-only Debug, hiding the wrapped slot index + generation). The individual kernel-object handle types keep their derived Debug for kernel-internal diagnostics (they never cross to userspace; T-021's console_write review gates that). Two host tests pin both redaction layers. Broadens security-model.md's "no unredacted Debug/Display" rule to capabilities.

The CapObject redaction was folded in from an adversarial self-review that flagged it as a latent defense-in-depth gap (no current production formatter, but conservative per CLAUDE.md rule 1).

Security-relevant.

Refs: ADR-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(ipc): pin StaleHandle + WrongObjectKind on ipc_cancel_recv

Add two tests so ipc_cancel_recv pins all three split variants (it already had MissingRight): a Task cap carrying RECV proves the kind-before-rights ordering (WrongObjectKind), and a cap whose endpoint was destroyed exercises the arena-staleness branch (StaleHandle). This makes ADR-0030's row-3 verification mapping accurate for cancel_recv (it previously over-claimed cancel coverage). Kernel host tests 194 -> 196.

Refs: ADR-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(roadmap): T-020 In Review; narrow B5 acceptance to current-EL proxy

Address the remaining maintainer-review findings (the ADR append-only fix landed via the propose/accept rebase; this commit covers the rest):
- Major: phase-b §B5 acceptance over-promised a real EL0->EL1 round-trip, which ADR-0030 shows is impossible at B5 (an EL1 kernel-stub SVC takes the current-EL 0x200 vector, not the lower-EL 0x400 EL0 vector). Narrow B5 to "dispatch mechanism verified via the current-EL kernel-stub" and move the real EL0 0x400 round-trip to the B6 acceptance criteria.
- Minor: current.md banner said "In Progress" while the fields said "In Review"; fix the banner and the two broken T-021 links (../).
- Move T-020 to In Review in the task index + task doc; record the maintainer-review round and the row-to-verification mapping (now incl. the two new cancel_recv variant tests) in T-020's review history.
- Add EL0/EL1, SVC, Syscall, and Syscall ABI glossary entries and note the taxonomy split on the ipc.md architecture status row.

Refs: ADR-0030, ADR-0031
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(ipc): make wrong-kind tests actually prove kind-before-rights

Second-round review found the four *_wrong_object_kind tests handed the cap the operation's own right, so they returned WrongObjectKind under *both* the chosen kind-first order and a hypothetical rights-first regression — i.e. ordering-agnostic, proving nothing (a rights-first flip would not fail them). Fix: each test now uses a wrong-kind cap that also LACKS the required right (CapRights::empty()), the only input that discriminates the order (WrongObjectKind under kind-first, MissingRight under rights-first), so a regression to rights-first now fails the tests.

Updates the section comment and T-020 AC#4 to state what each test actually proves; corrects T-020's stale test counts (AC#6 194 -> 196; review history "8 new" -> "9 new"). (The stale-variant references in the Turkish technical-analysis IPC chapter were also refreshed on disk for local reference, but that tree is gitignored, so it is not part of this commit / the repo.)

No production code change; fmt / host-test 196 / clippy / build / miri (no UB) all green.

Refs: ADR-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(syscalls): EL0→EL1 SVC dispatch — trampoline, panic-free dispatcher, copy-user

Land the security-critical hardware-facing half of B5 (T-021): the EL0→EL1 SVC trap path that instantiates ADR-0030's calling convention and ADR-0031's five-syscall v1 set.

New architecture-agnostic, panic-free, host-tested kernel `syscall` module:
- error.rs: SyscallError composing CapError/IpcError via From, with a stable numeric status encoding (0 = Ok; 1-3 top-level; 0x10x = Cap; 0x20x = Ipc).
- abi.rs: SyscallNumber decode (release debug-gate on console_write via cfg!(debug_assertions)), the register frame types, value↔register packing for Message/outcomes, and the Option<CapHandle> null-handle sentinel.
- user_access.rs: UserAccessWindow + validated copy_from_user/copy_to_user (range-check-then-copy; wrap and zero-length handled; never derefs an unvalidated user pointer).
- dispatch.rs: the panic-free dispatcher + per-syscall handlers + the debug-console capability check; control-plane syscalls (task_yield/exit) return a SyscallEffect directive rather than touching the scheduler.

Capability surface: CapObject::DebugConsole (singleton, no handle) + CapRights::CONSOLE_WRITE (bit 7, added to KNOWN_BITS) + CapHandle::from_raw (ABI-decode constructor; reconstructed handles are validated by lookup).

BSP (hardware-facing): tyrne_sync_trampoline in vectors.s installed at both VBAR_EL1+0x200 (current-EL, the B5 path) and +0x400 (lower-EL AArch64, the B6 EL0 path) — saves the full x0-x30 + SP_EL0 + ELR_EL1 + SPSR_EL1 frame, routes ESR_EL1.EC==SVC64 to a Rust syscall_entry, else to the existing panic path. SyscallTrapFrame (272 B, #[repr(C)], const-asserted to match the asm). kernel_entry runs an EL1 kernel-stub SVC smoke (console_write + bad-number).

Gates: fmt / host-clippy / kernel-clippy / kernel-build clean; host tests 236 (+40); cargo test --release green (the debug-gate release-path tests); cargo miri test --workspace --exclude tyrne-bsp-qemu-virt clean (43+236+53).

QEMU smoke (debug): two SVCs taken at the current-EL vector (ESR 0x15/SVC64, EL1→EL1), clean ERET; console_write emits its buffer via the syscall path (status 0x0, 63 bytes); a reserved-invalid number returns BadSyscallNumber (0x1); -d int,unimp,guest_errors shows no new fault class; the cooperative demo still runs to "tyrne: all tasks complete". The real EL0 +0x400 round-trip (EL0↔EL1 transition + copy-user against a separate userspace TTBR0_EL1) is wired but runtime-verified in B6 per ADR-0030 §Simulation.

Refs: ADR-0030, ADR-0031
Audit: UNSAFE-2026-0029, UNSAFE-2026-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(syscalls): T-021 review-round follow-up — dispatch tests + compile-time payload guard

Apply the actionable findings from the T-021 adversarial review-round (which confirmed no live B5 defect). All changes are test coverage, a behavior-preserving defensive refactor, and B6 forward-gate tracking — no production behavior change (QEMU trace byte-stable; the const-generic emits identical register values).

Test coverage (+4 dispatch-level tests; host tests 236 -> 240) closing gaps the review surfaced:
- send_with_transfer_cap_then_recv_returns_cap_in_x6 — the x5 transfer-handle decode -> ipc_send cap_take AND ipc_recv -> encode_recv_outcome x6 cap-pack, end-to-end through dispatch (previously untested; verified non-vacuous via a mutation check — breaking the x6 pack makes it fail).
- send_with_stale_transfer_handle_returns_invalid_transfer_cap — status 0x205.
- recv_with_no_sender_returns_pending_packing — Pending packing (x1=pending, x2..x7 zeroed).
- console_write_exactly_one_chunk_emits_all_bytes — the len == CONSOLE_WRITE_CHUNK loop boundary (debug-gated).

Hardening (nit): SyscallReturn::with_payload is now a const-generic with_payload::<IDX> with `const { assert!(IDX < 7) }`, turning the (already unreachable-from-untrusted-input) runtime index panic into a compile-time error at the call site — matching the kernel's compile-time-guard idiom. Call sites updated to the ::<N> turbofish.

Clarity: the three scattered "unreachable re-validation" comments in sys_console_write consolidated into one inequality-chain proof.

Docs: phase-b.md §B6 gains an explicit "T-021 carry-forward gates" list (per-task console_write window + per-page user-VA translation returning FaultAddress not panic; SP_EL1 init on the +0x400 entry; SYSCALL_STUB_TABLE -> current-task table) so B6 cannot miss them; T-021 review history records the round.

Gates re-run green: fmt / host-clippy / kernel-clippy / kernel-build clean; host-test 240; test --release green; miri --workspace excl BSP clean (43+240+53, 0 UB); QEMU smoke round-trip byte-stable.

Refs: ADR-0030, ADR-0031
Audit: UNSAFE-2026-0029, UNSAFE-2026-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(roadmap): record PR #34 (combined T-020 + T-021 B5 review)

current.md + T-021 task file cite PR #34 (base main, 9 commits, bundles T-020 + T-021 in one combined review per the maintainer's call). Matches the project's PR-reference convention (cf. T-019/PR #31, B4/PR #33).

Refs: ADR-0030, ADR-0031
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(syscalls): T-021 review-round 2 — overlap-safe copy-user + scope/guard fixes

Address the second review-round on PR #34. Fix only still-valid issues; one finding (release-wrap of a const) was refuted but its requested guard kept as a clearer compile-time tripwire; one (test-scaffolding helper) skipped.

Soundness (headline): copy_from_user / copy_to_user are SAFE `pub fn`s, so they must be sound for every input — but `UserAccessWindow::validate` proves *bounds*, not *disjointness*, and under the v1 identity map (VA == PA) a caller could pass a user_ptr range that aliases the kernel-owned dst/src slice, making `copy_nonoverlapping`'s non-overlap precondition violable from safe code (UB). Switch both moves to `core::ptr::copy` (memmove), which is correct for any overlap; drop the unprovable "source and destination are disjoint" claim from the SAFETY comments and document why `copy` (not `copy_nonoverlapping`) is the sound choice. Behaviour is identical for the non-overlapping case (all current callers are disjoint), so QEMU/Miri/host evidence is unchanged. UNSAFE-2026-0030 gains an append-only Amendment recording the change (title/anchor preserved).

Hardening (compile-time guards, no runtime cost):
- abi.rs: a `const _: () = assert!(NULL_CAP_HANDLE > max-packable-handle-word)` locks the sentinel-collision-freedom invariant — a future CapHandle widening that could push a packed word into the sentinel's bit range fails the build.
- bsp syscall.rs: an explicit `const _: () = assert!(PMM_EXTENT_END >= PMM_EXTENT_START)` with a clear message in front of SYSCALL_USER_WINDOW_LEN. (The reviewer's "wraps in release" premise is incorrect — the subtraction is a `const`, and const-eval rejects underflow at build time, never wraps — but the named assert gives a clearer failure than a raw const-eval overflow error.)

Docs:
- T-021 §Informs: scope the ADR-0030 §Simulation discharge — rows 2/4 in full + the mechanism half of rows 0/1/5 via the EL1-stub proxy at the current-EL +0x200 vector; the EL0-runtime half of rows 0/1/5 (the +0x400 vector, the EL0↔EL1 transition, copy-user vs a separate userspace TTBR0_EL1) is deferred to B6, not discharged here.
- current.md: remove the blank lines between adjacent banner paragraphs so they form one contiguous `>` blockquote (matches the file's existing multi-paragraph style; resolves markdownlint MD028).

Skipped: extracting a SyscallContext test-builder — the scaffolding verbosity is largely forced by the borrow structure (tests declare + later inspect the borrowed locals), so a helper saves only the struct-literal line per test and isn't worth churning the just-reviewed test suite on an in-review PR.

Gates re-run green: fmt / host-clippy / kernel-clippy / kernel-build; host-test 240; test --release 233; miri --workspace excl BSP clean (0 UB); QEMU smoke round-trip byte-stable.

Refs: ADR-0030, ADR-0031
Audit: UNSAFE-2026-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* audit(syscalls): correct UNSAFE-2026-0030 amendment — disjointness is the soundness basis

Review-round on PR #34 (two findings; each verified against current code):

1. UNSAFE-2026-0030 amendment (docs/audits/unsafe-log.md) — VALID, fixed. The amendment added in 2c713c0 (a) lacked the commit SHA the audit-log format wants and (b) over-claimed that switching to `core::ptr::copy` makes the copy "overlap-tolerant". An empirical Miri probe disproved that: an overlapping (user_ptr, kernel-slice) pair is UB *regardless* of the copy primitive — `copy_from_user`'s `dst: &mut [u8]` (and `copy_to_user`'s `src: &[u8]`) parameter is exclusive / shared, so an aliasing access through the exposed `user_ptr` violates that borrow (Stacked Borrows: "not granting access to tag <wildcard> … strongly protected"). The amendment now carries SHA 2c713c0, marks the original `copy_nonoverlapping` §Operation / invariant(3) / rejected-alternatives wording as superseded, and states the true soundness basis: the user/kernel **disjointness** invariant (user_ptr = userspace, kernel slice = distinct allocation in v1 / separate AS in B6), under which both `copy` and `copy_nonoverlapping` are sound. `core::ptr::copy` is kept as the conservative primitive. The copy_from_user / copy_to_user SAFETY comments are corrected to match (invariant 3 = disjointness, not "overlap-tolerant").

2. Add overlapping-copy regression tests — SKIPPED, with reason. The requested tests assert "overlapping copies are allowed", but overlap is UB here (see above — Miri-confirmed via a temporary probe, now removed), independent of `copy` vs `copy_nonoverlapping`. Such tests would (a) break the Miri gate and (b) codify an unsound expectation. The real invariant is disjointness, which the existing tests + the structural user/kernel split already cover; an overlapping call correctly fails under Miri's borrow model.

No code-behaviour change (the `core::ptr::copy` calls are unchanged; only SAFETY comments + the audit amendment text). Gates: fmt / host-clippy / kernel-clippy / kernel-build clean; host-test 240; miri (syscall) 0 UB. Production code is byte-identical to 2c713c0, already validated with full miri + test --release + QEMU smoke.

Refs: ADR-0030, ADR-0031
Audit: UNSAFE-2026-0030
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
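The resolve -> kind -> rights validation order, the redacted Capability Debug, and the discriminating test input described in the T-020 commits above, as an added Rust example that is not Tyrne's own code: `CapTable`, `ObjKind`, `RIGHT_SEND`/`RIGHT_RECV` and `verdicts()` are assumed names, the `IpcError` variants are the page's, and the rights-first variant exists only to show why a wrong-kind cap that also lacks the right is the one input that separates the two orders.

```rust
// Added example (not Tyrne's code): kind-before-rights capability validation,
// a redacted Debug for the capability, and the fixture that discriminates the
// chosen order from a rights-first regression. Names below are assumptions.
use std::collections::HashMap;
use std::fmt;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IpcError {
    StaleHandle,
    WrongObjectKind,
    MissingRight,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ObjKind {
    Endpoint,
    Task,
}

pub const RIGHT_SEND: u8 = 1 << 0;
pub const RIGHT_RECV: u8 = 1 << 1;

/// A subject's view of one object: which slot it names and what it may do.
#[derive(Clone, Copy)]
pub struct Capability {
    pub handle: u32,
    pub rights: u8,
}

/// Hand-written Debug: rights are shown, the object identity is not, so a
/// userspace-reachable log path cannot learn which kernel object a cap names.
impl fmt::Debug for Capability {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Capability")
            .field("object", &format_args!("<redacted>"))
            .field("rights", &format_args!("{:#b}", self.rights))
            .finish()
    }
}

/// Per-subject table: handle -> (kind, alive). `alive == false` models a slot
/// whose object was destroyed, i.e. the arena-staleness case.
pub struct CapTable {
    slots: HashMap<u32, (ObjKind, bool)>,
}

impl CapTable {
    /// Constructed fixture: 1 = live endpoint, 2 = live task, 3 = destroyed endpoint.
    pub fn demo() -> Self {
        let mut slots = HashMap::new();
        slots.insert(1, (ObjKind::Endpoint, true));
        slots.insert(2, (ObjKind::Task, true));
        slots.insert(3, (ObjKind::Endpoint, false));
        Self { slots }
    }

    fn resolve(&self, cap: Capability) -> Result<ObjKind, IpcError> {
        match self.slots.get(&cap.handle) {
            Some(&(kind, true)) => Ok(kind),
            _ => Err(IpcError::StaleHandle), // unknown or destroyed: both are stale
        }
    }

    /// The chosen order: resolve, then type-check, then authority.
    pub fn validate_ep_cap(&self, cap: Capability, needed: u8) -> Result<u32, IpcError> {
        let kind = self.resolve(cap)?;
        if kind != ObjKind::Endpoint {
            return Err(IpcError::WrongObjectKind);
        }
        if cap.rights & needed != needed {
            return Err(IpcError::MissingRight);
        }
        Ok(cap.handle)
    }

    /// The hypothetical regression (rights before kind), kept only so the
    /// discriminating input can be shown side by side with the chosen order.
    pub fn validate_ep_cap_rights_first(&self, cap: Capability, needed: u8) -> Result<u32, IpcError> {
        let kind = self.resolve(cap)?;
        if cap.rights & needed != needed {
            return Err(IpcError::MissingRight);
        }
        if kind != ObjKind::Endpoint {
            return Err(IpcError::WrongObjectKind);
        }
        Ok(cap.handle)
    }
}

/// Returns (kind_first, rights_first) verdicts for one cap: if the two agree,
/// that input cannot detect a regression in the ordering.
pub fn verdicts(t: &CapTable, cap: Capability, needed: u8) -> (Result<u32, IpcError>, Result<u32, IpcError>) {
    (t.validate_ep_cap(cap, needed), t.validate_ep_cap_rights_first(cap, needed))
}
```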
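The user-access window from the T-021 commits above (range-check-then-copy; wrap and zero-length handled; no dereference of an unvalidated user pointer) together with the disjointness argument from the audit amendment, as an added Rust example that is not Tyrne's own code: `UserWindow`, `AccessFault` and the `demo()` fixture are assumed names, and the window constructor is made `unsafe` here so that the disjointness invariant the commits discuss has an explicit owner.

```rust
// Added example (not Tyrne's code): a validated user-access window. Bounds are
// *checked* per call; disjointness from kernel memory is an *invariant* carried
// by the window's unsafe constructor, following the PR #34 audit amendment.
// Type and function names are assumptions for this sketch.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AccessFault {
    /// `addr + len` does not fit in usize: a wrapped range must never pass the check.
    Wrap { addr: usize, len: usize },
    /// The range is well-formed but not entirely inside the window.
    OutOfWindow { addr: usize, len: usize },
}

/// Half-open range `[start, end)` of user addresses the kernel may access.
#[derive(Debug, Clone, Copy)]
pub struct UserWindow {
    start: usize,
    end: usize,
}

impl UserWindow {
    /// # Safety
    /// `[start, end)` must be mapped, readable and writable for the window's
    /// lifetime, and disjoint from every kernel-owned slice later handed to
    /// `copy_from_user` / `copy_to_user`. That disjointness, not the choice of
    /// copy primitive, is what keeps the safe copy functions sound.
    pub unsafe fn new(start: usize, end: usize) -> Self {
        assert!(start <= end, "window must not be inverted");
        Self { start, end }
    }

    /// Prove `[addr, addr + len)` lies inside the window *before* any access.
    /// `checked_add` turns an `addr + len` wrap into a reported fault, not a bypass.
    pub fn validate(&self, addr: usize, len: usize) -> Result<(), AccessFault> {
        let end = addr.checked_add(len).ok_or(AccessFault::Wrap { addr, len })?;
        if addr < self.start || end > self.end {
            return Err(AccessFault::OutOfWindow { addr, len });
        }
        Ok(())
    }
}

/// Copy `dst.len()` bytes from user address `user_ptr` into kernel slice `dst`.
/// Never panics: every failure is a returned fault and nothing is written.
pub fn copy_from_user(win: &UserWindow, user_ptr: usize, dst: &mut [u8]) -> Result<usize, AccessFault> {
    win.validate(user_ptr, dst.len())?;
    if dst.is_empty() {
        return Ok(0); // validated, nothing to move: no user pointer is ever formed
    }
    // SAFETY: validate() proved the range is inside the window; UserWindow::new's
    // contract makes it readable and disjoint from `dst`. `core::ptr::copy` is the
    // conservative primitive, but overlap would already be UB through the `&mut`.
    unsafe { core::ptr::copy(user_ptr as *const u8, dst.as_mut_ptr(), dst.len()) };
    Ok(dst.len())
}

/// Copy kernel slice `src` to user address `user_ptr` under the same discipline.
pub fn copy_to_user(win: &UserWindow, user_ptr: usize, src: &[u8]) -> Result<usize, AccessFault> {
    win.validate(user_ptr, src.len())?;
    if src.is_empty() {
        return Ok(0);
    }
    // SAFETY: as above, with the window writable and disjoint from `src`.
    unsafe { core::ptr::copy(src.as_ptr(), user_ptr as *mut u8, src.len()) };
    Ok(src.len())
}

/// Host demo: a constructed 64-byte buffer stands in for the userspace window.
/// Writes a message at offset 8 through copy_to_user and reads it back.
pub fn demo() -> Result<(usize, Vec<u8>), AccessFault> {
    let mut user = vec![0u8; 64];
    let base = user.as_mut_ptr() as usize;
    // SAFETY: `user` outlives `win`; `payload` and `back` are distinct allocations.
    let win = unsafe { UserWindow::new(base, base + user.len()) };
    let payload = *b"tyrne: image loaded";
    let written = copy_to_user(&win, base + 8, &payload)?;
    let mut back = vec![0u8; payload.len()];
    copy_from_user(&win, base + 8, &mut back)?;
    Ok((written, back))
}
```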
B4 milestone closure trio
Closes the B4 (Task loader) milestone: implementation-complete (T-019, 2026-05-16, PR #31; ADR-0029 Accepted 2026-05-14, PR #30) → Closed, via the standard closure trio modelled on the 2026-05-14 B3 closure.
Artifacts
- `docs/analysis/reviews/business-reviews/2026-05-28-B4-closure.md`
- `docs/analysis/reviews/security-reviews/2026-05-28-B4-closure.md` — verdict: Approve (eight axes pass)
- `docs/analysis/reviews/performance-optimization-reviews/2026-05-28-B4-closure.md` (re-baseline) + `docs/analysis/reports/perf-baseline-2026-05-28-B4-closure.md`

Master-review remediation verification
The period included the 2026-05-22 full-tree master review (APPROVE the shipped kernel; issues clustered in CI/doc/ADR — 0 kernel-correctness/security Blockers) and its remediation PR #32. All 24 Blocker+Major findings were re-verified adversarially against the live tree: 23 confirmed-fixed, 1 partial (MR-009). MR-009 is now fully closed in-branch — `phase-b.md` gains a "Miri green = Phase-B exit prerequisite" note (the CI-gate half was already in PR #32).

Closing metrics (reproduced live, HEAD `3ab029f`, pinned nightly)

- `cargo host-test` 286/286 (43 hal + 187 kernel + 53 test-hal + 3 doc-tests; was 260 at the T-019 merge, +26 from PR #32); fmt/clippy/kernel-build clean.
- QEMU smoke runs the full demo through `tyrne: all tasks complete`; `-d int,unimp,guest_errors` 629 events (100 % pre-existing PL011 noise, zero fault classes).
- Release perf band p10/p50/p90 = 15.641/17.587/19.150 ms (+5.3 to 5.7 ms vs B3: one-time boot cost of the loader's first post-bootstrap cap_map walks under QEMU TCG; real-hardware projection ~40 µs).
- Audit log 28 entries (UNSAFE-2026-0027 + 0028 added; 0025/0026 `Pending QEMU smoke verification` notes lifted by T-019).

Side-effects (per the conduct-review skill)

- `current.md` → B4 Closed, active milestone B5, test count 260 → 286, trio added to Last reviews.

Correctly deferred (not left behind)
B5 (ADR-0030 syscall ABI + ADR-0031 initial syscall set) is the next milestone (maintainer-sequenced). Trigger-deferred carry-forwards — B5+ MemoryRegion cap, PL011 init BSP task, BSP host-test crate, ADR-0033/0034 placeholders — remain open with their unfired triggers (documented in the business retro §Adjustments).
Docs-only changeset; 305 / 305 relative links verified resolving.
🤖 Generated with Claude Code
Summary by Sourcery
Close the B4 task-loader milestone via its full business, security, and performance closure trio, record the associated master-review remediation status and metrics, and advance the roadmap and documentation toward the B5 syscall boundary work.