diff --git a/bsp-qemu-virt/src/main.rs b/bsp-qemu-virt/src/main.rs
index dfdcc91..4345000 100644
--- a/bsp-qemu-virt/src/main.rs
+++ b/bsp-qemu-virt/src/main.rs
@@ -49,6 +49,7 @@ mod exceptions;
 mod gic;
 mod mmu;
 mod mmu_bootstrap;
+mod syscall;
 
 use console::Pl011Uart;
 use cpu::QemuVirtCpu;
@@ -384,6 +385,16 @@ static EP_CAP_A: StaticCell<CapHandle> = StaticCell::new();
 /// Task B's endpoint capability handle (index into `TABLE_B`).
 static EP_CAP_B: StaticCell<CapHandle> = StaticCell::new();
 
+// ─── T-021 syscall-boundary smoke ─────────────────────────────────────────────
+
+/// The EL1 kernel-stub's capability table — the `caller_table` the syscall
+/// dispatcher resolves capabilities in for the B5 `SVC` smoke (see
+/// [`syscall::syscall_entry`]). In B5 the only `SVC` comes from a kernel-stub,
+/// so it has a dedicated table holding a single debug-console capability;
+/// B6 replaces this with the scheduler's current-task table once a real EL0
+/// task exists. Distinct from `TABLE_A` / `TABLE_B` (the IPC-demo tables).
+static SYSCALL_STUB_TABLE: StaticCell<CapabilityTable> = StaticCell::new();
+
 /// Task kernel-object arena — global per [ADR-0016]. Although the v1 demo
 /// never reads this arena after `create_task` has returned the two
 /// `TaskHandle`s, global storage is the uniform pattern established by
@@ -653,6 +664,109 @@ fn task_a() -> ! {
     }
 }
 
+// ─── T-021 syscall-boundary smoke ──────────────────────────────────────────────
+
+/// EL1 kernel-stub `SVC` smoke for the B5 syscall boundary ([T-021]).
+///
+/// Issues two `SVC #0` traps **from EL1** — exercising the current-EL
+/// `VBAR_EL1 + 0x200` sync vector and the full save → decode → dispatch →
+/// `ERET` round-trip (an `SVC` issued at EL1 cannot take the lower-EL `+0x400`
+/// vector; that real-EL0 path is B6's smoke per [ADR-0030 §Simulation]):
+///
+/// 1. **`console_write`** (number `5`) through a granted debug-console
+///    capability — the dispatcher's capability check passes, `copy_from_user`
+///    validates the buffer against the active address space, and the bytes are
+///    emitted on the serial console (the round-trip + emitted-bytes half of B5
+///    acceptance criterion #7).
+/// 2. a **reserved-invalid number** (`0`) — the panic-free error path returns
+///    `SyscallError::BadSyscallNumber` (status `0x1`) without touching any
+///    capability.
+///
+/// Runs after the IPC statics are published (the dispatcher's
+/// [`SyscallContext`][tyrne_kernel::syscall::SyscallContext] borrows
+/// `EP_ARENA` / `IPC_QUEUES`) and before `start()`. `task_yield` / `task_exit`
+/// are not driven here — their dispatcher routing is host-tested; their real
+/// EL0 semantics land in B6.
+///
+/// [T-021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
+/// [ADR-0030 §Simulation]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+#[allow(
+    clippy::cast_possible_truncation,
+    reason = "Tyrne's BSP target is 64-bit aarch64; pointer/usize → u64 \
+              register-word casts are lossless"
+)]
+fn syscall_boundary_smoke(console: &Pl011Uart) {
+    // Mint a debug-console capability into the kernel-stub's table.
+    //
+    // SAFETY: `SYSCALL_STUB_TABLE` lives in `.bss`; this is its single write,
+    // performed before any `SVC` issues. The momentary `&mut` for the
+    // `insert_root` drops before the trap. Audit: UNSAFE-2026-0010 (StaticCell)
+    // + UNSAFE-2026-0014 (momentary `&mut`).
+    let cons_cap = unsafe {
+        (*SYSCALL_STUB_TABLE.0.get()).write(CapabilityTable::new());
+        let table = (*SYSCALL_STUB_TABLE.0.get()).assume_init_mut();
+        table
+            .insert_root(Capability::new(
+                CapRights::CONSOLE_WRITE,
+                CapObject::DebugConsole,
+            ))
+            .expect("debug-console cap mint in empty table cannot fail")
+    };
+    let cons_cap_word = tyrne_kernel::syscall::encode_cap_handle(Some(cons_cap));
+
+    // (1) console_write via SVC: x8 = 5, x0 = cap, x1 = buffer VA, x2 = length.
+    let greeting: &[u8] = b"tyrne: hello from the syscall boundary (console_write via SVC)\n";
+    let ptr = greeting.as_ptr() as u64;
+    let len = greeting.len() as u64;
+    let status: u64;
+    let written: u64;
+    // SAFETY: `SVC #0` traps to the EL1 current-EL sync vector (+0x200), runs
+    // the panic-free dispatcher, and `ERET`s back here. The convention is
+    // x8 = number, x0..x2 = args; the handler writes x0 = status, x1 = bytes
+    // written, clobbers x0..x7, and preserves x8..x30 + SP_EL0. The emitted
+    // greeting bytes are the observable round-trip proof. Audit: UNSAFE-2026-0029.
+    unsafe {
+        core::arch::asm!(
+            "svc #0",
+            in("x8") 5u64,
+            inout("x0") cons_cap_word => status,
+            inout("x1") ptr => written,
+            in("x2") len,
+            out("x3") _,
+            out("x4") _,
+            out("x5") _,
+            out("x6") _,
+            out("x7") _,
+        );
+    }
+
+    // (2) reserved-invalid number 0 → BadSyscallNumber, panic-free.
+    let bad_status: u64;
+    // SAFETY: same `SVC` trap mechanism; number 0 is reserved-invalid, so the
+    // dispatcher returns a typed `SyscallError::BadSyscallNumber` in x0 without
+    // touching any capability or panicking. Audit: UNSAFE-2026-0029.
+    unsafe {
+        core::arch::asm!(
+            "svc #0",
+            in("x8") 0u64,
+            out("x0") bad_status,
+            out("x1") _,
+            out("x2") _,
+            out("x3") _,
+            out("x4") _,
+            out("x5") _,
+            out("x6") _,
+            out("x7") _,
+        );
+    }
+
+    let mut w = FmtWriter(console);
+    let _ = writeln!(
+        w,
+        "tyrne: syscall smoke ok (console_write status={status:#x}, bytes={written}; bad-number status={bad_status:#x})"
+    );
+}
+
 // ─── Boot entry ───────────────────────────────────────────────────────────────
 
 // Reset entry (`_start`). See `boot.s` and `docs/architecture/boot.md`.
@@ -1216,6 +1330,15 @@ pub extern "C" fn kernel_entry() -> ! {
         (*EP_CAP_B.0.get()).write(ep_cap_b);
     }
 
+    // ── Syscall-boundary smoke — T-021 ────────────────────────────────────────
+    //
+    // Exercise the EL0→EL1 `SVC` trap → panic-free dispatcher → `ERET`
+    // round-trip via an EL1 kernel-stub (the current-EL `+0x200` vector). Runs
+    // here, after the IPC statics the dispatcher's context borrows are live, and
+    // before `start()` hands control to the cooperative demo. The real EL0
+    // (`+0x400`) round-trip is B6's smoke.
+    syscall_boundary_smoke(console);
+
     // ── Scheduler setup ───────────────────────────────────────────────────────
 
     let mut sched = Scheduler::<QemuVirtCpu>::new();
diff --git a/bsp-qemu-virt/src/syscall.rs b/bsp-qemu-virt/src/syscall.rs
new file mode 100644
index 0000000..aa2ec24
--- /dev/null
+++ b/bsp-qemu-virt/src/syscall.rs
@@ -0,0 +1,214 @@
+//! BSP-side syscall glue: the `SVC` trap frame and the Rust entry the
+//! `vectors.s` sync trampoline calls.
+//!
+//! The architecture-agnostic, panic-free dispatch logic lives in the kernel
+//! ([`tyrne_kernel::syscall`]). This module owns only the **hardware-facing**
+//! half:
+//!
+//! - [`SyscallTrapFrame`] — the `#[repr(C)]` mirror of the register frame the
+//!   `tyrne_sync_trampoline` in `vectors.s` saves (`x0`–`x30` + `SP_EL0` +
+//!   `ELR_EL1` + `SPSR_EL1`); its field order and offsets must match the asm
+//!   `stp` sequence byte-for-byte (a compile-time `size_of` guard catches drift).
+//! - [`syscall_entry`] — reads the syscall number + arguments from the saved
+//!   frame, builds a [`SyscallContext`] from the BSP statics, calls
+//!   [`tyrne_kernel::syscall::dispatch`], and applies the returned
+//!   [`SyscallEffect`] by writing the status + payload back into the frame.
+//!
+//! ## B5 scope and the `0x200` / `0x400` split
+//!
+//! The shared trampoline is installed at **both** sync vector slots — current-EL
+//! (`VBAR_EL1 + 0x200`) and lower-EL-AArch64 (`VBAR_EL1 + 0x400`) — because the
+//! save → dispatch → `ERET` mechanism is privilege-entry-agnostic. In B5 the
+//! only `SVC` comes from an **EL1 kernel-stub** (see `kernel_entry`'s syscall
+//! smoke), which — executing at the *current* EL — takes the `0x200` vector,
+//! **not** the lower-EL `0x400` vector. A real EL0 task taking the `0x400`
+//! vector (with the EL0↔EL1 privilege transition and copy-user against a
+//! separate userspace `TTBR0_EL1`) is verified at runtime in **B6**, per
+//! [ADR-0030 §Simulation row-to-verification mapping][adr-0030]. The `0x400`
+//! handler is installed now so B6 adds only the EL0 task, not new trap plumbing.
+//!
+//! `caller_table` is a dedicated **kernel-stub** capability table in B5
+//! ([`crate::SYSCALL_STUB_TABLE`]); B6 replaces it with the scheduler's
+//! current-task table once a real EL0 task exists.
+//!
+//! Audit: UNSAFE-2026-0029 (the trap-frame asm + this entry's frame
+//! reads/writes).
+//!
+//! [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+
+use tyrne_kernel::syscall::{
+    dispatch, SyscallArgs, SyscallContext, SyscallEffect, UserAccessWindow,
+};
+
+/// Saved-register frame the `tyrne_sync_trampoline` in `vectors.s` populates
+/// before branching into [`syscall_entry`] on an `SVC`.
+///
+/// `#[repr(C)]` is **mandatory**: the field order and byte offsets must match
+/// the asm `stp` sequence in `vectors.s` exactly. The frame is 272 bytes total
+/// (`x0`–`x29` as 15 pairs, then `x30`/`SP_EL0`, then `ELR_EL1`/`SPSR_EL1`),
+/// 16-byte SP-aligned. Unlike the IRQ [`TrapFrame`][crate::exceptions::TrapFrame]
+/// (which saves only the AAPCS64 caller-saved set), the syscall frame saves the
+/// **full** general-purpose register file plus `SP_EL0` so it is a complete
+/// snapshot of the trapped context — the shape a real EL0 task (B6) and any
+/// future preemption arc require.
+///
+/// Fields are private: the only reader/writer is [`syscall_entry`] in this
+/// module, and keeping the raw register snapshot un-`pub` avoids exposing
+/// (or accidentally logging) trapped register contents elsewhere.
+#[repr(C)]
+pub struct SyscallTrapFrame {
+    // `x0`–`x29` saved as 15 consecutive pairs at offsets 0x00..0xF0.
+    x0_x1: [u64; 2],
+    x2_x3: [u64; 2],
+    x4_x5: [u64; 2],
+    x6_x7: [u64; 2],
+    x8_x9: [u64; 2],
+    x10_x11: [u64; 2],
+    x12_x13: [u64; 2],
+    x14_x15: [u64; 2],
+    x16_x17: [u64; 2],
+    x18_x19: [u64; 2],
+    x20_x21: [u64; 2],
+    x22_x23: [u64; 2],
+    x24_x25: [u64; 2],
+    x26_x27: [u64; 2],
+    x28_x29: [u64; 2],
+    /// `x30` (LR) at 0xF0 and `SP_EL0` at 0xF8.
+    x30_sp_el0: [u64; 2],
+    /// `ELR_EL1` (return address) at 0x100 and `SPSR_EL1` (saved PSTATE) at 0x108.
+    elr_spsr: [u64; 2],
+}
+
+// The trampoline reserves exactly 272 bytes and writes through fixed offsets
+// mirroring the field order above. A size/layout drift between the asm and this
+// `#[repr(C)]` would corrupt saved registers on every syscall; this guard fails
+// the build before that can ship. (Mirrors the `TrapFrame` 192-byte guard.)
+const _: () = assert!(core::mem::size_of::<SyscallTrapFrame>() == 272);
+
+/// Length of the syscall copy-from/to-user window in B5: the whole
+/// identity-mapped RAM extent the bootstrap address space covers.
+///
+/// The B5 EL1 kernel-stub runs on the bootstrap AS, which identity-maps the
+/// managed extent (per [ADR-0027 §Decision outcome (a)]), so the stub's buffer
+/// — a `.rodata`-resident `&[u8]` in the kernel image — is in range. B6's real
+/// EL0 task derives a tighter window from its own mapped region (see
+/// [`UserAccessWindow`]'s module docs). The subtraction is a `const`, so it
+/// cannot wrap at runtime: const-eval rejects an underflow at **build time**
+/// (an inverted extent is a hard compile error, never a release wrap). The
+/// explicit assertion below makes that invariant — and its failure message —
+/// unambiguous rather than relying on a raw "subtract with overflow" const-eval
+/// error.
+const _: () = assert!(
+    crate::PMM_EXTENT_END >= crate::PMM_EXTENT_START,
+    "PMM extent must be non-inverted: PMM_EXTENT_END >= PMM_EXTENT_START"
+);
+const SYSCALL_USER_WINDOW_LEN: usize = crate::PMM_EXTENT_END - crate::PMM_EXTENT_START;
+
+/// Rust entry for the `SVC` sync trampoline (`vectors.s`).
+///
+/// Reads the syscall number (`x8`) and arguments (`x0`–`x5`) from the saved
+/// `frame`, dispatches through [`tyrne_kernel::syscall::dispatch`], and applies
+/// the resulting [`SyscallEffect`] by writing the status (`x0`) and payload
+/// (`x1`–`x7`) back into the frame. Returns to the trampoline, which restores
+/// the (now result-bearing) frame and `ERET`s.
+///
+/// # Safety
+///
+/// `extern "C"` so the asm trampoline can `bl` it. `frame` is guaranteed valid
+/// by the trampoline (constructed via `stp` immediately before the `bl`, on the
+/// kernel stack); this function dereferences it only inside `unsafe` blocks.
+///
+/// **Why `unsafe` is required.** The function reads and writes the saved
+/// register frame through a raw `*mut SyscallTrapFrame` (the asm calling
+/// convention passes a pointer, not a `&mut`), and it materialises momentary
+/// references to the write-once BSP statics via `assume_init_{mut,ref}`.
+/// **Invariants upheld.** (1) The four statics it reaches
+/// (`EP_ARENA` / `IPC_QUEUES` / `SYSCALL_STUB_TABLE` / `CONSOLE`) are all
+/// written before the syscall smoke issues any `SVC`; (2) v1 is single-core and
+/// the `SVC` handler runs with interrupts masked (exception entry masks `DAIF`),
+/// so no peer aliases them mid-call; (3) the momentary `&mut`s are scoped to the
+/// single `dispatch` call and do not cross a context switch — the data-plane
+/// syscalls do not switch and the control-plane ones return a directive *before*
+/// any switch, honouring the [ADR-0021] discipline; (4) the frame writes touch
+/// only `x0`–`x7`, leaving the trampoline's restore of `x8`–`x30` + `SP_EL0` +
+/// `ELR_EL1` + `SPSR_EL1` intact. **Rejected alternatives.** Passing a `&mut
+/// SyscallTrapFrame` from the asm is impossible (asm has no Rust references);
+/// holding the BSP statics behind a lock would deadlock the interrupts-masked
+/// handler with no soundness gain under single-core cooperative semantics.
+///
+/// Audit: UNSAFE-2026-0029 (trap-frame asm + frame access) + UNSAFE-2026-0010
+/// (`StaticCell` pattern) + UNSAFE-2026-0014 (momentary `&mut` to kernel state).
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn syscall_entry(frame: *mut SyscallTrapFrame) {
+    // SAFETY: `frame` is valid per the trampoline contract above; read the
+    // syscall number (x8) and argument words (x0..x5) out of the saved frame.
+    // Audit: UNSAFE-2026-0029.
+    let args = unsafe {
+        let f = &*frame;
+        SyscallArgs {
+            number: f.x8_x9[0],
+            args: [
+                f.x0_x1[0], f.x0_x1[1], f.x2_x3[0], f.x2_x3[1], f.x4_x5[0], f.x4_x5[1],
+            ],
+        }
+    };
+
+    // SAFETY: build the dispatch context from the write-once BSP statics. All
+    // four are initialised in `kernel_entry` before the syscall smoke runs;
+    // single-core + interrupts-masked-in-handler means no aliasing; the
+    // momentary `&mut`s drop at the end of the `dispatch` call and never cross a
+    // switch. Audit: UNSAFE-2026-0010 (StaticCell) + UNSAFE-2026-0014 (momentary
+    // `&mut` to kernel state) + UNSAFE-2026-0029 (the syscall arc).
+    let effect = unsafe {
+        let mut ctx = SyscallContext {
+            ep_arena: (*crate::EP_ARENA.0.get()).assume_init_mut(),
+            queues: (*crate::IPC_QUEUES.0.get()).assume_init_mut(),
+            caller_table: (*crate::SYSCALL_STUB_TABLE.0.get()).assume_init_mut(),
+            console: (*crate::CONSOLE.0.get()).assume_init_ref(),
+            user_window: UserAccessWindow::new(crate::PMM_EXTENT_START, SYSCALL_USER_WINDOW_LEN),
+        };
+        dispatch(&mut ctx, args)
+    };
+
+    match effect {
+        SyscallEffect::Resume(r) => {
+            // SAFETY: write the status (x0) + payload (x1..x7) back into the
+            // saved frame; the trampoline restores them on `ERET`. Touches only
+            // x0..x7. Audit: UNSAFE-2026-0029.
+            unsafe {
+                let f = &mut *frame;
+                f.x0_x1[0] = r.status; // x0 = status
+                f.x0_x1[1] = r.payload[0]; // x1
+                f.x2_x3[0] = r.payload[1]; // x2
+                f.x2_x3[1] = r.payload[2]; // x3
+                f.x4_x5[0] = r.payload[3]; // x4
+                f.x4_x5[1] = r.payload[4]; // x5
+                f.x6_x7[0] = r.payload[5]; // x6
+                f.x6_x7[1] = r.payload[6]; // x7
+            }
+        }
+        SyscallEffect::Reschedule => {
+            // task_yield. v1 B5 stand-in: there is no scheduler-resident EL0
+            // task issuing this (the smoke runs the stub before `start()`), so
+            // the real `yield_now` wiring lands in B6 once the caller is an EL0
+            // task. The dispatcher-level routing (number 3 → Reschedule) is
+            // host-tested; here we resume with `Ok` (x0 = 0) — task_yield
+            // "always succeeds in v1" per ADR-0031.
+            // SAFETY: write x0 only. Audit: UNSAFE-2026-0029.
+            unsafe {
+                (*frame).x0_x1[0] = tyrne_kernel::syscall::OK_STATUS;
+            }
+        }
+        SyscallEffect::Terminate(_code) => {
+            // task_exit. The ABI says "does not return", but v1 has no EL0
+            // context register file to drop — real termination lands in B6. The
+            // dispatcher-level routing (number 4 → Terminate) is host-tested;
+            // here we defensively resume with `Ok` so a stray kernel-stub
+            // task_exit cannot wedge the boot before B6 wires real termination.
+            // SAFETY: write x0 only. Audit: UNSAFE-2026-0029.
+            unsafe {
+                (*frame).x0_x1[0] = tyrne_kernel::syscall::OK_STATUS;
+            }
+        }
+    }
+}
diff --git a/bsp-qemu-virt/src/vectors.s b/bsp-qemu-virt/src/vectors.s
index 3da5554..1224f3b 100644
--- a/bsp-qemu-virt/src/vectors.s
+++ b/bsp-qemu-virt/src/vectors.s
@@ -27,8 +27,14 @@
  *
  * Tyrne runs at EL1 with SPSel = 1 (per ADR-0024's EL drop +
  * SPSR_EL2 = 0x3c5 = EL1h). An IRQ taken from kernel code lands at
- * +0x280; userspace doesn't exist in v1 so the lower-EL entries are
- * unreachable. Sync/FIQ/SError on any class trampoline to a panic.
+ * +0x280. The two *sync* entries (+0x200 current-EL and +0x400 lower-EL
+ * AArch64) route to the SVC sync trampoline (T-021): on ESR_EL1.EC ==
+ * SVC64 they save the full register frame and call the Rust syscall
+ * dispatcher; any other sync cause falls through to the panic path.
+ * In v1 only the +0x200 path fires (an EL1 kernel-stub `SVC`); the
+ * +0x400 (real EL0) path is wired now but exercised at runtime in B6.
+ * FIQ/SError on any class, and sync on the unused SP_EL0 / AArch32
+ * categories, still trampoline to a panic.
  *
  * Each entry is one `b <label>` instruction; the rest of the 32-slot
  * region pads with .balign back to the next entry boundary so the
@@ -52,7 +58,7 @@ tyrne_vectors:
 
     // ── Current EL with SP_ELx (the live category in v1) ──────────────
     .balign 0x80
-    b       tyrne_unhandled_exception_trampoline    // +0x200 sync
+    b       tyrne_sync_trampoline                   // +0x200 sync (SVC→dispatch; else→panic) ★
     .balign 0x80
     b       tyrne_irq_curr_el_trampoline            // +0x280 IRQ ★
     .balign 0x80
@@ -60,9 +66,9 @@ tyrne_vectors:
     .balign 0x80
     b       tyrne_unhandled_exception_trampoline    // +0x380 SError
 
-    // ── Lower EL using AArch64 (no userspace in v1) ──────────────────
+    // ── Lower EL using AArch64 (the real EL0 syscall path; B6) ───────
     .balign 0x80
-    b       tyrne_unhandled_exception_trampoline    // +0x400 sync
+    b       tyrne_sync_trampoline                   // +0x400 sync (EL0 SVC path; runtime-verified in B6)
     .balign 0x80
     b       tyrne_unhandled_irq_trampoline          // +0x480 IRQ
     .balign 0x80
@@ -153,6 +159,106 @@ tyrne_irq_curr_el_trampoline:
     add     sp, sp, #192
     eret
 
+/*
+ * ── SVC sync trampoline (current-EL +0x200 and lower-EL +0x400) ──────
+ *
+ * Installed at BOTH sync slots (T-021); the save → dispatch → ERET
+ * mechanism is privilege-entry-agnostic. Saves the FULL register file
+ * (x0..x30) plus SP_EL0, ELR_EL1, and SPSR_EL1 to a 272-byte frame,
+ * routes on ESR_EL1.EC, and — for SVC64 (EC == 0x15) — calls the Rust
+ * dispatcher with a pointer to the frame, then restores and ERETs. Any
+ * other sync cause (data/instruction abort, etc.) falls through to the
+ * panic path: those are out of scope for T-021's syscall arc.
+ *
+ * Frame layout (272 bytes; 16-byte aligned) — MUST match the
+ * `#[repr(C)] SyscallTrapFrame` in `src/syscall.rs` byte-for-byte; the
+ * `const _: () = assert!(size_of::<SyscallTrapFrame>() == 272)` guard
+ * there fails the build on drift:
+ *   [sp + 0x00] x0,  x1        [sp + 0x80] x16, x17
+ *   [sp + 0x10] x2,  x3        [sp + 0x90] x18, x19
+ *   [sp + 0x20] x4,  x5        [sp + 0xA0] x20, x21
+ *   [sp + 0x30] x6,  x7        [sp + 0xB0] x22, x23
+ *   [sp + 0x40] x8,  x9        [sp + 0xC0] x24, x25
+ *   [sp + 0x50] x10, x11       [sp + 0xD0] x26, x27
+ *   [sp + 0x60] x12, x13       [sp + 0xE0] x28, x29
+ *   [sp + 0x70] x14, x15       [sp + 0xF0] x30 (lr), SP_EL0
+ *                              [sp + 0x100] ELR_EL1, SPSR_EL1
+ *
+ * Rust function signature:
+ *   #[no_mangle] extern "C" fn syscall_entry(frame: *mut SyscallTrapFrame);
+ *
+ * On return the dispatcher has written x0 (status) + x1..x7 (payload)
+ * into the frame; the restore below reloads them, and x8..x30 + SP_EL0 +
+ * ELR_EL1 + SPSR_EL1 are restored to their trapped values. Audit:
+ * UNSAFE-2026-0029.
+ */
+tyrne_sync_trampoline:
+    sub     sp, sp, #272
+    stp     x0,  x1,  [sp, #0x00]
+    stp     x2,  x3,  [sp, #0x10]
+    stp     x4,  x5,  [sp, #0x20]
+    stp     x6,  x7,  [sp, #0x30]
+    stp     x8,  x9,  [sp, #0x40]
+    stp     x10, x11, [sp, #0x50]
+    stp     x12, x13, [sp, #0x60]
+    stp     x14, x15, [sp, #0x70]
+    stp     x16, x17, [sp, #0x80]
+    stp     x18, x19, [sp, #0x90]
+    stp     x20, x21, [sp, #0xA0]
+    stp     x22, x23, [sp, #0xB0]
+    stp     x24, x25, [sp, #0xC0]
+    stp     x26, x27, [sp, #0xD0]
+    stp     x28, x29, [sp, #0xE0]
+    mrs     x0,  sp_el0
+    stp     x30, x0,  [sp, #0xF0]      // x30 (lr) + SP_EL0
+    mrs     x0,  elr_el1
+    mrs     x1,  spsr_el1
+    stp     x0,  x1,  [sp, #0x100]     // ELR_EL1 + SPSR_EL1
+
+    // Route on ESR_EL1.EC (bits [31:26]). SVC64 == 0x15 → syscall
+    // dispatch; any other sync cause → panic path.
+    mrs     x0,  esr_el1
+    lsr     x0,  x0,  #26
+    and     x0,  x0,  #0x3f
+    cmp     x0,  #0x15
+    b.ne    1f
+
+    // SVC: hand the frame pointer to the Rust dispatcher.
+    mov     x0,  sp
+    bl      syscall_entry
+
+    // Restore the (now result-bearing) frame and ERET. x0/x1 are scratch
+    // for the system-register restores, so they are reloaded LAST.
+    ldp     x0,  x1,  [sp, #0x100]
+    msr     elr_el1,  x0
+    msr     spsr_el1, x1
+    ldp     x30, x0,  [sp, #0xF0]
+    msr     sp_el0,   x0
+    ldp     x2,  x3,  [sp, #0x10]
+    ldp     x4,  x5,  [sp, #0x20]
+    ldp     x6,  x7,  [sp, #0x30]
+    ldp     x8,  x9,  [sp, #0x40]
+    ldp     x10, x11, [sp, #0x50]
+    ldp     x12, x13, [sp, #0x60]
+    ldp     x14, x15, [sp, #0x70]
+    ldp     x16, x17, [sp, #0x80]
+    ldp     x18, x19, [sp, #0x90]
+    ldp     x20, x21, [sp, #0xA0]
+    ldp     x22, x23, [sp, #0xB0]
+    ldp     x24, x25, [sp, #0xC0]
+    ldp     x26, x27, [sp, #0xD0]
+    ldp     x28, x29, [sp, #0xE0]
+    ldp     x0,  x1,  [sp, #0x00]
+    add     sp,  sp,  #272
+    eret
+
+    // Non-SVC sync exception → panic (class 0 = generic). Does not return.
+1:  mov     x0,  #0
+    mrs     x1,  esr_el1
+    bl      panic_entry
+2:  wfe
+    b       2b
+
 /*
  * ── Unhandled-exception trampoline (sync/FIQ/SError, any class) ──────
  *
diff --git a/docs/analysis/tasks/phase-b/README.md b/docs/analysis/tasks/phase-b/README.md
index c49630d..b430231 100644
--- a/docs/analysis/tasks/phase-b/README.md
+++ b/docs/analysis/tasks/phase-b/README.md
@@ -19,5 +19,7 @@ Tasks belonging to [Phase B — Real userspace](../../../roadmap/phases/phase-b.
 | [T-017](T-017-physical-memory-manager.md) | Physical Memory Manager (PMM): bitmap allocator + reservation tracking + `FrameProvider` impl (implements ADR-0035) | B3 | Done (2026-05-10) |
 | [T-018](T-018-address-space-kernel-object.md) | `AddressSpace` kernel object + capability-gated `Mmu::map`/`unmap` wrappers + activation-on-context-switch (implements ADR-0028) | B3 | Done (2026-05-11; live on `main` 2026-05-14 via PR #28) |
 | [T-019](T-019-task-loader.md) | Task loader: embedded raw-flat userspace image → `LoadedImage` metadata (implements ADR-0029) | B4 | Done (2026-05-16 via PR #31 merge) |
+| [T-020](T-020-syscall-error-taxonomy.md) | Syscall error taxonomy: split `IpcError::InvalidCapability` + redact `Capability`/`CapObject` `Debug` (implements ADR-0030 K2-5 / K3-9) | B5 | In Review |
+| [T-021](T-021-syscall-dispatch.md) | EL0→EL1 `SVC` dispatch: trap trampoline + panic-free dispatcher + copy-from/to-user (implements ADR-0030 / ADR-0031) | B5 | Ready |
 
 Tasks are added here as they become active. See [`../../../roadmap/phases/phase-b.md`](../../../roadmap/phases/phase-b.md) for the full phase plan.
diff --git a/docs/analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md b/docs/analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md
new file mode 100644
index 0000000..3ed9208
--- /dev/null
+++ b/docs/analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md
@@ -0,0 +1,80 @@
+# T-020 — Syscall error taxonomy: split `IpcError::InvalidCapability` + redact `Capability` `Debug`
+
+- **Phase:** B
+- **Milestone:** B5 — Syscall boundary (this task is B5's pure-Rust foundation: the userspace-facing error taxonomy + capability-Debug redaction that the dispatcher in [T-021](T-021-syscall-dispatch.md) builds on; [ADR-0030](../../../decisions/0030-syscall-abi.md) settles the taxonomy)
+- **Status:** In Review
+- **Created:** 2026-05-29
+- **Author:** @cemililik (+ Claude Opus 4.8 agent)
+- **Dependencies:** [ADR-0030](../../../decisions/0030-syscall-abi.md) — must be `Accepted` before code lands (settles the `StaleHandle` / `MissingRight` / `WrongObjectKind` split and the §"Security of the taxonomy split" rationale). No prior task gates this; it is pure-Rust over the existing `kernel/src/ipc` + `kernel/src/cap` surfaces.
+- **Informs:** Grounds [ADR-0030 §Dependency chain step 1](../../../decisions/0030-syscall-abi.md#dependency-chain) and discharges [ADR-0030 §Simulation row 3](../../../decisions/0030-syscall-abi.md#simulation). Unblocks [T-021](T-021-syscall-dispatch.md), whose dispatcher composes `SyscallError` from the now-granular `IpcError` and must never log an unredacted `Capability`. Closes the [2026-04-21 Phase-A code review](../../reviews/code-reviews/2026-04-21-tyrne-to-phase-a.md)'s `InvalidCapability`-collapse follow-up (K2-5) and the security review §6 redaction item (K3-9).
+- **ADRs required:** [ADR-0030](../../../decisions/0030-syscall-abi.md). Adds an additive §Revision-notes rider to [ADR-0017](../../../decisions/0017-ipc-primitive-set.md) (the IPC primitive set whose error taxonomy is refined — **not** superseded; the three-primitive surface is unchanged). No supersession.
+
+---
+
+## User story
+
+As a future userspace caller (and the [T-021](T-021-syscall-dispatch.md) dispatcher that serves it), I want IPC capability failures to be reported as three distinct, handleable errors — a stale handle, a wrong-kind object, a missing right — instead of one collapsed `InvalidCapability`, and I want a `Capability`'s `Debug` output to never leak the kernel object it names, so the syscall error space is honest and a userspace-reachable log path cannot disclose capability internals.
+
+## Context
+
+[ADR-0030](../../../decisions/0030-syscall-abi.md) bundles the **K2-5** error-taxonomy decision with the syscall ABI so the in-kernel and userspace error spaces agree from the start. Today [`IpcError::InvalidCapability`](../../../../kernel/src/ipc/mod.rs) collapses three failure modes the [error-handling standard §"design checklist"](../../../standards/error-handling.md) says a caller would handle differently. This task performs the split — pure-Rust, host-testable, with no dependency on the (yet-unwritten) trap trampoline — so the error space is exercised by the existing IPC test suite well ahead of the first syscall.
+
+The same milestone's security item (**K3-9**, B5 sub-item 6, [security review §6](../../reviews/security-reviews/2026-04-21-tyrne-to-phase-a.md)) requires `Capability`'s derived `Debug` to be redacted before any userspace-reachable log path (`console_write`, T-021) can format one. The redaction is equally pure-Rust and is bundled here because it touches the same `kernel/src/cap` surface and shares the "make the userspace-observable error/diagnostic surface safe before the dispatcher exists" framing.
+
+This task deliberately **excludes** the trap trampoline, the dispatcher, `SyscallError`, and copy-from/to-user — those are [T-021](T-021-syscall-dispatch.md). Splitting the milestone keeps the security-critical hardware-facing boundary in its own task with its own review, per CLAUDE.md §6 ("do not dump entire subsystems in a single pass").
+
+## Acceptance criteria
+
+- [x] `IpcError::InvalidCapability` is removed and replaced by `IpcError::StaleHandle`, `IpcError::MissingRight`, `IpcError::WrongObjectKind`, each with a doc-comment describing its distinct meaning per [ADR-0030](../../../decisions/0030-syscall-abi.md). `IpcError` stays `#[non_exhaustive]`.
+- [x] Every production site is mapped to the correct variant: `validate_ep_cap` / `validate_notif_cap` (`ipc/mod.rs`) and `resolve_ep_cap` (`sched/mod.rs`) resolve in the order `StaleHandle → WrongObjectKind → MissingRight`; arena `get`/`get_mut` staleness failures map to `StaleHandle`.
+- [x] Every existing test asserting `InvalidCapability` is updated to its correct post-split variant (rights failures → `MissingRight`; stale-handle/destroyed-object → `StaleHandle`), and the `sched` bridge test is updated.
+- [x] New host tests pin each new variant on a path that does **not** already prove it — `WrongObjectKind` for `ipc_send` / `ipc_recv` / `ipc_notify` / `ipc_cancel_recv` using a **wrong-kind cap that also lacks the operation's right** (the only input that discriminates the kind-before-rights order: `WrongObjectKind` under kind-first, `MissingRight` under a rights-first regression), and `StaleHandle` for `ipc_send` (dropped cap handle + destroyed endpoint) and `ipc_cancel_recv` (destroyed endpoint).
+- [x] `Capability`'s `Debug` impl is custom (not derived) and prints `Capability { rights: <rights>, object: <redacted> }` — `rights` visible, the named object redacted — per [ADR-0030 §"Security of the taxonomy split"](../../../decisions/0030-syscall-abi.md#security-of-the-taxonomy-split) and the K3-9 redaction requirement. **`CapObject` is also redacted** (kind-only `Debug`, hiding the wrapped handle) — closing the defense-in-depth gap the adversarial review raised. Two host tests pin both layers.
+- [x] All gates green: `cargo fmt --all -- --check`, `cargo host-test` (196 kernel / 43 hal / 53 test-hal), `cargo host-clippy`, `cargo kernel-clippy`, `cargo kernel-build`, and `cargo miri test --workspace --exclude tyrne-bsp-qemu-virt` (no UB).
+- [x] Docs updated: [`docs/architecture/ipc.md`](../../../architecture/ipc.md) §"`IpcError` taxonomy", [`docs/architecture/security-model.md`](../../../architecture/security-model.md) redaction rule broadened to capabilities, [`docs/glossary.md`](../../../glossary.md) syscall terms, the ADR index, and the [ADR-0017](../../../decisions/0017-ipc-primitive-set.md) §Revision-notes rider.
+
+## Out of scope
+
+- The EL0→EL1 `SVC` trap trampoline, the panic-free dispatcher, `SyscallError`, and copy-from/to-user — all [T-021](T-021-syscall-dispatch.md).
+- Splitting `IpcError::InvalidTransferCap` (note C3-008) — deferred to a future ADR when a userspace transfer consumer needs the `TransferCapHasChildren` distinction.
+- Redacting the **individual kernel-object handle types** (`TaskHandle` / `EndpointHandle` / `NotificationHandle` / `AddressSpaceHandle` / `SlotId`) and the userspace-facing `CapHandle` — these keep their derived `Debug` for kernel-internal diagnostics (scheduler dispatch traces, arena bookkeeping, test-failure messages) where the slot/generation is the useful information and never crosses to userspace. (`CapObject` *is* redacted in this task — see §Design notes — because it is the type a `Capability` carries toward a log boundary. The deeper per-handle redaction, if ever wanted, is a separate kernel-Debug-hygiene decision; T-021's `console_write` review must confirm no kernel-object handle is formatted into the userspace-reachable path.)
+- Any userspace crate, EL0 context, or real syscall invocation — Phase B6.
+
+## Approach
+
+### Error split (`kernel/src/ipc/mod.rs`)
+
+Replace the single `InvalidCapability` variant with the three new ones (doc-commented). Rewrite `validate_ep_cap` and `validate_notif_cap` to the `lookup→StaleHandle`, `kind→WrongObjectKind`, `rights→MissingRight` order (resolve, then type-check, then authority-check — matching `CapError`'s `InvalidHandle`/`WrongKind`/`InsufficientRights` shape). Map the four arena `get`/`get_mut` staleness sites (`ipc_send`/`ipc_recv`/`ipc_notify`/`ipc_cancel_recv`) to `StaleHandle`. Update each operation's `# Errors` doc section to name the three variants.
+
+### Scheduler bridge (`kernel/src/sched/mod.rs`)
+
+`resolve_ep_cap` maps `lookup→StaleHandle` and `kind→WrongObjectKind` (it performs no rights check; rights are validated inside `ipc_send`/`ipc_recv`). `SchedError::Ipc(IpcError)` + its `From` impl propagate the split transparently through `?`; the only test to update is the bridge's send-error-preserves-state test (a correct-kind endpoint cap lacking `SEND` → `MissingRight`).
+
+### Capability `Debug` redaction (`kernel/src/cap/mod.rs`)
+
+Remove `#[derive(Debug)]` from `Capability`; add a hand-written `impl core::fmt::Debug` that emits `rights` and a `<redacted>` placeholder for `object`. `EndpointState` (which embeds `Option<Capability>`) derives only `Default`, so no cascade. Update the struct doc-comment to describe the redaction instead of "Debug is derived … exposes typed handles".
+
+### Simulation
+
+This task is a refactor of an existing state machine, not a new one; the relevant state-machine simulation is [ADR-0030 §Simulation](../../../decisions/0030-syscall-abi.md#simulation). This task **discharges row 3** of that table (the IPC-error-taxonomy mapping) via the per-variant host tests; the row-to-verification mapping is recorded in §Review history on completion.
+
+### Error handling
+
+Per [error-handling standard §2](../../../standards/error-handling.md): the enum stays `#[non_exhaustive]`, derives `Debug, Copy, Clone, Eq, PartialEq`, and each new variant is a distinct handleable case. No `From` impl changes (the split is within `IpcError`; `SchedError::Ipc`/`SyscallError::Ipc` wrap it unchanged).
+
+## Definition of done
+
+All acceptance criteria checked; gates green (incl. Miri — a [Phase-B exit prerequisite](../../../roadmap/phases/phase-b.md) with weight on `sched`/`ipc`); docs updated; ADR-0017 rider added; `current.md` reflects T-020 `In Review` (implementation complete, awaiting maintainer merge) and B5 in progress. **Security-relevant** (capabilities + IPC): flagged for explicit review per CLAUDE.md.
+
+## Design notes
+
+- The validation **order change** (kind-before-rights) is observable only for a capability that is both wrong-kind *and* missing-right; all existing rights-failure tests use correct-kind caps and remain `MissingRight`. Documented in [ADR-0030 §"The K2-5 `IpcError` split"](../../../decisions/0030-syscall-abi.md#the-k2-5-ipcerror-split-lands-now-in-t-020).
+- The security argument for revealing the failure mode (per-subject, unforgeable handles ⇒ no forgery/enumeration aid) is in [ADR-0030 §"Security of the taxonomy split"](../../../decisions/0030-syscall-abi.md#security-of-the-taxonomy-split). The redaction keeps the *object identity* hidden even as the *failure mode* becomes visible — the two are independent surfaces.
+- Redaction approach is a custom `impl Debug`, not a `Redacted<T>` wrapper, matching the codebase's direct-impl style and avoiding a cascading wrapper refactor; no code structurally depends on `Capability: Debug`.
+- **`CapObject` redaction (folded in from the adversarial review).** The first redaction pass touched only `Capability`. An adversarial self-review flagged that `CapObject` (and the handle types it wraps) still derived `Debug`, so a `CapObject` formatted directly — now or in a future error/log — would leak the slot index + generation the `Capability` layer hides. Verified there is **no** current production formatter of `CapObject` (the only capability-type `Debug` formatter in the tree is the redacting `Capability::Debug`; `IpcError`/`SchedError` carry no capability payload; `EndpointState` has no `Debug`), so this was a *latent* gap, not a live leak. Per CLAUDE.md rule 1 ("when in doubt, choose the more conservative option") the gap was closed at the source: `CapObject` now has a kind-only redacting `Debug`. The individual handle types keep their derived `Debug` (kernel-internal diagnostics) — see §Out of scope.
+
+## Review history
+
+- **2026-05-29 — Implementation complete; `In Progress → In Review`.** Landed the K2-5 `IpcError` split (`StaleHandle` / `WrongObjectKind` / `MissingRight`, validation reordered to resolve→type-check→authority across `validate_ep_cap` / `validate_notif_cap` / `sched::resolve_ep_cap`; 4 arena-staleness sites → `StaleHandle`) and the K3-9 redaction (`Capability` + `CapObject` `Debug` redacted). Tests: 6 existing assertions remapped + 9 new variant/redaction tests (kernel suite **187 → 196**: 5 `ipc` variant + 2 `cancel_recv` variant + 2 `cap` redaction). **Row-to-verification mapping** ([ADR-0030 §Simulation](../../../decisions/0030-syscall-abi.md#simulation)): row 3 (IPC error taxonomy) → `send_with_wrong_object_kind_returns_wrong_object_kind`, `recv_with_wrong_object_kind_returns_wrong_object_kind`, `notify_with_wrong_object_kind_returns_wrong_object_kind`, `cancel_recv_with_wrong_object_kind_returns_wrong_object_kind`, `send_with_dropped_cap_handle_returns_stale_handle`, `send_to_destroyed_endpoint_returns_stale_handle`, `cancel_recv_to_destroyed_endpoint_returns_stale_handle`, `notify_with_stale_handle_after_slot_reuse_fails`, plus the remapped `*_without_*_right_fails` (`MissingRight`) tests and the `sched` bridge `ipc_send_and_yield_send_error_preserves_scheduler_state` test — so all four operations (`ipc_send` / `ipc_recv` / `ipc_notify` / `ipc_cancel_recv`) pin all three variants; the K3-9 redaction → `cap::tests::debug_redacts_named_object_but_keeps_rights` + `capobject_debug_redacts_handle_but_shows_kind`. Gates all green: `fmt`, `host-test` (196 kernel / 43 hal / 53 test-hal), `host-clippy`, `kernel-clippy`, `kernel-build`, `miri` (no UB; Stacked Borrows).
+- **2026-05-29 — Adversarial multi-lens self-review** (security / correctness / completeness / design). Verdict: **no Blocker/Major findings**; the split's reordering is consistent across the direct and scheduler-bridge paths, the `format_args!` redaction is sound, and `EndpointState` cannot leak. One Minor defense-in-depth finding (`CapObject`/handle `Debug` derives) was folded in for `CapObject` (see §Design notes); one Nit (test-module `#[allow]` pragma) was assessed and intentionally not applied (the test uses only `format!`/`assert!`, triggering none of the forbidden pragmas).
+- **2026-05-29 — Maintainer review (post-rebase).** A maintainer review of the ADR/task arc raised: (Major) the same-day ADR corrections had been folded into the *Accepted* bodies (append-only concern) — resolved by rebasing the branch so the corrections land in the `Proposed` draft and Accept is a separate clean commit (no Accepted body edited post-Accept); (Major) the phase-b §B5 acceptance criterion over-promised a real EL0 round-trip — narrowed to the current-EL kernel-stub mechanism, with the real `0x400` EL0 round-trip moved to §B6; (Minor) `current.md` banner/links and (Minor) the ADR-0030 row-3 mapping over-claiming `cancel_recv` coverage — the latter resolved by adding `cancel_recv_with_wrong_object_kind_*` + `cancel_recv_to_destroyed_endpoint_*` tests; (Nit) the arena-staleness ordering caveat added to ADR-0030 §K2-5. No code-correctness or security bug was found by either review.
diff --git a/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md b/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
new file mode 100644
index 0000000..adf1004
--- /dev/null
+++ b/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
@@ -0,0 +1,108 @@
+# T-021 — EL0→EL1 `SVC` dispatch: trap trampoline, panic-free dispatcher, copy-from/to-user
+
+- **Phase:** B
+- **Milestone:** B5 — Syscall boundary (this task is B5's trap/dispatch implementation — the EL0→EL1 `SVC` path that instantiates [ADR-0030](../../../decisions/0030-syscall-abi.md)'s convention and [ADR-0031](../../../decisions/0031-initial-syscall-set.md)'s syscall set)
+- **Status:** In Review
+- **Created:** 2026-05-29
+- **In Progress:** 2026-05-29
+- **In Review:** 2026-05-29 ([PR #34](https://github.com/HodeTech/Tyrne/pull/34), base `main`, branch `t-021-syscall-dispatch`; bundles T-020 + T-021 in one combined review per the maintainer's call)
+- **Author:** @cemililik (+ Claude Opus 4.8 agent)
+- **Dependencies:** [ADR-0030](../../../decisions/0030-syscall-abi.md) + [ADR-0031](../../../decisions/0031-initial-syscall-set.md) (both `Accepted`); [T-020](T-020-syscall-error-taxonomy.md) (the granular `IpcError` + redacted `Capability` `Debug` the dispatcher composes/relies on); [T-012](T-012-exception-and-irq-infrastructure.md) (the `VBAR_EL1` vector table the EL0-sync vector slots into); [T-013](T-013-el-drop-to-el1.md) (EL drop to EL1).
+- **Informs:** Closes [ADR-0030 §Dependency chain steps 2–5](../../../decisions/0030-syscall-abi.md#dependency-chain) and [ADR-0031 §Dependency chain steps 2–5](../../../decisions/0031-initial-syscall-set.md#dependency-chain). Discharges every [ADR-0031 §Simulation](../../../decisions/0031-initial-syscall-set.md#simulation) row (all are dispatch behaviours), and discharges [ADR-0030 §Simulation](../../../decisions/0030-syscall-abi.md#simulation) **rows 2 and 4 in full** plus the **mechanism half of rows 0/1/5** — the shared trap-frame save → dispatch → `ERET` path — via the EL1-kernel-stub proxy that takes the current-EL `VBAR_EL1+0x200` vector. The **EL0-runtime half of rows 0/1/5** (the lower-EL `+0x400` vector, the EL0↔EL1 privilege transition, and copy-user against a separate userspace `TTBR0_EL1`) is **not** discharged here — it is deferred to **Phase B6**, where a real EL0 task first takes the `+0x400` vector. Unblocks Phase B6 (first userspace "hello"); the deferred `task_create_from_image` wrapper ([phase-b §B4 §Revision-notes](../../../roadmap/phases/phase-b.md#milestone-b4--task-loader)) composes on top.
+- **ADRs required:** [ADR-0030](../../../decisions/0030-syscall-abi.md), [ADR-0031](../../../decisions/0031-initial-syscall-set.md). Will introduce at least one new `UNSAFE-YYYY-NNNN` audit entry for the trap-frame save/restore asm (per [unsafe-policy](../../../standards/unsafe-policy.md)).
+
+---
+
+## User story
+
+As the kernel, I want a userspace `SVC #0` to land in the EL1 sync vector, save the caller's registers, decode the syscall number, validate the caller's capabilities, perform the operation through an existing kernel primitive, encode a typed result, and `ERET` back to EL0 — **never panicking on any untrusted input** — so that EL0 code can call the kernel safely and a bad number / missing capability / out-of-bounds pointer returns a typed `SyscallError` instead of taking down the kernel.
+
+## Context
+
+[T-020](T-020-syscall-error-taxonomy.md) landed the pure-Rust foundation (the granular `IpcError`, the redacted `Capability` `Debug`). This task lands the **hardware-facing** half of B5 and is deliberately a separate task: the EL0→EL1 trap is the single most security-sensitive boundary in the system, involves hand-written register-save asm and `unsafe`, and warrants its own focused review rather than being bundled with the error-taxonomy refactor (CLAUDE.md §6).
+
+A structural constraint shapes this task's *runtime* verification, and the vector path it can actually exercise. A **real** EL0 task cannot yet take the trap, because the loaded userspace address space holds only image + stack (no kernel mappings, so the EL1 vector fetch would translation-fault) and the `Task` struct carries no EL0 context register file — both gated on the [ADR-0033 high-half placeholder](../../../decisions/0027-kernel-virtual-memory-layout.md) and Phase B6.
+
+Crucially, the only `SVC` this milestone can drive comes from an **EL1 kernel-stub**, and an `SVC` issued at EL1 takes the **current-EL-with-SPx** sync vector at `VBAR_EL1 + 0x200` — **not** the lower-EL (EL0) sync vector at `+0x400`. So B5's acceptance criterion #7 proves the *shared* dispatcher / trap-frame / `ERET` mechanism via the `0x200` self-`SVC` path; it does **not** prove the `0x400` vector entry, the EL0↔EL1 privilege transition, or copy-user against a separate userspace `TTBR0_EL1` AS. Those are runtime-verified in **B6** with the first real EL0 task, per [ADR-0030 §Simulation row-to-verification mapping](../../../decisions/0030-syscall-abi.md#simulation). This task therefore installs the dispatcher at *both* the `0x200` and `0x400` sync slots (the handler is privilege-entry-agnostic) but only the `0x200` path runs at B5; host tests carry the rest of the dispatcher's correctness.
+
+## Acceptance criteria
+
+- [x] The Rust dispatcher is installed at **both** sync exception-vector slots — current-EL-with-SPx (`VBAR_EL1 + 0x200`, the EL1 self-`SVC` path B5 exercises) and lower-EL-AArch64 (`VBAR_EL1 + 0x400`, the real EL0 path verified in B6). The vector entry saves `x0`–`x30` + `SP_EL0` to a trap frame and, on `ESR_EL1.EC == SVC64`, routes to the dispatcher; other sync causes route to the existing fault path (out of scope here).
+- [x] A panic-free dispatcher decodes `x8`: number `0` and any number outside the v1 set return `SyscallError::BadSyscallNumber`; numbers `1`–`5` dispatch to handlers for `send` / `recv` / `task_yield` / `task_exit` / `console_write` per [ADR-0031](../../../decisions/0031-initial-syscall-set.md). No path can `panic!`/`unwrap`/`expect` on register-supplied input.
+- [x] **Every object-naming syscall performs a capability check** ([P1 / P4](../../../standards/architectural-principles.md)): `send`/`recv` validate the endpoint cap; `console_write` validates a **debug-console capability** (its `x0` arg) — a new `CapObject` kind introduced here — before any output. `task_yield`/`task_exit` act only on the trusted current-task identity (no object-cap argument).
+- [x] `SyscallError` (per [ADR-0030](../../../decisions/0030-syscall-abi.md)) lands with `From<CapError>` / `From<IpcError>` impls and a stable numeric status encoding host-tested against the fixed [ADR-0031](../../../decisions/0031-initial-syscall-set.md) numbers; `0` is reserved for `Ok`.
+- [x] `copy_from_user` / `copy_to_user` validate the byte range against the **active** address space and never dereference a raw user pointer outside a validated mapping; `console_write`'s buffer goes through `copy_from_user` **after** its capability check passes.
+- [x] `console_write` carries **two independent gates**: the capability check above (all builds) and the release debug-gate — absent (returns `BadSyscallNumber`) in non-debug builds (mechanism chosen here, recorded in §Design notes).
+- [x] Host ABI encode/decode tests cover: number decode (incl. `0`/out-of-range), the debug-console **capability-check-fails** path, `From<IpcError>`/`From<CapError>` round-trips, `RecvOutcome`+`Message`+`Option<CapHandle>` register packing, and copy-from/to-user range validation (in-range, out-of-range, zero-length, wrap).
+- [x] QEMU smoke: an EL1 kernel-stub issues an `SVC` (taking the current-EL `0x200` sync vector) and the trace shows the round-trip (and, for `console_write` with a granted debug-console cap, the emitted bytes). New `UNSAFE-YYYY-NNNN` audit entry for the trap-frame asm. **(The real EL0 `0x400` round-trip is B6's smoke, not this task's.)**
+- [x] All gates green incl. `cargo miri test --workspace --exclude tyrne-bsp-qemu-virt`.
+
+## Out of scope
+
+- A real EL0 task taking the trap, the per-task EL0 context register file, kernel mappings in the userspace AS, and therefore the **runtime proof of the lower-EL `0x400` vector + EL0↔EL1 transition + userspace-AS copy-user** — Phase B6 + the [ADR-0033 high-half placeholder](../../../decisions/0027-kernel-virtual-memory-layout.md). (This task installs the `0x400` handler but only runtime-exercises the `0x200` current-EL path.)
+- Granting the debug-console capability to a userspace task (this task defines the cap kind + the check; the grant-at-load wiring is B6) — Phase B6.
+- The `tyrne-user` safe wrapper crate and the `userland/hello` binary — Phase B6.
+- `notify` / capability-management / address-space syscalls — not in the [ADR-0031](../../../decisions/0031-initial-syscall-set.md) v1 set.
+- Full fault containment / supervisor endpoint (a crashing task's parent observes the fault) — Phase E per [phase-b §B5 flag K3-4](../../../roadmap/phases/phase-b.md#flags-to-resolve-during-b5).
+
+## Approach
+
+_(Settled at the ADR level; detailed approach filled when the task moves to In Progress.)_ The vector entry mirrors [T-012](T-012-exception-and-irq-infrastructure.md)'s trampoline discipline (save GPRs to a frame, call Rust, restore, `ERET`); the dispatcher is a `match` over the decoded number into thin handlers over `ipc_send`/`ipc_recv`/`yield_now`/console/terminate; copy-from/to-user walks the active translation to bound-check before any access. The §Simulation tables in [ADR-0030](../../../decisions/0030-syscall-abi.md#simulation) and [ADR-0031](../../../decisions/0031-initial-syscall-set.md#simulation) are the row-by-row spec; this task discharges all rows except ADR-0030 row 3 (T-020's).
+
+## Definition of done
+
+All acceptance criteria checked; gates green (incl. Miri); audit-log entry added; `current.md` updated; **security-relevant** — flagged for explicit security review per CLAUDE.md.
+
+## Design notes
+
+### Module split (kernel ↔ BSP)
+
+The implementation deliberately splits along the HAL line ([P6](../../../standards/architectural-principles.md)):
+
+- **`tyrne-kernel`** (`kernel/src/syscall/`, architecture-agnostic, host-testable, panic-free):
+  - `error.rs` — `SyscallError` + `From<CapError>` / `From<IpcError>` + the stable numeric status encoding.
+  - `abi.rs` — `SyscallNumber` decode (with the debug-gate), the register frame types (`SyscallArgs` / `SyscallReturn` / `SyscallEffect`), and the value↔register packing (`Message`, outcomes, `Option<CapHandle>` with the null sentinel).
+  - `user_access.rs` — `UserAccessWindow` + `copy_from_user` / `copy_to_user`.
+  - `dispatch.rs` — the `dispatch` entry point, the per-syscall handlers, the `SyscallContext`, and the debug-console capability check.
+- **`tyrne-bsp-qemu-virt`** (hardware-facing):
+  - `vectors.s` — `tyrne_sync_trampoline`, installed at **both** `VBAR_EL1 + 0x200` (current-EL, the B5 path) and `+0x400` (lower-EL AArch64, the B6 EL0 path).
+  - `syscall.rs` — `SyscallTrapFrame` (`#[repr(C)]`) + `syscall_entry` (reads the frame, builds a `SyscallContext` from the BSP statics, calls `dispatch`, writes the result back).
+  - `main.rs` — `syscall_boundary_smoke` (the EL1 kernel-stub `SVC` caller) + the `SYSCALL_STUB_TABLE` static.
+
+### Debug-gate mechanism (chosen: `cfg!(debug_assertions)` match guard)
+
+`SyscallNumber::decode` recognises `console_write`'s number `5` only under `5 if cfg!(debug_assertions)`; in a release build it falls through to `None`, so the dispatcher returns `BadSyscallNumber` and the debug console is absent from the production surface even for a capability holder. Chosen over a Cargo feature because: (a) zero manifest wiring; (b) it matches the kernel's existing `debug_assertions` discipline (`debug_assert!` sites); (c) the `[profile.release]` in `Cargo.toml` leaves `debug-assertions` at its default (off in release, on in dev/host-test), so the gate is correct by construction; (d) `cfg!` (a runtime const-bool), **not** `#[cfg]`, keeps the `ConsoleWrite` match arm compiled and referenced in every build — so no dead-code warning arises in release. The two complementary tests `console_write_is_a_syscall_in_debug_builds` / `console_write_is_absent_in_release_builds` (and the six `#[cfg(debug_assertions)]`-gated functional `console_write` dispatch tests) pin both halves; `cargo test --release` exercises the release path.
+
+### Trap-frame layout (272 bytes, full register file)
+
+`SyscallTrapFrame` saves the **full** GPR set `x0`–`x30` plus `SP_EL0`, `ELR_EL1`, `SPSR_EL1` — 17 register pairs = 272 bytes, 16-byte aligned. This is deliberately larger than the IRQ `TrapFrame` (192 bytes, AAPCS64 caller-saved only): the syscall path must be a *complete* snapshot of the trapped context, the shape a real EL0 task (B6) and any future preemption arc require, and it must save `SP_EL0` (the EL0 stack for the `+0x400` path). The asm `stp` offsets in `vectors.s` mirror the `#[repr(C)]` field order; a `const _: () = assert!(size_of::<SyscallTrapFrame>() == 272)` guard fails the build on drift (mirrors the IRQ frame's guard). The handler writes only `x0`–`x7` (status + payload) back; the trampoline restores `x8`–`x30` + `SP_EL0` + `ELR_EL1` + `SPSR_EL1` to their trapped values, so the ABI-clobbered `x8`–`x18` are in fact preserved (a harmless superset). On `ESR_EL1.EC == 0x15` (SVC64) the trampoline calls `syscall_entry`; any other sync cause branches to the existing `panic_entry` (out of scope here).
+
+### Copy-from/to-user bound-check strategy (`UserAccessWindow`)
+
+`UserAccessWindow` models the active address space's user-accessible region as a single contiguous half-open VA window `[base, base + len)`. `copy_from_user` / `copy_to_user` call `validate(ptr, len)` first: a zero-length access is trivially OK (no bytes touched); a range whose end overflows `usize` is rejected (`checked_add`, the wrap case); a range not wholly contained in the window is rejected. Only on `Ok` is the pointer dereferenced (via `core::ptr::copy_nonoverlapping`), so the kernel never touches an unvalidated user pointer. `console_write` validates the **whole** range up front (so a faulting buffer emits nothing — no partial output) then copies + emits in 256-byte chunks through a kernel stack buffer (bounding stack footprint regardless of `len`). In v1 the deref relies on the bootstrap AS's identity map ([ADR-0027](../../../decisions/0027-kernel-virtual-memory-layout.md) §Decision outcome (a)); the **B6 forward path** ([ADR-0033](../../../decisions/0027-kernel-virtual-memory-layout.md) high-half placeholder) replaces the int-to-pointer deref with a per-page user-VA → kernel-VA translation and derives a tighter window from the EL0 task's mapped region — **without** changing the `copy_*` call-site signatures or the window-containment/wrap/zero-length logic. Host tests pin in-range / out-of-range / overrun / zero-length / wrap; the Miri-clean test pattern exposes a real host `Vec<u8>`'s provenance via `as usize` (matching `pmm.rs` / `task_loader.rs`).
+
+### Data-plane vs. control-plane (the `SyscallEffect` directive)
+
+`send` / `recv` / `console_write` are **data-plane**: they complete inside the dispatcher (over IPC arena/queues, the cap table, the console, and validated user memory) and produce `SyscallEffect::Resume(SyscallReturn)`. `task_yield` / `task_exit` are **control-plane**: they touch the scheduler, which is raw-pointer-wired and generic over the BSP CPU ([ADR-0021](../../../decisions/0021-raw-pointer-scheduler-ipc-bridge.md)), so the dispatcher returns a `Reschedule` / `Terminate(code)` *directive* instead of calling the scheduler directly. This keeps `dispatch` pure and host-testable without a live scheduler, and matches [ADR-0031](../../../decisions/0031-initial-syscall-set.md)'s "B5 lands the dispatch; real EL0 yield/termination is B6" split — in B5 the smoke runs the stub before `start()`, so the BSP glue treats both directives as documented stand-ins (write `Ok` status); the dispatcher-level routing (number → directive) is host-tested.
+
+### Debug-console capability (the new `CapObject` kind)
+
+`console_write` is gated on a new `CapObject::DebugConsole` (a **unit** variant — the debug console is a singleton with no arena-backed kernel object, so it carries no handle, the smallest object addition per [ADR-0031](../../../decisions/0031-initial-syscall-set.md)) plus a new `CapRights::CONSOLE_WRITE` bit (`1 << 7`, added to `KNOWN_BITS`). The check — `resolve → kind == DebugConsole → carries CONSOLE_WRITE` — mirrors the IPC `validate_ep_cap` order and returns the in-kernel `CapError` (`InvalidHandle` / `WrongKind` / `InsufficientRights`) which composes into `SyscallError::Cap`. The check runs in **all** builds (the [P1/P4](../../../standards/architectural-principles.md) authority gate); the debug-gate is the independent second gate.
+
+### Stable `SyscallError` status encoding
+
+`0` = `Ok` (reserved); `1`–`3` = the top-level variants (`BadSyscallNumber` / `BadArgument` / `FaultAddress`); `0x101`–`0x107` = `Cap(_)` (`0x100 | cap_code`); `0x201`–`0x207` = `Ipc(_)` (`0x200 | ipc_code`). The per-variant encoders match `CapError` / `IpcError` **exhaustively without a wildcard** (same crate, despite `#[non_exhaustive]`), so adding a variant to either is a compile error here until its stable code is assigned — the safeguard a stable ABI wants. Pinned by the `error.rs` host tests.
+
+### Two new `unsafe` audit entries
+
+- **[UNSAFE-2026-0029](../../../audits/unsafe-log.md#unsafe-2026-0029--svc-sync-trap-trampoline--syscall_entry-register-frame-access)** — the `SVC` sync trampoline asm + `syscall_entry`'s frame reads/writes (distinct from the IRQ path's UNSAFE-2026-0020: larger frame, sync cause + `ESR` decode, result write-back).
+- **[UNSAFE-2026-0030](../../../audits/unsafe-log.md#unsafe-2026-0030--validated-copy-fromto-user-byte-move-via-coreptrcopy_nonoverlapping)** — the validated copy-from/to-user byte move (distinct from the loader's UNSAFE-2026-0027: copy across the userspace trust boundary, gated by `UserAccessWindow::validate`).
+
+## Review history
+
+- **2026-05-29 — implementation landed (Draft → In Progress → In Review).** Lands across the kernel `syscall` module (4 files) + cap-system additions (`CapRights::CONSOLE_WRITE`, `CapObject::DebugConsole`, `CapHandle::from_raw`) + the BSP trap trampoline (`vectors.s` `tyrne_sync_trampoline` at `0x200`/`0x400`) + `syscall.rs` (`SyscallTrapFrame` + `syscall_entry`) + the `kernel_entry` `SVC` smoke. **Gates:** `cargo fmt --check`, `cargo host-clippy -D warnings`, `cargo kernel-clippy -D warnings`, `cargo kernel-build` all clean; **host tests 236** (was 196 — +40 syscall tests), 43 hal + 53 test-hal unchanged; `cargo test --release` green (the debug-gate release-path tests); `cargo miri test --workspace --exclude tyrne-bsp-qemu-virt` clean (permissive provenance, matching the kernel's established int-to-pointer test pattern). **QEMU smoke (debug):** the two new lines `tyrne: hello from the syscall boundary (console_write via SVC)` + `tyrne: syscall smoke ok (console_write status=0x0, bytes=63; bad-number status=0x1)` appear after the `timer ready` banner and before `starting cooperative scheduler`; `-d int,unimp,guest_errors` shows exactly **two** `SVC` exceptions taken at the current-EL vector (`from EL1 to EL1 ... with ESR 0x15/0x56000000` — EC = SVC64), each `ERET`ing cleanly, plus only the pre-existing PL011-disabled-UART warnings (no new fault class); the full demo still runs to `tyrne: all tasks complete`. Two new audit entries (UNSAFE-2026-0029 / 0030). **Security-relevant** — flagged for explicit security review per CLAUDE.md §non-negotiable #1 (the EL0→EL1 trust boundary).
+- **2026-05-29 — adversarial review-round + follow-up.** A multi-agent adversarial pass (actively trying to break the boundary) and a maintainer trace independently confirmed **no live B5 defect**: no register-supplied input crashes the kernel, bypasses a capability check, or dereferences an unvalidated pointer. The QEMU trace pinned exactly two `SVC`s at the current-EL `+0x200` vector (`ESR 0x15/0x56000000`, `EL1→EL1`), clean `ERET`, no new fault class. Of the findings, the actionable B5 items were applied in this follow-up:
+  - **Test coverage (4 new dispatch-level tests):** `send_with_transfer_cap_then_recv_returns_cap_in_x6` (the x5-decode→`ipc_send` cap-transfer and `ipc_recv`→`encode_recv_outcome` x6-pack wiring, previously untested through `dispatch`); `send_with_stale_transfer_handle_returns_invalid_transfer_cap` (status `0x205`); `recv_with_no_sender_returns_pending_packing` (Pending register packing — x1=pending, x2..x7 zeroed); `console_write_exactly_one_chunk_emits_all_bytes` (the `len == CONSOLE_WRITE_CHUNK` loop boundary, debug-gated). Host tests 236 → **240**.
+  - **Nit — unchecked payload index:** `SyscallReturn::with_payload` is now a **const-generic** `with_payload::<IDX>` with a `const { assert!(IDX < 7) }`, turning the (already unreachable-from-untrusted-input) runtime index panic into a **compile-time** error at the call site — matching the kernel's compile-time-guard idiom. Call sites updated to the `::<N>` turbofish.
+  - **Clarity:** the three scattered "unreachable re-validation" comments in `sys_console_write` consolidated into one inequality-chain proof at the loop head.
+  - **B6 carry-forward gates** (NOT B5 defects — the B5 stub proxy does not need them) recorded explicitly in [phase-b.md §B6 "T-021 carry-forward gates"](../../../roadmap/phases/phase-b.md#milestone-b6--first-userspace-hello): the per-task `console_write` window + per-page user-VA translation (return `FaultAddress`, never panic — the agent-suggested "panic on full-extent window" was **rejected** as a panic-free-contract violation), `SP_EL1` init on the `+0x400` entry, and the `SYSCALL_STUB_TABLE` → current-task-table swap. Two later-phase hazards (`ipc_send` `unreachable!()` under preemption; EL0 non-`SVC` fault containment) cross-referenced to ADR-0032/C3-009 and K3-4. All gates re-run green after the follow-up.
diff --git a/docs/architecture/README.md b/docs/architecture/README.md
index eeaf380..312d31b 100644
--- a/docs/architecture/README.md
+++ b/docs/architecture/README.md
@@ -15,7 +15,7 @@ The architecture is being written in phases. Many documents listed below are pla
 | [`hal.md`](hal.md) | Hardware Abstraction Layer: trait surfaces, board support packages, portability. | Accepted |
 | [`boot.md`](boot.md) | Boot flow from reset vector through kernel init to first userspace task. | Accepted (v0.0.1 — QEMU virt; T-013 EL drop landed) |
 | [`scheduler.md`](scheduler.md) | Cooperative FIFO scheduler: ready queue, idle task, raw-pointer IPC bridge, ContextSwitch trait. | Accepted (v0.0.1 — single-core, no preemption) |
-| [`ipc.md`](ipc.md) | Inter-process communication: synchronous send/recv, endpoint state machine, capability transfer, scheduler-bridge wrappers. | Accepted (v0.0.1 — depth-1 endpoints) |
+| [`ipc.md`](ipc.md) | Inter-process communication: synchronous send/recv, endpoint state machine, capability transfer, scheduler-bridge wrappers. | Accepted (v0.0.1 — depth-1 endpoints; `IpcError` taxonomy split per ADR-0030) |
 | [`exceptions.md`](exceptions.md) | Exception vector table, IRQ dispatch, GIC v2 driver, generic-timer IRQ wiring, idle WFI activation. | Accepted (v0.0.1 — T-012 Done 2026-04-28 via PR #10 merge; design + implementation match; maintainer-side QEMU smoke verification of the deliberate-deadline path remains pre-B1-closure work) |
 | [`memory-management.md`](memory-management.md) | Physical + virtual memory, MMU/paging, allocators, address-space objects, task loader. | Accepted (v0.0.1 — MMU/PMM/AddressSpace/loader; T-016..T-019) |
 | [`task-loader.md`](task-loader.md) | Task loader: raw-flat image → populated address space; rollback contract; audit-log surface. | Accepted (v0.0.1 — T-019) |
diff --git a/docs/architecture/exceptions.md b/docs/architecture/exceptions.md
index 535d53f..83c6481 100644
--- a/docs/architecture/exceptions.md
+++ b/docs/architecture/exceptions.md
@@ -55,7 +55,7 @@ flowchart TB
     VBAR --> Vectors
 ```
 
-`★` is the only entry that fires in v1. Tyrne runs at EL1 with `SPSel = 1` (per the EL drop's `SPSR_EL2 = 0x3c5` mode field, EL1h means EL1 + SP_EL1), so an IRQ taken from running kernel code lands at offset `+0x280`. The other 15 entries trampoline into a panic-class Rust handler that prints the source class and halts; v1 has no SVC handler (no userspace yet), no FIQ source, and no SError-recoverable scenario.
+`★` marks the entries that fire in v1. Tyrne runs at EL1 with `SPSel = 1` (per the EL drop's `SPSR_EL2 = 0x3c5` mode field, EL1h means EL1 + SP_EL1), so an IRQ taken from running kernel code lands at offset `+0x280`. **Since T-021 (B5), the two *sync* entries also fire:** the current-EL `+0x200` and lower-EL-AArch64 `+0x400` sync slots both route to the SVC sync trampoline (see §"Syscall dispatch" below) — on `ESR_EL1.EC == SVC64` they save the full register frame and call the Rust syscall dispatcher; any other sync cause falls through to the panic handler. In v1 only the `+0x200` path is exercised at runtime (an EL1 kernel-stub `SVC`); the `+0x400` (real EL0) path is wired now and runtime-verified in B6. The remaining entries — FIQ, SError, and sync on the unused SP_EL0 / AArch32 categories — trampoline into a panic-class Rust handler that prints the source class and halts (no FIQ source, no SError-recoverable scenario in v1).
 
 The table itself lives in a dedicated `.text.vectors` linker section; `linker.ld` aligns the section to a 2 KiB boundary so `VBAR_EL1` can address it directly. The asm trampolines are hand-written `naked_asm!`-style — the compiler does not generate prologue/epilogue code that would corrupt the saved register frame before the trampoline routes to Rust.
 
@@ -93,7 +93,46 @@ sequenceDiagram
 
 The trampoline saves the AAPCS64-caller-saved general-purpose registers — `x0..x18` plus the link register `x30` — into a 192-byte `#[repr(C)] TrapFrame` struct, plus `ELR_EL1` and `SPSR_EL1` so `eret` restores the interrupted PSTATE exactly. The callee-saved set (`x19..x29`) is **not** pushed by the trampoline; AAPCS64 makes the Rust callee (`irq_entry`) responsible for preserving any of those registers it touches, so saving them in the trampoline would be redundant work on every IRQ entry. The exact saved set is fixed by the asm `stp` sequence in `vectors.s` and mirrored by the `TrapFrame` field order in `exceptions.rs`; mismatches between asm and `repr(C)` are caught at first IRQ fire (saved values would land in the wrong slots), not at compile time.
 
-The non-IRQ entries (sync exception, FIQ, SError, every Lower-EL entry) all route to a dispatcher that prints `"unhandled exception <class>"` and halts. Sync exceptions become useful in Phase B5 when SVC syscalls land; FIQ remains unused unless a future BSP routes a high-priority interrupt to FIQ specifically; SError is the architecture's "things have gone wrong at the system level" signal and is treated as fatal in v1.
+The remaining non-IRQ entries (FIQ, SError, and sync on the unused categories) route to a dispatcher that prints `"unhandled exception <class>"` and halts. The two **sync** entries (`+0x200` / `+0x400`) became useful in Phase B5 — see §"Syscall dispatch (sync / SVC path)" below — when SVC syscalls landed (T-021); FIQ remains unused unless a future BSP routes a high-priority interrupt to FIQ specifically; SError is the architecture's "things have gone wrong at the system level" signal and is treated as fatal in v1.
+
+### Syscall dispatch (sync / SVC path) — T-021
+
+Phase B5 ([T-021](../analysis/tasks/phase-b/T-021-syscall-dispatch.md)) lit up the synchronous-exception path: an `SVC #0` traps to a sync vector, where the `tyrne_sync_trampoline` saves the caller's registers, routes on `ESR_EL1.EC`, and — for an SVC — hands a pointer to the saved frame to the Rust syscall dispatcher in [`tyrne_kernel::syscall`](../../kernel/src/syscall/). The convention is settled by [ADR-0030](../decisions/0030-syscall-abi.md) (`x8` = number, `x0`–`x5` = args, `x0` = status, `x1`–`x7` = payload, `SVC #0`) and the v1 set by [ADR-0031](../decisions/0031-initial-syscall-set.md).
+
+The trampoline is installed at **both** sync slots because the save → dispatch → `ERET` mechanism is privilege-entry-agnostic — only the vector slot and the mode `SPSR_EL1` restores differ:
+
+- **`+0x200` (current-EL with SP_ELx)** — an `SVC` issued at EL1 (the B5 kernel-stub) takes this slot. This is the path v1 exercises at runtime.
+- **`+0x400` (lower-EL AArch64)** — an `SVC` issued at EL0 (a real userspace task) takes this slot. Installed now; runtime-verified in B6 when the first EL0 task exists (the EL0↔EL1 transition + copy-user against a separate userspace `TTBR0_EL1` are B6's, per [ADR-0030 §Simulation](../decisions/0030-syscall-abi.md#simulation)).
+
+```mermaid
+sequenceDiagram
+    participant Caller as Caller (EL1 stub in B5 / EL0 task in B6)
+    participant Vec as Sync vector (+0x200 / +0x400)
+    participant Tramp as tyrne_sync_trampoline (asm)
+    participant Frame as SyscallTrapFrame (272 B)
+    participant Entry as syscall_entry (BSP Rust)
+    participant Disp as dispatch (kernel, panic-free)
+    Caller->>Vec: SVC #0; x8=nr, x0..x5=args
+    Vec->>Tramp: branch
+    Tramp->>Frame: stp x0..x30; mrs SP_EL0, ELR_EL1, SPSR_EL1
+    Tramp->>Tramp: decode ESR_EL1.EC
+    alt EC == 0x15 (SVC64)
+        Tramp->>Entry: bl syscall_entry(*mut SyscallTrapFrame)
+        Entry->>Disp: dispatch(ctx, {nr, args})
+        Note over Disp: decode nr → cap check → kernel primitive → encode
+        Disp-->>Entry: SyscallEffect (Resume{status,payload} / Reschedule / Terminate)
+        Entry->>Frame: write x0=status, x1..x7=payload
+        Entry-->>Tramp: return
+        Tramp->>Frame: ldp x0..x30; msr SP_EL0, ELR_EL1, SPSR_EL1
+        Tramp-->>Caller: eret
+    else other sync cause
+        Tramp->>Tramp: bl panic_entry (out of scope for T-021)
+    end
+```
+
+**Trap frame.** Unlike the IRQ `TrapFrame` (192 bytes, AAPCS64 caller-saved only), the syscall path saves the **full** register file `x0`–`x30` plus `SP_EL0`, `ELR_EL1`, and `SPSR_EL1` into a 272-byte `#[repr(C)] SyscallTrapFrame` ([`syscall.rs`](../../bsp-qemu-virt/src/syscall.rs)) — a complete snapshot of the trapped context, the shape a real EL0 task (B6) and any future preemption arc require. The asm `stp` offsets mirror the `#[repr(C)]` field order; a `const _: () = assert!(size_of::<SyscallTrapFrame>() == 272)` guard fails the build on drift (the same discipline as the 192-byte IRQ frame). The Rust handler writes only `x0`–`x7` (status + payload) back; the trampoline restores `x8`–`x30` + `SP_EL0` + `ELR_EL1` + `SPSR_EL1` to their trapped values.
+
+**Panic-free dispatch.** The kernel dispatcher is held to one rule: no register-supplied input may drive a `panic!` / `unwrap` / `expect`. A bad number (including `0` and, in release, the debug-gated `console_write`) returns `SyscallError::BadSyscallNumber`; every capability / pointer failure returns a typed `SyscallError` as a value. Every object-naming syscall performs a capability check before any effect ([P1/P4](../standards/architectural-principles.md)). Validated copy-from/to-user (`UserAccessWindow` + `copy_from_user` / `copy_to_user`) never dereferences a raw user pointer outside a range checked against the active address space. The hand-written trampoline asm + the validated byte move carry audit entries [UNSAFE-2026-0029](../audits/unsafe-log.md#unsafe-2026-0029--svc-sync-trap-trampoline--syscall_entry-register-frame-access) and [UNSAFE-2026-0030](../audits/unsafe-log.md#unsafe-2026-0030--validated-copy-fromto-user-byte-move-via-coreptrcopy_nonoverlapping).
 
 ### GIC v2 driver
 
diff --git a/docs/architecture/ipc.md b/docs/architecture/ipc.md
index d11b447..e80b0e8 100644
--- a/docs/architecture/ipc.md
+++ b/docs/architecture/ipc.md
@@ -93,13 +93,17 @@ The "park in endpoint state" step is what makes the transfer atomic: even if the
 ### `IpcError` taxonomy
 
 ```text
-IpcError::InvalidCapability     // ep_cap stale, wrong kind, or lacks the required right
+IpcError::StaleHandle           // cap did not resolve, or its object was destroyed
+IpcError::WrongObjectKind       // cap resolved but names the wrong kind of object for the op
+IpcError::MissingRight          // cap is the right kind but lacks SEND / RECV / NOTIFY
 IpcError::QueueFull              // a previous sender/receiver still occupies the endpoint
 IpcError::InvalidTransferCap    // transfer-handle stale or lacks TRANSFER
 IpcError::ReceiverTableFull     // pre-flight: receiver's cap table has no free slot
 IpcError::PendingAfterResume    // scheduler-bridge invariant violation; see scheduler.md
 ```
 
+The first three variants — `StaleHandle` / `WrongObjectKind` / `MissingRight` — replace the former single `InvalidCapability` per [ADR-0030](../decisions/0030-syscall-abi.md)'s **K2-5** split, so the syscall error space and the in-kernel error space agree once userspace can call IPC. Capability validation resolves in the order **resolve → type-check → authority-check** (`StaleHandle` → `WrongObjectKind` → `MissingRight`), mirroring [`CapError`](../../kernel/src/cap/mod.rs)'s `InvalidHandle` / `WrongKind` / `InsufficientRights`. Revealing *which* check failed is safe — a capability table is per-subject and unforgeable, so the failure mode is a fact about the caller's own handle, not a forgery aid (see [ADR-0030 §"Security of the taxonomy split"](../decisions/0030-syscall-abi.md)). The companion redaction of `Capability`'s `Debug` (K3-9) keeps the *object identity* hidden even as the failure mode becomes visible.
+
 The enum is annotated `#[non_exhaustive]`, which deliberately *opens* it for future extension: external matches must include a wildcard arm, so new variants can be added without silently breaking callers. `PendingAfterResume` is special among the variants — it is produced *only* by the scheduler bridge's resume path, never by the bare `ipc_recv` primitive, and it indicates a kernel-internal invariant violation rather than a userspace-reachable error. ADR-0022 §Revision notes (second rider) records why the typed return replaces a `debug_assert!` that was untestable.
 
 ### The scheduler-bridge wrappers
diff --git a/docs/architecture/security-model.md b/docs/architecture/security-model.md
index 298fa8d..a68cfbb 100644
--- a/docs/architecture/security-model.md
+++ b/docs/architecture/security-model.md
@@ -146,6 +146,7 @@ Two capability properties are load-bearing:
 
 - **Unforgeability.** Capability tokens are entirely inside the kernel's memory. Userspace never sees raw bits; it references its own table by handle.
 - **Non-transferability without consent.** A capability can be moved (via IPC) or duplicated (via a duplicate authority), but never silently copied or leaked.
+- **Redacted in diagnostics.** A `Capability`'s `Debug` impl shows its rights but **redacts the kernel object it names** (the typed handle's slot index + generation), so a userspace-reachable log path — such as the debug `console_write` syscall — can never disclose kernel-internal object identity. Capabilities follow the same "no unredacted `Debug`/`Display`" discipline cryptographic keys do (see §Cryptography). Per [ADR-0030](../decisions/0030-syscall-abi.md) (K3-9 / security review §6).
 
 #### Capability operations
 
@@ -253,7 +254,7 @@ The kernel has **no cryptographic primitives** in its initial form. This is deli
 - An ADR per primitive or primitive family.
 - No roll-your-own. Only well-known algorithms from audited crates.
 - A [security-review](../standards/security-review.md) pass on every introduction, separately from code review.
-- Keys are first-class types that do not implement unredacted `Debug` or `Display`. See [logging-and-observability.md](../standards/logging-and-observability.md).
+- Keys are first-class types that do not implement unredacted `Debug` or `Display` — the same discipline capabilities follow (see §Capabilities, "Redacted in diagnostics"). See [logging-and-observability.md](../standards/logging-and-observability.md).
 
 ### Supply chain
 
diff --git a/docs/audits/unsafe-log.md b/docs/audits/unsafe-log.md
index fcadaae..f5f70b5 100644
--- a/docs/audits/unsafe-log.md
+++ b/docs/audits/unsafe-log.md
@@ -625,3 +625,46 @@ Neither change touches the `copy_nonoverlapping` site itself; both correct contr
   - **Attribute the call-site unsafety to UNSAFE-2026-0010 + 0014.** Rejected (was the pre-fix state): 0010 (StaticCell `Sync`) and 0014 (momentary `&mut` to the just-initialised arena) cover the *surrounding* publish mechanics, not the `from_existing_root` operation itself (wrapping a non-zero-filled live root). The call-site SAFETY block now narrows 0010/0014 to the StaticCell/arena lines they actually cover and cites this entry for the wrap.
 - **Reviewed by:** @cemililik (+ Claude Opus 4.7 agent). Security-sensitive (boot + MMU root install) → second-reviewer required per [unsafe-policy §Review.4](../standards/unsafe-policy.md).
 - **Status:** Active. The contract is sound and the sole caller honours it (C7-P5 / X3-001 confirm `mmu_bootstrap` populates the exact frame and that `kernel_entry` runs post-bootstrap). Smoke-verified at runtime: the 2026-05-14 QEMU trace wraps the bootstrap root on boot and runs the demo to completion (`tyrne: all tasks complete`) with no Translation/Permission faults; this is an audit-trail-completeness fix, not a behaviour change.
+
+### UNSAFE-2026-0029 — `SVC` sync trap trampoline + `syscall_entry` register-frame access
+
+- **Introduced:** 2026-05-29, [T-021 — EL0→EL1 SVC dispatch](../analysis/tasks/phase-b/T-021-syscall-dispatch.md). New entry: the syscall trap path is a distinct mechanism from the IRQ trap path (UNSAFE-2026-0020) — a different vector slot pair, a larger full-register-file frame, a synchronous `SVC` cause rather than an asynchronous IRQ, and a frame the Rust handler *writes back* (the syscall result) rather than only reads. Per the [`justify-unsafe`](../../.agents/skills/justify-unsafe/SKILL.md) audit-tag scoping discipline, the honest record is a fresh entry, not an Amendment of 0020.
+- **Location:** [`bsp-qemu-virt/src/vectors.s`](../../bsp-qemu-virt/src/vectors.s) — `tyrne_sync_trampoline` (installed at `VBAR_EL1 + 0x200` current-EL-SPx and `+0x400` lower-EL-AArch64 sync slots); [`bsp-qemu-virt/src/syscall.rs`](../../bsp-qemu-virt/src/syscall.rs) — `SyscallTrapFrame` (`#[repr(C)]`) + `syscall_entry`'s `*mut SyscallTrapFrame` reads/writes; [`bsp-qemu-virt/src/main.rs`](../../bsp-qemu-virt/src/main.rs) — `syscall_boundary_smoke`'s two `core::arch::asm!("svc #0", ...)` blocks (the B5 EL1 kernel-stub caller).
+- **Operation:** On an `SVC`, the asm trampoline reserves a 272-byte frame and saves `x0`–`x30` + `SP_EL0` + `ELR_EL1` + `SPSR_EL1` (via `stp` / `mrs`), decodes `ESR_EL1.EC`, and — for SVC64 (`EC == 0x15`) — calls `extern "C" fn syscall_entry(frame: *mut SyscallTrapFrame)`. `syscall_entry` reads `x8` (number) + `x0`–`x5` (args) from the frame, dispatches through the kernel (`tyrne_kernel::syscall::dispatch`), and writes the status (`x0`) + payload (`x1`–`x7`) back into the frame; the trampoline then restores the full frame and `ERET`s. The smoke's `asm!("svc #0", ...)` blocks are the EL1 stub that issues the trap. Non-SVC sync causes branch to `panic_entry` (UNSAFE-2026-0020's panic path), out of scope for the syscall arc.
+- **Invariants relied on:**
+  - **Asm/Rust frame-layout agreement.** The `stp` offsets in `tyrne_sync_trampoline` mirror `SyscallTrapFrame`'s `#[repr(C)]` field order byte-for-byte; the `const _: () = assert!(size_of::<SyscallTrapFrame>() == 272)` guard in `syscall.rs` fails the build on any drift, before a mis-saved register can reach a syscall. Mirrors the 192-byte `TrapFrame` guard (UNSAFE-2026-0020).
+  - **Frame pointer validity.** `syscall_entry` receives `sp` (the frame base) constructed by the trampoline's `stp` sequence immediately before the `bl`; the pointer is valid and exclusively owned for the call's duration (the handler runs on the kernel stack, AAPCS64-preserves `sp` across the `bl`, and restores `sp` after returning).
+  - **No interleaving / no re-entrancy.** `SVC` is a synchronous exception; the ARM core masks `DAIF` on exception entry, and the handler does not re-enable interrupts, so no IRQ or peer can observe or mutate the frame or the borrowed kernel statics mid-handler. v1 is single-core cooperative.
+  - **Result-write touches only `x0`–`x7`.** `syscall_entry` writes the status + payload into the `x0`–`x7` slots; `x8`–`x30` + `SP_EL0` + `ELR_EL1` + `SPSR_EL1` are restored to their trapped values by the trampoline, so the caller's preserved registers and return PSTATE/PC survive the trap exactly (the ABI documents `x8`–`x18` as clobbered, so preserving them is a harmless superset).
+  - **Statics initialised before first `SVC`.** `syscall_entry`'s `assume_init_{mut,ref}` on `EP_ARENA` / `IPC_QUEUES` / `SYSCALL_STUB_TABLE` / `CONSOLE` are sound because `kernel_entry` writes all four before `syscall_boundary_smoke` issues any `SVC` (UNSAFE-2026-0010's write-once `StaticCell` contract); the momentary `&mut`s are scoped to the single `dispatch` call and do not cross a context switch (UNSAFE-2026-0014's discipline — the data-plane syscalls do not switch, and the control-plane directives are returned before any switch).
+- **Rejected alternatives:**
+  - **Reuse the IRQ trampoline / `TrapFrame` (UNSAFE-2026-0020).** Rejected: the IRQ frame saves only the AAPCS64 caller-saved set (`x0`–`x18` + `x30`, 192 bytes) because the Rust `irq_entry` preserves the callee-saved set across its own `bl`. The syscall path must snapshot the **full** register file + `SP_EL0` (the shape a real EL0 task in B6 and any future preemption arc require), is driven by a synchronous cause needing an `ESR_EL1.EC` decode the IRQ entry does not perform, and *writes results back* into the frame — three load-bearing differences. A shared frame would either under-save (corrupting EL0 state in B6) or muddle two distinct contracts.
+  - **Decode the syscall in asm.** Rejected: the dispatcher is panic-free Rust over kernel state (capabilities, IPC, console, user memory); hand-decoding it in asm would move the most security-sensitive logic out of the host-tested, borrow-checked layer for no gain.
+  - **Pass a `&mut SyscallTrapFrame` from the asm.** Impossible — asm has no Rust references; the `*mut` + scoped `&*frame`/`&mut *frame` reborrows are the only expressible shape, and they are bounded to the handler body.
+  - **A typed exception-frame crate / macro-generated vectors.** Rejected for the same reason UNSAFE-2026-0020 rejected it: hand-written trampolines are easier to audit than an over-abstract macro, and the saved-frame shape is a stable architectural concept guarded at compile time.
+- **Reviewed by:** @cemililik (+ Claude Opus 4.8 agent). Security-sensitive (the EL0→EL1 trust boundary — the single widest untrusted-input surface in the system) → second-reviewer required per [unsafe-policy §Review.4](../standards/unsafe-policy.md).
+- **Status:** Active. Smoke-verified at runtime: the 2026-05-29 QEMU trace (debug build) shows the EL1 kernel-stub's two `SVC`s taken at the current-EL `+0x200` sync vector — `Taking exception 2 [SVC] ... from EL1 to EL1 ... with ESR 0x15/0x56000000` (EC = SVC64, exactly the value the trampoline routes on) — each `ERET`ing cleanly back to EL1, with the `console_write` syscall emitting `tyrne: hello from the syscall boundary (console_write via SVC)` and the round-trip confirmation `console_write status=0x0, bytes=63; bad-number status=0x1`; `-d int,unimp,guest_errors` shows only the pre-existing PL011-disabled-UART warnings (no new fault class). **The lower-EL `+0x400` slot is installed but not yet exercised** — a real EL0 task taking it (with the EL0↔EL1 privilege transition) is B6's runtime verification per [ADR-0030 §Simulation row-to-verification mapping](../decisions/0030-syscall-abi.md#simulation); this status note lifts to cover the `+0x400` path via append-only Amendment when B6's first EL0 task runs.
+
+### UNSAFE-2026-0030 — validated copy-from/to-user byte move via `core::ptr::copy_nonoverlapping`
+
+- **Introduced:** 2026-05-29, [T-021 — EL0→EL1 SVC dispatch](../analysis/tasks/phase-b/T-021-syscall-dispatch.md). New entry rather than an Amendment of [UNSAFE-2026-0027](#unsafe-2026-0027--task-loader-frame-byte-copy-via-coreptrcopy_nonoverlapping-in-task_loaderload_image): 0027's scope is a *kernel-orchestrated* copy from a kernel-owned `.rodata` slice into a freshly-allocated PMM frame the loader fully controls; 0030's scope is a copy across the *userspace trust boundary* — the source/destination pointer is a **userspace-supplied integer** the kernel does not own a reference into, gated by a runtime range check against the active address space. The differing ownership-proof chain (caller-owned `PhysFrame` vs. validator-bounded untrusted VA) is the load-bearing axis the audit log discriminates on, so a fresh entry is the honest record.
+- **Location:** [`kernel/src/syscall/user_access.rs`](../../kernel/src/syscall/user_access.rs) — the single `unsafe { core::ptr::copy_nonoverlapping(...) }` block in each of `copy_from_user` (read from user) and `copy_to_user` (write to user). Reached in production via `console_write`'s buffer copy (`kernel/src/syscall/dispatch.rs::sys_console_write`); `copy_to_user` has no v1 syscall caller (the symmetric write-side primitive; see its doc) but shares the audited operation.
+- **Operation:** `core::ptr::copy_nonoverlapping(src, dst, len)` moving `len` bytes between a kernel-owned `&[u8]`/`&mut [u8]` slice and a userspace VA (`user_ptr as *const u8` for the read direction, `user_ptr as *mut u8` for the write direction), where:
+  - `len ∈ [1, isize::MAX]` — the zero-length case short-circuits to `Ok` before the `unsafe` block (no dereference).
+  - the user VA half (`user_ptr`) arrives as an integer register word (the ABI passes user pointers as `u64`); the kernel side is a genuine Rust slice with a valid borrow.
+- **Invariants relied on:**
+  - **Range validity — the load-bearing precondition.** `UserAccessWindow::validate(user_ptr, len)` runs **before** the `unsafe` block and proves `[user_ptr, user_ptr + len)` is wholly contained in the active address space's accessible window **and** does not wrap past `usize::MAX` (the wrap is rejected via `checked_add`, never silently truncated). Only on `Ok` is the pointer dereferenced; every failure path returns `SyscallError::FaultAddress` with **no** raw dereference. This is the [ADR-0030 §Simulation row 4](../decisions/0030-syscall-abi.md#simulation) "never dereference an unvalidated user pointer" guarantee.
+  - **v1 identity map.** Per [ADR-0027 §Decision outcome (a)](../decisions/0027-kernel-virtual-memory-layout.md), the bootstrap address space the B5 EL1 kernel-stub runs on identity-maps the managed extent, so a validated `user_ptr` is directly readable/writable by kernel code at `VA == PA`. This is the same identity-mapping dependence shared by every kernel-resident raw-pointer site (UNSAFE-2026-0025 / 0026 / 0027); the future [ADR-0033](../decisions/0027-kernel-virtual-memory-layout.md) high-half migration replaces the int-to-pointer dereference with a per-page user-VA → kernel-VA translation at this one site (the window-containment + wrap + zero-length logic is unchanged), the same project-wide sweep those entries name.
+  - **Kernel-slice validity + non-overlap.** The kernel side (`dst` for read, `src` for write) is a Rust slice, valid for `len` bytes by the slice invariant. The user buffer (in the active AS) and the kernel slice (a stack buffer in `sys_console_write`) are disjoint regions, so `copy_nonoverlapping`'s non-overlap precondition holds.
+  - **No interleaving.** v1 is single-core cooperative and the `SVC` handler runs with `DAIF` masked (exception entry), so no peer mutates either buffer mid-copy.
+  - **`len` overflow-free.** `len ≤ isize::MAX` on the targets (the validated range is bounded by the address space; `console_write` further chunks through a 256-byte buffer), so `copy_nonoverlapping`'s size arithmetic cannot overflow.
+  - **Provenance (host tests).** Under Miri's permissive-provenance mode the kernel's established pattern holds: a host `Vec<u8>` provides backing, its pointer is *exposed* via `as usize` when building the window, and the int-to-pointer dereference recovers that exposed provenance — so the success-path tests run UB-free, and the failure-path tests reject before any dereference. Mirrors `pmm.rs` / `task_loader.rs`'s test discipline.
+- **Rejected alternatives:**
+  - **`core::slice::from_raw_parts(_mut)` to borrow the user bytes.** Rejected: still `unsafe`, same provenance/identity-map requirement, and it advertises a `&[u8]`/`&mut [u8]` *borrow* of memory the kernel does not own (a userspace buffer that, in B6, lives in a separate `TTBR0_EL1` AS). The explicit `copy_nonoverlapping` is the honest "copy bytes the validator just bounded" — and the *copy* (kernel works on its own bytes) is the contract [ADR-0031](../decisions/0031-initial-syscall-set.md) wants for `console_write`, not a borrow.
+  - **`core::ptr::read_volatile` per byte.** Rejected: volatile semantics are for memory another agent observes between sequence points (DMA / peer CPU / MMIO). User RAM in v1's single-core cooperative kernel is plain memory; volatile buys nothing and would falsely advertise MMIO ordering at the audit surface (the same reasoning UNSAFE-2026-0027 records).
+  - **A HAL trait method (`Mmu::copy_user`).** Rejected: relocates the `unsafe` to the HAL surface without removing it. User-memory access is a kernel-*syscall* concern (the HAL never reads userspace), so the discipline (validate-range-then-copy) belongs at the syscall layer where the range check is local to the same function.
+  - **Skip the kernel-side copy and slice the user buffer directly into `Console::write_bytes`.** Rejected: would borrow user memory across the console call (a B6 cross-AS hazard) and bypasses the "copy through a bounded kernel buffer" property; chunking through the 256-byte stack buffer keeps the kernel working on its own validated copy.
+- **Reviewed by:** @cemililik (+ Claude Opus 4.8 agent). Security-sensitive (untrusted-pointer dereference at the userspace boundary) → second-reviewer required per [unsafe-policy §Review.4](../standards/unsafe-policy.md).
+- **Status:** Active. Host-tested (the `user_access` + `dispatch` `console_write` suites pin in-range / out-of-range / overrun / zero-length / wrap and the cap-gated emit) and Miri-clean under permissive provenance. Smoke-verified at runtime: the 2026-05-29 QEMU `console_write` `SVC` validates a 63-byte `.rodata` buffer against the identity-mapped RAM window and emits it (`bytes=63`, status `0x0`). `copy_to_user`'s `unsafe` block is host-tested + Miri-clean but has no runtime exerciser in v1 (no pointer-returning syscall yet); its first runtime exercise comes with B6+'s first user-pointer-returning syscall.
+
+**Amendment (2026-05-29, commit `2c713c0`, T-021 review-round follow-up): operation changed from `copy_nonoverlapping` to `core::ptr::copy` (memmove); the original §Operation `copy_nonoverlapping` wording, invariant (3), and the §Rejected-alternatives bullet that named `copy_nonoverlapping` as the chosen primitive are historical / superseded.** A review-round finding observed that the original invariant (3) — *"source and destination do not overlap (kernel `src`/`dst` vs. user buffer)"* — is **not proven** by `UserAccessWindow::validate`, which checks *bounds*, not *disjointness*. Both `unsafe` blocks now use `core::ptr::copy`. **Correction, verified empirically with Miri:** switching to `core::ptr::copy` does **not** make these functions "overlap-tolerant" (an earlier draft of this Amendment claimed so — that claim is itself corrected here). An *overlapping* `(user_ptr, kernel-slice)` pair is **UB regardless of the copy primitive**, because `copy_from_user`'s `dst: &mut [u8]` (resp. `copy_to_user`'s `src: &[u8]`) parameter is exclusive / shared, so an aliasing access through the exposed `user_ptr` violates that borrow — confirmed under Miri's Stacked Borrows (*"not granting access to tag &lt;wildcard&gt; because that would remove [Unique …] which is strongly protected"*). The **actual soundness basis is the user/kernel disjointness invariant**: `user_ptr` names *userspace* memory while the kernel slice is a *distinct allocation* (v1 — `console_write`'s fresh 256-byte stack buffer) / a *separate address space* (B6, per [ADR-0027 §Decision outcome (a)](../decisions/0027-kernel-virtual-memory-layout.md)), so `[user_ptr, user_ptr + len)` and the kernel slice never overlap. Under that invariant **both** `core::ptr::copy` and `copy_nonoverlapping` are sound; `core::ptr::copy` is retained as the conservative primitive (so the primitive itself imposes no overlap precondition on top of the disjointness invariant). **Invariant (3) is restated** as: *"Disjointness — the kernel slice (`dst`/`src`) and the userspace range `[user_ptr, user_ptr + len)` are disjoint by the user/kernel memory model; `validate` proves bounds, the address-space split proves disjointness; an overlapping pair would be UB via the parameter's borrow exclusivity (Miri-confirmed) and never occurs for a real caller."* The other invariants (range validity, the v1 identity map, no single-core interleaving) and the `from_raw_parts` / HAL-method rejected alternatives are unchanged. All current callers satisfy disjointness, so the host / Miri / QEMU evidence above still holds. The call-site SAFETY comments were updated to match.
diff --git a/docs/decisions/0017-ipc-primitive-set.md b/docs/decisions/0017-ipc-primitive-set.md
index 5389341..035f24b 100644
--- a/docs/decisions/0017-ipc-primitive-set.md
+++ b/docs/decisions/0017-ipc-primitive-set.md
@@ -214,6 +214,7 @@ The `notify` operation is non-blocking: it ORs bits into the `Notification` word
 - **2026-04-27 — pointer to architecture doc.** [T-008](../analysis/tasks/phase-b/T-008-architecture-docs.md) created [`docs/architecture/ipc.md`](../architecture/ipc.md), which synthesises this ADR (three-primitive set, endpoint state machine, capability-transfer pre-flight) with [ADR-0021](0021-raw-pointer-scheduler-ipc-bridge.md) (the scheduler-bridge wrappers). The ADR body is unchanged; this rider provides the bidirectional cross-reference T-008's DoD asks for ("ADRs cited from architecture docs are the same ADRs whose §References sections cite the new architecture docs").
 - **2026-05-07 — `ipc_cancel_recv` recovery primitive added (ADR-0032 / T-015).** [ADR-0032](0032-endpoint-rollback-and-cancel-recv.md) introduces `ipc_cancel_recv(ep_arena, queues, ep_cap, table)` — a fourth function in `kernel/src/ipc/mod.rs` that reverses an `Idle → RecvWaiting` transition for the calling task. **It is a recovery primitive, not an extension of the user-observable IPC surface this ADR enumerated.** The user-observable set remains `send` / `recv` / `notify`; `cancel_recv` is consumed exclusively by the scheduler bridge's `ipc_recv_and_yield` Deadlock-rollback branch in v1 (kernel-internal). When userspace destroy paths land (Phase B2+), they may invoke it as a "drain receivers" sweep, and the future syscall-ABI ADR (currently pencilled as ADR-0030) decides whether to expose it directly. The `EndpointState` machine itself is unchanged — `cancel_recv` is a single-edge `RecvWaiting → Idle` reverse of an existing arc, not a new state. ADR-0017's *Decision outcome* (three-primitive set) is therefore not superseded; this rider records the additive recovery primitive that lands alongside it.
 - **2026-05-22 — "ADR-0030" forward-reference is a reserved slot, not yet filed.** The "pencilled as ADR-0030" syscall-ABI reference in the 2026-05-07 rider above is a **reserved slot number** (the `phase-b.md` §B5 ADR ledger formally reserves ADR-0030 for the syscall ABI and ADR-0031 for the initial syscall set), not a claim that a file exists. No `docs/decisions/0030-*.md` file exists yet; the slot opens with B5 userspace work. If the syscall ABI eventually lands under a different number, this reference is the one to update. (Mirrors the ADR-0033/0034 named-but-unallocated placeholder pattern.)
+- **2026-05-29 — ADR-0030 filed (Accepted); `IpcError` taxonomy refined (additive split, not supersession).** [ADR-0030](0030-syscall-abi.md) (syscall ABI + userspace error taxonomy) is now `Accepted`, filling the reserved slot the 2026-05-22 rider flagged. As its **K2-5** bundle it splits `IpcError::InvalidCapability` into `StaleHandle` / `MissingRight` / `WrongObjectKind` ([T-020](../analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md)). This **refines the error taxonomy** of the IPC operations this ADR enumerated; it does **not** change the three-primitive surface (`send` / `recv` / `notify`) or the endpoint state machine — ADR-0017's *Decision outcome* stands. [ADR-0031](0031-initial-syscall-set.md) (initial syscall set) chooses **not** to expose `notify` (nor `cancel_recv`) from EL0 in v1; the kernel-internal `ipc_notify` / `ipc_cancel_recv` are unchanged. Both ADRs are additive to this one.
 
 ## References
 
diff --git a/docs/decisions/0030-syscall-abi.md b/docs/decisions/0030-syscall-abi.md
new file mode 100644
index 0000000..264453d
--- /dev/null
+++ b/docs/decisions/0030-syscall-abi.md
@@ -0,0 +1,221 @@
+# 0030 — Syscall ABI and userspace error taxonomy
+
+- **Status:** Accepted
+- **Date:** 2026-05-29
+- **Deciders:** @cemililik
+
+## Context
+
+[Phase B § B5 — Syscall boundary](../roadmap/phases/phase-b.md#milestone-b5--syscall-boundary) opens the first synchronous entry path from EL0 (userspace) into EL1 (kernel). The EL-drop machinery ([ADR-0024](0024-el-drop-policy.md), T-013) and the exception-vector table ([T-012](../analysis/tasks/phase-b/T-012-exception-and-irq-infrastructure.md), [`exceptions.md`](../architecture/exceptions.md)) already exist; what is missing is the **contract** a userspace binary and the kernel agree on when control crosses that boundary: which register carries the syscall number, which registers carry arguments, how a result and an error are returned, and what the userspace-facing error space looks like.
+
+This ADR must be settled **before** any dispatcher or trap trampoline is written, because every later artefact rides on it: the EL0-side `SVC` stub in the future `tyrne-user` crate (B6), the EL1-side register save/restore frame, the dispatcher's argument decode, and the host-side ABI encoder/decoder tests. Choosing the convention after the trampoline lands means re-churning all of them. The same front-loading discipline that [ADR-0027](0027-kernel-virtual-memory-layout.md) (MMU activation) and [ADR-0029](0029-initial-userspace-image-format.md) (image format) applied to their boundaries applies here.
+
+A second, tightly-coupled question lands in this ADR by deliberate bundling (the **K2-5** roadmap item): the **userspace error taxonomy**. Today [`IpcError::InvalidCapability`](../../kernel/src/ipc/mod.rs) collapses three distinct failure modes — a stale/absent handle, a wrong-kind object, and a missing right — behind one variant. The [2026-04-21 Phase-A code review](../analysis/reviews/code-reviews/2026-04-21-tyrne-to-phase-a.md) flagged this as a future improvement; the [error-handling standard §"Error-type design checklist"](../standards/error-handling.md) says each variant must "represent a distinct case a caller could handle differently." The moment a syscall returns these errors to userspace is the moment the distinction becomes load-bearing — a language binding wants to map a stale handle (use-after-free; do not retry) differently from a missing right (permission denied; acquire the right) differently from a wrong-kind handle (a type error in the caller). Designing the syscall error space and splitting the in-kernel `IpcError` **in the same ADR** keeps the two spaces in agreement "from the start", which is exactly what the [phase-b §B5 sub-breakdown](../roadmap/phases/phase-b.md#milestone-b5--syscall-boundary) requires.
+
+The stakes of getting the ABI wrong are bounded but cross-cutting: the register convention is the widest interface in the system (every syscall, every userspace binding) and is hard to change once binaries depend on it. The stakes of getting the taxonomy wrong are lower (`IpcError` is `#[non_exhaustive]`, so it can grow), but the security review's redaction concern (the companion `Capability` `Debug` redaction — B5 sub-item 6 / K3-9 — landed in [T-020](../analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md) and discussed under §"Security of the taxonomy split" below) means the error space is part of the userspace-observable surface and deserves a deliberate decision rather than incremental drift.
+
+## Decision drivers
+
+- **AAPCS64 alignment.** Userspace stubs and the kernel dispatcher are both compiled by the same Rust/LLVM aarch64 backend. A convention that reuses the procedure-call register roles (`x0`–`x7` argument/result, `x8` indirect-result/syscall slot by Linux precedent, `x19`–`x29` callee-saved) minimises impedance: the EL0 stub can be a thin `asm!` wrapper and the EL1 side can hand the saved frame to a normal Rust function. Fighting AAPCS64 costs hand-written shuffling on both sides.
+- **Panic-free return of every error.** The [dispatcher must be panic-free on every untrusted input](../roadmap/phases/phase-b.md#milestone-b5--syscall-boundary) (B0's hardening pattern). The error-return encoding must therefore be able to represent *every* failure as a value in a register — never as a trap, never as a sentinel that aliases a valid result. This rules out "return `-1` and read a thread-local errno later" style schemes that need extra state.
+- **Agreement between in-kernel and userspace error spaces.** The kernel already has granular per-module error enums ([`CapError`](../../kernel/src/cap/mod.rs) with `InvalidHandle` / `InsufficientRights` / `WrongKind`; [`IpcError`](../../kernel/src/ipc/mod.rs); `AddressSpaceError`; `LoadError`; `SchedError`). The syscall error space should *compose* from these via `From` impls per the [error-handling standard §3 / §7](../standards/error-handling.md), not re-invent a parallel flat space that drifts out of sync. The `IpcError` collapse is the one place where the in-kernel space is *less* granular than userspace needs, so it is split here.
+- **Result/value disambiguation.** A capability kernel routinely returns a fresh `CapHandle` (an opaque `u32`-ish index) or a byte count from a syscall. A Linux-style "negative = -errno, non-negative = value" scheme forces every such return through a signedness reinterpretation and steals the high bit from the value space. A capability handle or a length that happens to look like `-EFAULT` is a latent confusion. A *dedicated status register* removes that ambiguity at the cost of one register.
+- **Argument width.** The widest v1 syscall (`send`) needs an endpoint handle + a message label + three payload words + an optional transfer handle = up to six argument words. The convention must carry at least six arguments without spilling to the stack, because copy-from-user of a stack-spilled argument block is exactly the unvalidated-pointer hazard B5 sub-item 5 exists to prevent.
+- **Forward-portability.** The convention is chosen for aarch64 but should not bake in anything that a second architecture (a future RISC-V or x86-64 port) could not mirror with its own register file. "Syscall number in a general register, args in argument registers, status + payload in result registers, a synchronous trap instruction" is a shape every architecture can express; "syscall number in the `SVC` 16-bit immediate" is aarch64-specific.
+- **No information leak that aids forgery.** Splitting `InvalidCapability` reveals *which* validation step failed. For a capability system this is safe (see §Decision outcome → "Security of the taxonomy split"), but the decision must say *why* explicitly rather than assume it.
+
+## Considered options
+
+### Syscall-number location
+
+1. **Number in `x8`, args in `x0`–`x5`, `SVC #0`** (Linux-aarch64 shape). A general register carries the syscall number; the `SVC` immediate is always `0`.
+2. **Number in the `SVC` immediate (`SVC #n`), args in `x0`–`x7`.** The trap instruction itself encodes the syscall.
+3. **Hybrid: small "syscall class" in the `SVC` immediate, sub-number in `x8`.** Two-level dispatch.
+
+### Result / error encoding
+
+A. **Dedicated status register: `x0` = status word (0 = `Ok`, non-zero = stable error code), `x1`+ = payload.** Result and error never alias.
+B. **Signed `x0`: negative = `-errno`, non-negative = value** (Linux). One register carries both.
+C. **Condition-flag based: `PSTATE.C` set on error, `x0` = value-or-code.** The carry bit discriminates.
+
+## Decision outcome
+
+Chosen options: **Syscall-number Option 1** (`x8` = number, `x0`–`x5` = args, `SVC #0`) and **error-encoding Option A** (dedicated status register `x0`, payload in `x1`–`x7`), plus the **K2-5 `IpcError` split** and the **`SyscallError` composition type**.
+
+### Register calling convention (v1)
+
+| Register | On entry (EL0 → EL1) | On return (EL1 → EL0) |
+|----------|----------------------|------------------------|
+| `x8` | Syscall number (see [ADR-0031](0031-initial-syscall-set.md)) | clobbered |
+| `x0`–`x5` | Argument words 0–5 (syscall-specific; see ADR-0031) | `x0` = **status** (`0` = `Ok`; non-zero = `SyscallError` code), `x1`–`x7` = return payload (syscall-specific; v1 uses at most `x1`–`x6`, for `recv`) |
+| `x6`, `x7` | reserved (must be ignored by the kernel in v1) | clobbered |
+| `x9`–`x18` | caller-saved scratch (AAPCS64) | clobbered |
+| `x19`–`x29`, `SP_EL0`, `x30` (LR) | preserved by the kernel across the trap | preserved |
+| `PSTATE` | — | restored from `SPSR_EL1` by `ERET` |
+
+The trap instruction is **`SVC #0`**. The `SVC` immediate is not used to carry information in v1 — keeping it `0` leaves the immediate free for a future fast-path class split (Option 3) without re-encoding existing stubs. The kernel reads the syscall number from `x8`, the arguments from `x0`–`x5`, validates the caller's capabilities, performs the operation, writes `x0` (status) and `x1`–`x7` (payload), and `ERET`s. No syscall reads or writes userspace memory implicitly: any pointer passed in an argument register is validated by copy-from/to-user against the **active** address space (B5 sub-item 5, T-021) before the kernel touches the bytes.
+
+The concrete per-syscall argument and return-register layout, and the concrete syscall numbers, are settled by [ADR-0031](0031-initial-syscall-set.md); this ADR fixes only the *convention* those layouts instantiate.
+
+### Error-return encoding and the `SyscallError` space
+
+`x0` is the **status word**: `0` means `Ok` (read the payload from `x1`–`x7`, syscall-specific); any non-zero value is a stable `SyscallError` discriminant and the payload registers are undefined. The kernel-side error type is:
+
+```rust
+#[non_exhaustive]
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum SyscallError {
+    BadSyscallNumber,          // x8 named no syscall in the v1 set
+    BadArgument,               // an argument was structurally invalid (e.g. label width)
+    FaultAddress,              // a user pointer fell outside the active address space
+    Cap(CapError),             // capability-table failure (composed via From)
+    Ipc(IpcError),             // IPC failure (composed via From)
+    // address-space / loader variants land with their first syscall consumer
+}
+```
+
+`SyscallError` is built by `From<CapError>` / `From<IpcError>` impls per the [error-handling standard §7 "preserve root cause"](../standards/error-handling.md) — the dispatcher does not collapse distinct IPC failures into a generic "internal error". The flat numeric encoding (which non-zero integer each variant maps to) is a stable contract pinned by host ABI tests **when the dispatcher lands (T-021)**; this ADR fixes that the encoding *exists*, is stable, is composed (not re-invented), and that `0` is reserved for `Ok`. `SyscallError` is **not** introduced as dead code ahead of its first producer: the type lands in [T-021](../analysis/tasks/phase-b/T-021-syscall-dispatch.md) alongside the dispatcher that constructs it, consistent with the codebase's no-speculative-surface discipline ([`CapRights::from_raw`](../../kernel/src/cap/rights.rs) §"Forward-API note C1-007" is the analogous "land it with its first ABI consumer" precedent).
+
+### The K2-5 `IpcError` split (lands now, in T-020)
+
+The one in-kernel error that is *less* granular than the userspace space needs is split immediately, because it is pure-Rust and host-testable without any trampoline:
+
+`IpcError::InvalidCapability` → **`IpcError::StaleHandle`** + **`IpcError::MissingRight`** + **`IpcError::WrongObjectKind`**.
+
+The mapping at each validation site:
+
+- **`StaleHandle`** — the capability handle did not resolve in the table (`lookup` failed), or the named kernel object was destroyed (arena `get`/`get_mut` returned `None` after a generation bump). "The reference is dead; re-acquire, do not retry."
+- **`WrongObjectKind`** — the capability resolved but names the wrong kind of object for the operation (e.g. a `Notification` cap handed to `ipc_send`). "Programming error in the caller; you passed the wrong handle."
+- **`MissingRight`** — the capability resolved and is the right kind, but does not carry the right the operation requires (`SEND` / `RECV` / `NOTIFY`). "You hold the object but lack authority; obtain the right."
+
+The validation **order** is `StaleHandle → WrongObjectKind → MissingRight` (resolve → type-check → authority-check). This is the natural diagnostic precedence — a wrong-kind handle is a more fundamental error than a missing right — and it matches [`CapError`](../../kernel/src/cap/mod.rs)'s existing `InvalidHandle` / `WrongKind` / `InsufficientRights` shape so the two spaces read the same way. Re-ordering is observable only for a capability that is *both* wrong-kind and missing-right; all existing rights-failure tests use correct-kind capabilities and therefore continue to return `MissingRight` unchanged.
+
+There are **two distinct `StaleHandle` sources with different precedence**. The first — a *cap-table* `lookup` miss — is the resolve step and ranks first, ahead of kind and rights. The second — an *arena* staleness miss (the cap resolves and is the right kind, but the named kernel object was destroyed and `arena.get` returns `None`) — is structurally a *later* check: it needs an already-resolved, kind-checked, **rights-authorized** handle to index the arena, so in the operation bodies (`ipc_send` / `ipc_recv` / `ipc_notify` / `ipc_cancel_recv`) it runs *after* the rights check. Consequently a capability that is the right kind, lacks the right, **and** names a destroyed object reports `MissingRight`, not `StaleHandle`. This is intentional and harmless: both facts concern the caller's own handle, and "you don't hold the right" is the more actionable answer; the strict `StaleHandle`-first total order applies to the *resolve* step, not to the post-authorization arena-liveness re-check.
+
+`IpcError::InvalidTransferCap` is **not** split in this ADR. Its collapse (`InvalidHandle` vs `HasChildren`, documented as note C3-008 in [`ipc/mod.rs`](../../kernel/src/ipc/mod.rs)) is a separate, transfer-side distinction; `IpcError` is `#[non_exhaustive]`, so a `TransferCapHasChildren` variant can be added by a later ADR without a breaking change when a userspace transfer consumer needs it. Splitting it now would be speculative.
+
+### Security of the taxonomy split
+
+Collapsing the three failure modes was originally defended as attacker-resistance — the caller cannot learn *which* check failed. Splitting reverses that, so the decision must justify why it is safe:
+
+A capability table is **per-subject and unforgeable** ([ADR-0014](0014-capability-representation.md)). A task only ever sees handles into its **own** table; generation tags prevent a stale handle from aliasing a live one. The three new variants therefore reveal only facts about handles the caller already possesses and controls: that *its own* handle is stale, names the wrong kind, or lacks a right. None of this helps forge a capability, enumerate another subject's caps, or mount a confused-deputy attack — the information is about the caller's own authority, not the kernel's secrets. The diagnostic value (a genuine [error-handling §checklist](../standards/error-handling.md) "handleable distinction") therefore dominates the negligible residual leak. This is the explicit trade ADR-0030 accepts. (The *object identity* a capability names — the slot index / generation — remains redacted from `Capability`'s `Debug` impl per B5 sub-item 6 / K3-9, landed in T-020; the taxonomy split does not expose it.)
+
+### Simulation
+
+A worst-case EL0 `SVC` handshake through the chosen convention (`(state-pre, action, state-post, observable)`):
+
+| Step | State pre | Action | State post | Observable effect |
+|------|-----------|--------|------------|-------------------|
+| 0 | EL0 task running; `x8`=NR, `x0`–`x5`=args | `SVC #0` | `ELR_EL1`←PC+4, `SPSR_EL1`←PSTATE, `PSTATE.EL`←1, `PC`←`VBAR_EL1`+0x400 (lower-EL aarch64 sync) | trap into EL1 sync vector; **no kernel state mutated yet** |
+| 1 | EL1 sync vector; user GPRs live | save `x0`–`x30` + `SP_EL0` to the trap frame; read `ESR_EL1.EC`; `0b010101` (SVC64) → syscall dispatch, else → fault routing (B5 out-of-scope) | trap frame holds user regs; Rust dispatcher entered with `(nr=x8, args=x0..x5)` | dispatcher runs at EL1 on the kernel stack |
+| 2 | dispatcher; `nr` not in the v1 set | `decode(nr)` → `None` | `x0`←`SyscallError::BadSyscallNumber` code; payload registers undefined | **panic-free**; no capability touched; falls through to ERET |
+| 3 | dispatcher; `nr`=`send`; `ep_cap` stale / wrong-kind / missing `SEND` | `ipc_send` → `Err(IpcError::{StaleHandle\|WrongObjectKind\|MissingRight})` → `From` → `SyscallError::Ipc(_)` | `x0`←non-zero status; payload undefined; **endpoint + caller-table state unchanged** (pre-flight returns before mutation) | typed error, no panic, observable state byte-identical to pre-call |
+| 4 | dispatcher; `nr`=`console_write(cons_cap, ptr, len)`; `cons_cap` valid but `[ptr,ptr+len)` not mapped in the active AS | capability check on `cons_cap` passes (debug-console cap, per [ADR-0031](0031-initial-syscall-set.md)); then `copy_from_user` validates the range against the active translation → out of range | `x0`←`SyscallError::FaultAddress`; **no raw deref of `ptr`** | panic-free; capability-gated; the kernel never dereferences an unvalidated user pointer |
+| 5 | dispatcher; `nr`=`send`; ok | `ipc_send` → `Ok(outcome)`; restore frame | `x0`←`0` (`Ok`); `x1`←outcome encoding; `ERET` | return to EL0; `SPSR_EL1`/`ELR_EL1` restore PSTATE+PC; results in `x0`/`x1` |
+
+#### Simulation row-to-verification mapping
+
+Per the [`write-adr` skill §Procedure step 5 sub-bullet](../../.agents/skills/write-adr/SKILL.md), each row maps to a concrete verification artefact in an implementing task:
+
+- **Row 3 (IPC error taxonomy) → [T-020](../analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md)** host tests: the per-variant `ipc_send`/`ipc_recv`/`ipc_notify`/`ipc_cancel_recv` tests pinning `StaleHandle` / `WrongObjectKind` / `MissingRight`, plus the `From<IpcError> for SyscallError` round-trip test (the latter lands with `SyscallError` in T-021). T-020 discharges this row **now**.
+- **Rows 0, 1 (`SVC` trap + register frame save/restore) — split across two milestones.** The dispatcher and trap-frame asm are **shared** code that is privilege-entry-agnostic; the *only* difference between the two entry paths is which `VBAR_EL1` slot the handler is installed at and which mode `SPSR_EL1` restores. The table's row 0 describes the **real EL0 ABI** path — an `SVC` from EL0 takes the **lower-EL-AArch64** sync vector at `VBAR_EL1 + 0x400` and `ERET`s back to EL0. **A real EL0 task cannot take this trap until B6** (it needs kernel mappings in its address space so the vector fetch translates, plus an EL0-ready context register file — both gated on the [ADR-0033 high-half placeholder](0027-kernel-virtual-memory-layout.md)). So **rows 0/1 are runtime-verified in B6**, not B5. **T-021's B5-reachable proxy** is an **EL1 kernel-stub** that issues `SVC #0`, which — because it executes at the *current* EL — takes the **current-EL-with-SPx** sync vector at `VBAR_EL1 + 0x200`, **not** the lower-EL vector. T-021 therefore installs the same dispatcher at *both* the `0x200` and `0x400` sync slots, host-tests the dispatcher logic directly, and smoke-tests the shared trap-frame-save → decode → `ERET` mechanism via the `0x200` self-`SVC` path (new `UNSAFE-YYYY-NNNN` audit entry). What the `0x200` proxy does **not** prove — the `0x400` vector entry itself, the EL0↔EL1 privilege transition, and copy-user against a *separate* userspace `TTBR0_EL1` AS — is exactly what B6's real EL0 round-trip closes.
+- **Row 2 (unknown number → `BadSyscallNumber`) → T-021**: host dispatcher decode test.
+- **Row 4 (capability check + copy-from-user bounds) → T-021**: host copy-from/to-user range-validation tests + the debug-console capability check ([ADR-0031](0031-initial-syscall-set.md)).
+- **Row 5 (success `ERET`) → T-021** for the `0x200` proxy round-trip (host ABI encode/decode + smoke); the real EL0 `0x400` round-trip → **B6**.
+
+T-020 discharges row 3 in this milestone. T-021 discharges rows 2/4 and the *mechanism* half of rows 0/1/5 (via the `0x200` current-EL proxy + host tests). The *real-EL0* half of rows 0/1/5 (the `0x400` lower-EL vector + privilege transition + userspace-AS copy-user) is runtime-verified in **B6**, when a real EL0 task first exists. No row is left without a named artefact, and no row's verification is over-claimed for the milestone it lands in (avoiding both the skill's "Simulation table without verification = documentation drift" anti-pattern and an over-stated B5 smoke).
+
+### Dependency chain
+
+For this decision to be **fully** in effect:
+
+```text
+1. Split IpcError::InvalidCapability → StaleHandle / MissingRight / WrongObjectKind
+   across ipc/mod.rs + sched/mod.rs + tests; redact Capability's Debug (K3-9). — T-020 (opens with this ADR)
+2. SyscallError composition type + From<CapError>/From<IpcError> impls.            — T-021 (opens with this ADR)
+3. EL0-sync exception-vector entry + user-register trap frame save/restore.       — T-021
+4. Panic-free syscall dispatcher (x8 decode → handler → x0/x1.. encode).          — T-021
+5. copy-from/to-user validated against the active address space.                  — T-021
+6. The concrete v1 syscall set + per-call register layout + numbers.              — ADR-0031 (opens with this ADR)
+7. Kernel mappings in the userspace AS + EL0-ready Task context register file
+   (so a real EL0 task can take the trap and the EL1 vector fetch translates).    — ADR-0033 (high-half;
+                                                                                     slot reserved, opens with
+                                                                                     the first per-task TTBR0 swap)
+8. tyrne-user safe syscall wrapper crate + first EL0 caller.                       — Phase B6 (deferred)
+```
+
+Steps 1–2 + 6 are grounded in tasks/ADRs opened in the same commit set as this ADR (T-020, T-021, ADR-0031), per [ADR-0025 §Rule 1](0025-adr-governance-amendments.md). Steps 3–5 are T-021's scope. Step 7 is the [ADR-0033 high-half placeholder](0027-kernel-virtual-memory-layout.md) (named-but-unallocated, the same forward-flag shape [ADR-0029](0029-initial-userspace-image-format.md) used for ADR-0034) — until it lands, the syscall path is exercised by an **EL1 kernel-stub caller** (B5 acceptance criterion #7), not a real EL0 task. Step 8 is the natural B6 work and is not opened today.
+
+## Consequences
+
+### Positive
+
+- **The widest interface in the system is settled once, before any code depends on it.** The EL0 stub, the EL1 frame, the dispatcher, the host ABI tests, and the `tyrne-user` crate all instantiate one written convention. No "decide the ABI by what the first trampoline happened to do" drift.
+- **Result and error never alias.** The dedicated status register means a `CapHandle`, a byte count, or a `Message` word returned in `x1` can take any bit pattern — including ones that would look like `-EFAULT` under a signed-errno scheme — without ambiguity. This removes a whole class of latent confusion that Linux's convention carries.
+- **The in-kernel and userspace error spaces agree from the start.** `SyscallError` composes from `CapError` / `IpcError` via `From`; the `IpcError` split removes the one place where the kernel was coarser than userspace needs. A binding can map every failure to a distinct, handleable cause.
+- **The taxonomy split is immediately useful and immediately testable.** Splitting `InvalidCapability` is pure-Rust; T-020 lands it with host tests in this milestone, well ahead of the trampoline, so the error space is exercised by the existing IPC test suite before the first syscall exists.
+- **AAPCS64 reuse keeps both sides thin.** The EL0 stub is a register-load + `SVC #0`; the EL1 side hands a saved frame to ordinary Rust. No bespoke marshalling.
+
+### Negative
+
+- **Six argument registers cap the v1 syscall arg width.** A syscall needing more than six word-sized arguments must pass a pointer to an argument block — which then needs copy-from-user validation. *Mitigation:* the v1 set ([ADR-0031](0031-initial-syscall-set.md)) is designed to fit in six registers (`send` is the widest at six). When a wider syscall surfaces (B6+), it uses the already-required copy-from-user path; no ABI change.
+- **One register spent on status.** Option B (signed errno) would free `x0` to carry a value. *We accept this cost* because the disambiguation it buys (no value/-errno aliasing) is worth one register in a 31-register file, and a capability kernel returns opaque handles constantly.
+- **The taxonomy split reveals which validation step failed.** A marginal information leak versus the prior collapse. *We accept this* on the §"Security of the taxonomy split" argument: the facts revealed are about the caller's own per-subject, unforgeable handles and aid no forgery or enumeration. The decision is explicit, not incidental.
+- **`SyscallError`'s concrete numeric encoding is deferred to T-021.** This ADR fixes the convention but not the integers. *Mitigation:* the integers are a stable contract the moment T-021's host ABI tests pin them; deferring avoids committing numbers before the dispatcher's shape is concrete, and `0 = Ok` (the only number userspace branches on structurally) is fixed here.
+
+### Neutral
+
+- **`SVC #0` leaves the immediate free.** A future fast-path "syscall class" split (Option 3) can use the `SVC` immediate without re-encoding v1 stubs, because v1 stubs all use `#0`.
+- **The convention is aarch64-shaped but architecture-portable in spirit.** "Number in a GPR, args in arg regs, status+payload in result regs, synchronous trap" is expressible on RISC-V (`ecall`, `a7`=nr, `a0`–`a5` args) and x86-64 (`syscall`, `rax`=nr) with the same structure; only the register names change. No second-architecture ADR is forced today.
+- **`x6`/`x7` reserved, not used.** v1 ignores them; reserving rather than repurposing keeps room for a seventh/eighth argument or a future flags word without a convention break.
+
+## Pros and cons of the options
+
+### Syscall-number Option 1 — number in `x8`, `SVC #0` (chosen)
+
+- **Pro:** Matches Linux-aarch64, so the mental model and any borrowed tooling/disassembly intuition transfer; `x0`–`x7` stay free for arguments/results.
+- **Pro:** The `SVC` immediate stays `0` and free for a future class split.
+- **Pro:** Architecture-portable shape (a GPR carries the number).
+- **Con:** Costs one register (`x8`) that a pure-immediate scheme would leave free for an argument.
+
+### Syscall-number Option 2 — number in the `SVC` immediate
+
+- **Pro:** Frees `x8`; the trap instruction self-documents the call in a disassembly.
+- **Con:** The `SVC` immediate is 16 bits and **aarch64-specific** — a second-architecture port cannot mirror it (RISC-V `ecall` / x86-64 `syscall` carry no immediate), forcing a divergent convention later.
+- **Con:** The number is baked into the instruction stream, so a syscall stub cannot compute its number at runtime (e.g. a generic `syscall(nr, ...)` shim) — every syscall needs its own hand-written `SVC #n`.
+
+### Syscall-number Option 3 — hybrid class + sub-number
+
+- **Pro:** Enables a fast-path class (e.g. a register-only `send`) without a table lookup.
+- **Con:** Two-level dispatch is premature for a five-syscall v1 set; pure over-engineering today. *Kept available* by Option 1's free `SVC` immediate.
+
+### Error-encoding Option A — dedicated status register (chosen)
+
+- **Pro:** Result and error never alias; payload registers carry any bit pattern.
+- **Pro:** Maps one-to-one onto Rust `Result<Payload, SyscallError>` on both sides.
+- **Con:** Spends one register on status.
+
+### Error-encoding Option B — signed `-errno` in `x0`
+
+- **Pro:** Frees a register; the universal Unix convention.
+- **Con:** Steals the high bit / negative range from every value return; a handle or length that aliases `-errno` is a latent bug. Bad fit for a kernel that returns opaque handles constantly.
+
+### Error-encoding Option C — condition-flag (`PSTATE.C`)
+
+- **Pro:** Frees `x0` entirely for the value.
+- **Con:** `PSTATE` is restored from `SPSR_EL1` by `ERET`; threading a result flag through the saved-PSTATE path is fragile and easy to clobber. Architecture-specific and error-prone. Rejected.
+
+## References
+
+- [Phase B §B5 — Syscall boundary](../roadmap/phases/phase-b.md#milestone-b5--syscall-boundary) — milestone scope, including the K2-5 bundle and the panic-free-dispatcher requirement.
+- [ADR-0024 — EL drop to EL1 policy](0024-el-drop-policy.md) — the EL0/EL1 privilege boundary this ABI crosses.
+- [ADR-0031 — Initial syscall set](0031-initial-syscall-set.md) — the concrete v1 syscalls + per-call register layout that instantiate this convention.
+- [ADR-0017 — IPC primitive set](0017-ipc-primitive-set.md) — the IPC operations whose error taxonomy is split here (see its §Revision notes rider).
+- [ADR-0014 — Capability representation](0014-capability-representation.md) — per-subject unforgeable handles; the basis for the taxonomy-split security argument.
+- [error-handling standard](../standards/error-handling.md) — §3/§7 `From`-composition, the design checklist's "handleable distinction" rule.
+- [`docs/architecture/exceptions.md`](../architecture/exceptions.md) — the EL1 vector table the syscall vector slots into.
+- [`docs/architecture/security-model.md`](../architecture/security-model.md) — the userspace→kernel trust boundary.
+- [Linux aarch64 syscall ABI](https://www.kernel.org/doc/html/latest/arm64/) — `x8`=number, `x0`–`x5` args, `x0` return (Option 1 / Option B prior art).
+- [ARM ARM §D1 "The AArch64 System Level Programmers' Model"](https://developer.arm.com/documentation/ddi0487/latest) — `SVC`, `ESR_EL1.EC`, `ELR_EL1` / `SPSR_EL1` / `ERET` semantics.
+- [Procedure Call Standard for the Arm 64-bit Architecture (AAPCS64)](https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst) — caller/callee-saved register roles.
+- [seL4 manual §"System Calls"](https://sel4.systems/Info/Docs/seL4-manual-latest.pdf) — message-register / dedicated-status-word prior art for a capability kernel.
diff --git a/docs/decisions/0031-initial-syscall-set.md b/docs/decisions/0031-initial-syscall-set.md
new file mode 100644
index 0000000..e81c59c
--- /dev/null
+++ b/docs/decisions/0031-initial-syscall-set.md
@@ -0,0 +1,163 @@
+# 0031 — Initial syscall set (B-phase)
+
+- **Status:** Accepted
+- **Date:** 2026-05-29
+- **Deciders:** @cemililik
+
+## Context
+
+[ADR-0030](0030-syscall-abi.md) settles *how* a syscall is made — the register calling convention (`x8` = number, `x0`–`x5` = arguments, `x0` = status, `x1`–`x7` = payload), the `SVC #0` trap, and the `SyscallError` space. This ADR settles *which* syscalls exist in the B-phase and the concrete per-call register layout each one instantiates.
+
+The set must be **small**. [Phase B § B5](../roadmap/phases/phase-b.md#milestone-b5--syscall-boundary) names the floor and the ceiling in one sentence: "At minimum: `send`, `recv`, `console_write` (debug-gated), `task_yield`, `task_exit`. No more in v1." The reasoning is the same "smallest shape that works now" discipline ADR-0029 (raw-flat image) and ADR-0035 (bitmap PMM) applied: every syscall is a permanent piece of the userspace ABI surface and a panic-free dispatch path the kernel must keep correct forever. Adding a syscall is cheap to write and expensive to ever remove, so v1 ships exactly the calls B6's first "hello" userspace task needs to do useful work and exercise the boundary — and not one more.
+
+What B6's first userspace task must be able to do: print to the serial console (`console_write`), exit cleanly so the kernel reclaims it (`task_exit`), and — to prove the IPC path works end-to-end across the privilege boundary, not just kernel-internally — send and receive on an endpoint (`send` / `recv`). `task_yield` rounds out cooperative multitasking from EL0. Capability-management syscalls (`cap_copy` / `cap_derive` / `cap_revoke`), `notify`, and address-space `map`/`unmap` are deliberately **not** exposed in v1 — no v1 userspace consumer needs them, and the kernel-internal surfaces remain reachable only from EL1.
+
+The stakes: a syscall number, once a userspace binary depends on it, is part of a stable contract. Getting the *set* wrong (too large) is unused attack surface in the dispatcher; getting it too small blocks B6. Getting a per-call layout wrong means re-churning the `tyrne-user` wrapper. The decision is bounded because the numbers and layouts are pinned by host ABI tests when the dispatcher lands ([T-021](../analysis/tasks/phase-b/T-021-syscall-dispatch.md)), so an error is caught mechanically rather than at runtime.
+
+## Decision drivers
+
+- **B6 sufficiency.** The set must be exactly enough for B6's "hello from userspace" + clean exit + an IPC round-trip, and no more. See [phase-b §B6](../roadmap/phases/phase-b.md#milestone-b6--first-userspace-hello).
+- **Panic-free dispatch surface.** Every syscall is a handler the dispatcher must keep panic-free on all untrusted input ([ADR-0030](0030-syscall-abi.md), B0 hardening). Fewer syscalls = smaller audited surface.
+- **Register-budget fit.** Each call's arguments must fit in `x0`–`x5` (six words) and its results in `x0`–`x7` per [ADR-0030](0030-syscall-abi.md), without spilling to a stack-passed block that would need its own copy-from-user validation. The widest call drives the budget.
+- **Reuse of existing kernel surfaces.** A syscall handler should be a thin validator + a call into an existing kernel primitive (`ipc_send` / `ipc_recv` / scheduler `yield_now` / the console HAL), not new subsystem logic. The syscall layer adds the EL0 boundary, not new capability semantics.
+- **Defence-in-depth on the number space.** An uninitialised `x8` (zero) must not accidentally name a real syscall; a release build must not expose a debug-only console.
+- **No capability authority widening.** The syscalls expose operations the caller's capabilities *already* authorise; the syscall layer is a gate, never a new grant. `console_write` is the one debug affordance and is gated accordingly.
+
+## Considered options
+
+1. **The phase-b floor set: `send`, `recv`, `console_write`, `task_yield`, `task_exit` (five).** Exactly what B6 needs.
+2. **A larger "useful from day one" set** adding `notify`, `cap_copy` / `cap_derive` / `cap_revoke`, and address-space `map` / `unmap` — so userspace can manage its own capabilities and memory without a later ABI bump.
+3. **An ultra-minimal set: `console_write` + `task_exit` (two).** The absolute floor to make B6's greeting + exit work, deferring even IPC from EL0 to a later milestone.
+
+## Decision outcome
+
+Chosen option: **Option 1 — the five-syscall phase-b floor set.**
+
+It is the smallest set that lets B6's first userspace task both *do* something observable (`console_write`, `task_exit`) and *exercise the boundary that B5 exists to build* (`send` / `recv` cross the EL0→EL1 line, proving capability-gated IPC works from userspace, not just kernel-internally). `task_yield` makes cooperative multitasking reachable from EL0 with a near-zero-cost handler. Option 3 is too small — it would ship a syscall boundary that never carries an IPC message, leaving the most security-relevant path (capability-gated `send`/`recv` from untrusted EL0) unexercised until a later milestone, which defeats the point of building the boundary now. Option 2's extra calls have **no v1 consumer**; each would be unused dispatch surface to keep panic-free, and `IpcError`/`CapError` are `#[non_exhaustive]`, so the set can grow without breaking the ABI when a real consumer appears.
+
+### Syscall table (v1)
+
+Numbers instantiate [ADR-0030](0030-syscall-abi.md)'s convention: `x8` = number, arguments in `x0`–`x5`, `x0` = status (`0` = `Ok`), payload in `x1`–`x7`. **Number `0` is reserved-invalid** (an uninitialised `x8` must fault, not dispatch) and always returns `SyscallError::BadSyscallNumber`. The integers `1`–`5` below are a **fixed decision**, not tentative: as an Accepted ABI ADR, this table *is* the contract. T-021's host tests **regression-verify** these numbers and layouts; they do not get to choose them.
+
+| `x8` | Name | Arguments (`x0`…) | Returns (`x0`=status, then payload) | Capability checked | Backing primitive |
+|------|------|-------------------|--------------------------------------|--------------------|-------------------|
+| `0` | *(reserved-invalid)* | — | always `BadSyscallNumber` | — | — |
+| `1` | `send` | `x0`=ep cap handle, `x1`=`msg.label`, `x2..x4`=`msg.params[0..3]`, `x5`=transfer cap handle (or the reserved **null-handle sentinel** = "no transfer") | `x1`=`SendOutcome` (`0`=Delivered, `1`=Enqueued) | endpoint cap (`SEND`) | [`ipc_send`](../../kernel/src/ipc/mod.rs) |
+| `2` | `recv` | `x0`=ep cap handle | `x1`=`RecvOutcome` (`0`=Received, `1`=Pending), `x2`=`msg.label`, `x3..x5`=`msg.params[0..3]`, `x6`=transferred cap handle (or null sentinel if none) | endpoint cap (`RECV`) | [`ipc_recv`](../../kernel/src/ipc/mod.rs) |
+| `3` | `task_yield` | — (args ignored) | *(no payload)* | self (current task) | scheduler `yield_now` |
+| `4` | `task_exit` | `x0`=exit code | **does not return** to the caller | self (current task) | scheduler task-termination (B6) |
+| `5` | `console_write` | `x0`=debug-console cap handle, `x1`=user VA of byte buffer, `x2`=length | `x1`=bytes written | debug-console cap (write) | console HAL `write_bytes`, via copy-from-user |
+
+Notes that bind the table:
+
+- **`send` / `recv` carry the `Message` in registers**, not via a user-pointer buffer. A `Message` is four words (`label` + three `params`); register-passing fits the [ADR-0030](0030-syscall-abi.md) budget (`send` uses `x0`–`x5` for args; `recv` returns in `x1`–`x6`) and avoids a copy-from/to-user round-trip on the common small-message path. When messages grow past the register budget (post-v1), a pointer-buffer variant lands without disturbing these numbers. The **null-handle sentinel** that means "no transfer" / "no cap received" is a reserved `CapHandle` value no live handle can take; its exact bit pattern is T-021's encoder detail (it must round-trip with `Option<CapHandle>`).
+- **Every syscall that names a *separate* object is capability-gated, per [P1 / P4](../standards/architectural-principles.md).** `send` / `recv` check the endpoint capability (`SEND` / `RECV`); `console_write` checks a **debug-console capability** (its first argument, `x0`). `task_yield` / `task_exit` act on the **caller's own task** — the kernel identifies the caller from its trusted current-task pointer (set at dispatch, not a forgeable argument). This is the caller's inherent authority over its own execution thread, not ambient authority over another object, so these two take no object-capability argument; the trust-boundary check P4 demands is "is there a valid current task?" (always true on the syscall path) plus the kernel never letting the caller name a *different* task. No syscall reaches a privileged effect on another object without a capability.
+- **`console_write` is capability-gated *and* debug-gated** — two independent gates. (1) **Capability gate (authority):** the caller must hold a debug-console capability (arg `x0`); the dispatcher validates it (resolves, kind = debug-console, carries the write right) before any output, returning a typed `SyscallError` otherwise — this is the [P1 / P4](../standards/architectural-principles.md)-mandated authority check, present in *all* builds. The concrete `CapObject` kind for the debug console and its grant-at-load wiring are [T-021](../analysis/tasks/phase-b/T-021-syscall-dispatch.md) (object + check) and B6 (grant to the first userspace task). (2) **Debug gate (defence-in-depth):** in a non-debug build the dispatcher additionally treats number `5` as unknown and returns `BadSyscallNumber`, so the debug console is *absent* from the production syscall surface even for a holder of the capability. The exact debug-gate mechanism (`cfg!(debug_assertions)` arm vs. a Cargo feature) is T-021's implementation choice; the two-gate *contract* is fixed here. **`console_write` is the only syscall that takes a user pointer**: its handler validates `[ptr, ptr+len)` against the **active** address space via copy-from-user before touching a byte (B5 sub-item 5); it never dereferences the raw pointer.
+- **`task_exit` does not return.** Control does not come back to the caller, so the ABI defines no return value for it. Its real semantics — mark the EL0 task terminated, drop its context, dispatch the next ready task — depend on the per-task EL0 context register file that does not exist until B6 (gated on the [ADR-0033 high-half placeholder](0027-kernel-virtual-memory-layout.md)). T-021 implements the dispatch and a kernel-stub stand-in; the real EL0-task termination lands with B6's first userspace task.
+- **`task_yield` always succeeds in v1** (status `Ok`); it is a thin EL0-reachable wrapper over the scheduler's cooperative `yield_now`, acting on the caller's own task.
+
+### Simulation
+
+Representative invocations walking the [ADR-0030](0030-syscall-abi.md) convention (`(state-pre, action, state-post, observable)`):
+
+| Step | State pre | Action | State post | Observable effect |
+|------|-----------|--------|------------|-------------------|
+| 0 | caller: `x8`=5 (`console_write`), `x0`=valid debug-console cap, `x1`=buf VA, `x2`=len; **debug build**; buf mapped in active AS | dispatch → **cap check on `x0` passes** → copy-from-user validates `[buf,buf+len)` → console `write_bytes` | bytes emitted on serial | `x0`←`0` (`Ok`), `x1`←len; **no raw user-ptr deref** |
+| 1 | caller: `x8`=5, `x0`=stale / wrong-kind / no-write debug-console cap | dispatch → **cap check on `x0` fails** before any output | unchanged | `x0`←typed `SyscallError` (`Cap`/`Ipc`-family); **console untouched — authority gate, all builds** |
+| 2 | caller: `x8`=5, `x0`=valid cap, `x1`=buf VA, `x2`=len; **buf not mapped** in active AS | cap check passes; copy-from-user range check fails | unchanged | `x0`←`FaultAddress`; kernel never read the buffer |
+| 3 | caller: `x8`=2 (`recv`), `x0`=ep cap; a sender already delivered `{label, params, cap}` | `ipc_recv` → `Ok(Received{msg, cap})`; install cap into caller table | endpoint `Idle`; cap in caller table | `x0`←`0`, `x1`←`0`(Received), `x2`←label, `x3..x5`←params, `x6`←new cap handle |
+| 4 | caller: `x8`=4 (`task_exit`), `x0`=code | mark caller (the current task) terminated; dispatch next ready task | caller gone; scheduler runs another task | **no return** to caller; kernel reports termination (B6) |
+
+The second, independent **release debug-gate** (number `5` → `BadSyscallNumber` in non-debug builds, even for a capability holder) is not a separate row — it short-circuits dispatch ahead of row 0's cap check and is covered in the binding note above.
+
+#### Simulation row-to-verification mapping
+
+Per the [`write-adr` skill §Procedure step 5 sub-bullet](../../.agents/skills/write-adr/SKILL.md), all rows are discharged by **[T-021](../analysis/tasks/phase-b/T-021-syscall-dispatch.md)** (the dispatcher task), because every row is a trampoline/dispatch behaviour:
+
+- Row 0 (`console_write` happy path, cap check passes) → T-021 host copy-from-user test + the QEMU kernel-stub-SVC smoke trace showing the emitted bytes.
+- Row 1 (debug-console **capability check fails**) → T-021 host dispatcher test asserting a stale/wrong-kind/no-write cap yields a typed `SyscallError` with no console output (the [P1 / P4](../standards/architectural-principles.md) authority gate).
+- Row 2 (`FaultAddress`) → T-021 host copy-from-user out-of-range test.
+- Row 3 (`recv` register unpack) → T-021 host ABI encode/decode round-trip test over `RecvOutcome` + `Message` + `Option<CapHandle>`.
+- Row 4 (`task_exit` no-return) → T-021 dispatcher test (kernel-stub stand-in); real EL0 termination → B6.
+- The release **debug-gate** → T-021 host dispatcher test asserting number `5` → `BadSyscallNumber` under `not(debug_assertions)`.
+
+The IPC *error-taxonomy* rows these syscalls inherit (a `send` to a stale/wrong-kind/no-`SEND` cap) are discharged by **[T-020](../analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md)** per [ADR-0030 §Simulation row 3](0030-syscall-abi.md#simulation). The runtime EL0-vs-EL1 verification split (B5 kernel-stub via the current-EL `0x200` vector vs. B6 real EL0 via `0x400`) is recorded in [ADR-0030 §Simulation row-to-verification mapping](0030-syscall-abi.md#simulation).
+
+### Dependency chain
+
+For this decision to be **fully** in effect:
+
+```text
+1. Syscall calling convention + SyscallError space.                 — ADR-0030 (opens with this ADR)
+2. Panic-free dispatcher decoding x8 → one of {1..5}, else
+   BadSyscallNumber; number 0 reserved-invalid.                     — T-021 (opens with this ADR)
+3. Handlers wiring each syscall to its backing primitive
+   (ipc_send/ipc_recv/yield_now/console write_bytes/terminate).     — T-021
+4. Debug-console capability kind (CapObject) + the dispatcher's
+   capability check for console_write (the P1/P4 authority gate).   — T-021 (object + check)
+5. copy-from-user for console_write's buffer.                       — T-021
+6. The release debug-gate mechanism for console_write.              — T-021 (design-notes choice)
+7. EL0-ready Task context so task_exit/task_yield have a real EL0
+   task to terminate/reschedule.                                    — ADR-0033 (placeholder) + Phase B6
+8. Debug-console capability granted to the first userspace task.    — Phase B6
+9. tyrne-user safe wrappers exposing these five calls.              — Phase B6 (deferred)
+```
+
+Steps 1–6 are grounded in ADR-0030 + T-021, opened in the same commit set as this ADR per [ADR-0025 §Rule 1](0025-adr-governance-amendments.md). Steps 7–9 are explicit forward-flags (the [ADR-0033 high-half placeholder](0027-kernel-virtual-memory-layout.md) and B6), the same shape [ADR-0029](0029-initial-userspace-image-format.md) used for its deferred build-pipeline step. Until step 7 lands, the five syscalls are exercised by an EL1 kernel-stub caller (B5 acceptance criterion #7), not a real EL0 task.
+
+## Consequences
+
+### Positive
+
+- **The dispatch surface is minimal and fully audited.** Five real syscalls + one reserved-invalid number; every handler is a thin validator over an existing kernel primitive. Nothing to keep panic-free that no consumer needs.
+- **The boundary is exercised, not just built.** `send`/`recv` from EL0 prove capability-gated IPC across the privilege line — the highest-value B5 test — rather than deferring it.
+- **Every object-naming syscall is capability-gated; no ambient authority.** `send`/`recv` check the endpoint cap, `console_write` checks a debug-console cap, and `task_yield`/`task_exit` act only on the caller's own (trusted-current-task) identity — upholding [P1 / P4](../standards/architectural-principles.md) uniformly across the v1 set.
+- **`0`-reserved + the release debug-gate are defence-in-depth on top of the capability gate.** An uninitialised syscall number faults; production builds drop `console_write` from the surface entirely even for a capability holder.
+- **Register-passing keeps the common path allocation-free and copy-free.** Only `console_write` touches user memory, so only one handler carries the copy-from-user cost; `send`/`recv` stay register-only.
+- **`#[non_exhaustive]` error spaces mean the set can grow safely.** Adding `notify` or `cap_*` later is additive — new numbers, new `From` paths — with no break to the v1 five.
+
+### Negative
+
+- **No userspace capability management in v1.** A v1 EL0 task cannot `cap_copy`/`derive`/`revoke` its own caps; it works only with the caps the loader/parent granted. *Mitigation:* no v1 userspace needs this; the kernel-internal cap operations remain available, and the syscalls land when a real consumer (a multi-task userspace service, post-B6) surfaces.
+- **No `notify` from EL0.** An EL0 task cannot signal a notification. *We accept this* — v1's notification users are kernel-internal; the syscall is additive later.
+- **`Message` is register-bound to four words.** A larger payload needs a pointer-buffer variant. *Mitigation:* the four-word `Message` is fixed by [ADR-0017](0017-ipc-primitive-set.md); a wider message is a separate ADR with its own syscall number, leaving these layouts intact.
+- **`task_exit` semantics are only half-real in B5.** Until B6's EL0 context exists, `task_exit` is dispatcher-plumbing over a kernel-stub. *Mitigation:* the ABI shape ("does not return") is fixed now; the termination behaviour lands with the task it terminates.
+
+### Neutral
+
+- **Syscall numbers `0`–`5` are a fixed decision, not tentative.** As an Accepted ABI ADR, this table is the contract; T-021's host tests regression-verify the numbers and layouts, they do not choose them.
+- **The release debug-gate *mechanism* is left to T-021** (a `cfg!(debug_assertions)` arm vs. a Cargo feature) — but the gate's *existence* and the capability check are both fixed decisions here.
+- **A new `CapObject` kind (debug console) lands in T-021.** This is the smallest object addition that keeps `console_write` capability-gated; it is the first capability kind introduced by a syscall rather than by the kernel-object subsystem directly.
+- **The set maps one-to-one onto the future `tyrne-user` crate's public API.** B6's wrapper crate exposes exactly these five.
+
+## Pros and cons of the options
+
+### Option 1 — five-syscall floor set (chosen)
+
+- **Pro:** Exactly B6's needs; smallest panic-free dispatch surface.
+- **Pro:** Exercises the capability-gated IPC boundary from EL0 (the key B5 test).
+- **Pro:** Register-only for four of five calls; one copy-from-user path.
+- **Con:** No EL0 cap-management / `notify` in v1 (additive later; no v1 consumer).
+
+### Option 2 — larger "useful from day one" set
+
+- **Pro:** Userspace can manage its own caps + memory without a later ABI bump.
+- **Con:** Every added call is unused dispatch surface that must be kept panic-free with **no v1 consumer** to validate it — speculative ABI.
+- **Con:** Larger audited attack surface at the most security-sensitive boundary, for zero v1 benefit.
+- **Con:** `#[non_exhaustive]` already makes growth non-breaking, so the "avoid a later bump" pro is moot.
+
+### Option 3 — ultra-minimal `console_write` + `task_exit`
+
+- **Pro:** Absolute smallest path to B6's greeting + exit.
+- **Con:** Ships a syscall boundary that never carries an IPC message — the most security-relevant EL0→EL1 path (capability-gated `send`/`recv`) stays unexercised, defeating the purpose of building the boundary in B5.
+- **Con:** `task_yield` is near-free to add and makes cooperative EL0 multitasking reachable; omitting it is false economy.
+
+## References
+
+- [Phase B §B5 — Syscall boundary](../roadmap/phases/phase-b.md#milestone-b5--syscall-boundary) — the floor/ceiling sentence this ADR implements.
+- [Phase B §B6 — First userspace "hello"](../roadmap/phases/phase-b.md#milestone-b6--first-userspace-hello) — the consumer that justifies the set.
+- [ADR-0030 — Syscall ABI and userspace error taxonomy](0030-syscall-abi.md) — the convention these calls instantiate.
+- [ADR-0017 — IPC primitive set](0017-ipc-primitive-set.md) — `send`/`recv`/`notify` and the four-word `Message` shape.
+- [ADR-0014 — Capability representation](0014-capability-representation.md) — the `CapHandle` the null-sentinel reserves against.
+- [`docs/architecture/ipc.md`](../architecture/ipc.md) — the IPC operations `send`/`recv` wrap.
+- [seL4 manual §"System Calls"](https://sel4.systems/Info/Docs/seL4-manual-latest.pdf) — minimal syscall-set prior art for a capability kernel.
diff --git a/docs/decisions/README.md b/docs/decisions/README.md
index 3b5a615..319f57f 100644
--- a/docs/decisions/README.md
+++ b/docs/decisions/README.md
@@ -58,11 +58,13 @@ Each ADR contains:
 | 0027 | [Kernel virtual memory layout (B2 — identity-mapped MMU activation)](0027-kernel-virtual-memory-layout.md) | Accepted | 2026-05-08 |
 | 0028 | [Address-space data structure (B3 — kernel-object + capability-gated `Mmu::map` wrappers + activation-on-context-switch)](0028-address-space-data-structure.md) | Accepted | 2026-05-11 |
 | 0029 | [Initial userspace image format (B4 — raw flat binary)](0029-initial-userspace-image-format.md) | Accepted | 2026-05-14 |
+| 0030 | [Syscall ABI and userspace error taxonomy (B5)](0030-syscall-abi.md) | Accepted | 2026-05-29 |
+| 0031 | [Initial syscall set (B5 — `send`/`recv`/`console_write`/`task_yield`/`task_exit`)](0031-initial-syscall-set.md) | Accepted | 2026-05-29 |
 | 0032 | [Endpoint state rollback on `ipc_recv_and_yield` Deadlock + `ipc_cancel_recv` primitive](0032-endpoint-rollback-and-cancel-recv.md) | Accepted | 2026-05-07 |
 | 0035 | [Physical Memory Manager (B3 prerequisite — bitmap allocator)](0035-physical-memory-manager.md) | Accepted | 2026-05-09 |
 | 0036 | [QEMU virt is GICv2 / no-IOMMU in v1; corrects GICv3/SMMUv3 in ADR-0004/0006/0012](0036-qemu-virt-gicv2-no-iommu-v1.md) | Accepted | 2026-05-22 |
 
-> **Numbering gaps.** Slots **0030**, **0031**, **0033**, **0034** are intentionally reserved, not missing: 0030 (syscall ABI) and 0031 (initial syscall set / MMU follow-ups) are reserved for B5 per the `phase-b.md` §B5 ADR ledger; 0033 (high-half migration) and 0034 (kernel-image section permissions) are named-but-unallocated placeholders forward-flagged in ADR-0027/0028/0029. No files exist for these yet; they open when the corresponding work surfaces. ADR numbers are stable history and are never renumbered.
+> **Numbering gaps.** Slots **0033** and **0034** are intentionally reserved, not missing: 0033 (high-half migration) and 0034 (kernel-image section permissions) are named-but-unallocated placeholders forward-flagged in ADR-0027/0028/0029. No files exist for these yet; they open when the corresponding work surfaces. (Slots **0030** (syscall ABI) and **0031** (initial syscall set) were filed and `Accepted` on 2026-05-29 for B5 and are no longer gaps.) ADR numbers are stable history and are never renumbered.
 
 ## Creating a new ADR
 
diff --git a/docs/glossary.md b/docs/glossary.md
index c171bd7..1e1a708 100644
--- a/docs/glossary.md
+++ b/docs/glossary.md
@@ -36,6 +36,8 @@ Terminology used throughout Tyrne. Entries are alphabetical. If a term appears i
 
 **Cooperative scheduling.** A scheduling model in which the CPU is only taken from a running task when that task voluntarily yields. Tyrne v1 is cooperative and single-core; preemption arrives later in Phase B / Phase C.
 
+**EL0 / EL1 (Exception Levels).** ARM aarch64 privilege levels. EL0 is unprivileged (userspace); EL1 is the kernel/OS level. A task runs application code at EL0 and traps into the kernel at EL1 via an `SVC` (syscall) or an exception/interrupt. Tyrne drops to EL1 at boot ([ADR-0024](decisions/0024-el-drop-policy.md)) and exposes the EL0→EL1 syscall boundary in Phase B5 ([ADR-0030](decisions/0030-syscall-abi.md)). The higher levels (EL2 hypervisor, EL3 secure monitor) are not used by the kernel. See also *Syscall*, *SVC*.
+
 **Endpoint.** In seL4-style IPC, a kernel object used to rendezvous senders and receivers. Possessing a capability to an endpoint is what grants the right to send or receive.
 
 **Generation tag.** The counter stored alongside every arena slot that detects stale handles. When a slot is freed and reused, its generation increments; a handle carries the generation it was issued with, so lookup can distinguish "same slot, new object" from "same slot, same object". See [ADR-0016](decisions/0016-kernel-object-storage.md).
@@ -86,6 +88,12 @@ Terminology used throughout Tyrne. Entries are alphabetical. If a term appears i
 
 **StaticCell.** A BSP helper in [bsp-qemu-virt](../bsp-qemu-virt/src/main.rs) that wraps `UnsafeCell<MaybeUninit<T>>` to provide write-once-at-boot, share-afterwards static storage for kernel state. It exposes `as_mut_ptr` so callers can derive raw pointers without materialising a `&mut` (see [ADR-0021](decisions/0021-raw-pointer-scheduler-ipc-bridge.md)).
 
+**SVC (Supervisor Call).** The ARM aarch64 instruction a lower exception level uses to synchronously trap into a higher one. An `SVC` from EL0 takes the lower-EL synchronous exception vector at EL1; an `SVC` issued at EL1 takes the *current-EL* vector instead. Tyrne's syscall ABI uses `SVC #0` with the syscall number in `x8` ([ADR-0030](decisions/0030-syscall-abi.md)). See also *Syscall*, *EL0 / EL1*.
+
+**Syscall (system call).** The synchronous kernel entry point from userspace (EL0) into the kernel (EL1), made via an `SVC` instruction. The dispatcher validates the caller's capabilities and performs the operation, returning a typed result — and is panic-free on every untrusted input. Tyrne's v1 set is `send` / `recv` / `console_write` / `task_yield` / `task_exit` ([ADR-0031](decisions/0031-initial-syscall-set.md)). See also *Syscall ABI*, *SVC*.
+
+**Syscall ABI.** The register-level contract for a syscall: which register carries the syscall number (`x8`), which carry arguments (`x0`–`x5`), and how the status + payload return (`x0` = status word with `0` = `Ok`, `x1`–`x7` = payload). Fixed by [ADR-0030](decisions/0030-syscall-abi.md). A hardware-specific instance of an *ABI*.
+
 **TCB (Trusted Computing Base).** The set of components that must be correct for the system's security guarantees to hold — code whose compromise would compromise everything. Tyrne keeps the TCB deliberately small by running drivers, filesystems, and network stacks in userspace rather than in the kernel, so that adding a feature does not enlarge the trusted core unless it strictly must; the README frames this as "the entire trusted computing base can be audited line by line." The boundary of the TCB is drawn in [architecture/security-model.md](architecture/security-model.md). See also *Microkernel* and *Trust boundary*.
 
 **Trust boundary.** A line in the system at which assumptions about integrity, confidentiality, or availability change. Crossing a trust boundary should require an explicit capability check. Trust boundaries are drawn in [architecture/security-model.md](architecture/security-model.md).
diff --git a/docs/roadmap/current.md b/docs/roadmap/current.md
index 973f8c7..ae99007 100644
--- a/docs/roadmap/current.md
+++ b/docs/roadmap/current.md
@@ -4,6 +4,10 @@ A short pointer file updated as work progresses. For the full plan see [`phases/
 
 ---
 
+> **2026-05-29 update — T-021 (EL0→EL1 SVC dispatch) implemented; In Review on [PR #34](https://github.com/HodeTech/Tyrne/pull/34).** The security-critical hardware-facing half of B5 has landed. **PR #34** (base `main`, branch `t-021-syscall-dispatch`, 9 commits) bundles **T-020 + T-021** in one review per the maintainer's call — the commit map in the PR body delineates the two tasks (T-020 = the `IpcError` split + `Debug` redaction + ADR-0030/0031; T-021 = the SVC dispatch). A new architecture-agnostic, **panic-free** kernel `syscall` module ([`kernel/src/syscall/`](../../kernel/src/syscall/)) instantiates [ADR-0030](../decisions/0030-syscall-abi.md) (register ABI + `SyscallError` composing `CapError`/`IpcError` with a stable numeric status encoding, `0 = Ok`) and [ADR-0031](../decisions/0031-initial-syscall-set.md) (the five-syscall v1 set): `error.rs` (`SyscallError`), `abi.rs` (number decode + register packing + the null-handle sentinel), `user_access.rs` (`UserAccessWindow` + validated `copy_from_user`/`copy_to_user`), `dispatch.rs` (the dispatcher + handlers + the **debug-console capability** check). The BSP gained the **`SVC` sync trap trampoline** ([`vectors.s`](../../bsp-qemu-virt/src/vectors.s) `tyrne_sync_trampoline`) installed at **both** `VBAR_EL1+0x200` (the current-EL path B5 exercises) and `+0x400` (the real-EL0 path B6 verifies), saving the full `x0`–`x30`+`SP_EL0` frame and routing `ESR_EL1.EC == SVC64` to a Rust [`syscall_entry`](../../bsp-qemu-virt/src/syscall.rs). New cap surface: `CapObject::DebugConsole` (singleton, no handle) + `CapRights::CONSOLE_WRITE` (bit 7) + `CapHandle::from_raw` (ABI decode). The `console_write` syscall carries **two independent gates** — the capability check (all builds) and the release **debug-gate** (`cfg!(debug_assertions)`; number `5` → `BadSyscallNumber` in release). **Gates:** fmt / host-clippy / kernel-clippy / kernel-build clean; **host tests 236** (was 196, +40 syscall tests); `cargo test --release` green; `cargo miri test --workspace --exclude tyrne-bsp-qemu-virt` clean. **QEMU smoke (debug):** an EL1 kernel-stub issues two `SVC #0`s — `console_write` (emits a greeting via the syscall path; status `0x0`, 63 bytes) + a reserved-invalid number (status `0x1` = `BadSyscallNumber`); `-d int,unimp,guest_errors` shows exactly two `SVC` exceptions at the current-EL vector (`ESR 0x15/0x56000000` = SVC64, `EL1→EL1`), clean `ERET`, no new fault class; the cooperative demo still runs to `tyrne: all tasks complete`. Two new audit entries: [UNSAFE-2026-0029](../audits/unsafe-log.md#unsafe-2026-0029--svc-sync-trap-trampoline--syscall_entry-register-frame-access) (trap-frame asm) + [UNSAFE-2026-0030](../audits/unsafe-log.md#unsafe-2026-0030--validated-copy-fromto-user-byte-move-via-coreptrcopy_nonoverlapping) (copy-user). **Security-relevant — flagged for explicit security review.** This banner supersedes the 2026-05-29 B5-opened banner below.
+>
+> **2026-05-29 update — B5 opened: ADR-0030/0031 Accepted; T-020 (error taxonomy + Debug redaction) In Review; T-021 (SVC dispatch) Ready.** The B5 syscall boundary is now active on branch `t-020-syscall-error-taxonomy` (off `main`). [ADR-0030](../decisions/0030-syscall-abi.md) settles the syscall ABI (`x8` = number, `x0`–`x5` args, `x0` status + `x1`–`x7` payload, `SVC #0`) and the **K2-5** taxonomy split of `IpcError::InvalidCapability` → `StaleHandle` / `MissingRight` / `WrongObjectKind`; [ADR-0031](../decisions/0031-initial-syscall-set.md) fixes the five-syscall v1 set (`send` / `recv` / `console_write` / `task_yield` / `task_exit`; number `0` reserved-invalid; every object-naming syscall capability-gated per [P1/P4](../standards/architectural-principles.md)). Both **Accepted 2026-05-29** (Propose → careful-re-read + maintainer-review Accept). **[T-020](../analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md)** — the pure-Rust foundation (the `IpcError` split + `Capability`/`CapObject` `Debug` redaction, K3-9) — is **In Review** (implementation complete, all gates green incl. Miri; kernel host tests 196); **[T-021](../analysis/tasks/phase-b/T-021-syscall-dispatch.md)** — the EL0→EL1 `SVC` trampoline + panic-free dispatcher + copy-from/to-user, the security-critical hardware-facing half — is opened **Ready**, deferred to its own arc per CLAUDE.md §6. A same-day maintainer review surfaced two items, folded into the ADR bodies **before Accept** (the ADRs were re-drafted at `Proposed` and Accepted in a separate commit, so no Accepted body was edited post-Accept): (a) the B5 kernel-stub `SVC` exercises the **current-EL** `VBAR_EL1+0x200` vector, not the lower-EL `+0x400` (EL0) vector — so the real-EL0 round-trip is runtime-verified in **B6**, not B5; (b) `console_write` is **capability-gated** on a debug-console capability (it was ambient authority, a P1/P4 violation). This banner supersedes the 2026-05-28 banner below.
+>
 > **2026-05-28 update — B4 CLOSED via the closure trio; B5 (syscall boundary) is next.** The B4 milestone (Task loader) is formally **Closed** via its closure trio — [business retrospective](../analysis/reviews/business-reviews/2026-05-28-B4-closure.md) + [security review](../analysis/reviews/security-reviews/2026-05-28-B4-closure.md) (**Approve**) + [performance baseline](../analysis/reviews/performance-optimization-reviews/2026-05-28-B4-closure.md) — **which is the canonical source for B4's closing metrics** (not duplicated here). The period also included the 2026-05-22 full-tree [master review](../analysis/reviews/master-review/2026-05-22-152729/consolidated.md) (APPROVE the kernel; findings clustered in CI/doc/ADR, 0 kernel-correctness/security Blockers) and remediation PR #32 which — with MR-009 closed at this closure — resolved **all 24** verified Blocker+Major findings. Headline: gates green at HEAD `3ab029f` (**286** host tests; QEMU smoke clean, 629 guest-errors all pre-existing PL011; release perf band 15.641 / 17.587 / 19.150 ms). This banner supersedes the 2026-05-16 banner below. **Next:** B5 — ADR-0030 (syscall ABI) + ADR-0031 (initial syscall set), then EL0→EL1 SVC dispatch.
 >
 > **2026-05-16 update — T-019 merged; B4 implementation-complete; closure trio pending.** PR #31 merged into `main` at commit `7f876af` ("Merge pull request #31 from cemililik/t-019-task-loader"), landing T-019 (task loader) on `main`. The branch arc continued past the review-round-4 commit named in the 2026-05-15 banner below with two further follow-up commits: `5078944` (review-round 5 — added one PMM host test, taking the suite to **260/260**) and `eb14c51` (review-round 6 — 5 valid findings). T-019 status flips `In Review → Done` (`date_done: 2026-05-16`). **Host-test count at HEAD: 260/260** (42 hal + 175 kernel + 43 test-hal); the 2026-05-15 banner's "259/259" was accurate when written, before the round-5 PMM test landed. B4 is now **implementation-complete**; the **B4 closure trio (business + security + performance reviews) has NOT yet fired** and is the next review trigger (the maintainer sequences it separately). This banner resolves the pre-merge "In Review" state recorded below — that banner is retained as a point-in-time record.
@@ -55,10 +59,10 @@ A short pointer file updated as work progresses. For the full plan see [`phases/
 
 - **Active phase:** B — opened 2026-04-21. **B0 closed 2026-04-27**; **B1 closed 2026-05-07**; **B2 closed 2026-05-09**; **B3 closed 2026-05-14** via PR #29's closure trio (business + security + performance baseline; merge commit `b425dc1`). All four closures lifted `Done` after a verbatim QEMU smoke trace + clean `-d guest_errors` count per the [business master-plan §Acceptance criteria](../analysis/reviews/business-reviews/master-plan.md#acceptance-criteria) rule. **The 2026-04-28 implementation-complete claim for B1 was rolled back on 2026-05-06 by the smoke regression and re-issued 2026-05-07 as a smoke-verified Done** — that remains the only re-open arc to date; B2 and B3 both closed cleanly on first attempt.
 - **Active milestone:** **B5 — Syscall boundary (opens next).** B4 (Task loader) was formally **Closed 2026-05-28** via its closure trio (see the top banner + the [B4 closure retrospective](../analysis/reviews/business-reviews/2026-05-28-B4-closure.md)). B5 per [phase-b.md §B5](phases/phase-b.md): ADR-0030 (syscall ABI + `IpcError::InvalidCapability` split into `StaleHandle` / `MissingRight` / `WrongObjectKind`) + ADR-0031 (initial syscall set: `send`, `recv`, `console_write`, `task_yield`, `task_exit`), then EL0→EL1 SVC dispatch, a panic-free syscall dispatcher, validated copy-from/to-user through the active AS, and `Capability` `Debug` redaction. B5 is the prerequisite for the deferred [`task_create_from_image`](phases/phase-b.md#milestone-b4--task-loader) wrapper (B4 §3) that turns a `LoadedImage` into a runnable `CapHandle{CapObject::Task(...)}`, then B6 (first userspace "hello").
-- **Active task:** none — B4 closed via the 2026-05-28 closure trio; B5 prep / first ADR (ADR-0030 syscall ABI) opens next. Per [ADR-0025 §Rule 1](../decisions/0025-adr-governance-amendments.md), the implementation task opens in the same commit as the first B5 ADR's *Dependency chain* section. **Last task Done: T-019 — Task loader, 2026-05-16** (PR #31, merge `7f876af`; branch `t-019-task-loader` retired): `pub fn load_image<M, const N, const R>(...) -> Result<LoadedImage, LoadError>` in `kernel/src/obj/task_loader.rs` produces a `LoadedImage { as_cap, entry_va, stack_top_va, image_bytes, stack_bytes }` of a freshly populated userspace AS — **not** a runnable `CapHandle{CapObject::Task(...)}` (runnability gates on B5/B6); 10-variant `LoadError`, leak-path-closure preflight chain, UNSAFE-2026-0027 byte-copy entry. DoD fully met (B5/B6 deferrals are §Out-of-scope, not unchecked DoD items).
-- **In review:** none. (The B4 closure trio fired 2026-05-28 and is committed/awaiting maintainer review; it is not an in-flight task.)
-- **In progress:** none.
-- **Working branch:** none / B5 prep opens next. Development branches off `main` per the PR pattern; no task branch is currently active and no rebase is pending.
+- **Active task:** **T-021 — EL0→EL1 SVC dispatch, In Review** on branch `t-021-syscall-dispatch` (off the `t-020-syscall-error-taxonomy` HEAD so it carries the T-020 `IpcError` split + `Debug` redaction it depends on; stacks on T-020's PR). Implementation complete, all gates green (fmt / host-clippy / kernel-clippy / kernel-build / host-test 236 / `test --release` / Miri); QEMU smoke shows the EL1-kernel-stub `SVC` round-trip (see the top banner). Lands the kernel `syscall` module + the BSP `SVC` trampoline + the debug-console capability + two audit entries (UNSAFE-2026-0029 / 0030). **Last task Done: T-019 — Task loader, 2026-05-16** (PR #31, merge `7f876af`; branch `t-019-task-loader` retired): `pub fn load_image<M, const N, const R>(...) -> Result<LoadedImage, LoadError>` in `kernel/src/obj/task_loader.rs` produces a `LoadedImage { as_cap, entry_va, stack_top_va, image_bytes, stack_bytes }` of a freshly populated userspace AS — **not** a runnable `CapHandle{CapObject::Task(...)}` (runnability gates on B5/B6); 10-variant `LoadError`, leak-path-closure preflight chain, UNSAFE-2026-0027 byte-copy entry.
+- **In review:** **T-021 — EL0→EL1 SVC dispatch** (on `t-021-syscall-dispatch`) **and T-020 — Syscall error taxonomy** (the `IpcError::InvalidCapability` → `StaleHandle`/`MissingRight`/`WrongObjectKind` split + `Capability`/`CapObject` `Debug` redaction, on `t-020-syscall-error-taxonomy`). Both implementation-complete with all gates green incl. Miri; T-021 stacks on T-020. Awaiting maintainer review/merge.
+- **In progress:** none (T-021 implementation complete → In Review).
+- **Working branch:** `t-021-syscall-dispatch` (based on `t-020-syscall-error-taxonomy` HEAD, itself off `main`; ADRs Accepted). Pushed to `origin`; **[PR #34](https://github.com/HodeTech/Tyrne/pull/34)** open against `main` carries **both T-020 + T-021** (9 commits) in one combined review — the maintainer chose the bundled-PR shape over stacked PRs. (`t-020-syscall-error-taxonomy` is **not** separately pushed; its commits ride in PR #34.) No rebase pending.
 - **Last completed milestone:** **B4 — Task loader, Closed 2026-05-28** via the closure trio ([business](../analysis/reviews/business-reviews/2026-05-28-B4-closure.md) + [security](../analysis/reviews/security-reviews/2026-05-28-B4-closure.md) Approve + [performance](../analysis/reviews/performance-optimization-reviews/2026-05-28-B4-closure.md) baseline). Required task Done: T-019 (2026-05-16, PR #31 `7f876af`). The trio is the **canonical source for B4's closing metrics**; headline: **286** host tests, QEMU smoke clean (629 guest-errors, all pre-existing PL011, zero fault classes), release perf band 15.641 / 17.587 / 19.150 ms, audit log 28 entries. The 2026-05-22 master review + PR #32 remediation (all 24 Blocker+Major findings resolved, MR-009 closed at this closure) landed in this period. **Previous closures:** **B3** 2026-05-14 (PR #29 `b425dc1`); **B2** 2026-05-09; **B1** 2026-05-07 (PR #15 `e9fa019` + PR #16 `95b15aa`); **B0** 2026-04-27 (PR #9 `9a66e8b`).
 - **Last completed tasks:** **T-019 — Done 2026-05-16, merged to `main` via PR #31** (branch `t-019-task-loader`, merge commit `7f876af`) — Task loader: `load_image` produces a `LoadedImage` descriptor of a freshly populated userspace AS (10-variant `LoadError`, leak-path-closure preflight chain, UNSAFE-2026-0027 byte-copy entry); does **not** mint a runnable `TaskCap` (B5/B6 prerequisite). **Earlier:** **T-018 — Done 2026-05-11, live on `main` 2026-05-14 via PR #28** (branch `t-018-address-space-kernel-object`, merge commit `47b0a86`). T-018 implementation: [`AddressSpace<M>`](../../kernel/src/mm/address_space.rs) kernel-object struct + per-type [`AddressSpaceArena`](../../kernel/src/mm/address_space.rs) (ADR-0016 pattern); `CapKind::AddressSpace` + `CapObject::AddressSpace(AddressSpaceHandle)` variants in [`kernel/src/cap/mod.rs`](../../kernel/src/cap/mod.rs); capability-gated wrappers `cap_create_address_space` / `cap_map` / `cap_unmap` with step-by-step preflights (DERIVE rights → no-widening → depth preflight → arena/cap-table capacity → PMM alloc → arena commit → `cap_derive` cap-table insert); `Task` struct extension with `address_space_handle`; activation-on-context-switch hook threaded through `yield_now` / `start` / `ipc_recv_and_yield` / `ipc_send_and_yield` (closure-as-parameter, fires only when outgoing and incoming task ASes differ — short-circuits in v1's bootstrap-shared topology); BSP wiring in [`bsp-qemu-virt/src/main.rs`](../../bsp-qemu-virt/src/main.rs) wraps the already-live bootstrap root via the new `QemuVirtAddressSpace::from_existing_root` `pub unsafe fn` companion. Cross-cutting additions during the review-round arc: `MmuError::BlockMapped` variant (commit `8b9f52e`) so unmap into a bootstrap block descriptor surfaces a distinct typed error from `AlreadyMapped`; `CapabilityTable::depth_of` `pub(crate)` preflight helper closing the PMM-leak path; UNSAFE-2026-0014 fifth Amendment scope-extends the umbrella to the activation hook + BSP-side activation closure (zero new audit entries — additive scope on the existing `&mut Scheduler<C>` momentary-borrow umbrella). Smoke trace gains one new line `tyrne: address-space-arena ready (1 / 8 slots used; bootstrap AS root = 0x4008d000)` immediately after `tyrne: pmm initialized (...)` and before `tyrne: timer ready (...)`. Full demo runs to `tyrne: all tasks complete`; `-d int,unimp,guest_errors` reports only the pre-existing PL011-disabled-UART noise (unchanged baseline). **Earlier:** T-017 — Done 2026-05-10 (PR #27, branch `t-017-physical-memory-manager`) — Physical Memory Manager (`Pmm<N, R>` bitmap allocator + `FrameProvider` trait + UNSAFE-2026-0026 zero-fill audit). **Earlier:** T-016 — Done 2026-05-08 (branch `t-016-mmu-activation`) — MMU activation, VMSAv8 descriptor encoders, `MapperFlush` flush-token, UNSAFE-2026-0022 / 0023 / 0024 / 0025 introduced. **Earlier:** T-015 — Done 2026-05-07 (PR #17, branch `t-015-endpoint-rollback-cancel-recv`) — `ipc_cancel_recv` recovery primitive + symmetric scheduler+endpoint rollback in `ipc_recv_and_yield`'s Phase 2 Deadlock branch (ADR-0032). **Earlier:** T-014 (2026-05-07 via PR #15), T-012 (2026-04-28 via PR #10), T-013 (2026-04-27 via PR #9).
 - **Last reviews:**
@@ -91,7 +95,7 @@ A short pointer file updated as work progresses. For the full plan see [`phases/
   - [ADR-0026 — Idle dispatch via separate fallback slot](../decisions/0026-idle-dispatch-fallback.md) — `Accepted` (2026-05-06). Supersedes ADR-0022's *idle-task-location* axis only (Option A → Option B: dedicated `Scheduler::idle: Option<TaskHandle>` slot, dispatched via `ready.dequeue().or(s.idle)` only when the ready queue is empty). ADR-0022's *typed-error* axis (Option G — `SchedError::Deadlock` + `IpcError::PendingAfterResume` + `start`'s panic) stands. Implemented by T-014 (Done 2026-05-07). Includes a queue-state simulation table that ADR-0022 lacked; this discipline (simulation tables on multi-step state-machine ADRs) is the central learning of the [B1 smoke-regression arc](../analysis/reviews/business-reviews/2026-05-06-B1-smoke-regression.md).
   - [ADR-0032 — Endpoint state rollback + `ipc_cancel_recv` primitive](../decisions/0032-endpoint-rollback-and-cancel-recv.md) — `Accepted` (2026-05-07). Adds a recovery primitive that reverses an `Idle → RecvWaiting` transition, called by `ipc_recv_and_yield`'s Phase 2 Deadlock branch so both *scheduler* and *endpoint* state restore to pre-call shape on `SchedError::Deadlock`. Kernel-internal in v1 (no userspace caller); future consumers are the userspace-driven endpoint destroy drain (B2+), multi-waiter wake (ADR-0019 §Open questions), and preemption-rollback (B5+). Implemented by T-015 (Done 2026-05-07). Includes a Phase-2 Deadlock simulation table; ADR-0017 §Revision notes rider records the additive recovery primitive (user-observable surface unchanged). The Accept commit is the first project-side application of [`write-adr` skill](../../.agents/skills/write-adr/SKILL.md) step 10's *careful re-read* discipline as a separate diff from the Propose commit.
   - [ADR-0027 — Kernel virtual memory layout (B2 — identity-mapped MMU activation)](../decisions/0027-kernel-virtual-memory-layout.md) — **`Accepted` (2026-05-08)**. B2 commits to identity-only mapping (kernel in `TTBR0_EL1`; `TTBR1_EL1` reserved with `EPD1=1` for future high-half ADR-0033 placeholder when B5 surfaces per-task `TTBR0_EL1` swap), 4 KiB granule + 48-bit VA + 4-level translation, MAIR indices 0/1 for device-nGnRnE / normal-cached, four bootstrap page-table frames in a new `.boot_pt` section, and a typed [`MapperFlush`](../../hal/src/mmu/mod.rs) flush-token discipline at the `Mmu` trait surface (additive change to `map`/`unmap` return types, recorded in ADR-0009 §Revision notes rider via T-016). Includes a five-row §Simulation table walking the SCTLR.M=1 transition (Steps 0–4). **First non-recovery-primitive state-machine ADR drafted under [`write-adr` skill §Simulation](../../.agents/skills/write-adr/SKILL.md) discipline** — ADR-0026's table was the empirical retro-source; ADR-0032's table was the first application but its subject is a recovery primitive; ADR-0027 is the first productive-design state machine to use the rule. Implementation: T-016 (Draft, opens with the Propose commit). Accept landed as a separate commit (`bb0a6ba`) per `write-adr` §10.
-- **Next task to open:** **B5 — Syscall boundary: ADR-0030 (syscall ABI) + ADR-0031 (initial syscall set).** ADR-0030 settles the register calling convention + error-return convention + the K2-5 `IpcError::InvalidCapability` split (`StaleHandle` / `MissingRight` / `WrongObjectKind`); ADR-0031 settles the initial syscall set (`send`, `recv`, `console_write`, `task_yield`, `task_exit` — no more in v1). Then EL0→EL1 SVC dispatch + a panic-free dispatcher + validated copy-from/to-user + `Capability` `Debug` redaction (K3-9). ADR numbers tentative per [ADR-0013](../decisions/0013-roadmap-and-planning.md). B5 is the prerequisite for the deferred [`task_create_from_image`](phases/phase-b.md#milestone-b4--task-loader) wrapper, then B6 (first userspace "hello"). The [phase-b.md §B5](phases/phase-b.md) plan describes the milestone shape. **(The B4-closure §Adjustments — MR-009's "Miri green = Phase-B exit prerequisite" line in phase-b.md and the `current.md` 260→286 count fix — were applied as part of this closure.)**
+- **Next task to open:** the deferred [`task_create_from_image`](phases/phase-b.md#milestone-b4--task-loader) wrapper (B4 §3) that turns a `LoadedImage` into a runnable `CapHandle{CapObject::Task(...)}`, then **B6 (first userspace "hello")** — where the real EL0 round-trip through the lower-EL `VBAR_EL1+0x400` vector (EL0↔EL1 transition + copy-user against a separate userspace `TTBR0_EL1`) is finally runtime-verified (T-021's B5 proxy only drove the current-EL `+0x200` path; the `+0x400` handler is installed but unexercised). B6 also grants the debug-console capability to the first EL0 task and wires the real `task_yield` / `task_exit` semantics. The [phase-b.md §B6](phases/phase-b.md#milestone-b6--first-userspace-hello) plan describes the milestone shape. **T-020 + T-021 (both In Review) must merge to `main` first.**
 - **Next review trigger:** **B5 closure trio** — produced when the first B5 milestone reaches `In Review`. (The B4 closure trio fired 2026-05-28.) Possible interim triggers: a mini-retro if EL0/syscall bring-up surfaces a learning worth capturing mid-arc; a maintainer-initiated review or a second on-demand full-tree master review if the corpus drifts again before B5 closes. Forward-flag audit notes: UNSAFE-2026-0025 / 0026's `Pending QEMU smoke verification` notes were lifted by T-019 (first post-bootstrap `cap_map` / `cap_create_address_space` runtime exerciser); UNSAFE-2026-0019 / 0020 / 0021 continue to gate on the first deadline-arming caller (B5+).
 
 ## Notes
diff --git a/docs/roadmap/phases/phase-b.md b/docs/roadmap/phases/phase-b.md
index f754242..034aaba 100644
--- a/docs/roadmap/phases/phase-b.md
+++ b/docs/roadmap/phases/phase-b.md
@@ -201,6 +201,8 @@ Load a userspace binary into an address space. For B4 the binary is statically e
 
 Traps from EL0 into EL1 via `SVC` (or the chosen mechanism). Syscall dispatch validates the caller's capabilities. Establish the initial syscall set and the calling convention.
 
+**Status (2026-05-29): implementation in review.** [ADR-0030](../../decisions/0030-syscall-abi.md) (syscall ABI + the K2-5 `IpcError` taxonomy split) and [ADR-0031](../../decisions/0031-initial-syscall-set.md) (the five-syscall v1 set) are **Accepted**. **[T-020](../../analysis/tasks/phase-b/T-020-syscall-error-taxonomy.md)** (the `IpcError::InvalidCapability` → `StaleHandle`/`MissingRight`/`WrongObjectKind` split + `Capability`/`CapObject` `Debug` redaction — sub-breakdown §6) is **In Review**. **[T-021](../../analysis/tasks/phase-b/T-021-syscall-dispatch.md)** (the EL0→EL1 `SVC` trap trampoline + panic-free dispatcher + copy-from/to-user + the debug-console capability + `SyscallError` — sub-breakdown §§3–5 + 7) is **In Review** on branch `t-021-syscall-dispatch`: a new architecture-agnostic kernel `syscall` module + the BSP `SVC` sync trampoline (installed at `VBAR_EL1+0x200` and `+0x400`), exercised at B5 by an EL1 kernel-stub `SVC` (current-EL `+0x200` path) with all gates green (host tests 236; `test --release`; Miri clean; QEMU smoke shows the round-trip + `console_write` emitted bytes). The **real EL0 `+0x400` round-trip** is carried to B6 per the acceptance criteria below. Remaining after T-020/T-021 merge: the deferred [`task_create_from_image`](#milestone-b4--task-loader) wrapper, then B6.
+
 ### Sub-breakdown
 
 1. **ADR-0030 — Syscall ABI.** Register calling convention (which regs carry syscall number vs. arguments vs. return); maximum arg count; error-return convention (register + flag vs. `Result`-like encoding); asynchronous vs. synchronous semantics. **Bundle K2-5:** design the full userspace error taxonomy as part of this ADR — split `IpcError::InvalidCapability` into `StaleHandle` / `MissingRight` / `WrongObjectKind` (code review §Correctness IPC bullet 4) so the syscall error space and the in-kernel error space agree from the start.
@@ -213,12 +215,12 @@ Traps from EL0 into EL1 via `SVC` (or the chosen mechanism). Syscall dispatch va
 
 ### Acceptance criteria
 
-- ADR-0030 and ADR-0031 Accepted.
-- Syscall entry works from EL0 back to EL1 and back; register state is preserved correctly.
-- Invalid syscalls (bad number, missing capability, out-of-bounds pointer) return typed errors without panicking.
-- Copy-from-user never dereferences raw user pointers outside the validated mapping.
-- `IpcError` variants are split per ADR-0030's taxonomy; all call sites and tests updated.
-- `Capability` `Debug` output redacts security-sensitive fields.
+- ✅ ADR-0030 and ADR-0031 Accepted (2026-05-29).
+- The syscall **dispatch mechanism** works and preserves register state: the dispatcher is installed at both the current-EL (`VBAR_EL1+0x200`) and lower-EL (`+0x400`) sync vectors, and the round-trip is exercised at B5 via an **EL1 kernel-stub `SVC`** that takes the current-EL `0x200` vector (per [ADR-0030 §Simulation](../../decisions/0030-syscall-abi.md#simulation), an `SVC` issued at EL1 cannot take the lower-EL vector). The **real EL0 round-trip through the `0x400` vector** — with the EL0↔EL1 privilege transition and copy-user against a separate userspace `TTBR0_EL1` — requires kernel mappings in the userspace AS + an EL0 context register file (gated on the ADR-0033 high-half placeholder) and is therefore a **B6 acceptance criterion**, not B5. *(Done — T-021; the `0x200` proxy round-trip is QEMU-smoke-verified, the `0x400` handler is installed but its runtime exercise is B6's.)*
+- Invalid syscalls (bad number, missing/stale/wrong-kind capability, out-of-bounds pointer) return typed errors without panicking; every object-naming syscall performs a capability check (P1/P4). *(Done — T-021.)*
+- Copy-from-user never dereferences raw user pointers outside the validated mapping. *(Done — T-021.)*
+- `IpcError` variants are split per ADR-0030's taxonomy (`StaleHandle` / `WrongObjectKind` / `MissingRight`); all call sites and tests updated. *(Done — T-020.)*
+- `Capability` (and `CapObject`) `Debug` output redacts the named kernel object. *(Done — T-020.)*
 
 ### Flags to resolve during B5
 
@@ -244,11 +246,22 @@ A real userspace task, loaded by B4, running in EL0 in its own address space, ma
 ### Acceptance criteria
 
 - Userspace "hello from userspace" appears on the serial console after the kernel's greeting.
+- **The real EL0→EL1 syscall round-trip is exercised at runtime** (carried over from B5): a true EL0 task takes the lower-EL sync vector (`VBAR_EL1+0x400`), the dispatcher copies the `console_write` buffer from the userspace `TTBR0_EL1` address space, and `ERET` returns to EL0 — the half B5's EL1 kernel-stub proxy could not prove (see [ADR-0030 §Simulation](../../decisions/0030-syscall-abi.md#simulation)).
 - Userspace can call `task_exit` cleanly; the kernel reports task termination.
 - Guide: `docs/guides/first-userspace.md` committed.
 - Performance review recording IPC round-trip and context-switch numbers against the A6 baseline.
 - Business review recording Phase B retrospective.
 
+### T-021 carry-forward gates (must close *before* a real EL0 task runs)
+
+The [T-021](../../analysis/tasks/phase-b/T-021-syscall-dispatch.md) review-round (2026-05-29) confirmed **no live B5 defect** but identified three forward-gates that the B5 EL1-kernel-stub proxy did not need and that B6 **must** close when it wires the first real EL0 task. They are intentionally B6 work; tracked here so they are not missed:
+
+1. 🚩 **`console_write` user-window + deref (the single most important gate).** In B5 the window is the whole identity-mapped RAM extent and the copy is a direct int-to-pointer deref ([`bsp-qemu-virt/src/syscall.rs`](../../../bsp-qemu-virt/src/syscall.rs) `SYSCALL_USER_WINDOW_LEN`) — harmless because only the *trusted* EL1 stub calls it, on the identity map. If B6 wires `syscall_entry` to a real EL0 task **unchanged**, an EL0 holder of a debug-console capability could read arbitrary kernel memory via `console_write(ptr)`. B6 must (a) derive a **per-task** window from the EL0 task's actually-mapped region (not the RAM extent) and (b) replace the int-to-pointer deref with a per-page user-VA → kernel-VA translation (the forward path documented in [`user_access.rs`](../../../kernel/src/syscall/user_access.rs) module docs + [`crate::mm::phys_frame_kernel_ptr`](../../../kernel/src/mm/mod.rs)). **The window/translation failure must return `SyscallError::FaultAddress`, never panic** (the panic-free contract holds across the migration).
+2. 🚩 **`SP_EL1` initialisation for the `+0x400` entry.** The sync trampoline's first `sub sp, sp, #272` runs on `SP_EL1`, which the CPU does **not** auto-initialise on an EL0→EL1 trap. B6's per-task EL0 context-init must set `SP_EL1` to a valid kernel stack before any EL0 task is schedulable (and should assert it). Subsumed by the "EL0-ready context register file" work (ADR-0033 placeholder) but named here explicitly.
+3. 🚩 **`SYSCALL_STUB_TABLE` → scheduler current-task table.** `syscall_entry` resolves capabilities in the dedicated kernel-stub table in B5; B6 must swap it for the *running EL0 task's* capability table (looked up from the scheduler's current task). Fail-closed if forgotten (handles resolve to `InvalidHandle`, never over-grant), but functionally required for a real task to name its own caps.
+
+Two further hazards are later-phase (already tracked, not B6): `ipc_send`'s `unreachable!()` becomes a release panic-from-userspace only under **preemption/SMP** (harden to `Err(QueueFull)` when preemption lands — ADR-0032 / note C3-009); and **fault containment** for an EL0 non-`SVC` sync fault (illegal instruction, unmapped deref) is Phase E / flag K3-4 (the dispatcher itself is already panic-free).
+
 ### Flags to resolve during B6
 
 - 🚩 **CI rollout (K3-7).** If a CI pipeline exists by B6, wire the QEMU smoke as a regression gate (`qemu-system-aarch64 ... | grep "all tasks complete"`). If CI is still absent, defer to Phase C.
diff --git a/kernel/src/cap/mod.rs b/kernel/src/cap/mod.rs
index 3a11338..fe39aec 100644
--- a/kernel/src/cap/mod.rs
+++ b/kernel/src/cap/mod.rs
@@ -70,6 +70,18 @@ pub enum CapKind {
     ///
     /// [adr-0028]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0028-address-space-data-structure.md
     AddressSpace,
+    /// Refers to the **debug console** — the singleton best-effort serial
+    /// diagnostic sink ([`tyrne_hal::Console`]). Introduced by the
+    /// `console_write` syscall ([T-021][t021] / [ADR-0031][adr-0031]) as the
+    /// smallest object addition that keeps `console_write` capability-gated
+    /// ([P1 / P4][principles]). Unlike the arena-backed kinds above, the
+    /// debug console is a singleton with no per-instance kernel-object
+    /// storage, so [`CapObject::DebugConsole`] carries **no handle**.
+    ///
+    /// [t021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
+    /// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+    /// [principles]: https://github.com/HodeTech/Tyrne/blob/main/docs/standards/architectural-principles.md
+    DebugConsole,
     /// Refers to a physical memory region (Phase B4+).
     MemoryRegion,
 }
@@ -85,7 +97,16 @@ pub enum CapKind {
 /// T-018 (per [ADR-0028][adr-0028]).
 ///
 /// [adr-0028]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0028-address-space-data-structure.md
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+///
+/// `Debug` is a **hand-written, redacting** impl (not derived): it prints the
+/// object *kind* but redacts the wrapped typed handle (slot index +
+/// generation). This is the same kernel-internal-identity hazard the
+/// [`Capability`] redaction (K3-9 / [ADR-0030][adr-0030cap]) addresses —
+/// closed here at the source so a `CapObject` formatted directly (e.g. into a
+/// future error or a userspace-reachable log) cannot leak the handle either.
+///
+/// [adr-0030cap]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+#[derive(Copy, Clone, Eq, PartialEq)]
 pub enum CapObject {
     /// Capability naming a [`Task`][crate::obj::Task] kernel object.
     Task(TaskHandle),
@@ -98,6 +119,16 @@ pub enum CapObject {
     ///
     /// [adr-0028]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0028-address-space-data-structure.md
     AddressSpace(AddressSpaceHandle),
+    /// Capability naming the singleton **debug console** (per
+    /// [ADR-0031][adr-0031]; [T-021][t021]). Carries no handle — there is
+    /// exactly one debug console and it has no per-instance kernel-object
+    /// storage. The bearer's authority to write is conferred by holding this
+    /// capability with the [`CapRights::CONSOLE_WRITE`] right; the
+    /// `console_write` syscall validates both before emitting any byte.
+    ///
+    /// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+    /// [t021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
+    DebugConsole,
 }
 
 impl CapObject {
@@ -109,10 +140,26 @@ impl CapObject {
             Self::Endpoint(_) => CapKind::Endpoint,
             Self::Notification(_) => CapKind::Notification,
             Self::AddressSpace(_) => CapKind::AddressSpace,
+            Self::DebugConsole => CapKind::DebugConsole,
         }
     }
 }
 
+impl core::fmt::Debug for CapObject {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        // Show the kind (benign, useful for diagnostics) but redact the
+        // wrapped typed handle (slot index + generation) — kernel-internal
+        // identity per K3-9 / ADR-0030. The wrapped handle types keep their
+        // derived `Debug` for kernel-internal traces (scheduler, arena) where
+        // the slot/generation is the useful information and never crosses to
+        // userspace; `CapObject` is redacted because it is the type a
+        // capability (or a future error) carries toward a log boundary.
+        f.debug_struct("CapObject")
+            .field("kind", &self.kind())
+            .finish()
+    }
+}
+
 /// A capability.
 ///
 /// Deliberately **not** `Copy` and **not** `Clone`. Duplication happens
@@ -120,14 +167,34 @@ impl CapObject {
 /// to hold the [`CapRights::DUPLICATE`] authority on the source. The
 /// Rust type system enforces the move-only discipline by construction.
 ///
-/// `Debug` is derived so that test assertions can format capabilities;
-/// the derived impl exposes typed handles but no other unforgeable bits.
-#[derive(Debug)]
+/// `Debug` is a **hand-written, redacting** impl (not derived): it prints
+/// the `rights` (authority bits — useful for diagnostics and not
+/// unforgeable) but redacts the named object as `<redacted>`. The object
+/// names a kernel object by typed handle (slot index + generation), which
+/// is kernel-internal identity that must never leak across a
+/// userspace-reachable log path such as the future `console_write` syscall.
+/// Per [ADR-0030][adr-0030] §"Security of the taxonomy split" and B5
+/// sub-item 6 (K3-9 — security review §6).
+///
+/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
 pub struct Capability {
     rights: CapRights,
     object: CapObject,
 }
 
+impl core::fmt::Debug for Capability {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        // Redact the named object; keep rights visible. `format_args!`
+        // (rather than a `&str`) emits the placeholder without surrounding
+        // quotes, so the output reads `object: <redacted>`, not
+        // `object: "<redacted>"`.
+        f.debug_struct("Capability")
+            .field("rights", &self.rights)
+            .field("object", &format_args!("<redacted>"))
+            .finish()
+    }
+}
+
 impl Capability {
     /// Construct a capability with the given rights over `object`. The
     /// [`CapKind`] is derived from the `object`'s variant, so
@@ -192,3 +259,60 @@ pub enum CapError {
     /// `AddressSpaceError::CapError(_)` passthrough.
     WrongKind,
 }
+
+#[cfg(test)]
+mod tests {
+    use super::{CapObject, CapRights, Capability};
+    use crate::obj::TaskHandle;
+
+    #[test]
+    fn debug_redacts_named_object_but_keeps_rights() {
+        // K3-9 (ADR-0030 §"Security of the taxonomy split"): a `Capability`'s
+        // `Debug` must not leak the kernel object it names — no kind, no slot
+        // index, no generation — but may show the (non-unforgeable) rights.
+        let cap = Capability::new(
+            CapRights::SEND | CapRights::RECV,
+            CapObject::Task(TaskHandle::test_handle(0xAB, 7)),
+        );
+        let shown = format!("{cap:?}");
+
+        // The named object is redacted.
+        assert!(
+            shown.contains("object: <redacted>"),
+            "object must be redacted, got: {shown}"
+        );
+        assert!(
+            !shown.contains("Task"),
+            "object kind must not leak, got: {shown}"
+        );
+        assert!(
+            !shown.contains("171"),
+            "handle index (0xAB = 171) must not leak, got: {shown}"
+        );
+        // Rights stay visible for diagnostics (`CapRights` derives `Debug`).
+        assert!(
+            shown.contains("rights"),
+            "rights field must be shown, got: {shown}"
+        );
+    }
+
+    #[test]
+    fn capobject_debug_redacts_handle_but_shows_kind() {
+        // Defense-in-depth: even formatting a bare `CapObject` (not wrapped in
+        // a `Capability`) must not leak the handle's slot index / generation.
+        let obj = CapObject::Task(TaskHandle::test_handle(0xAB, 7));
+        let shown = format!("{obj:?}");
+
+        // The kind is shown (benign, useful for diagnostics)...
+        assert!(shown.contains("Task"), "kind should be shown, got: {shown}");
+        // ...but the wrapped handle's identity is redacted.
+        assert!(
+            !shown.contains("171"),
+            "handle index (0xAB = 171) must not leak, got: {shown}"
+        );
+        assert!(
+            !shown.contains("SlotId") && !shown.contains("generation"),
+            "handle internals must not leak, got: {shown}"
+        );
+    }
+}
diff --git a/kernel/src/cap/rights.rs b/kernel/src/cap/rights.rs
index ce18dfa..391a3f6 100644
--- a/kernel/src/cap/rights.rs
+++ b/kernel/src/cap/rights.rs
@@ -32,6 +32,17 @@ impl CapRights {
     pub const RECV: Self = Self(1 << 5);
     /// The bearer may call `ipc_notify` on the notification this capability names.
     pub const NOTIFY: Self = Self(1 << 6);
+    /// The bearer may write bytes to the **debug console** this capability
+    /// names. Carried by a [`super::CapObject::DebugConsole`] capability and
+    /// checked by the `console_write` syscall *before any output* (per
+    /// [ADR-0031][adr-0031] — `console_write` is capability-gated **and**
+    /// debug-gated). This is the first right introduced by a syscall rather
+    /// than by a kernel-object subsystem; it gates the one debug affordance
+    /// the v1 syscall set exposes ([T-021][t021]).
+    ///
+    /// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+    /// [t021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
+    pub const CONSOLE_WRITE: Self = Self(1 << 7);
 
     /// Union of every bit defined by this version of the rights bitfield.
     ///
@@ -57,7 +68,8 @@ impl CapRights {
             | Self::TRANSFER.0
             | Self::SEND.0
             | Self::RECV.0
-            | Self::NOTIFY.0,
+            | Self::NOTIFY.0
+            | Self::CONSOLE_WRITE.0,
     );
 
     /// Construct an empty flag set.
diff --git a/kernel/src/cap/table.rs b/kernel/src/cap/table.rs
index 8e21522..9c745b4 100644
--- a/kernel/src/cap/table.rs
+++ b/kernel/src/cap/table.rs
@@ -44,19 +44,43 @@ pub struct CapHandle {
 }
 
 impl CapHandle {
-    /// Return the raw index component. Kernel-internal; used by tests.
+    /// Return the raw index component. Kernel-internal; used by tests and by
+    /// the syscall ABI layer ([`crate::syscall`]) to pack a handle into a
+    /// register word.
     #[must_use]
     #[doc(hidden)]
     pub const fn index(self) -> u16 {
         self.index
     }
 
-    /// Return the raw generation component. Kernel-internal; used by tests.
+    /// Return the raw generation component. Kernel-internal; used by tests and
+    /// by the syscall ABI layer ([`crate::syscall`]) to pack a handle into a
+    /// register word.
     #[must_use]
     #[doc(hidden)]
     pub const fn generation(self) -> u32 {
         self.generation
     }
+
+    /// Reconstruct a handle from raw `(index, generation)` components.
+    ///
+    /// This is the **ABI-decode constructor**: the syscall layer
+    /// ([`crate::syscall`], [T-021][t021]) unpacks a userspace-supplied
+    /// register word into its components and rebuilds the `CapHandle` here.
+    /// The reconstructed handle is **not trusted** — every `CapHandle` is
+    /// validated against the live slot's generation by
+    /// [`CapabilityTable::lookup`] before any use, so a forged, stale, or
+    /// out-of-range `(index, generation)` simply fails lookup with
+    /// [`CapError::InvalidHandle`]; it can never alias a live capability.
+    /// Mirrors [`CapRights::from_raw`][crate::cap::CapRights::from_raw]'s
+    /// "land the ABI-boundary constructor with its first consumer"
+    /// discipline (Forward-API note C1-007).
+    ///
+    /// [t021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
+    #[must_use]
+    pub const fn from_raw(index: u16, generation: u32) -> Self {
+        Self { index, generation }
+    }
 }
 
 /// A slot in the [`CapabilityTable`]. Either holds a populated
diff --git a/kernel/src/ipc/mod.rs b/kernel/src/ipc/mod.rs
index 1311e83..5190723 100644
--- a/kernel/src/ipc/mod.rs
+++ b/kernel/src/ipc/mod.rs
@@ -80,12 +80,37 @@ pub struct Message {
 }
 
 /// Errors returned by IPC operations.
+///
+/// The capability-validation failure modes are split into three distinct,
+/// handleable variants per [ADR-0030][adr-0030]'s K2-5 bundle (replacing the
+/// former single `InvalidCapability`). Validation resolves in the order
+/// `StaleHandle → WrongObjectKind → MissingRight` (resolve, then type-check,
+/// then authority-check), mirroring [`CapError`][caperr]'s
+/// `InvalidHandle` / `WrongKind` / `InsufficientRights` shape so the in-kernel
+/// and userspace error spaces read the same way. Revealing *which* check
+/// failed is safe for a per-subject, unforgeable capability table — see
+/// [ADR-0030 §"Security of the taxonomy split"][adr-0030].
+///
+/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+/// [caperr]: crate::cap::CapError
 #[non_exhaustive]
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
 pub enum IpcError {
-    /// The endpoint or notification capability is invalid, stale, or the
-    /// caller lacks the required right (`SEND`, `RECV`, or `NOTIFY`).
-    InvalidCapability,
+    /// The capability handle did not resolve in the caller's table, or the
+    /// kernel object it named has been destroyed (the arena slot's
+    /// generation moved past the handle's). The reference is dead — the
+    /// caller should re-acquire it, not retry.
+    StaleHandle,
+    /// The capability resolved but names the wrong kind of object for this
+    /// operation (e.g. a `Notification` capability handed to `ipc_send`, or
+    /// an `Endpoint` capability handed to `ipc_notify`). A programming
+    /// error in the caller: the wrong handle was passed.
+    WrongObjectKind,
+    /// The capability resolved and is the right kind, but does not carry the
+    /// right this operation requires (`SEND` for `ipc_send`, `RECV` for
+    /// `ipc_recv` / `ipc_cancel_recv`, `NOTIFY` for `ipc_notify`). The caller
+    /// holds the object but lacks the authority — it must obtain the right.
+    MissingRight,
     /// The endpoint's waiter queue is at capacity (depth 1 in v1): a second
     /// blocked sender arrived while the first is still pending, or a second
     /// receiver registered before the first was served.
@@ -269,7 +294,9 @@ impl IpcQueues {
 ///
 /// # Errors
 ///
-/// - [`IpcError::InvalidCapability`] — `ep_cap` is stale or lacks `SEND`.
+/// - [`IpcError::StaleHandle`] — `ep_cap` did not resolve, or its endpoint
+///   was destroyed; [`IpcError::WrongObjectKind`] — `ep_cap` does not name an
+///   endpoint; [`IpcError::MissingRight`] — `ep_cap` lacks `SEND`.
 /// - [`IpcError::InvalidTransferCap`] — `transfer` handle is stale.
 /// - [`IpcError::QueueFull`] — a previous send is still pending (or a
 ///   delivery for a waiting receiver is uncollected).
@@ -298,7 +325,7 @@ pub fn ipc_send(
     // Confirm the endpoint handle is still live in the arena.
     ep_arena
         .get(ep_handle.slot())
-        .ok_or(IpcError::InvalidCapability)?;
+        .ok_or(IpcError::StaleHandle)?;
 
     // Pre-flight: queue-full check. Peek state non-destructively before any
     // cap manipulation so that a QueueFull return leaves both the endpoint
@@ -360,7 +387,9 @@ pub fn ipc_send(
 ///
 /// # Errors
 ///
-/// - [`IpcError::InvalidCapability`] — `ep_cap` is stale or lacks `RECV`.
+/// - [`IpcError::StaleHandle`] — `ep_cap` did not resolve, or its endpoint
+///   was destroyed; [`IpcError::WrongObjectKind`] — `ep_cap` does not name an
+///   endpoint; [`IpcError::MissingRight`] — `ep_cap` lacks `RECV`.
 /// - [`IpcError::ReceiverTableFull`] — the receiver's table has no free slot
 ///   for the capability carried with the pending message. Free a slot first.
 /// - [`IpcError::QueueFull`] — a receiver is already registered on this endpoint.
@@ -374,7 +403,7 @@ pub fn ipc_recv(
 
     ep_arena
         .get(ep_handle.slot())
-        .ok_or(IpcError::InvalidCapability)?;
+        .ok_or(IpcError::StaleHandle)?;
 
     // Pre-flight: if the pending state carries a capability, ensure the
     // receiver's table has room before committing the state transition. This
@@ -441,7 +470,10 @@ pub fn ipc_recv(
 ///
 /// # Errors
 ///
-/// [`IpcError::InvalidCapability`] — `notif_cap` is stale or lacks `NOTIFY`.
+/// [`IpcError::StaleHandle`] — `notif_cap` did not resolve, or its
+/// notification was destroyed; [`IpcError::WrongObjectKind`] — `notif_cap`
+/// does not name a notification; [`IpcError::MissingRight`] — `notif_cap`
+/// lacks `NOTIFY`.
 pub fn ipc_notify(
     notif_arena: &mut NotificationArena,
     notif_cap: CapHandle,
@@ -451,7 +483,7 @@ pub fn ipc_notify(
     let notif_handle = validate_notif_cap(caller_table, notif_cap)?;
     let notif = notif_arena
         .get_mut(notif_handle.slot())
-        .ok_or(IpcError::InvalidCapability)?;
+        .ok_or(IpcError::StaleHandle)?;
     notif.set(bits);
     Ok(())
 }
@@ -520,9 +552,10 @@ pub fn ipc_notify(
 ///
 /// # Errors
 ///
-/// [`IpcError::InvalidCapability`] — `ep_cap` is stale, refers to a
-/// non-endpoint object, or lacks `RECV`. The endpoint state is not
-/// touched on this error.
+/// [`IpcError::StaleHandle`] — `ep_cap` did not resolve, or its endpoint
+/// was destroyed; [`IpcError::WrongObjectKind`] — `ep_cap` refers to a
+/// non-endpoint object; [`IpcError::MissingRight`] — `ep_cap` lacks `RECV`.
+/// The endpoint state is not touched on any of these errors.
 ///
 /// [adr-0032]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0032-endpoint-rollback-and-cancel-recv.md
 /// [ADR-0017]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0017-ipc-primitive-set.md
@@ -537,7 +570,7 @@ pub fn ipc_cancel_recv(
 
     ep_arena
         .get(ep_handle.slot())
-        .ok_or(IpcError::InvalidCapability)?;
+        .ok_or(IpcError::StaleHandle)?;
 
     let state = queues.state_of(ep_handle);
     if matches!(state, EndpointState::RecvWaiting) {
@@ -548,37 +581,38 @@ pub fn ipc_cancel_recv(
 
 // ── Helpers ─────────────────────────────────────────────────────────────────
 
+// Resolve → type-check → authority-check, in that order, per ADR-0030's
+// `StaleHandle → WrongObjectKind → MissingRight` taxonomy. The order is
+// observable only for a capability that is *both* the wrong kind and
+// missing the right; checking kind first reports the more fundamental
+// error ("you passed the wrong handle") ahead of the authority error.
 fn validate_ep_cap(
     table: &CapabilityTable,
     ep_cap: CapHandle,
     required: CapRights,
 ) -> Result<EndpointHandle, IpcError> {
-    let cap = table
-        .lookup(ep_cap)
-        .map_err(|_| IpcError::InvalidCapability)?;
+    let cap = table.lookup(ep_cap).map_err(|_| IpcError::StaleHandle)?;
+    let CapObject::Endpoint(handle) = cap.object() else {
+        return Err(IpcError::WrongObjectKind);
+    };
     if !cap.rights().contains(required) {
-        return Err(IpcError::InvalidCapability);
-    }
-    match cap.object() {
-        CapObject::Endpoint(h) => Ok(h),
-        _ => Err(IpcError::InvalidCapability),
+        return Err(IpcError::MissingRight);
     }
+    Ok(handle)
 }
 
 fn validate_notif_cap(
     table: &CapabilityTable,
     notif_cap: CapHandle,
 ) -> Result<NotificationHandle, IpcError> {
-    let cap = table
-        .lookup(notif_cap)
-        .map_err(|_| IpcError::InvalidCapability)?;
+    let cap = table.lookup(notif_cap).map_err(|_| IpcError::StaleHandle)?;
+    let CapObject::Notification(handle) = cap.object() else {
+        return Err(IpcError::WrongObjectKind);
+    };
     if !cap.rights().contains(CapRights::NOTIFY) {
-        return Err(IpcError::InvalidCapability);
-    }
-    match cap.object() {
-        CapObject::Notification(h) => Ok(h),
-        _ => Err(IpcError::InvalidCapability),
+        return Err(IpcError::MissingRight);
     }
+    Ok(handle)
 }
 
 /// Take the cap at `handle` (if any) out of `table` for in-flight transfer.
@@ -899,7 +933,8 @@ mod tests {
                 None
             )
             .unwrap_err(),
-            IpcError::InvalidCapability
+            // Correct kind (endpoint), missing the SEND right → MissingRight.
+            IpcError::MissingRight
         );
     }
 
@@ -911,7 +946,125 @@ mod tests {
         let (_, ep_cap) = setup_ep(&mut table, &mut ep_arena, CapRights::SEND);
         assert_eq!(
             ipc_recv(&mut ep_arena, &mut queues, ep_cap, &mut table).unwrap_err(),
-            IpcError::InvalidCapability
+            // Correct kind (endpoint), missing the RECV right → MissingRight.
+            IpcError::MissingRight
+        );
+    }
+
+    // ── error taxonomy: WrongObjectKind + StaleHandle (ADR-0030 K2-5) ─────────
+    //
+    // These pin the two split variants that the pre-existing rights-failure
+    // tests above (now `MissingRight`) do not reach. The `WrongObjectKind`
+    // tests use a wrong-kind cap that ALSO lacks the operation's right —
+    // the *only* input that discriminates the kind-before-rights ordering
+    // ADR-0030 §K2-5 specifies. Under the chosen order (kind → rights) the
+    // result is `WrongObjectKind`; under a hypothetical rights-first
+    // regression the same cap would return `MissingRight`. So a flip to
+    // rights-first would flip the asserted variant and fail these tests
+    // (a cap that *carries* the right would be ordering-agnostic and prove
+    // nothing). `StaleHandle` is exercised on both the table-lookup-miss
+    // path (a dropped cap handle) and the arena-staleness path (a destroyed
+    // endpoint whose cap still resolves in the table).
+
+    #[test]
+    fn send_with_wrong_object_kind_returns_wrong_object_kind() {
+        let mut table = CapabilityTable::new();
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        // A Task cap (wrong kind) that also lacks SEND. Kind-first → the
+        // result is WrongObjectKind; a rights-first order would return
+        // MissingRight, so this discriminates the ADR-0030 ordering.
+        let cap_h = table
+            .insert_root(Capability::new(CapRights::empty(), task_object(1)))
+            .unwrap();
+        assert_eq!(
+            ipc_send(
+                &mut ep_arena,
+                &mut queues,
+                cap_h,
+                &mut table,
+                test_msg(0),
+                None
+            )
+            .unwrap_err(),
+            IpcError::WrongObjectKind
+        );
+    }
+
+    #[test]
+    fn recv_with_wrong_object_kind_returns_wrong_object_kind() {
+        let mut table = CapabilityTable::new();
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        // Wrong kind (Task) and lacks RECV → WrongObjectKind under kind-first,
+        // MissingRight under rights-first; the assertion pins kind-first.
+        let cap_h = table
+            .insert_root(Capability::new(CapRights::empty(), task_object(1)))
+            .unwrap();
+        assert_eq!(
+            ipc_recv(&mut ep_arena, &mut queues, cap_h, &mut table).unwrap_err(),
+            IpcError::WrongObjectKind
+        );
+    }
+
+    #[test]
+    fn notify_with_wrong_object_kind_returns_wrong_object_kind() {
+        let mut table = CapabilityTable::new();
+        let mut notif_arena = NotificationArena::default();
+        // Wrong kind (Task) and lacks NOTIFY → WrongObjectKind under kind-first,
+        // MissingRight under rights-first; the assertion pins kind-first.
+        let cap_h = table
+            .insert_root(Capability::new(CapRights::empty(), task_object(2)))
+            .unwrap();
+        assert_eq!(
+            ipc_notify(&mut notif_arena, cap_h, &table, 0xFF).unwrap_err(),
+            IpcError::WrongObjectKind
+        );
+    }
+
+    #[test]
+    fn send_with_dropped_cap_handle_returns_stale_handle() {
+        // Table-lookup-miss path: the cap handle no longer resolves.
+        let mut table = CapabilityTable::new();
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (_, ep_cap) = setup_ep(&mut table, &mut ep_arena, all_ep_rights());
+        table.cap_drop(ep_cap).unwrap();
+        assert_eq!(
+            ipc_send(
+                &mut ep_arena,
+                &mut queues,
+                ep_cap,
+                &mut table,
+                test_msg(0),
+                None
+            )
+            .unwrap_err(),
+            IpcError::StaleHandle
+        );
+    }
+
+    #[test]
+    fn send_to_destroyed_endpoint_returns_stale_handle() {
+        // Arena-staleness path: the cap still resolves (right kind + right),
+        // but its endpoint object was destroyed, so the arena `get` fails.
+        use crate::obj::endpoint::destroy_endpoint;
+        let mut table = CapabilityTable::new();
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (ep_handle, ep_cap) = setup_ep(&mut table, &mut ep_arena, all_ep_rights());
+        destroy_endpoint(&mut ep_arena, ep_handle).unwrap();
+        assert_eq!(
+            ipc_send(
+                &mut ep_arena,
+                &mut queues,
+                ep_cap,
+                &mut table,
+                test_msg(0),
+                None
+            )
+            .unwrap_err(),
+            IpcError::StaleHandle
         );
     }
 
@@ -1098,7 +1251,8 @@ mod tests {
         let cap_h = table.insert_root(cap).unwrap();
         assert_eq!(
             ipc_notify(&mut notif_arena, cap_h, &table, 0xFF).unwrap_err(),
-            IpcError::InvalidCapability
+            // Correct kind (notification), missing the NOTIFY right → MissingRight.
+            IpcError::MissingRight
         );
     }
 
@@ -1108,10 +1262,12 @@ mod tests {
         // `stale_queue_state_reset_on_slot_reuse`. A cap whose underlying
         // notification was destroyed (and a new one re-allocated in the same
         // slot with a bumped generation) must make `ipc_notify` return
-        // `InvalidCapability` via the arena `get_mut(...).ok_or(...)` branch —
-        // the realistic adversarial case where the cap's rights check still
-        // passes but the handle is stale. The endpoint side already pins this;
-        // this closes the notification-side gap at the `ipc_notify` boundary.
+        // `StaleHandle` via the arena `get_mut(...).ok_or(...)` branch —
+        // the realistic adversarial case where the cap's rights/kind checks
+        // still pass but the handle is stale. The endpoint side already pins
+        // this; this closes the notification-side gap at the `ipc_notify`
+        // boundary. (Post-ADR-0030: this path now returns the granular
+        // `StaleHandle` rather than the former collapsed `InvalidCapability`.)
         let mut table = CapabilityTable::new();
         let mut notif_arena = NotificationArena::default();
 
@@ -1125,12 +1281,12 @@ mod tests {
 
         // The cap still satisfies the rights/kind check (it was minted with
         // NOTIFY), so the failure must come from the arena staleness lookup,
-        // not the rights gate — proving the `ok_or(InvalidCapability)` mapping
+        // not the rights gate — proving the `ok_or(StaleHandle)` mapping
         // at the IPC boundary fires. (No cap_drop is even needed to provoke it.)
         assert_eq!(
             ipc_notify(&mut notif_arena, notif_cap, &table, 0xFF).unwrap_err(),
-            IpcError::InvalidCapability,
-            "ipc_notify on a stale notification handle must return InvalidCapability"
+            IpcError::StaleHandle,
+            "ipc_notify on a stale notification handle must return StaleHandle"
         );
 
         // Re-allocating reuses the slot with a bumped generation; the stale
@@ -1138,7 +1294,7 @@ mod tests {
         let _new_handle = create_notification(&mut notif_arena, Notification::new(1)).unwrap();
         assert_eq!(
             ipc_notify(&mut notif_arena, notif_cap, &table, 0xFF).unwrap_err(),
-            IpcError::InvalidCapability,
+            IpcError::StaleHandle,
             "stale cap must still fail after the slot is reused by a new notification"
         );
     }
@@ -1428,7 +1584,8 @@ mod tests {
         let (_, ep_cap) = setup_ep(&mut table, &mut ep_arena, CapRights::SEND);
         assert_eq!(
             ipc_cancel_recv(&mut ep_arena, &mut queues, ep_cap, &table).unwrap_err(),
-            IpcError::InvalidCapability,
+            // Correct kind (endpoint), missing the RECV right → MissingRight.
+            IpcError::MissingRight,
         );
     }
 
@@ -1448,6 +1605,39 @@ mod tests {
         assert!(matches!(outcome, RecvOutcome::Pending));
     }
 
+    #[test]
+    fn cancel_recv_with_wrong_object_kind_returns_wrong_object_kind() {
+        // Symmetric to the send/recv wrong-kind tests: a Task cap (wrong kind)
+        // that also lacks RECV. Kind-first → WrongObjectKind; a rights-first
+        // order would return MissingRight, so this discriminates the ordering.
+        let mut table = CapabilityTable::new();
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let cap_h = table
+            .insert_root(Capability::new(CapRights::empty(), task_object(1)))
+            .unwrap();
+        assert_eq!(
+            ipc_cancel_recv(&mut ep_arena, &mut queues, cap_h, &table).unwrap_err(),
+            IpcError::WrongObjectKind
+        );
+    }
+
+    #[test]
+    fn cancel_recv_to_destroyed_endpoint_returns_stale_handle() {
+        // Arena-staleness path for cancel: the cap resolves with RECV, but its
+        // endpoint object was destroyed, so the arena `get` fails.
+        use crate::obj::endpoint::destroy_endpoint;
+        let mut table = CapabilityTable::new();
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (ep_handle, ep_cap) = setup_ep(&mut table, &mut ep_arena, all_ep_rights());
+        destroy_endpoint(&mut ep_arena, ep_handle).unwrap();
+        assert_eq!(
+            ipc_cancel_recv(&mut ep_arena, &mut queues, ep_cap, &table).unwrap_err(),
+            IpcError::StaleHandle
+        );
+    }
+
     // ── reset_if_stale_generation guard tests (T-011) ─────────────────────────
     //
     // `IpcQueues::reset_if_stale_generation` (used by `state_of` /
diff --git a/kernel/src/lib.rs b/kernel/src/lib.rs
index 1629e27..ea5c2c0 100644
--- a/kernel/src/lib.rs
+++ b/kernel/src/lib.rs
@@ -33,6 +33,10 @@
 //!   ADR-0028) with its `cap_map` / `cap_unmap` wrappers.
 //! - [`sched`] — cooperative scheduler (Phase A5 / [T-004]): bounded FIFO
 //!   ready queue, per-task state, and IPC bridge.
+//! - [`syscall`] — the EL0→EL1 syscall boundary's kernel-side half (Phase B5 /
+//!   [T-021]): the panic-free dispatcher, the register ABI (ADR-0030), the v1
+//!   syscall set (ADR-0031), and validated copy-from/to-user. The hardware
+//!   trap trampoline lives in the BSP.
 //!
 //! [T-001]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-a/T-001-capability-table-foundation.md
 //! [T-002]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-a/T-002-kernel-object-storage.md
@@ -41,6 +45,7 @@
 //! [T-017]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-017-physical-memory-manager.md
 //! [T-018]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-018-address-space-kernel-object.md
 //! [T-019]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-019-task-loader.md
+//! [T-021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
 
 #![cfg_attr(not(test), no_std)]
 // Kernel-specific stricter lints — these layer onto `[workspace.lints]`
@@ -65,3 +70,4 @@ pub mod ipc;
 pub mod mm;
 pub mod obj;
 pub mod sched;
+pub mod syscall;
diff --git a/kernel/src/sched/mod.rs b/kernel/src/sched/mod.rs
index eeb52eb..0c28a96 100644
--- a/kernel/src/sched/mod.rs
+++ b/kernel/src/sched/mod.rs
@@ -371,12 +371,16 @@ impl<C: ContextSwitch + Cpu> Scheduler<C> {
         caller_table: &CapabilityTable,
         ep_cap: CapHandle,
     ) -> Result<EndpointHandle, SchedError> {
+        // Resolve → type-check, mapping each failure to ADR-0030's granular
+        // variant: a missing handle is `StaleHandle`, a non-endpoint object is
+        // `WrongObjectKind`. (The rights check lives inside `ipc_send` /
+        // `ipc_recv`, which surface `MissingRight`.)
         let cap = caller_table
             .lookup(ep_cap)
-            .map_err(|_| SchedError::Ipc(IpcError::InvalidCapability))?;
+            .map_err(|_| SchedError::Ipc(IpcError::StaleHandle))?;
         match cap.object() {
             CapObject::Endpoint(h) => Ok(h),
-            _ => Err(SchedError::Ipc(IpcError::InvalidCapability)),
+            _ => Err(SchedError::Ipc(IpcError::WrongObjectKind)),
         }
     }
 
@@ -1232,9 +1236,10 @@ pub unsafe fn ipc_recv_and_yield<C: ContextSwitch + Cpu>(
         // `Idle → RecvWaiting` transition so the caller observes the
         // same endpoint state it had before the bridge was called.
         // Phase 1 just validated `ep_cap` with RECV; the cancel cannot
-        // surface a new InvalidCapability under v1's single-thread
-        // cooperative invariant, so the result is asserted in debug
-        // and discarded in release.
+        // surface a new capability error (the ADR-0030 split variants
+        // StaleHandle / WrongObjectKind / MissingRight) under v1's
+        // single-thread cooperative invariant, so the result is asserted
+        // in debug and discarded in release.
         // SAFETY: caller contract — `ep_arena`, `queues`, `caller_table`
         // valid + distinct for this momentary block; `ep_arena` and
         // `queues` are exclusively owned (`&mut` reborrows below),
@@ -2790,8 +2795,9 @@ mod tests {
     fn ipc_send_and_yield_send_error_preserves_scheduler_state() {
         // Setup: h0 (current), h1 (Ready in queue). The endpoint cap
         // grants RECV but not SEND, so `ipc_send` fails its rights check
-        // with `IpcError::InvalidCapability`. The bridge must surface
-        // this typed error and leave the scheduler exactly as it was.
+        // with `IpcError::MissingRight` (ADR-0030: correct kind, missing
+        // right). The bridge must surface this typed error and leave the
+        // scheduler exactly as it was.
         // Symmetric to T-007's `ipc_recv_and_yield_returns_deadlock_…`
         // state-restore guarantee.
         let cpu = FakeCpu::new();
@@ -2859,8 +2865,8 @@ mod tests {
         };
 
         assert!(
-            matches!(result, Err(SchedError::Ipc(IpcError::InvalidCapability))),
-            "expected Err(Ipc(InvalidCapability)), got {result:?}"
+            matches!(result, Err(SchedError::Ipc(IpcError::MissingRight))),
+            "expected Err(Ipc(MissingRight)), got {result:?}"
         );
         // Scheduler state must be untouched.
         assert_eq!(sched.current, prior_current);
diff --git a/kernel/src/syscall/abi.rs b/kernel/src/syscall/abi.rs
new file mode 100644
index 0000000..ccad3e8
--- /dev/null
+++ b/kernel/src/syscall/abi.rs
@@ -0,0 +1,486 @@
+//! The syscall register ABI: number decode, argument/return register frames,
+//! the dispatch effect, and the value↔register packing helpers.
+//!
+//! This module instantiates [ADR-0030][adr-0030]'s calling convention (`x8` =
+//! number, `x0`–`x5` = arguments, `x0` = status, `x1`–`x7` = payload) and
+//! [ADR-0031][adr-0031]'s concrete v1 syscall numbers and per-call layouts. It
+//! is **pure, host-testable Rust** — no hardware, no `unsafe`: the trap frame
+//! save/restore and the EL0↔EL1 transition live in the BSP trampoline, and the
+//! validated user-memory access lives in [`super::user_access`]. Everything
+//! here is register *shuffling* over `u64` words, which is exactly what the
+//! host ABI tests pin.
+//!
+//! [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+//! [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+
+use crate::cap::CapHandle;
+use crate::ipc::{Message, RecvOutcome, SendOutcome};
+
+use super::error::SyscallError;
+
+/// The reserved handle word meaning "no capability" (`Option::<CapHandle>::None`).
+///
+/// Used for `send`'s transfer-handle argument (`x5`) and `recv`'s
+/// transferred-cap return (`x6`). A live [`CapHandle`] packs into the low 48
+/// bits (a `u16` index in bits `0..16`, a `u32` generation in bits `16..48`),
+/// so bits `48..64` are always clear for a real handle. `u64::MAX` therefore
+/// has its top bits set and **can never collide** with a real packed handle —
+/// the property [ADR-0031][adr-0031]'s null-handle sentinel note requires.
+///
+/// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+pub const NULL_CAP_HANDLE: u64 = u64::MAX;
+
+// Lock the sentinel-collision-freedom invariant at compile time. `encode_cap_handle`
+// packs `(generation as u64) << 16 | (index as u64)`; with the current
+// `CapHandle` component widths (`generation: u32`, `index: u16`) the widest
+// packable word is `(u32::MAX << 16) | u16::MAX` = bits 0..48 set. The sentinel
+// (`u64::MAX`) sets bits 48..64, so the two can never collide. If a future
+// `CapHandle` widening (or a change to the packing shift) pushes a packed word
+// up to or past the sentinel, this assertion fails the build — so the
+// "sentinel can never alias a live handle" guarantee cannot regress silently.
+const _: () = assert!(
+    NULL_CAP_HANDLE > (((u32::MAX as u64) << 16) | (u16::MAX as u64)),
+    "NULL_CAP_HANDLE must exceed every packable CapHandle word (see encode_cap_handle)"
+);
+
+/// The v1 syscall set, decoded from the `x8` register, per [ADR-0031][adr-0031].
+///
+/// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum SyscallNumber {
+    /// `1` — `ipc_send` on an endpoint capability (`SEND`).
+    Send,
+    /// `2` — `ipc_recv` on an endpoint capability (`RECV`).
+    Recv,
+    /// `3` — cooperative `task_yield` on the caller's own task.
+    TaskYield,
+    /// `4` — `task_exit` on the caller's own task (does not return).
+    TaskExit,
+    /// `5` — `console_write` through a debug-console capability. **Debug-gated**:
+    /// [`SyscallNumber::decode`] only recognises it under `debug_assertions`.
+    ConsoleWrite,
+}
+
+impl SyscallNumber {
+    /// Decode the raw `x8` value into a v1 syscall, or `None` if it names no
+    /// syscall (number `0` reserved-invalid, any number above the v1 ceiling,
+    /// or `console_write`'s number `5` in a **non-debug build**).
+    ///
+    /// The release **debug-gate** is implemented here as a `cfg!(debug_assertions)`
+    /// match guard (the mechanism [ADR-0031][adr-0031] left to T-021): in a
+    /// non-debug build, number `5` falls through to `None`, so the dispatcher
+    /// returns [`SyscallError::BadSyscallNumber`] and the debug console is
+    /// *absent* from the production syscall surface even for a holder of the
+    /// debug-console capability. `cfg!` (not `#[cfg]`) keeps the
+    /// [`SyscallNumber::ConsoleWrite`] arm compiled and referenced in every
+    /// build, so no dead-code arises in release.
+    ///
+    /// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+    #[must_use]
+    pub const fn decode(raw: u64) -> Option<Self> {
+        match raw {
+            1 => Some(Self::Send),
+            2 => Some(Self::Recv),
+            3 => Some(Self::TaskYield),
+            4 => Some(Self::TaskExit),
+            // Debug-gate: number 5 is only a syscall in a debug build.
+            5 if cfg!(debug_assertions) => Some(Self::ConsoleWrite),
+            // 0 (reserved-invalid), out-of-range, and 5-in-release → no syscall.
+            _ => None,
+        }
+    }
+
+    /// The raw `x8` number a userspace stub loads to invoke this syscall — the
+    /// inverse of [`SyscallNumber::decode`] for the recognised arms. Pinned by
+    /// the host tests so the integers cannot drift from [ADR-0031][adr-0031].
+    ///
+    /// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+    #[must_use]
+    pub const fn as_u64(self) -> u64 {
+        match self {
+            Self::Send => 1,
+            Self::Recv => 2,
+            Self::TaskYield => 3,
+            Self::TaskExit => 4,
+            Self::ConsoleWrite => 5,
+        }
+    }
+}
+
+/// The registers a syscall is invoked with: `x8` = number, `x0`–`x5` = args.
+///
+/// The BSP trampoline reads these from the saved trap frame and hands them to
+/// [`super::dispatch::dispatch`]; argument interpretation is syscall-specific
+/// per [ADR-0031][adr-0031]. `x6` / `x7` are reserved on entry and not carried.
+///
+/// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub struct SyscallArgs {
+    /// The syscall number from `x8`.
+    pub number: u64,
+    /// Argument words `x0`–`x5` (index `0` = `x0`).
+    pub args: [u64; 6],
+}
+
+/// The registers a syscall returns: `x0` = status, `x1`–`x7` = payload.
+///
+/// `status` is `0` ([`super::error::OK_STATUS`]) on success or a
+/// [`SyscallError::as_status`] code otherwise; `payload[i]` maps to register
+/// `x{i + 1}`. v1 uses at most `payload[0..6]` (`x1`–`x6`, for `recv`).
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub struct SyscallReturn {
+    /// The status word written to `x0`.
+    pub status: u64,
+    /// Payload words `x1`–`x7` (index `0` = `x1`).
+    pub payload: [u64; 7],
+}
+
+impl SyscallReturn {
+    /// A successful return with a zeroed payload (`x0 = 0`, `x1`–`x7 = 0`).
+    #[must_use]
+    pub const fn ok() -> Self {
+        Self {
+            status: super::error::OK_STATUS,
+            payload: [0; 7],
+        }
+    }
+
+    /// A failure return carrying `e`'s stable status in `x0` and a zeroed
+    /// payload (the payload registers are undefined on error per
+    /// [ADR-0030][adr-0030]; zeroing them is deterministic and leaks nothing).
+    ///
+    /// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+    #[must_use]
+    pub const fn error(e: SyscallError) -> Self {
+        Self {
+            status: e.as_status(),
+            payload: [0; 7],
+        }
+    }
+
+    /// Set payload word `x{IDX + 1}` to `val`, returning the updated frame.
+    ///
+    /// `IDX` is a **const generic** bounded to `0..7` (the seven payload
+    /// registers `x1`–`x7`) by the `const { assert!(IDX < 7) }` below: an
+    /// out-of-range index is a **compile error at the call site**, not a
+    /// runtime panic — so this builder cannot panic on any input, matching the
+    /// kernel's compile-time-guard discipline (cf. `SchedQueue::new`'s
+    /// `const { assert!(N > 0) }` and the `SyscallTrapFrame` `size_of` guard).
+    /// Every caller passes a literal `::<N>`, so the indexing is provably
+    /// in-bounds. (Closes the T-021 review-round nit on unchecked indexing.)
+    #[must_use]
+    pub const fn with_payload<const IDX: usize>(mut self, val: u64) -> Self {
+        const { assert!(IDX < 7, "SyscallReturn payload index must be < 7 (x1..x7)") };
+        self.payload[IDX] = val;
+        self
+    }
+}
+
+/// What the dispatcher decided the trampoline should do after a syscall.
+///
+/// The data-plane syscalls (`send` / `recv` / `console_write`) complete inside
+/// the dispatcher and produce [`SyscallEffect::Resume`]. The two control-plane
+/// syscalls return a *directive* the BSP glue acts on, because they touch the
+/// scheduler — which is raw-pointer-wired per [ADR-0021][adr-0021] and lives
+/// outside the dispatcher's pure data-plane surface. Keeping them as directives
+/// keeps the dispatcher host-testable without a live scheduler.
+///
+/// [adr-0021]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0021-raw-pointer-scheduler-ipc-bridge.md
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum SyscallEffect {
+    /// Write these registers into the trap frame and `ERET` back to the caller.
+    Resume(SyscallReturn),
+    /// `task_yield` (number `3`): the caller should run the cooperative
+    /// scheduler yield, then resume with status `Ok`. v1's BSP glue treats
+    /// this as plumbing — the real `yield_now` wiring lands in B6 when the
+    /// caller is a real EL0 scheduler task (ADR-0031).
+    Reschedule,
+    /// `task_exit` (number `4`) with the caller's exit code: terminate the
+    /// calling task; control does not return to it. v1's BSP glue is a
+    /// kernel-stub stand-in — real EL0-task termination lands in B6 once an
+    /// EL0 context register file exists (ADR-0031).
+    Terminate(u64),
+}
+
+// ── Capability-handle packing ─────────────────────────────────────────────────
+
+/// Pack an optional capability handle into a single register word.
+///
+/// `None` becomes the [`NULL_CAP_HANDLE`] sentinel; `Some(h)` packs the
+/// generation into bits `16..48` and the index into bits `0..16`. Used for
+/// `send`'s transfer handle and `recv`'s transferred-cap return.
+#[must_use]
+pub const fn encode_cap_handle(handle: Option<CapHandle>) -> u64 {
+    match handle {
+        None => NULL_CAP_HANDLE,
+        Some(h) => ((h.generation() as u64) << 16) | (h.index() as u64),
+    }
+}
+
+/// Unpack a register word into an optional capability handle.
+///
+/// The [`NULL_CAP_HANDLE`] sentinel decodes to `None`; any other word decodes
+/// to `Some(handle)` by splitting the low 48 bits into `(index, generation)`.
+/// The reconstructed handle is **not trusted** — [`crate::cap::CapabilityTable::lookup`]
+/// validates it against the live slot's generation, so a malformed or stale
+/// word simply fails lookup (see [`CapHandle::from_raw`]).
+#[must_use]
+#[allow(
+    clippy::cast_possible_truncation,
+    reason = "intentional ABI unpack: `word as u16` takes the index bits 0..16; \
+              `(word >> 16) as u32` takes the generation bits 16..48"
+)]
+pub const fn decode_cap_handle(word: u64) -> Option<CapHandle> {
+    if word == NULL_CAP_HANDLE {
+        None
+    } else {
+        let index = word as u16;
+        let generation = (word >> 16) as u32;
+        Some(CapHandle::from_raw(index, generation))
+    }
+}
+
+/// Unpack a register word as a **required** capability handle (no `None` case).
+///
+/// Used for arguments that always name a real object — `send` / `recv`'s
+/// endpoint handle (`x0`) and `console_write`'s debug-console handle (`x0`).
+/// A caller that passes the [`NULL_CAP_HANDLE`] sentinel (or any garbage) gets
+/// a handle that fails [`crate::cap::CapabilityTable::lookup`]: the sentinel's
+/// `index == 0xFFFF` is far past any table's capacity, so it resolves to
+/// `InvalidHandle` rather than aliasing a live slot.
+#[must_use]
+#[allow(
+    clippy::cast_possible_truncation,
+    reason = "intentional ABI unpack: `word as u16` takes the index bits 0..16; \
+              `(word >> 16) as u32` takes the generation bits 16..48"
+)]
+pub const fn decode_required_cap_handle(word: u64) -> CapHandle {
+    let index = word as u16;
+    let generation = (word >> 16) as u32;
+    CapHandle::from_raw(index, generation)
+}
+
+// ── Outcome packing ────────────────────────────────────────────────────────────
+
+/// `send`'s `x1` payload code for [`SendOutcome::Delivered`].
+pub const SEND_OUTCOME_DELIVERED: u64 = 0;
+/// `send`'s `x1` payload code for [`SendOutcome::Enqueued`].
+pub const SEND_OUTCOME_ENQUEUED: u64 = 1;
+/// `recv`'s `x1` payload code for a message having been received.
+pub const RECV_OUTCOME_RECEIVED: u64 = 0;
+/// `recv`'s `x1` payload code for no sender being ready (receiver registered).
+pub const RECV_OUTCOME_PENDING: u64 = 1;
+
+/// Encode a [`SendOutcome`] into `send`'s `x1` payload word.
+#[must_use]
+pub const fn encode_send_outcome(outcome: SendOutcome) -> u64 {
+    match outcome {
+        SendOutcome::Delivered => SEND_OUTCOME_DELIVERED,
+        SendOutcome::Enqueued => SEND_OUTCOME_ENQUEUED,
+    }
+}
+
+/// Encode a successful [`RecvOutcome`] into `recv`'s return registers.
+///
+/// Layout per [ADR-0031][adr-0031]: `x1` = outcome code, `x2` = `msg.label`,
+/// `x3`–`x5` = `msg.params[0..3]`, `x6` = transferred cap handle (or the
+/// [`NULL_CAP_HANDLE`] sentinel). `Pending` carries no message: `x1` = pending
+/// code and `x2`–`x6` are zeroed (deterministic; the ABI leaves them undefined).
+///
+/// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+#[must_use]
+pub const fn encode_recv_outcome(outcome: RecvOutcome) -> SyscallReturn {
+    match outcome {
+        RecvOutcome::Received { msg, cap } => SyscallReturn::ok()
+            .with_payload::<0>(RECV_OUTCOME_RECEIVED) // x1
+            .with_payload::<1>(msg.label) // x2
+            .with_payload::<2>(msg.params[0]) // x3
+            .with_payload::<3>(msg.params[1]) // x4
+            .with_payload::<4>(msg.params[2]) // x5
+            .with_payload::<5>(encode_cap_handle(cap)), // x6
+        RecvOutcome::Pending => SyscallReturn::ok().with_payload::<0>(RECV_OUTCOME_PENDING),
+    }
+}
+
+/// Decode the four-word [`Message`] body `send` carries in `x1`–`x4`.
+///
+/// `args` is the full `x0`–`x5` argument array; the message is `x1` = label,
+/// `x2`–`x4` = params. (The endpoint handle in `x0` and the transfer handle in
+/// `x5` are decoded separately by the dispatcher.)
+#[must_use]
+pub const fn decode_send_message(args: [u64; 6]) -> Message {
+    Message {
+        label: args[1],
+        params: [args[2], args[3], args[4]],
+    }
+}
+
+#[cfg(test)]
+#[allow(
+    clippy::unwrap_used,
+    clippy::expect_used,
+    clippy::panic,
+    reason = "tests may use pragmas forbidden in production kernel code"
+)]
+mod tests {
+    use super::{
+        decode_cap_handle, decode_required_cap_handle, decode_send_message, encode_cap_handle,
+        encode_recv_outcome, encode_send_outcome, SyscallNumber, SyscallReturn, NULL_CAP_HANDLE,
+        RECV_OUTCOME_PENDING, RECV_OUTCOME_RECEIVED, SEND_OUTCOME_DELIVERED, SEND_OUTCOME_ENQUEUED,
+    };
+    use crate::cap::CapHandle;
+    use crate::ipc::{Message, RecvOutcome, SendOutcome};
+
+    // ── number decode ────────────────────────────────────────────────────────
+
+    #[test]
+    fn decode_maps_v1_numbers() {
+        assert_eq!(SyscallNumber::decode(1), Some(SyscallNumber::Send));
+        assert_eq!(SyscallNumber::decode(2), Some(SyscallNumber::Recv));
+        assert_eq!(SyscallNumber::decode(3), Some(SyscallNumber::TaskYield));
+        assert_eq!(SyscallNumber::decode(4), Some(SyscallNumber::TaskExit));
+    }
+
+    #[test]
+    fn decode_zero_is_reserved_invalid() {
+        // Number 0 must never name a syscall — an uninitialised x8 faults.
+        assert_eq!(SyscallNumber::decode(0), None);
+    }
+
+    #[test]
+    fn decode_out_of_range_is_none() {
+        assert_eq!(SyscallNumber::decode(6), None);
+        assert_eq!(SyscallNumber::decode(99), None);
+        assert_eq!(SyscallNumber::decode(u64::MAX), None);
+    }
+
+    #[test]
+    fn as_u64_round_trips_recognised_numbers() {
+        for n in [
+            SyscallNumber::Send,
+            SyscallNumber::Recv,
+            SyscallNumber::TaskYield,
+            SyscallNumber::TaskExit,
+        ] {
+            assert_eq!(SyscallNumber::decode(n.as_u64()), Some(n));
+        }
+        // console_write's number round-trips only where it is a syscall.
+        assert_eq!(SyscallNumber::ConsoleWrite.as_u64(), 5);
+    }
+
+    #[test]
+    #[cfg(debug_assertions)]
+    fn console_write_is_a_syscall_in_debug_builds() {
+        assert_eq!(SyscallNumber::decode(5), Some(SyscallNumber::ConsoleWrite));
+    }
+
+    #[test]
+    #[cfg(not(debug_assertions))]
+    fn console_write_is_absent_in_release_builds() {
+        // The release debug-gate: number 5 names no syscall, so the dispatcher
+        // returns BadSyscallNumber even for a debug-console capability holder.
+        assert_eq!(SyscallNumber::decode(5), None);
+    }
+
+    // ── capability-handle packing ────────────────────────────────────────────
+
+    #[test]
+    fn none_round_trips_through_null_sentinel() {
+        assert_eq!(encode_cap_handle(None), NULL_CAP_HANDLE);
+        assert_eq!(decode_cap_handle(NULL_CAP_HANDLE), None);
+    }
+
+    #[test]
+    fn some_handle_round_trips() {
+        let h = CapHandle::from_raw(0x1234, 0xDEAD_BEEF);
+        let word = encode_cap_handle(Some(h));
+        // Top 16 bits stay clear, so the sentinel can never collide.
+        assert_eq!(word >> 48, 0);
+        let decoded = decode_cap_handle(word).expect("non-sentinel word decodes to Some");
+        assert_eq!(decoded.index(), 0x1234);
+        assert_eq!(decoded.generation(), 0xDEAD_BEEF);
+    }
+
+    #[test]
+    fn required_handle_decode_ignores_sentinel_semantics() {
+        // A required-handle slot never means "none"; decoding the sentinel
+        // yields an out-of-range handle (index 0xFFFF) that fails lookup.
+        let h = decode_required_cap_handle(NULL_CAP_HANDLE);
+        assert_eq!(h.index(), 0xFFFF);
+        assert_eq!(h.generation(), 0xFFFF_FFFF);
+    }
+
+    // ── outcome packing ──────────────────────────────────────────────────────
+
+    #[test]
+    fn send_outcome_codes() {
+        assert_eq!(
+            encode_send_outcome(SendOutcome::Delivered),
+            SEND_OUTCOME_DELIVERED
+        );
+        assert_eq!(
+            encode_send_outcome(SendOutcome::Enqueued),
+            SEND_OUTCOME_ENQUEUED
+        );
+    }
+
+    #[test]
+    fn recv_received_packs_message_and_cap() {
+        let msg = Message {
+            label: 0xAA,
+            params: [0xB0, 0xB1, 0xB2],
+        };
+        let cap = CapHandle::from_raw(7, 3);
+        let r = encode_recv_outcome(RecvOutcome::Received {
+            msg,
+            cap: Some(cap),
+        });
+        assert_eq!(r.status, 0);
+        assert_eq!(r.payload[0], RECV_OUTCOME_RECEIVED); // x1
+        assert_eq!(r.payload[1], 0xAA); // x2 label
+        assert_eq!(r.payload[2], 0xB0); // x3 param0
+        assert_eq!(r.payload[3], 0xB1); // x4 param1
+        assert_eq!(r.payload[4], 0xB2); // x5 param2
+        assert_eq!(decode_cap_handle(r.payload[5]), Some(cap)); // x6 cap
+    }
+
+    #[test]
+    fn recv_received_without_cap_packs_null_sentinel() {
+        let msg = Message::default();
+        let r = encode_recv_outcome(RecvOutcome::Received { msg, cap: None });
+        assert_eq!(r.payload[0], RECV_OUTCOME_RECEIVED);
+        assert_eq!(r.payload[5], NULL_CAP_HANDLE);
+        assert_eq!(decode_cap_handle(r.payload[5]), None);
+    }
+
+    #[test]
+    fn recv_pending_packs_pending_code_and_zeroes_rest() {
+        let r = encode_recv_outcome(RecvOutcome::Pending);
+        assert_eq!(r.status, 0);
+        assert_eq!(r.payload[0], RECV_OUTCOME_PENDING);
+        // x2..x7 zeroed for determinism.
+        assert_eq!(&r.payload[1..], &[0, 0, 0, 0, 0, 0]);
+    }
+
+    #[test]
+    fn decode_send_message_reads_label_and_params() {
+        let args = [0xEEEE, 0x11, 0x22, 0x33, 0x44, NULL_CAP_HANDLE];
+        let msg = decode_send_message(args);
+        assert_eq!(msg.label, 0x11); // x1
+        assert_eq!(msg.params, [0x22, 0x33, 0x44]); // x2..x4
+    }
+
+    #[test]
+    fn syscall_return_with_payload_sets_indexed_word() {
+        let r = SyscallReturn::ok().with_payload::<2>(0x99);
+        assert_eq!(r.payload[2], 0x99);
+        assert_eq!(r.status, 0);
+        // Builder chains compose; each `::<IDX>` is a compile-time-bounded index
+        // (an out-of-range `::<7>` would fail to compile, not panic).
+        let r2 = SyscallReturn::ok()
+            .with_payload::<0>(0x11)
+            .with_payload::<6>(0x77);
+        assert_eq!(r2.payload[0], 0x11);
+        assert_eq!(r2.payload[6], 0x77);
+    }
+}
diff --git a/kernel/src/syscall/dispatch.rs b/kernel/src/syscall/dispatch.rs
new file mode 100644
index 0000000..6eb8ef5
--- /dev/null
+++ b/kernel/src/syscall/dispatch.rs
@@ -0,0 +1,1017 @@
+//! The panic-free syscall dispatcher.
+//!
+//! [`dispatch`] decodes the `x8` syscall number, validates the caller's
+//! capabilities, performs the operation through an existing kernel primitive,
+//! and produces a [`SyscallEffect`] for the BSP trampoline to apply. It is the
+//! single most security-sensitive control-flow join in the kernel, so it is
+//! held to one hard rule from [ADR-0030][adr-0030] / B0's hardening pattern:
+//!
+//! > **No path may `panic!` / `unwrap` / `expect` on any register-supplied
+//! > input.** Every failure — bad number, missing/stale/wrong-kind capability,
+//! > out-of-bounds pointer — returns a typed [`SyscallError`] as a value.
+//!
+//! The dispatcher operates on the **data plane** (capabilities, IPC, console,
+//! user memory) and is pure, host-testable Rust over kernel state references.
+//! The two **control-plane** syscalls (`task_yield` / `task_exit`) return a
+//! [`SyscallEffect`] directive instead of touching the scheduler directly,
+//! because the scheduler is raw-pointer-wired per [ADR-0021][adr-0021] and
+//! generic over the BSP CPU — keeping them as directives keeps `dispatch`
+//! testable without a live scheduler and matches [ADR-0031][adr-0031]'s "B5
+//! lands the dispatch; real EL0 yield/termination is B6" split.
+//!
+//! Every object-naming syscall performs a capability check before any effect
+//! ([P1 / P4][principles]): `send` / `recv` validate the endpoint capability
+//! inside [`ipc_send`] / [`ipc_recv`]; `console_write` validates a debug-console
+//! capability here before a single byte is emitted. `task_yield` / `task_exit`
+//! act only on the trusted current-task identity (no object-capability argument).
+//!
+//! [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+//! [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+//! [adr-0021]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0021-raw-pointer-scheduler-ipc-bridge.md
+//! [principles]: https://github.com/HodeTech/Tyrne/blob/main/docs/standards/architectural-principles.md
+
+use tyrne_hal::Console;
+
+use crate::cap::{CapError, CapHandle, CapKind, CapRights, CapabilityTable};
+use crate::ipc::{ipc_recv, ipc_send, IpcQueues};
+use crate::obj::EndpointArena;
+
+use super::abi::{
+    decode_required_cap_handle, decode_send_message, encode_recv_outcome, encode_send_outcome,
+    SyscallArgs, SyscallEffect, SyscallNumber, SyscallReturn,
+};
+use super::error::SyscallError;
+use super::user_access::{copy_from_user, UserAccessWindow};
+
+/// Maximum bytes `console_write` stages through its kernel stack buffer per
+/// chunk. The handler validates the whole `[ptr, ptr + len)` range up front,
+/// then copies and emits in chunks of this size — bounding the kernel-stack
+/// footprint regardless of the userspace length argument.
+const CONSOLE_WRITE_CHUNK: usize = 256;
+
+/// The kernel state a single syscall dispatch reads and mutates.
+///
+/// The BSP trampoline builds this from its statics (the active task's IPC
+/// arena / queues, the caller's capability table, the console, and the active
+/// address space's user-access window) and hands it to [`dispatch`] for the
+/// duration of one syscall. The borrows live only across the dispatch call —
+/// they never cross a context switch, honouring the [ADR-0021][adr-0021]
+/// no-`&mut`-across-switch discipline (the data-plane syscalls do not switch;
+/// the control-plane ones return a directive *before* any switch happens).
+///
+/// `caller_table` is the **current task's** capability table. In B5 the only
+/// `SVC` comes from an EL1 kernel-stub, so the BSP passes a dedicated stub
+/// table; B6 wires the scheduler's current-task table once a real EL0 task
+/// exists. Either way the dispatcher never lets a syscall name a capability
+/// outside this one table — the per-subject unforgeability [ADR-0014][adr-0014]
+/// guarantees.
+///
+/// [adr-0021]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0021-raw-pointer-scheduler-ipc-bridge.md
+/// [adr-0014]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0014-capability-representation.md
+pub struct SyscallContext<'a> {
+    /// The endpoint kernel-object arena `send` / `recv` resolve handles against.
+    pub ep_arena: &'a mut EndpointArena,
+    /// The IPC waiter-state queues `send` / `recv` advance.
+    pub queues: &'a mut IpcQueues,
+    /// The calling task's capability table — the only table any syscall in this
+    /// dispatch may name a capability in.
+    pub caller_table: &'a mut CapabilityTable,
+    /// The debug console `console_write` emits to after its capability check.
+    pub console: &'a dyn Console,
+    /// The active address space's user-accessible window, validated against by
+    /// `console_write`'s copy-from-user.
+    pub user_window: UserAccessWindow,
+}
+
+/// Decode and execute one syscall, returning the trampoline's next action.
+///
+/// **Panic-free on every input.** An unrecognised number (including `0` and the
+/// debug-gated `console_write` in release) yields
+/// [`SyscallError::BadSyscallNumber`]; every capability / pointer failure yields
+/// a typed [`SyscallError`] as a value. No register-supplied value can drive
+/// this function to `panic!` / `unwrap` / `expect`.
+#[must_use]
+pub fn dispatch(ctx: &mut SyscallContext<'_>, args: SyscallArgs) -> SyscallEffect {
+    let Some(number) = SyscallNumber::decode(args.number) else {
+        // Number 0 (reserved-invalid), out-of-range, or console_write in a
+        // non-debug build (the release debug-gate): no capability is touched.
+        return SyscallEffect::Resume(SyscallReturn::error(SyscallError::BadSyscallNumber));
+    };
+    match number {
+        SyscallNumber::Send => SyscallEffect::Resume(sys_send(ctx, args.args)),
+        SyscallNumber::Recv => SyscallEffect::Resume(sys_recv(ctx, args.args)),
+        // Control-plane: act on the caller's own task; see SyscallEffect.
+        SyscallNumber::TaskYield => SyscallEffect::Reschedule,
+        SyscallNumber::TaskExit => SyscallEffect::Terminate(args.args[0]),
+        SyscallNumber::ConsoleWrite => SyscallEffect::Resume(sys_console_write(ctx, args.args)),
+    }
+}
+
+/// `send` (number `1`): `ipc_send` on the endpoint capability in `x0`.
+///
+/// `x0` = endpoint cap handle, `x1` = `msg.label`, `x2`–`x4` = `msg.params`,
+/// `x5` = transfer cap handle (or the null sentinel). The endpoint capability
+/// check (`SEND` right, right kind, live object) happens inside [`ipc_send`];
+/// its [`IpcError`][crate::ipc::IpcError] composes into [`SyscallError::Ipc`].
+fn sys_send(ctx: &mut SyscallContext<'_>, args: [u64; 6]) -> SyscallReturn {
+    let ep_cap = decode_required_cap_handle(args[0]);
+    let msg = decode_send_message(args);
+    let transfer = super::abi::decode_cap_handle(args[5]);
+    // Disjoint field reborrows: ep_arena / queues / caller_table are distinct
+    // fields, so the three `&mut` reborrows do not alias.
+    match ipc_send(
+        &mut *ctx.ep_arena,
+        &mut *ctx.queues,
+        ep_cap,
+        &mut *ctx.caller_table,
+        msg,
+        transfer,
+    ) {
+        Ok(outcome) => SyscallReturn::ok().with_payload::<0>(encode_send_outcome(outcome)),
+        Err(e) => SyscallReturn::error(SyscallError::from(e)),
+    }
+}
+
+/// `recv` (number `2`): `ipc_recv` on the endpoint capability in `x0`.
+///
+/// `x0` = endpoint cap handle. On success the message + optional transferred
+/// capability pack into `x1`–`x6` per [`encode_recv_outcome`]. The endpoint
+/// capability check (`RECV` right, right kind, live object) happens inside
+/// [`ipc_recv`]; its error composes into [`SyscallError::Ipc`].
+fn sys_recv(ctx: &mut SyscallContext<'_>, args: [u64; 6]) -> SyscallReturn {
+    let ep_cap = decode_required_cap_handle(args[0]);
+    match ipc_recv(
+        &mut *ctx.ep_arena,
+        &mut *ctx.queues,
+        ep_cap,
+        &mut *ctx.caller_table,
+    ) {
+        Ok(outcome) => encode_recv_outcome(outcome),
+        Err(e) => SyscallReturn::error(SyscallError::from(e)),
+    }
+}
+
+/// `console_write` (number `5`, debug-gated): emit a user buffer to the console.
+///
+/// `x0` = debug-console cap handle, `x1` = user VA of the buffer, `x2` = length.
+/// Two independent gates, in order: (1) the **capability gate** — the cap must
+/// resolve, be [`CapKind::DebugConsole`], and carry [`CapRights::CONSOLE_WRITE`]
+/// (all builds; the [P1 / P4][principles] authority check); (2) the **debug
+/// gate** — number `5` only reaches here in a debug build ([`SyscallNumber::decode`]
+/// returns `None` for it in release). Only after the capability check passes is
+/// the buffer range validated and copied through [`copy_from_user`]; the raw
+/// user pointer is never dereferenced before both the cap check and the range
+/// check succeed.
+///
+/// [principles]: https://github.com/HodeTech/Tyrne/blob/main/docs/standards/architectural-principles.md
+#[allow(
+    clippy::cast_possible_truncation,
+    reason = "Tyrne targets are 64-bit (aarch64 kernel / x86-64 host tests); \
+              usize == u64, so the u64 register words → usize casts are lossless"
+)]
+fn sys_console_write(ctx: &mut SyscallContext<'_>, args: [u64; 6]) -> SyscallReturn {
+    let cons_cap = decode_required_cap_handle(args[0]);
+    let ptr = args[1] as usize;
+    let len = args[2] as usize;
+
+    // Gate 1 — capability (authority). Validate before any output or any read
+    // of the user buffer; a stale / wrong-kind / no-CONSOLE_WRITE cap returns a
+    // typed Cap-family error with the console untouched.
+    if let Err(e) = validate_debug_console_cap(&*ctx.caller_table, cons_cap) {
+        return SyscallReturn::error(SyscallError::from(e));
+    }
+
+    // Validate the WHOLE range up front so a faulting buffer emits *nothing*
+    // (no partial output before the fault is detected).
+    if let Err(e) = ctx.user_window.validate(ptr, len) {
+        return SyscallReturn::error(e);
+    }
+
+    // Copy + emit in bounded chunks through a kernel stack buffer.
+    //
+    // Unreachability of the three defensive error arms below (kept for totality,
+    // never hit on this path): the up-front `validate(ptr, len)` proved that
+    // `ptr + len` does not overflow `usize` AND that `[ptr, ptr + len)` is wholly
+    // inside the active window. The loop invariant `0 <= offset < len` then gives
+    // `ptr + offset <= ptr + len` (no overflow → `checked_add` is `Some`) and
+    // `[chunk_ptr, chunk_ptr + chunk) ⊆ [ptr, ptr + len)` (a sub-range of the
+    // validated whole → `copy_from_user`'s re-validation is `Ok`), and
+    // `offset + chunk <= len` (no overflow → `checked_add` is `Some`). The arms
+    // exist only so the function is total even if a future refactor weakens the
+    // up-front check.
+    let mut buf = [0u8; CONSOLE_WRITE_CHUNK];
+    let mut offset: usize = 0;
+    while offset < len {
+        // `wrapping_sub` cannot wrap (offset < len) and satisfies the
+        // arithmetic-side-effects lint; `min` bounds the chunk to the buffer.
+        let remaining = len.wrapping_sub(offset);
+        let chunk = core::cmp::min(remaining, CONSOLE_WRITE_CHUNK);
+        let Some(chunk_ptr) = ptr.checked_add(offset) else {
+            return SyscallReturn::error(SyscallError::FaultAddress);
+        };
+        if let Err(e) = copy_from_user(&ctx.user_window, chunk_ptr, &mut buf[..chunk]) {
+            return SyscallReturn::error(e);
+        }
+        ctx.console.write_bytes(&buf[..chunk]);
+        let Some(next) = offset.checked_add(chunk) else {
+            return SyscallReturn::error(SyscallError::FaultAddress);
+        };
+        offset = next;
+    }
+
+    // x1 = bytes written (all of them, on success).
+    SyscallReturn::ok().with_payload::<0>(len as u64)
+}
+
+/// Validate that `cons_cap` authorises a console write: it must resolve in the
+/// caller's table, name the [`CapKind::DebugConsole`] singleton, and carry the
+/// [`CapRights::CONSOLE_WRITE`] right.
+///
+/// Returns the in-kernel [`CapError`] so the caller composes it into
+/// [`SyscallError::Cap`]; the resolve → kind → rights order mirrors the IPC
+/// capability-validation order ([ADR-0030][adr-0030]'s taxonomy).
+///
+/// # Errors
+///
+/// - [`CapError::InvalidHandle`] — the handle did not resolve (stale / absent).
+/// - [`CapError::WrongKind`] — the capability is not a debug-console capability.
+/// - [`CapError::InsufficientRights`] — it lacks [`CapRights::CONSOLE_WRITE`].
+///
+/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+fn validate_debug_console_cap(
+    table: &CapabilityTable,
+    cons_cap: CapHandle,
+) -> Result<(), CapError> {
+    let cap = table.lookup(cons_cap)?;
+    if cap.kind() != CapKind::DebugConsole {
+        return Err(CapError::WrongKind);
+    }
+    if !cap.rights().contains(CapRights::CONSOLE_WRITE) {
+        return Err(CapError::InsufficientRights);
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+#[allow(
+    clippy::unwrap_used,
+    clippy::expect_used,
+    clippy::panic,
+    clippy::arithmetic_side_effects,
+    clippy::cast_possible_truncation,
+    reason = "tests may use pragmas forbidden in production kernel code"
+)]
+mod tests {
+    use super::{dispatch, SyscallContext, CONSOLE_WRITE_CHUNK};
+    use crate::cap::{CapHandle, CapObject, CapRights, Capability, CapabilityTable};
+    use crate::ipc::IpcError;
+    use crate::ipc::IpcQueues;
+    use crate::obj::endpoint::{create_endpoint, Endpoint, EndpointArena};
+    use crate::syscall::abi::{
+        decode_cap_handle, encode_cap_handle, SyscallArgs, SyscallEffect, SyscallNumber,
+        NULL_CAP_HANDLE, RECV_OUTCOME_PENDING, RECV_OUTCOME_RECEIVED, SEND_OUTCOME_ENQUEUED,
+    };
+    use crate::syscall::error::SyscallError;
+    use crate::syscall::user_access::UserAccessWindow;
+    use tyrne_test_hal::FakeConsole;
+
+    // ── fixtures ─────────────────────────────────────────────────────────────
+
+    /// Mint a debug-console capability with `CONSOLE_WRITE` in a fresh table,
+    /// returning `(table, handle)`.
+    fn table_with_console_cap() -> (CapabilityTable, CapHandle) {
+        let mut table = CapabilityTable::new();
+        let h = table
+            .insert_root(Capability::new(
+                CapRights::CONSOLE_WRITE,
+                CapObject::DebugConsole,
+            ))
+            .unwrap();
+        (table, h)
+    }
+
+    /// A `SyscallArgs` whose number is `n` and whose arg words are `args`.
+    fn call(n: SyscallNumber, args: [u64; 6]) -> SyscallArgs {
+        SyscallArgs {
+            number: n.as_u64(),
+            args,
+        }
+    }
+
+    // ── number decode ────────────────────────────────────────────────────────
+
+    #[test]
+    fn bad_number_zero_returns_bad_syscall_number_touching_nothing() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            SyscallArgs {
+                number: 0,
+                args: [0; 6],
+            },
+        );
+        match effect {
+            SyscallEffect::Resume(r) => {
+                assert_eq!(r.status, SyscallError::BadSyscallNumber.as_status());
+            }
+            other => panic!("expected Resume(BadSyscallNumber), got {other:?}"),
+        }
+        assert!(console.captured().is_empty());
+    }
+
+    #[test]
+    fn out_of_range_number_returns_bad_syscall_number() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            SyscallArgs {
+                number: 99,
+                args: [0; 6],
+            },
+        );
+        assert_eq!(
+            effect,
+            SyscallEffect::Resume(super::SyscallReturn::error(SyscallError::BadSyscallNumber))
+        );
+    }
+
+    // ── control-plane routing ────────────────────────────────────────────────
+
+    #[test]
+    fn task_yield_routes_to_reschedule() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        assert_eq!(
+            dispatch(&mut ctx, call(SyscallNumber::TaskYield, [0; 6])),
+            SyscallEffect::Reschedule
+        );
+    }
+
+    #[test]
+    fn task_exit_routes_to_terminate_with_code() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        assert_eq!(
+            dispatch(
+                &mut ctx,
+                call(SyscallNumber::TaskExit, [0x2A, 0, 0, 0, 0, 0])
+            ),
+            SyscallEffect::Terminate(0x2A)
+        );
+    }
+
+    // ── send / recv ──────────────────────────────────────────────────────────
+
+    #[test]
+    fn send_with_no_receiver_enqueues_and_returns_ok() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let ep = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        let ep_cap = table
+            .insert_root(Capability::new(
+                CapRights::SEND | CapRights::RECV,
+                CapObject::Endpoint(ep),
+            ))
+            .unwrap();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let cap_word = encode_cap_handle(Some(ep_cap));
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::Send,
+                [cap_word, 0xAB, 1, 2, 3, encode_cap_handle(None)],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => {
+                assert_eq!(r.status, 0, "send must succeed");
+                assert_eq!(r.payload[0], SEND_OUTCOME_ENQUEUED);
+            }
+            other => panic!("expected Resume, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn send_without_send_right_returns_typed_ipc_missing_right() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let ep = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        // RECV only — no SEND. ipc_send → MissingRight → SyscallError::Ipc.
+        let ep_cap = table
+            .insert_root(Capability::new(CapRights::RECV, CapObject::Endpoint(ep)))
+            .unwrap();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let cap_word = encode_cap_handle(Some(ep_cap));
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::Send,
+                [cap_word, 0, 0, 0, 0, encode_cap_handle(None)],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(
+                r.status,
+                SyscallError::Ipc(crate::ipc::IpcError::MissingRight).as_status()
+            ),
+            other => panic!("expected Resume(error), got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn recv_of_enqueued_message_unpacks_into_registers() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let ep = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        let ep_cap = table
+            .insert_root(Capability::new(
+                CapRights::SEND | CapRights::RECV,
+                CapObject::Endpoint(ep),
+            ))
+            .unwrap();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let cap_word = encode_cap_handle(Some(ep_cap));
+        // Enqueue a message via the send syscall.
+        let _ = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::Send,
+                [cap_word, 0x55, 7, 8, 9, encode_cap_handle(None)],
+            ),
+        );
+        // Receive it back.
+        let effect = dispatch(
+            &mut ctx,
+            call(SyscallNumber::Recv, [cap_word, 0, 0, 0, 0, 0]),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => {
+                assert_eq!(r.status, 0);
+                assert_eq!(r.payload[0], RECV_OUTCOME_RECEIVED); // x1
+                assert_eq!(r.payload[1], 0x55); // x2 label
+                assert_eq!(r.payload[2], 7); // x3 param0
+                assert_eq!(r.payload[3], 8); // x4 param1
+                assert_eq!(r.payload[4], 9); // x5 param2
+            }
+            other => panic!("expected Resume(Received), got {other:?}"),
+        }
+    }
+
+    // ── review-round follow-up: end-to-end transfer + Pending + chunk boundary ─
+    //
+    // These close the dispatch-level coverage gaps the T-021 review-round
+    // surfaced: the transfer-cap wiring (x5 decode → ipc_send cap_take, and
+    // ipc_recv install → x6 pack) had no through-dispatch test, nor did the
+    // RecvOutcome::Pending register packing or the exact one-chunk boundary.
+
+    #[test]
+    fn send_with_transfer_cap_then_recv_returns_cap_in_x6() {
+        // Exercises the x5 transfer-handle decode → `ipc_send` `cap_take` AND the
+        // `ipc_recv` → `encode_recv_outcome` x6 cap-pack, end-to-end through
+        // `dispatch` — wiring no existing dispatch test covered (every other send
+        // test passes the null sentinel; the recv test never asserts x6).
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        // ep1: the comm endpoint (SEND|RECV). ep2: the object whose cap we move.
+        let ep1 = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        let ep2 = create_endpoint(&mut ep_arena, Endpoint::new(1)).unwrap();
+        let ep_cap = table
+            .insert_root(Capability::new(
+                CapRights::SEND | CapRights::RECV,
+                CapObject::Endpoint(ep1),
+            ))
+            .unwrap();
+        // The transferred cap needs the TRANSFER right (ipc_send enforces it).
+        let xfer_cap = table
+            .insert_root(Capability::new(
+                CapRights::TRANSFER,
+                CapObject::Endpoint(ep2),
+            ))
+            .unwrap();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let ep_word = encode_cap_handle(Some(ep_cap));
+
+        // send with the transfer handle in x5.
+        let send_effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::Send,
+                [ep_word, 0x77, 0, 0, 0, encode_cap_handle(Some(xfer_cap))],
+            ),
+        );
+        assert!(
+            matches!(send_effect, SyscallEffect::Resume(r) if r.status == 0),
+            "send-with-transfer must succeed, got {send_effect:?}"
+        );
+        // The transferred cap left the sender's table (cap_take).
+        assert!(
+            ctx.caller_table.lookup(xfer_cap).is_err(),
+            "transferred cap must be taken out of the sender's table"
+        );
+
+        // recv collects the message AND the transferred cap (x6).
+        let recv_effect = dispatch(
+            &mut ctx,
+            call(SyscallNumber::Recv, [ep_word, 0, 0, 0, 0, 0]),
+        );
+        let SyscallEffect::Resume(r) = recv_effect else {
+            panic!("expected Resume from recv, got {recv_effect:?}");
+        };
+        assert_eq!(r.status, 0);
+        assert_eq!(r.payload[0], RECV_OUTCOME_RECEIVED); // x1
+        assert_eq!(r.payload[1], 0x77); // x2 label
+                                        // x6 carries the transferred cap as a non-null handle that resolves.
+        assert_ne!(r.payload[5], NULL_CAP_HANDLE, "x6 must carry a real handle");
+        let received = decode_cap_handle(r.payload[5]).expect("x6 decodes to Some(handle)");
+        assert!(
+            ctx.caller_table.lookup(received).is_ok(),
+            "the transferred cap must be installed in the receiver's table"
+        );
+    }
+
+    #[test]
+    fn send_with_stale_transfer_handle_returns_invalid_transfer_cap() {
+        // A valid endpoint cap but a transfer handle (x5) that resolves to
+        // nothing: `ipc_send`'s transfer pre-flight returns `InvalidTransferCap`,
+        // composing into `SyscallError::Ipc(InvalidTransferCap)` (status 0x205).
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let ep = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        let ep_cap = table
+            .insert_root(Capability::new(CapRights::SEND, CapObject::Endpoint(ep)))
+            .unwrap();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        // x5 = a handle naming no live slot (index far past CAP_TABLE_CAPACITY).
+        let stale_xfer = encode_cap_handle(Some(CapHandle::from_raw(50, 7)));
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::Send,
+                [encode_cap_handle(Some(ep_cap)), 0, 0, 0, 0, stale_xfer],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(
+                r.status,
+                SyscallError::Ipc(IpcError::InvalidTransferCap).as_status()
+            ),
+            other => panic!("expected Resume(InvalidTransferCap), got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn recv_with_no_sender_returns_pending_packing() {
+        // recv on an endpoint with no waiting sender returns RecvOutcome::Pending:
+        // status Ok, x1 = pending code, x2..x7 zeroed (deterministic).
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        let ep = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        let ep_cap = table
+            .insert_root(Capability::new(CapRights::RECV, CapObject::Endpoint(ep)))
+            .unwrap();
+        let console = FakeConsole::new();
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::empty(),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::Recv,
+                [encode_cap_handle(Some(ep_cap)), 0, 0, 0, 0, 0],
+            ),
+        );
+        let SyscallEffect::Resume(r) = effect else {
+            panic!("expected Resume(Pending), got {effect:?}");
+        };
+        assert_eq!(r.status, 0);
+        assert_eq!(r.payload[0], RECV_OUTCOME_PENDING); // x1
+        assert_eq!(
+            &r.payload[1..],
+            &[0, 0, 0, 0, 0, 0],
+            "x2..x7 must be zeroed on Pending"
+        );
+    }
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated
+    fn console_write_exactly_one_chunk_emits_all_bytes() {
+        // Boundary: len == CONSOLE_WRITE_CHUNK exercises the `offset < len` loop
+        // termination exactly — one chunk, then offset == len, no spurious extra
+        // chunk / off-by-one.
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (mut table, cons_cap) = table_with_console_cap();
+        let console = FakeConsole::new();
+        let backing: Vec<u8> = (0..CONSOLE_WRITE_CHUNK).map(|i| (i % 251) as u8).collect();
+        let base = backing.as_ptr() as usize;
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [
+                    encode_cap_handle(Some(cons_cap)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(r.payload[0], CONSOLE_WRITE_CHUNK as u64),
+            other => panic!("expected Resume(ok), got {other:?}"),
+        }
+        assert_eq!(console.captured(), backing);
+    }
+
+    // ── console_write: capability gate ───────────────────────────────────────
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated; release path tested separately
+    fn console_write_with_no_cap_returns_cap_invalid_handle_no_output() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new(); // empty: handle resolves to nothing
+        let console = FakeConsole::new();
+        let backing = b"hello".to_vec();
+        let base = backing.as_ptr() as usize;
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        let bogus = encode_cap_handle(Some(CapHandle::from_raw(0, 0)));
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [bogus, base as u64, backing.len() as u64, 0, 0, 0],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(
+                r.status,
+                SyscallError::Cap(crate::cap::CapError::InvalidHandle).as_status()
+            ),
+            other => panic!("expected Resume(Cap error), got {other:?}"),
+        }
+        assert!(
+            console.captured().is_empty(),
+            "no byte may be emitted when the capability check fails"
+        );
+    }
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated; release path tested separately
+    fn console_write_with_wrong_kind_cap_returns_cap_wrong_kind() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        // An endpoint cap where a debug-console cap is required.
+        let ep = create_endpoint(&mut ep_arena, Endpoint::new(0)).unwrap();
+        let wrong = table
+            .insert_root(Capability::new(
+                CapRights::CONSOLE_WRITE, // even with the right bit, wrong kind
+                CapObject::Endpoint(ep),
+            ))
+            .unwrap();
+        let console = FakeConsole::new();
+        let backing = b"hi".to_vec();
+        let base = backing.as_ptr() as usize;
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [
+                    encode_cap_handle(Some(wrong)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(
+                r.status,
+                SyscallError::Cap(crate::cap::CapError::WrongKind).as_status()
+            ),
+            other => panic!("expected Resume(WrongKind), got {other:?}"),
+        }
+        assert!(console.captured().is_empty());
+    }
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated; release path tested separately
+    fn console_write_without_write_right_returns_insufficient_rights() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let mut table = CapabilityTable::new();
+        // Debug-console cap WITHOUT the CONSOLE_WRITE right.
+        let cap = table
+            .insert_root(Capability::new(CapRights::empty(), CapObject::DebugConsole))
+            .unwrap();
+        let console = FakeConsole::new();
+        let backing = b"hi".to_vec();
+        let base = backing.as_ptr() as usize;
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [
+                    encode_cap_handle(Some(cap)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(
+                r.status,
+                SyscallError::Cap(crate::cap::CapError::InsufficientRights).as_status()
+            ),
+            other => panic!("expected Resume(InsufficientRights), got {other:?}"),
+        }
+        assert!(console.captured().is_empty());
+    }
+
+    // ── console_write: happy path + fault ────────────────────────────────────
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated; release path tested separately
+    fn console_write_emits_buffer_and_returns_byte_count() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (mut table, cons_cap) = table_with_console_cap();
+        let console = FakeConsole::new();
+        let message = b"tyrne: hello via console_write\n";
+        let backing = message.to_vec();
+        let base = backing.as_ptr() as usize; // expose provenance
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [
+                    encode_cap_handle(Some(cons_cap)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => {
+                assert_eq!(r.status, 0);
+                assert_eq!(r.payload[0], backing.len() as u64); // x1 = bytes written
+            }
+            other => panic!("expected Resume(ok), got {other:?}"),
+        }
+        assert_eq!(console.captured(), backing);
+    }
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated; release path tested separately
+    fn console_write_spanning_multiple_chunks_emits_all_bytes() {
+        // Exercise the chunking loop: a buffer larger than one chunk.
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (mut table, cons_cap) = table_with_console_cap();
+        let console = FakeConsole::new();
+        let len = CONSOLE_WRITE_CHUNK * 2 + 7;
+        let backing: Vec<u8> = (0..len).map(|i| (i % 251) as u8).collect();
+        let base = backing.as_ptr() as usize;
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [
+                    encode_cap_handle(Some(cons_cap)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => assert_eq!(r.payload[0], len as u64),
+            other => panic!("expected Resume(ok), got {other:?}"),
+        }
+        assert_eq!(console.captured(), backing);
+    }
+
+    #[test]
+    #[cfg(debug_assertions)] // console_write number 5 is debug-gated; release path tested separately
+    fn console_write_out_of_range_buffer_faults_without_output() {
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (mut table, cons_cap) = table_with_console_cap();
+        let console = FakeConsole::new();
+        let backing = b"unreachable".to_vec();
+        let base = backing.as_ptr() as usize;
+        // Window covers a different region than the buffer pointer.
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base.wrapping_add(0x1_0000), backing.len()),
+        };
+        let effect = dispatch(
+            &mut ctx,
+            call(
+                SyscallNumber::ConsoleWrite,
+                [
+                    encode_cap_handle(Some(cons_cap)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            ),
+        );
+        match effect {
+            SyscallEffect::Resume(r) => {
+                assert_eq!(r.status, SyscallError::FaultAddress.as_status());
+            }
+            other => panic!("expected Resume(FaultAddress), got {other:?}"),
+        }
+        assert!(
+            console.captured().is_empty(),
+            "a faulting buffer must emit nothing — the cap check passed but the range did not"
+        );
+    }
+
+    // ── release debug-gate ───────────────────────────────────────────────────
+
+    #[test]
+    #[cfg(not(debug_assertions))]
+    fn console_write_number_is_bad_syscall_in_release_build() {
+        // In a release build the debug-gate drops console_write from the
+        // surface entirely, even for a holder of a valid debug-console cap.
+        let mut ep_arena = EndpointArena::default();
+        let mut queues = IpcQueues::new();
+        let (mut table, cons_cap) = table_with_console_cap();
+        let console = FakeConsole::new();
+        let backing = b"nope".to_vec();
+        let base = backing.as_ptr() as usize;
+        let mut ctx = SyscallContext {
+            ep_arena: &mut ep_arena,
+            queues: &mut queues,
+            caller_table: &mut table,
+            console: &console,
+            user_window: UserAccessWindow::new(base, backing.len()),
+        };
+        // Number 5 directly (SyscallNumber::ConsoleWrite::as_u64() == 5).
+        let effect = dispatch(
+            &mut ctx,
+            SyscallArgs {
+                number: 5,
+                args: [
+                    encode_cap_handle(Some(cons_cap)),
+                    base as u64,
+                    backing.len() as u64,
+                    0,
+                    0,
+                    0,
+                ],
+            },
+        );
+        match effect {
+            SyscallEffect::Resume(r) => {
+                assert_eq!(r.status, SyscallError::BadSyscallNumber.as_status());
+            }
+            other => panic!("expected Resume(BadSyscallNumber), got {other:?}"),
+        }
+        assert!(console.captured().is_empty());
+    }
+}
diff --git a/kernel/src/syscall/error.rs b/kernel/src/syscall/error.rs
new file mode 100644
index 0000000..cddded2
--- /dev/null
+++ b/kernel/src/syscall/error.rs
@@ -0,0 +1,250 @@
+//! The userspace-facing syscall error space, [`SyscallError`].
+//!
+//! Per [ADR-0030][adr-0030], a syscall returns a **status word** in `x0`: `0`
+//! means `Ok` (the payload registers carry the result), any non-zero value is
+//! a stable [`SyscallError`] discriminant. `SyscallError` **composes** from the
+//! in-kernel error spaces ([`CapError`] and [`IpcError`]) via `From` impls per
+//! the [error-handling standard §7 "preserve root cause"][err] — the dispatcher
+//! never collapses a distinct cap/IPC failure into a generic "internal error".
+//!
+//! ## Stable numeric status encoding
+//!
+//! [`SyscallError::as_status`] is the canonical encoder the dispatcher uses to
+//! fill `x0`. The integers it produces are a **stable ABI contract** pinned by
+//! the host tests in this module; a future `tyrne-user` crate (Phase B6) decodes
+//! them. The layout is blocked so the composed spaces stay visually distinct:
+//!
+//! | Range          | Meaning                                            |
+//! |----------------|----------------------------------------------------|
+//! | `0`            | `Ok` (reserved — never a `SyscallError`)           |
+//! | `1`–`3`        | top-level [`SyscallError`] variants                |
+//! | `0x101`–`0x1FF`| [`SyscallError::Cap`] — `0x100 \| `[`CapError`] code |
+//! | `0x201`–`0x2FF`| [`SyscallError::Ipc`] — `0x200 \| `[`IpcError`] code  |
+//!
+//! Because [`CapError`] / [`IpcError`] are `#[non_exhaustive]` *but defined in
+//! this same crate*, the per-variant encoders below match them **exhaustively
+//! without a wildcard** — adding a variant to either is a compile error here
+//! until its stable code is assigned, which is exactly the safeguard a stable
+//! ABI wants.
+//!
+//! [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+//! [err]: https://github.com/HodeTech/Tyrne/blob/main/docs/standards/error-handling.md
+
+use crate::cap::CapError;
+use crate::ipc::IpcError;
+
+/// The status word value reserved for a successful syscall (`x0 == 0`).
+///
+/// Userspace branches structurally on this single value: `x0 == OK_STATUS`
+/// means "read the payload from `x1`–`x7`", any other value is a
+/// [`SyscallError`] discriminant. Fixed by [ADR-0030][adr-0030].
+///
+/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+pub const OK_STATUS: u64 = 0;
+
+/// High bit-block of a [`SyscallError::Cap`] status code (`0x100 | cap_code`).
+const CAP_STATUS_BASE: u64 = 0x100;
+/// High bit-block of a [`SyscallError::Ipc`] status code (`0x200 | ipc_code`).
+const IPC_STATUS_BASE: u64 = 0x200;
+
+/// The error half of a syscall's `Result`-shaped return, per [ADR-0030][adr-0030].
+///
+/// `#[non_exhaustive]` so address-space / loader variants can land additively
+/// with their first syscall consumer (Phase B6+) without a breaking change. The
+/// `Cap` / `Ipc` variants **compose** the in-kernel error spaces rather than
+/// re-inventing a parallel flat space, keeping the userspace-facing and
+/// in-kernel taxonomies in agreement (the K2-5 motivation in [ADR-0030][adr-0030]).
+///
+/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+#[non_exhaustive]
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum SyscallError {
+    /// `x8` named no syscall in the v1 set — number `0` (reserved-invalid), a
+    /// number above the v1 ceiling, or a debug-gated number (`console_write`)
+    /// in a non-debug build. See [ADR-0031][adr-0031].
+    ///
+    /// [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+    BadSyscallNumber,
+    /// An argument was structurally invalid in a way the syscall could detect
+    /// before performing its operation (reserved for future v1 syscalls that
+    /// validate argument shape; no v1 producer today).
+    BadArgument,
+    /// A user pointer (or `[ptr, ptr + len)` range) fell outside the active
+    /// address space's accessible region, or the range wrapped past
+    /// `usize::MAX`. Produced by `copy_from_user` / `copy_to_user`; the kernel
+    /// never dereferenced the pointer.
+    FaultAddress,
+    /// A capability-table failure, composed from [`CapError`] via [`From`].
+    /// Carries the exact cap-side variant (e.g. a `console_write` debug-console
+    /// capability that is stale / wrong-kind / lacks `CONSOLE_WRITE`).
+    Cap(CapError),
+    /// An IPC failure, composed from [`IpcError`] via [`From`]. Carries the
+    /// exact IPC-side variant (`StaleHandle` / `WrongObjectKind` /
+    /// `MissingRight` / ...) for `send` / `recv`.
+    Ipc(IpcError),
+}
+
+impl SyscallError {
+    /// Encode this error as the stable non-zero `x0` status word.
+    ///
+    /// The inverse of the conceptual `tyrne-user` decoder (Phase B6). Never
+    /// returns [`OK_STATUS`] (`0`) — that value is reserved for success. The
+    /// concrete integers are the stable ABI contract pinned by this module's
+    /// host tests; see the module-level table.
+    #[must_use]
+    pub const fn as_status(self) -> u64 {
+        match self {
+            Self::BadSyscallNumber => 1,
+            Self::BadArgument => 2,
+            Self::FaultAddress => 3,
+            Self::Cap(e) => CAP_STATUS_BASE | cap_error_code(e),
+            Self::Ipc(e) => IPC_STATUS_BASE | ipc_error_code(e),
+        }
+    }
+}
+
+impl From<CapError> for SyscallError {
+    fn from(e: CapError) -> Self {
+        Self::Cap(e)
+    }
+}
+
+impl From<IpcError> for SyscallError {
+    fn from(e: IpcError) -> Self {
+        Self::Ipc(e)
+    }
+}
+
+/// Stable per-variant code for [`CapError`], OR-ed into [`CAP_STATUS_BASE`].
+///
+/// Exhaustive without a wildcard (same crate): a new [`CapError`] variant
+/// breaks the build here until it is assigned a code — the intended ABI guard.
+const fn cap_error_code(e: CapError) -> u64 {
+    match e {
+        CapError::CapsExhausted => 1,
+        CapError::InvalidHandle => 2,
+        CapError::WidenedRights => 3,
+        CapError::InsufficientRights => 4,
+        CapError::DerivationTooDeep => 5,
+        CapError::HasChildren => 6,
+        CapError::WrongKind => 7,
+    }
+}
+
+/// Stable per-variant code for [`IpcError`], OR-ed into [`IPC_STATUS_BASE`].
+///
+/// Exhaustive without a wildcard (same crate): a new [`IpcError`] variant
+/// breaks the build here until it is assigned a code — the intended ABI guard.
+const fn ipc_error_code(e: IpcError) -> u64 {
+    match e {
+        IpcError::StaleHandle => 1,
+        IpcError::WrongObjectKind => 2,
+        IpcError::MissingRight => 3,
+        IpcError::QueueFull => 4,
+        IpcError::InvalidTransferCap => 5,
+        IpcError::ReceiverTableFull => 6,
+        IpcError::PendingAfterResume => 7,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{SyscallError, OK_STATUS};
+    use crate::cap::CapError;
+    use crate::ipc::IpcError;
+
+    #[test]
+    fn ok_status_is_zero_and_no_error_encodes_to_it() {
+        assert_eq!(OK_STATUS, 0);
+        // Every error must encode to a non-zero status; `0` is reserved for Ok.
+        let all = [
+            SyscallError::BadSyscallNumber,
+            SyscallError::BadArgument,
+            SyscallError::FaultAddress,
+            SyscallError::Cap(CapError::InvalidHandle),
+            SyscallError::Ipc(IpcError::StaleHandle),
+        ];
+        for e in all {
+            assert_ne!(e.as_status(), OK_STATUS, "{e:?} must not encode to Ok");
+        }
+    }
+
+    #[test]
+    fn top_level_status_codes_are_stable() {
+        assert_eq!(SyscallError::BadSyscallNumber.as_status(), 1);
+        assert_eq!(SyscallError::BadArgument.as_status(), 2);
+        assert_eq!(SyscallError::FaultAddress.as_status(), 3);
+    }
+
+    #[test]
+    fn cap_error_from_round_trips_and_encodes_in_cap_block() {
+        // `From<CapError>` preserves the root cause (no flattening).
+        assert_eq!(
+            SyscallError::from(CapError::WrongKind),
+            SyscallError::Cap(CapError::WrongKind)
+        );
+        // Stable codes in the 0x100 block.
+        assert_eq!(
+            SyscallError::Cap(CapError::CapsExhausted).as_status(),
+            0x101
+        );
+        assert_eq!(
+            SyscallError::Cap(CapError::InvalidHandle).as_status(),
+            0x102
+        );
+        assert_eq!(
+            SyscallError::Cap(CapError::WidenedRights).as_status(),
+            0x103
+        );
+        assert_eq!(
+            SyscallError::Cap(CapError::InsufficientRights).as_status(),
+            0x104
+        );
+        assert_eq!(
+            SyscallError::Cap(CapError::DerivationTooDeep).as_status(),
+            0x105
+        );
+        assert_eq!(SyscallError::Cap(CapError::HasChildren).as_status(), 0x106);
+        assert_eq!(SyscallError::Cap(CapError::WrongKind).as_status(), 0x107);
+    }
+
+    #[test]
+    fn ipc_error_from_round_trips_and_encodes_in_ipc_block() {
+        // `From<IpcError>` preserves the root cause (no flattening).
+        assert_eq!(
+            SyscallError::from(IpcError::MissingRight),
+            SyscallError::Ipc(IpcError::MissingRight)
+        );
+        // Stable codes in the 0x200 block.
+        assert_eq!(SyscallError::Ipc(IpcError::StaleHandle).as_status(), 0x201);
+        assert_eq!(
+            SyscallError::Ipc(IpcError::WrongObjectKind).as_status(),
+            0x202
+        );
+        assert_eq!(SyscallError::Ipc(IpcError::MissingRight).as_status(), 0x203);
+        assert_eq!(SyscallError::Ipc(IpcError::QueueFull).as_status(), 0x204);
+        assert_eq!(
+            SyscallError::Ipc(IpcError::InvalidTransferCap).as_status(),
+            0x205
+        );
+        assert_eq!(
+            SyscallError::Ipc(IpcError::ReceiverTableFull).as_status(),
+            0x206
+        );
+        assert_eq!(
+            SyscallError::Ipc(IpcError::PendingAfterResume).as_status(),
+            0x207
+        );
+    }
+
+    #[test]
+    fn cap_and_ipc_status_blocks_do_not_collide() {
+        // The two composed spaces occupy disjoint numeric blocks, so a decoder
+        // can route a status to the right sub-space by its high bits.
+        let cap = SyscallError::Cap(CapError::WrongKind).as_status();
+        let ipc = SyscallError::Ipc(IpcError::WrongObjectKind).as_status();
+        assert_ne!(cap, ipc);
+        assert_eq!(cap & 0xF00, 0x100);
+        assert_eq!(ipc & 0xF00, 0x200);
+    }
+}
diff --git a/kernel/src/syscall/mod.rs b/kernel/src/syscall/mod.rs
new file mode 100644
index 0000000..361c668
--- /dev/null
+++ b/kernel/src/syscall/mod.rs
@@ -0,0 +1,52 @@
+//! Syscall subsystem — the EL0→EL1 boundary's kernel-side half (Phase B5 / [T-021]).
+//!
+//! This module is the **architecture-agnostic, panic-free, host-testable** core
+//! of the syscall path: it decodes the register ABI, validates the caller's
+//! capabilities, performs each operation through an existing kernel primitive,
+//! and encodes a typed result. It owns no hardware — the `SVC` trap trampoline,
+//! the register save/restore frame, and the EL0↔EL1 transition live in the BSP
+//! (`bsp-qemu-virt/src/vectors.s` + `syscall.rs`), which builds a
+//! [`SyscallContext`] from its statics and calls [`dispatch`].
+//!
+//! It instantiates two Accepted ADRs:
+//!
+//! - [ADR-0030][adr-0030] — the calling convention (`x8` = number, `x0`–`x5` =
+//!   arguments, `x0` = status, `x1`–`x7` = payload, `SVC #0`) and the
+//!   [`error::SyscallError`] space that composes [`crate::cap::CapError`] /
+//!   [`crate::ipc::IpcError`].
+//! - [ADR-0031][adr-0031] — the five-syscall v1 set (`send` / `recv` /
+//!   `task_yield` / `task_exit` / `console_write`), number `0` reserved-invalid,
+//!   every object-naming syscall capability-gated ([P1 / P4][principles]).
+//!
+//! ## Module layout
+//!
+//! - [`error`] — [`SyscallError`] + `From<CapError>` / `From<IpcError>` + the
+//!   stable numeric status encoding ([`SyscallError::as_status`]).
+//! - [`abi`] — the register frame types ([`SyscallArgs`] / [`SyscallReturn`] /
+//!   [`SyscallEffect`]), the [`SyscallNumber`] decode (with the release
+//!   debug-gate), and the value↔register packing (`Message`, outcomes,
+//!   `Option<CapHandle>` with the null sentinel).
+//! - [`user_access`] — [`UserAccessWindow`] + [`copy_from_user`] /
+//!   [`copy_to_user`]: validated, never-raw-deref access to user memory.
+//! - [`dispatch`] — the [`dispatch`] entry point + the per-syscall handlers +
+//!   the debug-console capability check.
+//!
+//! [T-021]: https://github.com/HodeTech/Tyrne/blob/main/docs/analysis/tasks/phase-b/T-021-syscall-dispatch.md
+//! [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+//! [adr-0031]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0031-initial-syscall-set.md
+//! [principles]: https://github.com/HodeTech/Tyrne/blob/main/docs/standards/architectural-principles.md
+
+pub mod abi;
+pub mod dispatch;
+pub mod error;
+pub mod user_access;
+
+pub use abi::{
+    decode_cap_handle, decode_required_cap_handle, decode_send_message, encode_cap_handle,
+    encode_recv_outcome, encode_send_outcome, SyscallArgs, SyscallEffect, SyscallNumber,
+    SyscallReturn, NULL_CAP_HANDLE, RECV_OUTCOME_PENDING, RECV_OUTCOME_RECEIVED,
+    SEND_OUTCOME_DELIVERED, SEND_OUTCOME_ENQUEUED,
+};
+pub use dispatch::{dispatch, SyscallContext};
+pub use error::{SyscallError, OK_STATUS};
+pub use user_access::{copy_from_user, copy_to_user, UserAccessWindow};
diff --git a/kernel/src/syscall/user_access.rs b/kernel/src/syscall/user_access.rs
new file mode 100644
index 0000000..3e197b9
--- /dev/null
+++ b/kernel/src/syscall/user_access.rs
@@ -0,0 +1,366 @@
+//! Validated copy-from / copy-to user memory.
+//!
+//! A syscall handler must never dereference a raw user pointer without first
+//! proving the requested `[ptr, ptr + len)` byte range lies inside the active
+//! address space's user-accessible region ([ADR-0030 §Simulation row 4][adr-0030],
+//! [P4][principles]). [`UserAccessWindow`] models that region; [`copy_from_user`]
+//! / [`copy_to_user`] validate against it and only then move bytes.
+//!
+//! ## v1 window model and forward path
+//!
+//! v1 models the active address space's accessible region as a **single
+//! contiguous half-open VA window** `[base, base + len)` and performs the byte
+//! move under the kernel's identity map ([ADR-0027 §Decision outcome (a)][adr-0027]:
+//! every PA in the managed extent is reachable at `VA == PA` from kernel code).
+//! This is the granularity v1 can express — the [`Mmu`][mmu] trait exposes no
+//! translation-walk query, and the only `SVC` B5 runs comes from an **EL1
+//! kernel-stub** on the identity-mapped bootstrap AS (so `user VA == kernel VA`).
+//!
+//! When a real EL0 task runs against a *separate* userspace `TTBR0_EL1` (Phase
+//! B6, gated on the [ADR-0033 high-half placeholder][adr-0027]), this validator
+//! tightens in two forward-compatible ways that **do not** change the
+//! [`copy_from_user`] / [`copy_to_user`] call-site signatures: (1) the window is
+//! derived from the EL0 task's actually-mapped image+stack region rather than
+//! the identity-mapped RAM extent, and (2) the int-to-pointer dereference is
+//! replaced by a per-page translation of the user VA to a kernel-reachable VA
+//! (the same single-helper-body migration [`crate::mm::phys_frame_kernel_ptr`]
+//! documents). The window-containment check, the wrap rejection, and the
+//! zero-length short-circuit below are unchanged by that migration.
+//!
+//! [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+//! [adr-0027]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0027-kernel-virtual-memory-layout.md
+//! [mmu]: tyrne_hal::Mmu
+//! [principles]: https://github.com/HodeTech/Tyrne/blob/main/docs/standards/architectural-principles.md
+
+use super::error::SyscallError;
+
+/// A validated view of the active address space's user-accessible bytes.
+///
+/// v1 carries a single contiguous half-open VA window `[base, base + len)`; see
+/// the module docs for the window model and the B6 forward path. A copy whose
+/// `[ptr, ptr + len)` range is not wholly contained in the window — or that
+/// wraps past `usize::MAX` — is rejected with [`SyscallError::FaultAddress`]
+/// **before** any pointer is dereferenced.
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub struct UserAccessWindow {
+    base: usize,
+    len: usize,
+}
+
+impl UserAccessWindow {
+    /// Construct a window covering the half-open VA range `[base, base + len)`.
+    #[must_use]
+    pub const fn new(base: usize, len: usize) -> Self {
+        Self { base, len }
+    }
+
+    /// Construct an empty window that accepts only zero-length accesses.
+    ///
+    /// The dispatcher uses this as a safe default when no active user region is
+    /// known (e.g. a context with no mapped userspace); any non-zero copy
+    /// against it returns [`SyscallError::FaultAddress`].
+    #[must_use]
+    pub const fn empty() -> Self {
+        Self { base: 0, len: 0 }
+    }
+
+    /// Validate that `[ptr, ptr + len)` lies wholly within this window.
+    ///
+    /// A zero-length access is always accepted (it touches no bytes, so no
+    /// containment is required). A range that wraps past `usize::MAX`, or that
+    /// falls partly or wholly outside `[base, base + len)`, is rejected.
+    ///
+    /// # Errors
+    ///
+    /// [`SyscallError::FaultAddress`] if the range wraps or is not contained.
+    pub fn validate(&self, ptr: usize, len: usize) -> Result<(), SyscallError> {
+        if len == 0 {
+            // Empty range touches no bytes; trivially in-bounds.
+            return Ok(());
+        }
+        // `checked_add` (not `+`) both satisfies `clippy::arithmetic_side_effects`
+        // and is the actual wrap check: a request whose end overflows `usize`
+        // is a fault, never a silently-wrapped in-range access.
+        let Some(end) = ptr.checked_add(len) else {
+            return Err(SyscallError::FaultAddress);
+        };
+        let Some(window_end) = self.base.checked_add(self.len) else {
+            return Err(SyscallError::FaultAddress);
+        };
+        if ptr >= self.base && end <= window_end {
+            Ok(())
+        } else {
+            Err(SyscallError::FaultAddress)
+        }
+    }
+}
+
+/// Copy `dst.len()` bytes **from** user memory at `user_ptr` into `dst`.
+///
+/// Validates `[user_ptr, user_ptr + dst.len())` against `window` first; on any
+/// failure the user pointer is **not** dereferenced. A zero-length `dst` is a
+/// no-op that always succeeds.
+///
+/// # Errors
+///
+/// [`SyscallError::FaultAddress`] if the range is out of the window or wraps.
+pub fn copy_from_user(
+    window: &UserAccessWindow,
+    user_ptr: usize,
+    dst: &mut [u8],
+) -> Result<(), SyscallError> {
+    let len = dst.len();
+    window.validate(user_ptr, len)?;
+    if len > 0 {
+        // SAFETY: the byte copy reads `len` bytes from the user VA `user_ptr`
+        // into the kernel-owned `dst` slice.
+        //
+        // **Why `unsafe` is required.** `user_ptr` arrives as an integer
+        // register word (the ABI passes user pointers as `u64`); reconstructing
+        // a `*const u8` from it and reading through it cannot be expressed in
+        // safe Rust — there is no safe `&[u8]` to borrow because the bytes live
+        // in the caller's (userspace's) address space, named only by an integer
+        // the kernel does not own a reference into.
+        //
+        // **Invariants upheld.** (1) **Range validity.** `window.validate`
+        // above proved `[user_ptr, user_ptr + len)` is wholly contained in the
+        // active address space's accessible window and does not wrap, so every
+        // one of the `len` source bytes is a readable address in the active AS.
+        // (2) **Identity map (v1).** Per [ADR-0027 §Decision outcome (a)] the
+        // bootstrap AS the B5 EL1 kernel-stub runs on identity-maps the managed
+        // extent, so `user_ptr` is directly readable by kernel code at `VA == PA`
+        // (the B6 forward path replaces this with a per-page translation — see
+        // the module docs — without changing this call site's contract).
+        // (3) **Disjointness — the soundness basis.** `dst` is a valid Rust
+        // slice (good for `len` writes by the slice invariant). Soundness
+        // requires `[user_ptr, user_ptr + len)` and `dst` to be **disjoint**,
+        // which holds structurally: `user_ptr` names *userspace* memory while
+        // `dst` is a *kernel* buffer — distinct allocations in v1 (e.g.
+        // `console_write`'s fresh 256-byte stack buffer), separate address
+        // spaces in B6. `validate` proves *bounds*, not disjointness;
+        // disjointness comes from the user/kernel memory model. An aliasing
+        // `user_ptr` would be **UB regardless of the copy primitive**: `dst` is
+        // `&mut` (exclusive), so an overlapping read through `user_ptr` violates
+        // that exclusivity — empirically confirmed under Miri's Stacked Borrows
+        // ("strongly protected" `Unique` tag). `core::ptr::copy` (memmove) is
+        // used as the conservative primitive; it is *not* a licence to alias —
+        // disjointness, not the primitive, is load-bearing. (`copy_nonoverlapping`
+        // would be equally sound under that same disjointness invariant; `copy`
+        // is kept so the primitive adds no overlap precondition of its own.)
+        // (4) **No interleaving.** v1 is single-core cooperative and the SVC
+        // handler runs with interrupts masked (exception entry masks `DAIF`),
+        // so no peer mutates the source mid-copy.
+        //
+        // **Why safer alternatives were rejected.** `core::slice::from_raw_parts`
+        // would borrow the user bytes as a `&[u8]` — still `unsafe`, same
+        // provenance requirement, and it would advertise a borrow of memory the
+        // kernel does not own; the explicit `core::ptr::copy` is the honest
+        // expression of "read bytes the validator just bounded". A HAL trait
+        // method would relocate the `unsafe` to the HAL surface without removing
+        // it; user-memory access is a kernel-syscall concern, so the discipline
+        // (validated-range-then-copy under the disjointness invariant) belongs here.
+        //
+        // Audit: UNSAFE-2026-0030.
+        unsafe {
+            core::ptr::copy(user_ptr as *const u8, dst.as_mut_ptr(), len);
+        }
+    }
+    Ok(())
+}
+
+/// Copy `src.len()` bytes **to** user memory at `user_ptr` from `src`.
+///
+/// The symmetric write-side primitive to [`copy_from_user`]: validates the
+/// range against `window` first, then moves bytes. No v1 syscall returns data
+/// through a user pointer (`recv` returns its message in registers), so this
+/// has no v1 caller yet — it is the natural completion of the validated
+/// user-access primitive ([ADR-0030][adr-0030] dependency-chain step 5 names
+/// "copy-from/to-user") and the first pointer-returning syscall (Phase B6+)
+/// uses it without re-deriving the validation. Shares [`UserAccessWindow::validate`]
+/// with [`copy_from_user`], so it is not speculative surface.
+///
+/// # Errors
+///
+/// [`SyscallError::FaultAddress`] if the range is out of the window or wraps.
+///
+/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
+pub fn copy_to_user(
+    window: &UserAccessWindow,
+    user_ptr: usize,
+    src: &[u8],
+) -> Result<(), SyscallError> {
+    let len = src.len();
+    window.validate(user_ptr, len)?;
+    if len > 0 {
+        // SAFETY: the byte copy writes `len` bytes from the kernel-owned `src`
+        // slice to the user VA `user_ptr`. The invariants from [`copy_from_user`]
+        // hold with the direction reversed — range validity (just proven by
+        // `window.validate`), the v1 identity map ([ADR-0027 §Decision outcome (a)]),
+        // and no single-core interleaving under the interrupts-masked SVC handler.
+        // The **soundness basis is again disjointness**: `src` (a kernel buffer)
+        // and the userspace destination `[user_ptr, user_ptr + len)` are disjoint
+        // by the user/kernel memory model. An aliasing pair would be UB regardless
+        // of the copy primitive — `src` is `&` (shared, read-only for its
+        // lifetime), so writing through `user_ptr` into bytes `src` covers
+        // violates that borrow (Miri-confirmed). `core::ptr::copy` (memmove) is
+        // the conservative primitive, not a licence to alias. Same
+        // rejected-alternatives reasoning as `copy_from_user` (`from_raw_parts_mut`
+        // relocates rather than removes the `unsafe`; a HAL method moves the audit
+        // point off the syscall layer).
+        // Audit: UNSAFE-2026-0030.
+        unsafe {
+            core::ptr::copy(src.as_ptr(), user_ptr as *mut u8, len);
+        }
+    }
+    Ok(())
+}
+
+#[cfg(test)]
+#[allow(
+    clippy::unwrap_used,
+    clippy::expect_used,
+    clippy::panic,
+    clippy::arithmetic_side_effects,
+    clippy::cast_possible_truncation,
+    reason = "tests may use pragmas forbidden in production kernel code"
+)]
+mod tests {
+    use super::{copy_from_user, copy_to_user, UserAccessWindow};
+    use crate::syscall::error::SyscallError;
+
+    // Host tests follow the kernel's established Miri-clean pattern (see
+    // `kernel/src/mm/pmm.rs::tests` + `task_loader::tests`): a real host
+    // `Vec<u8>` provides backing memory, its pointer is *exposed* via
+    // `as usize` when constructing the window, and the validated copy's
+    // int-to-pointer dereference recovers that exposed provenance under
+    // Miri's permissive-provenance mode. The integer the syscall ABI passes
+    // is therefore a genuine, in-bounds host address in every success path;
+    // the failure paths reject before any dereference, so they never need a
+    // valid pointer at all.
+
+    // ── range validation: in-range ───────────────────────────────────────────
+
+    #[test]
+    fn copy_from_user_in_range_moves_bytes() {
+        let backing: Vec<u8> = (0..16u8).collect();
+        let base = backing.as_ptr() as usize; // expose provenance
+        let window = UserAccessWindow::new(base, backing.len());
+
+        let mut dst = [0u8; 8];
+        copy_from_user(&window, base, &mut dst).expect("in-range copy must succeed");
+        assert_eq!(dst, [0, 1, 2, 3, 4, 5, 6, 7]);
+
+        // An interior, in-range sub-slice also succeeds.
+        let mut dst2 = [0u8; 4];
+        copy_from_user(&window, base + 8, &mut dst2).expect("in-range interior copy");
+        assert_eq!(dst2, [8, 9, 10, 11]);
+    }
+
+    #[test]
+    fn copy_to_user_in_range_moves_bytes() {
+        let mut backing: Vec<u8> = vec![0u8; 16];
+        let base = backing.as_mut_ptr() as usize; // expose provenance
+        let window = UserAccessWindow::new(base, backing.len());
+
+        let src = [0xAAu8, 0xBB, 0xCC, 0xDD];
+        copy_to_user(&window, base + 2, &src).expect("in-range copy_to_user");
+        assert_eq!(&backing[2..6], &[0xAA, 0xBB, 0xCC, 0xDD]);
+        // Bytes outside the written range are untouched.
+        assert_eq!(backing[0], 0);
+        assert_eq!(backing[6], 0);
+    }
+
+    // ── range validation: out-of-range ───────────────────────────────────────
+
+    #[test]
+    fn copy_from_user_out_of_range_faults_without_deref() {
+        let backing: Vec<u8> = vec![0u8; 16];
+        let base = backing.as_ptr() as usize;
+        // Window covers a *different* region than the pointer we will read.
+        let window = UserAccessWindow::new(base + 0x1000, 16);
+
+        let mut dst = [0u8; 8];
+        // `base` is below the window → fault, and the dereference never happens
+        // (the assertion that this is safe is the whole point of the test).
+        assert_eq!(
+            copy_from_user(&window, base, &mut dst),
+            Err(SyscallError::FaultAddress)
+        );
+    }
+
+    #[test]
+    fn copy_from_user_overrun_past_window_end_faults() {
+        let backing: Vec<u8> = vec![0u8; 16];
+        let base = backing.as_ptr() as usize;
+        // Window is shorter than the requested read: [base, base+4) but read 8.
+        let window = UserAccessWindow::new(base, 4);
+        let mut dst = [0u8; 8];
+        assert_eq!(
+            copy_from_user(&window, base, &mut dst),
+            Err(SyscallError::FaultAddress)
+        );
+    }
+
+    #[test]
+    fn copy_to_user_out_of_range_faults() {
+        let mut backing: Vec<u8> = vec![0u8; 16];
+        let base = backing.as_mut_ptr() as usize;
+        let window = UserAccessWindow::new(base, 4);
+        let src = [1u8, 2, 3, 4, 5, 6, 7, 8];
+        assert_eq!(
+            copy_to_user(&window, base, &src),
+            Err(SyscallError::FaultAddress)
+        );
+        assert!(
+            backing.iter().all(|&b| b == 0),
+            "no byte may be written on fault"
+        );
+    }
+
+    // ── range validation: zero-length ────────────────────────────────────────
+
+    #[test]
+    fn zero_length_copy_is_ok_even_for_unmapped_pointer() {
+        // A zero-length copy touches no bytes, so it succeeds regardless of the
+        // pointer — no dereference occurs. Use an empty window + an arbitrary
+        // (never-dereferenced) address to prove the short-circuit.
+        let window = UserAccessWindow::empty();
+        let mut dst: [u8; 0] = [];
+        assert_eq!(copy_from_user(&window, 0xDEAD_0000, &mut dst), Ok(()));
+        let src: [u8; 0] = [];
+        assert_eq!(copy_to_user(&window, 0xDEAD_0000, &src), Ok(()));
+    }
+
+    // ── range validation: wrap ───────────────────────────────────────────────
+
+    #[test]
+    fn wrapping_range_faults() {
+        // A pointer near usize::MAX with a non-trivial length wraps; the
+        // validator rejects it instead of computing a smaller wrapped end.
+        let window = UserAccessWindow::new(0, usize::MAX);
+        assert_eq!(
+            window.validate(usize::MAX - 2, 8),
+            Err(SyscallError::FaultAddress)
+        );
+        // And the copy entry points reject it before any dereference.
+        let mut dst = [0u8; 8];
+        assert_eq!(
+            copy_from_user(&window, usize::MAX - 2, &mut dst),
+            Err(SyscallError::FaultAddress)
+        );
+    }
+
+    #[test]
+    fn validate_exact_window_fit_is_ok() {
+        // [base, base+len) fitting the window exactly (end == window_end) is in
+        // bounds — the half-open boundary is inclusive of the last byte.
+        let window = UserAccessWindow::new(0x1000, 0x100);
+        assert_eq!(window.validate(0x1000, 0x100), Ok(()));
+        assert_eq!(window.validate(0x1080, 0x80), Ok(()));
+        // One byte past the end faults.
+        assert_eq!(
+            window.validate(0x1000, 0x101),
+            Err(SyscallError::FaultAddress)
+        );
+    }
+}