ADR-0039 + T-027 — userland build pipeline (userland/hello + tyrne-user, B6 step 5)

[cemililik]

ADR-0039 + T-027 — userland build pipeline (B6 step 5)

Tyrne's first real userspace program, built from Rust source and embedded into the kernel image, replacing the hand-coded mov w0, #42; ret placeholder. This is B6 step 5 of the dependency-ordered sequence; running it in EL0 (the +0x400 round-trip) is T-028.

ADR-0039 (Accepted)

Settles the build orchestration ADR-0029 deferred ("exact path lands with B6"). Decision: a tools/build-userland.sh step + rust-objcopy from the pinned llvm-tools-preview (no Cargo dep) + include_bytes! of a git-ignored .bin; userland crates as default-members-excluded workspace members; a Rust-side base-VA source-of-truth. cargo xtask is the named B7+ multi-binary upgrade. Two review rounds before Accept: a relayed 8-fix round + an adversarial 5-lens / 81-agent pass (37 of 38 findings refuted; the one confirmed → the CI build-ordering fix below).

What landed (T-027)

• userland/tyrne-user (#![no_std] lib): safe console_write(cap, buf) / task_exit(code) wrappers over the svc #0 ABI (x8=number, x0..x5=args; ConsoleWrite=5, TaskExit=4). HELLO_CONSOLE_CAP = 0 — the T-027↔T-028 cap-handle interface (root cap of a fresh table). The two svc shims are the first userspace unsafe → UNSAFE-2026-0033.
• userland/hello (#![no_std] #![no_main] bin): _start (in .text._start, offset 0) → console_write(greeting) → task_exit(0); panic_handler → task_exit. hello.ld fixes the entry at 0x0080_0000, ASSERTs no .data/.bss (image maps USER|EXECUTE, no WRITE).
• tools/build-userland.sh: cargo build → rust-objcopy -O binary → git-ignored userland/hello/hello.bin.
• Workspace: both crates added to members, excluded from default-members (host commands skip them — mirrors bsp-qemu-virt).
• BSP: USERSPACE_IMAGE → include_bytes!(hello.bin); build.rs assert!s the .bin exists (run build-userland.sh first).
• tools/smoke.sh now builds userland + kernel (one-command); .github/workflows/ci.yml installs llvm-tools-preview + builds userland before kernel-build (the adversarial-confirmed fix — else the clean-checkout kernel-build job hits the missing-.bin assert!).

Verification

The 117-byte .bin disassembles at offset 0 to: _start prologue → x0 = 0 (HELLO_CONSOLE_CAP) → adr x1 (greeting) → w2 = 0x15 (21 = len of "hello from userspace\n") → bl console_write → x0 = 0 → bl task_exit. The real image loads dormant under the smoke (entry = 0x800000, image bytes 117, stack bytes 4096); it is not run in EL0 — that's T-028.

Gates (all green)

• cargo fmt --all --check ✅
• host + kernel + userland clippy -D warnings ✅ (cargo clippy --target aarch64-unknown-none -p tyrne-userland-hello -p tyrne-user)
• host tests 46 hal / 258 kernel / 58 test-hal / 3 doc ✅ (unchanged — userland is bare-metal, outside the host set)
• cargo kernel-build ✅
• tools/smoke.sh --int PASS — image loads, all tasks complete, 2 expected EL1-stub SVCs, zero new fault class ✅
• Miri unaffected (no kernel/host logic changed — only the embedded USERSPACE_IMAGE bytes + build infra)

Audit

UNSAFE-2026-0033 — the tyrne-user svc #0 shims (the user→kernel call side; the kernel→user trust boundary is audited under 0029/0014/0030/0032 and reviewed for T-028's first real run).

Out of scope (T-028)

Loading the image into a real EL0 task (task_create_from_image → seed a DebugConsole cap at HELLO_CONSOLE_CAP → add_user_task), the +0x400 round-trip smoke, and the explicit EL0-boundary security review.

🤖 Generated with Claude Code

Summary by Sourcery

Embed a real Rust-based userspace hello program into the kernel image via a new userland build pipeline and replace the previous hand-coded placeholder image.

New Features:

• Introduce a tyrne-user no_std userspace library providing safe syscall wrappers for console output and task exit.
• Add a tyrne-userland-hello no_std/no_main userspace binary that prints a greeting via the syscall ABI and then exits.
• Define a userspace linker script to produce a raw flat hello image with entry at offset 0 and no writable sections.

Enhancements:

• Replace the BSP’s hardcoded userspace placeholder blob with an include_bytes!-backed hello.bin produced from the userland build.
• Add a build-userland.sh tool and integrate userland image generation into the smoke script and workspace configuration while excluding userland crates from default workspace members.
• Update ADRs, roadmap tasks, and unsafe audit documentation to describe the userland build pipeline, syscall shims, and EL0 wire-up plan.

CI:

• Extend CI to install llvm-tools-preview and run the userland build step before kernel build to satisfy the new embedded image dependency.

Tests:

• Ensure userland crates are covered by clippy in the aarch64 bare-metal configuration and that existing smoke tests validate successful loading of the embedded hello image.

Summary by CodeRabbit

• New Features

  • Userspace build pipeline added and first bare-metal "hello" image embedded in the BSP; workspace includes two new userland crates.

• Documentation

  • Added ADR, design/task docs, roadmap updates, and an unsafe-audit entry for userspace syscall shims and acceptance criteria.

• Chores

  • CI/tooling updated to install llvm-tools-preview and build userland before kernel jobs; new build/smoke orchestration scripts added.

• Bug Fixes

  • Pre-build check prevents kernel builds from failing when the userspace binary is missing; coverage tooling excludes userland stubs.

[sourcery-ai]

Reviewer's Guide

Implements ADR-0039 / T-027 by introducing a no_std userspace syscall wrapper library and a hello-world userland binary, adding a shell-based userland build pipeline that produces a raw-flat hello image embedded into the BSP via include_bytes!, and wiring smoke/CI and documentation to require the userland image to be built before kernel builds.

Flow diagram for the new userland build pipeline and BSP embed

flowchart TD
    Dev["Developer / CI"] --> SmokeOrCI
    SmokeOrCI["tools/smoke.sh or CI 'build userland image' step"] --> BuildScript
    BuildScript["tools/build-userland.sh"] --> CargoBuild
    CargoBuild["cargo build -p tyrne-userland-hello --target aarch64-unknown-none"] --> HelloElf
    HelloElf["target/.../hello (ELF)"] --> Objcopy
    Objcopy["rust-objcopy -O binary"] --> HelloBin
    HelloBin["userland/hello/hello.bin"] --> BSPBuildRs
    BSPBuildRs["bsp-qemu-virt/build.rs assert!(hello.bin exists)"] --> BSPMain
    BSPMain["bsp-qemu-virt/src/main.rs USERSPACE_IMAGE = include_bytes!(hello.bin)"]

Loading

File-Level Changes

Change	Details	Files
Embed a real userland hello image into the BSP instead of the placeholder and enforce its presence at build time.	Replace the hard-coded placeholder USERSPACE_IMAGE bytes with include_bytes! of the objcopy-produced hello.bin. Extend the BSP build script to watch hello.bin for changes and assert with a clear message if the file is missing, instructing developers to run the userland build script first. Adjust BSP documentation comments around USERSPACE_IMAGE to describe the real hello image, its build dependency, and that it is not yet executed in T-027.	bsp-qemu-virt/src/main.rs bsp-qemu-virt/build.rs
Introduce a no_std userspace syscall wrapper crate and first hello-world userland program wired to the syscall ABI and build as a raw-flat image.	Add tyrne-user crate providing safe console_write and task_exit wrappers over svc #0 with inline asm, including HELLO_CONSOLE_CAP and a SyscallError type. Add tyrne-userland-hello crate with a no_std, no_main entry _start that prints a greeting via console_write then exits via task_exit, plus a panic handler that exits; configure its build script and hello.ld linker script to place _start at offset 0, map at 0x0080_0000, and forbid .data/.bss. Register both userland crates as workspace members but exclude them from default-members so host builds and tests ignore them.	userland/tyrne-user/src/lib.rs userland/tyrne-user/Cargo.toml userland/hello/src/main.rs userland/hello/Cargo.toml userland/hello/build.rs userland/hello/hello.ld Cargo.toml
Add a shell-based userland build pipeline that produces the raw-flat hello binary and integrate it into local smoke and CI workflows.	Create tools/build-userland.sh to cargo build tyrne-userland-hello for the bare-metal target and invoke rust-objcopy from llvm-tools-preview to emit userland/hello/hello.bin, supporting debug and release profiles. Update tools/smoke.sh to, when no explicit kernel ELF is passed, run the userland build script (honoring --release) and then cargo kernel-build so the single entrypoint builds both userland and kernel. Modify the CI workflow to install llvm-tools-preview and invoke tools/build-userland.sh before cargo kernel-build to satisfy the BSP build.rs assertion about the presence of hello.bin.	tools/build-userland.sh tools/smoke.sh .github/workflows/ci.yml
Document ADR-0039 and T-027, including unsafe usage and roadmap updates for the new userland build pipeline.	Add ADR-0039 describing the userland build pipeline decision, options considered, and tradeoffs for using a tools/build-userland.sh + rust-objcopy + include_bytes! flow. Log UNSAFE-2026-0033 in unsafe-log.md to audit the userspace svc #0 shims in tyrne-user, including invariants and rejected alternatives. Add T-027 and T-028 task-analysis documents and update roadmap/current.md, phase-b.md, and ADR index to reflect B6 step 5 completion and the upcoming EL0 wire-up work.	docs/decisions/0039-userland-build-pipeline.md docs/audits/unsafe-log.md docs/analysis/tasks/phase-b/T-027-userland-build-pipeline.md docs/analysis/tasks/phase-b/T-028-el0-userspace-wireup.md docs/roadmap/current.md docs/roadmap/phases/phase-b.md docs/decisions/README.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9fec4f98-a9e1-46d6-b65d-10be7a216b9d

📥 Commits

Reviewing files that changed from the base of the PR and between ce25727 and 68f07ec.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• userland/hello/build.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• userland/hello/build.rs

---

📝 Walkthrough

Walkthrough

This PR implements the complete Phase B Milestone B6 Step 5 userland build pipeline: a no_std Rust syscall wrapper crate (tyrne-user) with EL0 svc #0`` shims, a "hello" userspace program using those wrappers, a tools/build-userland.sh orchestration script producing a raw-flat binary image, BSP integration embedding the image at compile time with existence checks, and CI/workflow updates to ensure correct build sequencing.

Changes

Userland Build Pipeline and EL0 Integration

Layer / File(s)	Summary
Userland EL0 Syscall Wrappers userland/tyrne-user/Cargo.toml, userland/tyrne-user/src/lib.rs, docs/audits/unsafe-log.md	Introduces tyrne-user as a #![no_std] crate providing safe wrappers (console_write, task_exit) around confined unsafe svc #0`` inline-asm shims. Exports HELLO_CONSOLE_CAP constant and `SyscallError` type; audit entry `UNSAFE-2026-0033` documents the syscall ABI and register usage.
Hello Userland Program Implementation userland/hello/Cargo.toml, userland/hello/build.rs, userland/hello/hello.ld, userland/hello/src/main.rs	Implements a #![no_std] #![no_main] userspace program with _start at offset 0 (via linker script), writes a greeting via console_write, exits via task_exit(0), and includes a panic handler. Linker script enforces empty .data/.bss and discards metadata for raw-flat image production.
Build Script and BSP Embedding tools/build-userland.sh, Cargo.toml, bsp-qemu-virt/build.rs, bsp-qemu-virt/src/main.rs	tools/build-userland.sh compiles userland for aarch64-unknown-none and uses rust-objcopy -O binary to produce hello.bin. Workspace Cargo.toml adds userland crates (excluded from default-members). BSP build.rs emits rerun-if-changed for hello.bin and asserts its presence; src/main.rs embeds the real binary via include_bytes! instead of the prior placeholder.
CI/Workflow and Smoke Testing .github/workflows/ci.yml, tools/smoke.sh	CI now installs llvm-tools-preview and runs tools/build-userland.sh before cargo kernel-build. smoke.sh supports one-command integration: when no explicit ELF is provided, it builds userland then kernel before running QEMU smoke test.
Task Specs, ADRs, and Roadmap docs/analysis/tasks/phase-b/T-027-*.md, docs/analysis/tasks/phase-b/T-028-*.md, docs/decisions/0039-*.md, docs/decisions/README.md, docs/roadmap/*	Adds T-027 documentation specifying the build pipeline (constraints, integration points, verification). Introduces ADR-0039 (Accepted) formalizing the tools/build-userland.sh + include_bytes! approach. Adds T-028 draft for EL0 wire-up. Updates roadmap to reflect B6 step 5 landing and next steps.

Sequence Diagram

sequenceDiagram
  participant Dev as Developer
  participant CI as CI (GitHub Actions)
  participant BuildSH as tools/build-userland.sh
  participant Cargo as cargo build (hello)
  participant ObjCopy as rust-objcopy -O binary
  participant BSPBuild as bsp build.rs / include_bytes!
  participant KernelBuild as cargo kernel-build
  participant QEMU as QEMU Loader
  participant StartEL0 as hello _start (EL0)

  alt Local smoke.sh (no ELF arg)
    Dev->>BuildSH: ./tools/smoke.sh
    BuildSH->>Cargo: build hello (aarch64)
    Cargo->>ObjCopy: rust-objcopy -> hello.bin
  end

  CI->>CI: Install llvm-tools-preview
  CI->>BuildSH: Run build-userland.sh
  BuildSH->>Cargo: Build hello
  Cargo->>ObjCopy: Produce ELF -> objcopy
  ObjCopy->>BSPBuild: Write hello.bin
  CI->>KernelBuild: cargo kernel-build
  KernelBuild->>BSPBuild: Compile BSP (include_bytes! + assert)
  KernelBuild->>KernelBuild: link kernel

  alt Smoke Test
    CI->>QEMU: Run kernel in QEMU
    QEMU->>QEMU: Load hello.bin at 0x00800000
    QEMU->>StartEL0: Jump to _start (offset 0)
    StartEL0->>StartEL0: console_write (greeting)
    StartEL0->>StartEL0: task_exit(0)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• HodeTech/Tyrne#31: Implements the task_loader::load_image function that the BSP changes feed the real hello.bin image into; directly related to the T-019 loader smoke integration.

Poem

A rabbit hops through userland so bright,
With svc shims singing in the night,
Objcopy flattens ELF to bin,
The BSP embeds the build within.
Kernel waits — hello will begin. 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: implementing the userland build pipeline (ADR-0039) and the first real userspace program (T-027, userland/hello + tyrne-user).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch t-027-userland-build-pipeline

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In tools/build-userland.sh, resolving rust-objcopy by find-ing the entire sysroot can be brittle and slow; consider deriving the path via $(rustc --print target-libdir)/../bin/rust-objcopy (or similar) to avoid unexpected matches and make the lookup more deterministic.
• The BSP build.rs hardcodes the hello image path as ../userland/hello/hello.bin; you could derive this from the workspace root (e.g., via CARGO_MANIFEST_DIR plus a known relative) or a shared constant to make future workspace layout changes less fragile.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `tools/build-userland.sh`, resolving `rust-objcopy` by `find`-ing the entire sysroot can be brittle and slow; consider deriving the path via `$(rustc --print target-libdir)/../bin/rust-objcopy` (or similar) to avoid unexpected matches and make the lookup more deterministic.
- The BSP `build.rs` hardcodes the hello image path as `../userland/hello/hello.bin`; you could derive this from the workspace root (e.g., via `CARGO_MANIFEST_DIR` plus a known relative) or a shared constant to make future workspace layout changes less fragile.

## Individual Comments

### Comment 1
<location path="docs/analysis/tasks/phase-b/T-027-userland-build-pipeline.md" line_range="25" />
<code_context>
+- [x] **Userland `unsafe` audit** (security policy applies to userspace too): the `tyrne-user` `svc #0` shims are `unsafe` (inline asm); per [unsafe-policy §Scope](../../../standards/unsafe-policy.md) ("the rules apply equally in kernel, HAL, and userspace code") **and** [CLAUDE.md non-negotiable #2](../../../../CLAUDE.md), each `unsafe` block carries a `// SAFETY:` comment (why the asm upholds the ABI contract — args in `x0..x5`/`x8`, the clobber list, no UB) **and** a dated [`docs/audits/unsafe-log.md`](../../../audits/unsafe-log.md) entry (`UNSAFE-2026-NNNN`). The workspace `clippy::undocumented_unsafe_blocks` / `missing_safety_doc` denies enforce the comment; the audit entry is the policy obligation.
</code_context>
<issue_to_address>
**issue (typo):** Clarify the phrase "denies enforce" in the Clippy sentence.

The clause "the workspace `clippy::undocumented_unsafe_blocks` / `missing_safety_doc` denies enforce the comment" is ungrammatical. Consider something like: "the workspace `clippy::undocumented_unsafe_blocks` / `missing_safety_doc` lints (set to `deny`) require this comment" or similar.

```suggestion
- [x] **Userland `unsafe` audit** (security policy applies to userspace too): the `tyrne-user` `svc #0` shims are `unsafe` (inline asm); per [unsafe-policy §Scope](../../../standards/unsafe-policy.md) ("the rules apply equally in kernel, HAL, and userspace code") **and** [CLAUDE.md non-negotiable #2](../../../../CLAUDE.md), each `unsafe` block carries a `// SAFETY:` comment (why the asm upholds the ABI contract — args in `x0..x5`/`x8`, the clobber list, no UB) **and** a dated [`docs/audits/unsafe-log.md`](../../../audits/unsafe-log.md) entry (`UNSAFE-2026-NNNN`). The workspace `clippy::undocumented_unsafe_blocks` and `clippy::missing_safety_doc` lints (set to `deny`) require this comment; the audit entry is the policy obligation.
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request implements the first real userspace program and its build pipeline (ADR-0039) by introducing the tyrne-user and tyrne-userland-hello crates, along with a tools/build-userland.sh script to generate a raw-flat binary. Feedback focuses on improving build robustness and platform independence, such as supporting CARGO_TARGET_DIR in the build script, using std::path::Path for platform-independent path construction in build scripts, and asserting that .got sections are empty in the linker script. Additionally, reviewers suggested enhancing userspace debuggability by printing a diagnostic message in the panic handler and implementing Display for SyscallError.

[gemini-code-assist]

The script hardcodes the target/ directory, which will fail if a custom target directory is configured via the CARGO_TARGET_DIR environment variable. Supporting CARGO_TARGET_DIR improves build robustness in nested or CI environments.

Suggested change

	ELF="target/aarch64-unknown-none/${PROFILE}/hello"
	TARGET_DIR="${CARGO_TARGET_DIR:-target}"
	ELF="${TARGET_DIR}/aarch64-unknown-none/${PROFILE}/hello"

[cemililik]

Fixed in ce25727 — rust-objcopy is now resolved deterministically via $(rustc --print target-libdir)/../bin/rust-objcopy (with a sysroot find fallback), and the ELF path respects CARGO_TARGET_DIR.

[gemini-code-assist]

Path concatenation using format! with hardcoded / separators is not platform-independent. Using std::path::Path and PathBuf is more idiomatic and robust across different host platforms.

    let hello_bin = std::path::Path::new(&manifest_dir)
        .parent()
        .unwrap()
        .join("userland")
        .join("hello")
        .join("hello.bin");
    let hello_bin_str = hello_bin.to_str().unwrap();
    println!("cargo:rerun-if-changed={}", hello_bin_str);
    assert!(
        hello_bin.exists(),
        "userland image not built: {} is missing.\n       \
         Run tools/build-userland.sh before cargo kernel-build \
         (ADR-0039); tools/smoke.sh and CI do this automatically.",
        hello_bin_str
    );

[cemililik]

Skipped — the format! path with / works on Tyrne's Unix-only dev/CI (macOS + ubuntu, per .github/workflows + the platform); it is not a bug. Path::join is an idiomatic nicety; deferred to keep the change minimal (no Windows target exists).

[gemini-code-assist]

Path concatenation using / is not platform-independent. Using std::path::Path to construct the path to the linker script is more robust and idiomatic.

    let manifest_dir = std::env::var("CARGO_MANIFEST_DIR")
        .expect("CARGO_MANIFEST_DIR must be set by Cargo when running build scripts");
    let linker_script = std::path::Path::new(&manifest_dir).join("hello.ld");

    println!("cargo:rustc-link-arg=-T{}", linker_script.display());
    println!("cargo:rerun-if-changed=hello.ld");
    println!("cargo:rerun-if-changed=build.rs");

[cemililik]

Skipped — same as the BSP build.rs thread (Unix-only paths; minimal-change; no Windows target).

[gemini-code-assist]

The panic handler currently exits silently with code 101. Writing a static diagnostic message to the console before exiting will greatly aid debugging when a userspace panic occurs.

Suggested change

	#[panic_handler]
	fn panic(_info: &core::panic::PanicInfo) -> ! {
	task_exit(101)
	}
	#[panic_handler]
	fn panic(_info: &core::panic::PanicInfo) -> ! {
	let _ = console_write(HELLO_CONSOLE_CAP, b"userspace panic\n");
	task_exit(101)
	}

[cemililik]

Skipped — for the trivial v1 hello the panic path is effectively unreachable (the only fallible call, console_write, is intentionally ignored); the distinct exit code (101) + the kernel's task-termination report are the signal. A console write inside the panic handler (needing the cap + a possibly-bad state) is over-engineering for v1.

[gemini-code-assist]

The linker script asserts that .data and .bss are empty, but does not check for .got or .got.plt sections. If position-independent code or dynamic linking artifacts are accidentally generated, they could silently slip into the raw-flat binary. Adding an assertion for .got ensures full robustness.

    /* v1 forbids writable data (image is USER|EXECUTE, no WRITE). Collect any
     * stray .data/.bss/.got so the ASSERTs can prove they are empty. */
    .data : { *(.data .data.*) }
    .bss  : { *(.bss .bss.* COMMON) }
    .got  : { *(.got .got.plt) }

    ASSERT(SIZEOF(.data) == 0,
        "userland hello: .data must be empty (image maps USER|EXECUTE, no WRITE)")
    ASSERT(SIZEOF(.bss) == 0,
        "userland hello: .bss must be empty (image maps USER|EXECUTE, no WRITE)")
    ASSERT(SIZEOF(.got) == 0,
        "userland hello: .got must be empty (image maps USER|EXECUTE, no WRITE)")

[cemililik]

Fixed in ce25727 — added a .got : { *(.got .got.plt) } collection + ASSERT(SIZEOF(.got) == 0, …) (v1 is non-PIC / fixed-VA). Good belt-and-suspenders against a stray PIC artifact.

[gemini-code-assist]

SyscallError does not implement core::fmt::Display. Implementing Display is a standard Rust idiom for custom error types, allowing them to be formatted cleanly in userspace programs.

Suggested change

	#[derive(Copy, Clone, Debug, Eq, PartialEq)]
	pub struct SyscallError(
	/// The raw kernel status word (`x0`); the low/high blocks encode the
	/// kernel's `SyscallError` taxonomy ([ADR-0030][adr-0030]).
	///
	/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
	pub u64,
	);
	#[derive(Copy, Clone, Debug, Eq, PartialEq)]
	pub struct SyscallError(
	/// The raw kernel status word (x0); the low/high blocks encode the
	/// kernel's SyscallError taxonomy ([ADR-0030][adr-0030]).
	///
	/// [adr-0030]: https://github.com/HodeTech/Tyrne/blob/main/docs/decisions/0030-syscall-abi.md
	pub u64,
	);
	impl core::fmt::Display for SyscallError {
	fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
	write!(f, "SyscallError({:#x})", self.0)
	}
	}

[cemililik]

Skipped — SyscallError is never formatted in v1 (hello ignores the result via let _ =). Adding an unused Display impl runs against the 'smallest shape that works' ethos; trivial to add when a userspace program actually needs to format it.

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/analysis/tasks/phase-b/T-027-userland-build-pipeline.md`:
- Line 58: Update the future-dated history entry "2026-06-01 — implemented (→ In
Review)" to a correct past/neutral value: either replace the date with the
actual implementation date or change the phrasing to "planned", "forthcoming",
or "implemented (date TBD)"; edit the line containing the phrase `2026-06-01 —
implemented (→ In Review)` (and any identical timestamped entries) so the
timeline is accurate and not future-dated.

In `@docs/audits/unsafe-log.md`:
- Line 745: The audit entry currently lists "Introduced: 2026-06-01" which is a
future date; locate the "Introduced: 2026-06-01" string in
docs/audits/unsafe-log.md (the audit entry describing the userspace inline-asm
wrappers / T-027 and ADR-0039) and change that date to a non-future date (for
example the PR date or any prior date such as 2026-05-31) so the audit
chronology remains valid.

In `@docs/roadmap/current.md`:
- Around line 7-8: The banner header date "2026-06-01 update" is future-dated;
update it to the actual posting date (e.g., "2026-05-31 update") or explicitly
label it as a planned/future update (e.g., "Planned — 2026-06-01 update") in the
banner text; locate and edit the banner line that references ADR-0039 / T-027
(and surrounding mentions of tools/build-userland.sh, build.rs, tools/smoke.sh)
to replace the date accordingly.

In `@docs/roadmap/phases/phase-b.md`:
- Line 254: The milestone text incorrectly marks the `tyrne-user` /
`userland/hello/` step as "landed (2026-06-01)" which is a future date; update
the sentence in the Phase B doc to either replace the future date with the
actual landing date or change the phrasing to indicate it is scheduled (e.g.,
"scheduled for 2026-06-01" or "targeted 2026-06-01") so the status and date for
the `tools/build-userland.sh`, `build.rs`/`include_bytes!` pipeline and
UNSAFE-2026-0033 reference are consistent.

In `@userland/tyrne-user/src/lib.rs`:
- Line 23: The file unconditionally imports and uses core::arch::asm and
contains inline-asm blocks that reference aarch64 registers (causing CI failures
on non-aarch64 hosts); wrap the asm import and every inline asm block with
#[cfg(target_arch = "aarch64")] and provide host-safe fallbacks (e.g.,
pure-Rust/no-op or Result::Err stubs) for the functions that currently use asm
so non-aarch64 builds (coverage/miri) compile; specifically gate the `use
core::arch::asm;` line and the inline-asm sections mentioned (around the asm
usages and the blocks at the cited ranges) and add #[cfg(not(target_arch =
"aarch64"))] implementations for the same function names to preserve API
surface.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 28abfa35-dd5a-46bb-9879-2f9180f97cc8

📥 Commits

Reviewing files that changed from the base of the PR and between a8ce11e and 443634b.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (19)

• .github/workflows/ci.yml
• Cargo.toml
• bsp-qemu-virt/build.rs
• bsp-qemu-virt/src/main.rs
• docs/analysis/tasks/phase-b/T-027-userland-build-pipeline.md
• docs/analysis/tasks/phase-b/T-028-el0-userspace-wireup.md
• docs/audits/unsafe-log.md
• docs/decisions/0039-userland-build-pipeline.md
• docs/decisions/README.md
• docs/roadmap/current.md
• docs/roadmap/phases/phase-b.md
• tools/build-userland.sh
• tools/smoke.sh
• userland/hello/Cargo.toml
• userland/hello/build.rs
• userland/hello/hello.ld
• userland/hello/src/main.rs
• userland/tyrne-user/Cargo.toml
• userland/tyrne-user/src/lib.rs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use an introduction date that is not in the future for this audit entry.

Line 745 records Introduced: 2026-06-01, which is future-dated relative to this PR context and weakens audit chronology integrity.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/audits/unsafe-log.md` at line 745, The audit entry currently lists
"Introduced: 2026-06-01" which is a future date; locate the "Introduced:
2026-06-01" string in docs/audits/unsafe-log.md (the audit entry describing the
userspace inline-asm wrappers / T-027 and ADR-0039) and change that date to a
non-future date (for example the PR date or any prior date such as 2026-05-31)
so the audit chronology remains valid.

[cemililik]

Same as the T-027 thread — 2026-06-01 is today's date (verified via date), not future-dated. No change.

[coderabbitai]

@cemililik — Understood, my apologies for the noise. My system context was slightly behind (May 2026), so I incorrectly flagged 2026-06-01 as future-dated. Since you've confirmed via date that it is today's date, the entry's chronology is accurate. No change needed.

🐇

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Correct the banner date to avoid future-dated status reporting.

The banner is labeled “2026-06-01 update,” which is in the future relative to today (May 31, 2026). Please use the actual posting date or explicitly mark this as a planned update.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/roadmap/current.md` around lines 7 - 8, The banner header date
"2026-06-01 update" is future-dated; update it to the actual posting date (e.g.,
"2026-05-31 update") or explicitly label it as a planned/future update (e.g.,
"Planned — 2026-06-01 update") in the banner text; locate and edit the banner
line that references ADR-0039 / T-027 (and surrounding mentions of
tools/build-userland.sh, build.rs, tools/smoke.sh) to replace the date
accordingly.

[cemililik]

Same as the T-027 thread — 2026-06-01 is today's date, not future-dated. No change.

[coderabbitai]

@cemililik — Understood, thanks for the clarification. 2026-06-01 is the correct current date; my concern doesn't apply here. No change needed.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid future-dated “landed” status in the milestone sequence.

Line 254 says step 5 “landed (2026-06-01)”, which is a future date relative to May 31, 2026. Please update to the actual landing date or change wording to indicate it is scheduled.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/roadmap/phases/phase-b.md` at line 254, The milestone text incorrectly
marks the `tyrne-user` / `userland/hello/` step as "landed (2026-06-01)" which
is a future date; update the sentence in the Phase B doc to either replace the
future date with the actual landing date or change the phrasing to indicate it
is scheduled (e.g., "scheduled for 2026-06-01" or "targeted 2026-06-01") so the
status and date for the `tools/build-userland.sh`, `build.rs`/`include_bytes!`
pipeline and UNSAFE-2026-0033 reference are consistent.

[cemililik]

Same as the T-027 thread — 2026-06-01 is today's date, not future-dated. No change.

[coderabbitai]

@cemililik, understood — if 2026-06-01 is today's date, the "landed" status and date are accurate and my flag was a false positive. No change needed.

[cemililik]

Review-round resolution (ce25727)

Verified each finding against source; 3 fixed, 1 the headline catch, the rest skipped with reason.

Fixed

• (Critical) Gate the AArch64 asm for --workspace builds (coderabbit) → cfg-gated the svc asm + no_std/no_main to target_arch = "aarch64" with degenerate host stubs. This was a real regression my original "Miri unaffected" note missed: cargo check --workspace --exclude tyrne-bsp-qemu-virt (and the maintainer's Miri command) failed on the userland asm. Now both host-compile + Miri passes 0 UB with the userland crates included. Thanks — load-bearing catch.
• .got assertion (gemini) → hello.ld now ASSERTs .got empty (non-PIC, fixed-VA).
• build-userland.sh robustness (gemini) → rust-objcopy resolved deterministically via rustc --print target-libdir (was a brittle sysroot find); ELF path respects CARGO_TARGET_DIR.
• Typo "denies enforce" (sourcery) → reworded.

Skipped (with reason)

• The four "future-dated 2026-06-01" findings (coderabbit) → today is 2026-06-01 (verified); the dates are accurate (ADR/earlier docs 2026-05-31; implementation entries 2026-06-01, matching the commit timeline) — not future-dated.
• format!→Path::join in both build.rs (gemini) → the / paths work on Tyrne's Unix-only dev/CI (macOS + ubuntu); an idiomatic nicety, not a bug — deferred (no Windows target).
• Console message in the panic handler (gemini) → over-engineering for the trivial v1 hello (panic path effectively unreachable; the exit code + the kernel's termination report are the signal).
• SyscallError: Display (gemini) → unused in v1 (hello ignores the result); deferred per 'smallest shape'.

Gates re-run green: fmt; host + kernel + userland clippy -D warnings; host tests 46/258/58/3; kernel build; tools/smoke.sh --int PASS (image loads, all tasks complete, 2 stub SVCs, zero new fault); Miri --workspace --exclude tyrne-bsp-qemu-virt 0 UB (now compiling the userland crates).