@guangnao/agent-os 1.0.0

package/dist/kernel/account.d.ts

@@ -0,0 +1,34 @@
+import type { Quota } from '../abi/index';
+export type Meter = 'tokens' | 'toolCalls' | 'usd' | 'children';
+declare const METERS: readonly Meter[];
+export declare class QuotaExceeded extends Error {
+    readonly resource: keyof Quota;
+    constructor(resource: keyof Quota);
+}
+export declare class Account {
+    private readonly now;
+    private readonly parent;
+    private readonly rem;
+    private readonly spent;
+    private readonly wallMs?;
+    readonly mem?: number;
+    readonly maxMailbox?: number;
+    readonly bornAt: number;
+    constructor(quota?: Quota, now?: () => number, parent?: Account | null);
+    /** Charge n of a meter against this account AND every ancestor (atomic: all-or-nothing). */
+    charge(meter: Meter, n: number): void;
+    /** Throw if wall-clock lifetime exceeded (per-process, not bubbled). */
+    checkWall(): void;
+    /** Give resources back up the chain (refunds never fail — no pre-check). */
+    private refund;
+    /** A child account in the tree. Spawning counts 1 against the chain's `children` budget. */
+    child(quota: Quota): Account;
+    /** Called when the owning process exits: free the one `children` slot it occupies in its parent's
+     *  subtree. `children` is a CONCURRENT cap (cgroup pids.max) — live count, not a lifetime total —
+     *  so a supervisor that spawns and reaps in a loop keeps working. (tokens/usd stay cumulative.) */
+    release(): void;
+    remaining(): Quota;
+    /** Aggregate usage of this node and everything below it (charges bubbled up to here). */
+    usage(): Record<Meter, number>;
+}
+export { METERS };

package/dist/kernel/captable.d.ts

@@ -0,0 +1,38 @@
+import type { Pid, CapRef } from '../abi/index';
+import type { Resource, Right, Capability, Caveat } from '../abi/capability';
+export declare class CapError extends Error {
+    constructor(msg: string);
+}
+export declare class CapTable {
+    private readonly now;
+    private readonly caps;
+    private readonly derived;
+    private readonly parentOf;
+    private readonly byOwner;
+    /** `now` is injected (the kernel clock) so caveat expiry is deterministic/replayable, not wall-time. */
+    constructor(now?: () => number);
+    private own;
+    private disown;
+    /** A cap is live unless revoked OR a caveat is unsatisfied (e.g. it has expired). */
+    private satisfied;
+    /** Kernel-internal: create authority. Not reachable from userland. */
+    mint(owner: Pid, resource: Resource, rights: Iterable<Right>, caveats?: readonly Caveat[]): CapRef;
+    /** Userland: weaken a cap you own to a subset of its rights, for least-privilege delegation. */
+    derive(owner: Pid, parent: CapRef, rights: Iterable<Right>): CapRef;
+    /** Userland: weaken a cap you own — a subset of rights AND/OR added caveats (e.g. an expiry). Both only ever
+     *  RESTRICT: rights must be a subset, and the child inherits ALL the parent's caveats plus the new ones, so a
+     *  caveat (a TTL, say) can't be stripped by re-deriving. The result is a fresh cap revoked with the parent. */
+    attenuate(owner: Pid, parent: CapRef, rights: Iterable<Right> | undefined, caveats: readonly Caveat[]): CapRef;
+    /** Hand ownership to another process (delegation rides on IPC, like fd-passing). */
+    transfer(ref: CapRef, to: Pid): void;
+    lookup(ref: CapRef): Capability | undefined;
+    /** Does this process hold any cap over a resource of the given kind? (gates ambient-looking syscalls like spawn) */
+    ownsKind(pid: Pid, kind: Resource['kind']): boolean;
+    /** Look up + assert the holder owns it and it grants `right`. The gate every privileged syscall passes. */
+    require(holder: Pid, ref: CapRef, right: Right): Capability;
+    /** Revoke a cap and, transitively, everything derived from it. Frees it from the table (and the
+     *  owner index) — the flag stays set too, so any lingering Capability reference still reads revoked. */
+    revoke(ref: CapRef): void;
+    /** On process exit: drop all authority it held — O(caps it owned), not O(caps ever minted). */
+    revokeOwnedBy(pid: Pid): void;
+}

package/dist/kernel/clock.d.ts

@@ -0,0 +1,30 @@
+export interface Timer {
+    fire: number;
+    readonly cb: () => void;
+    cancelled?: boolean;
+}
+export interface Clock {
+    readonly virtual: boolean;
+    now(): number;
+    after(ms: number, cb: () => void): Timer;
+    cancel(t: Timer): void;
+    /** Advance to the next pending event when idle; fires it. Returns false if nothing is pending. */
+    advance(): boolean;
+}
+export declare class RealClock implements Clock {
+    readonly virtual = false;
+    private readonly handles;
+    now(): number;
+    after(ms: number, cb: () => void): Timer;
+    cancel(t: Timer): void;
+    advance(): boolean;
+}
+export declare class VirtualClock implements Clock {
+    readonly virtual = true;
+    private t;
+    private pending;
+    now(): number;
+    after(ms: number, cb: () => void): Timer;
+    cancel(t: Timer): void;
+    advance(): boolean;
+}

package/dist/kernel/journal.d.ts

@@ -0,0 +1,25 @@
+import type { Pid, DriverResult } from '../abi/index';
+export type KernelMode = 'live' | 'record' | 'replay' | 'recover';
+/** A journaled driver op: either its result, OR the error it threw. Recording the FAILURE too is what lets a
+ *  run that hit a driver error (e.g. an LLM HTTP failure) replay faithfully — otherwise replay would miss the
+ *  op entirely and abort with "no journal entry" instead of reproducing the original throw. */
+export type Journaled = DriverResult | {
+    readonly error: string;
+};
+interface Entry {
+    readonly pid: Pid;
+    readonly op: number;
+    readonly result: Journaled;
+}
+export declare class Journal {
+    private readonly io;
+    private readonly seq;
+    private static key;
+    record(pid: Pid, op: number, result: Journaled): void;
+    get(pid: Pid, op: number): Journaled | undefined;
+    get size(): number;
+    /** Serialize a recorded run so it can be persisted and replayed later. */
+    toJSON(): readonly Entry[];
+    static fromJSON(seq: readonly Entry[]): Journal;
+}
+export {};

package/dist/kernel/kernel.d.ts

@@ -0,0 +1,227 @@
+import type { Pid, CapRef, Segment, Pager, Message, ProcessImage, Quota, ExitReason, LogLevel, Driver } from '../abi/index';
+import { type Meter } from './account';
+import { type StampedEvent } from './log';
+import { type Recaller } from './memory';
+import { Journal, type KernelMode } from './journal';
+import { type Clock } from './clock';
+import { type Store } from './store';
+import { type SealedEnvelope } from './transport';
+export declare class KernelError extends Error {
+    constructor(msg: string);
+}
+export interface KernelConfig {
+    readonly logCap?: number;
+    readonly logSink?: (e: StampedEvent) => void;
+    readonly onLog?: (pid: Pid, level: LogLevel, msg: string, fields?: Record<string, unknown>) => void;
+    /** Paging policy for context memory. Default evicts LRU + leaves a placeholder; inject one with an LLM summarizer. */
+    readonly pager?: Pager;
+    /** Record/replay driver I/O for reproducible runs. 'live' (default) = no journaling. */
+    readonly mode?: KernelMode;
+    readonly journal?: Journal;
+    /** Time source. Default RealClock; pass a VirtualClock for instant, fully-deterministic runs. */
+    readonly clock?: Clock;
+    /** Per-process recall strategy for paged-out context. Default keyword; pass `() => new VectorRecaller(embed)`. */
+    readonly recaller?: () => Recaller;
+    /** Append-only store for event-sourcing: events (audit) + driver I/O (replay) are written here. */
+    readonly store?: Store;
+    /** Shared secret for authenticated cross-node ingress. Set it to accept sealed envelopes via `ingress()`. */
+    readonly transportKey?: string;
+    /** This node's identity. Scopes egress nonces so two nodes never collide; required to dial/send remotely. */
+    readonly nodeId?: string;
+}
+export interface BootOptions<A = unknown> {
+    readonly args?: A;
+    readonly quota?: Quota;
+    readonly grant?: readonly string[];
+}
+/** A process's durable, serializable state (everything but the JS stack + kernel-local caps). */
+export interface ProcessSnapshot {
+    readonly abi: number;
+    readonly image: string;
+    readonly args: unknown;
+    readonly priority: number;
+    readonly deadline: number | null;
+    readonly stopped?: boolean;
+    readonly account: Quota;
+    readonly mailbox: readonly Message[];
+    readonly context: readonly {
+        body: unknown;
+        tokens: number;
+        pinned: boolean;
+    }[];
+}
+/** The boot message init (pid 1) receives first, carrying its initial capabilities. */
+export interface BootGrant {
+    readonly $: 'boot';
+    readonly spawn: CapRef;
+    readonly devices: Readonly<Record<string, CapRef>>;
+    readonly reply?: CapRef;
+}
+export declare class Kernel {
+    private readonly proc;
+    private readonly caps;
+    private readonly log;
+    private readonly drivers;
+    private readonly onLog?;
+    private readonly pager;
+    private readonly mode;
+    private readonly journal;
+    private readonly clock;
+    private readonly mkRecaller;
+    private readonly store?;
+    private readonly transportKey?;
+    private readonly nodeId;
+    private readonly peers;
+    private egressSeq;
+    private readonly images;
+    private readonly pendingSpawns;
+    private readonly remoteMonitors;
+    private readonly freshWindowMs;
+    private readonly nonces;
+    private runQueue;
+    private qHead;
+    private special;
+    private enqSeq;
+    private current;
+    private shutdownFlag;
+    private readonly exitWaiters;
+    private readonly exitHooks;
+    private readonly reaped;
+    private readonly registry;
+    private initPid;
+    constructor(cfg?: KernelConfig);
+    /** The I/O journal (record mode populates it; persist via journal.toJSON()). */
+    get io(): Journal;
+    /** Run a driver op through record/replay: replay returns the journaled result; record logs the live one. */
+    private journaled;
+    /** Register a driver (LLM, tools, KV, gateway, WASM, worker) so the kernel
+     *  can hand its device capabilities to processes at boot/grant time. */
+    registerDriver(driver: Driver): void;
+    /** Crash recovery: build a kernel that REPLAYS persisted driver I/O from a store. Re-running the
+     *  same images reproduces the original run exactly — every read/write returns its journaled result,
+     *  so no live driver is touched. The event-sourcing log IS the recovery mechanism. */
+    static replayFrom(store: Store, cfg?: Omit<KernelConfig, 'mode' | 'journal'>): Kernel;
+    /** Partial crash recovery: REPLAY the persisted prefix (no live I/O), then — when a process runs past the
+     *  point the journal reaches (the original run crashed mid-flight) — RESUME it live, appending the new ops to
+     *  the same store. Unlike replayFrom (strict reproduce; aborts on a missing op), this lets a long-running run
+     *  pick up where it died. Keeps the store so the resumed tail is durable and a second crash is recoverable too. */
+    static recoverFrom(store: Store, cfg?: Omit<KernelConfig, 'mode' | 'journal' | 'store'>): Kernel;
+    /** Boot the system: create pid 1 (init) with the given image, optional root
+     *  quota, and a set of driver names it may open. Init receives a `BootGrant`
+     *  as its first message, carrying a `spawn` cap and `devices` record. */
+    boot<A>(init: ProcessImage<A>, opts?: BootOptions<A>): Promise<Pid>;
+    /** Resolve when a process terminates (test/orchestration helper). */
+    waitExit(pid: Pid): Promise<ExitReason>;
+    /** Query a snapshot of live processes: pid, name, status, mailbox depth,
+     *  remaining budget, usage, and memory stats — the userland `ps` analogue. */
+    ps(): {
+        pid: Pid;
+        name: string;
+        parent: Pid | null;
+        status: import("./pcb").ProcStatus;
+        stopped: boolean;
+        mailbox: number;
+        budget: Quota;
+        used: Record<Meter, number>;
+        mem: {
+            resident: number;
+            swapped: number;
+            size: number;
+            ceiling: number | undefined;
+        };
+    }[];
+    /** Tail the last N stamped events from the kernel event log (audit trail). */
+    trace(n?: number): readonly StampedEvent[];
+    /** Monitoring snapshot: live process count + running aggregates over the whole event history. */
+    metrics(): {
+        processes: number;
+        events: number;
+        spawns: number;
+        exits: number;
+        sends: number;
+        scheds: number;
+        faults: number;
+        exitsByReason: Record<string, number>;
+        charged: Record<string, number>;
+    };
+    /** Prometheus text-exposition of the same counters — scrape it straight into a TSDB. */
+    metricsText(): string;
+    /** Inspect the resident context (working set) of a live process — the
+     *  segments currently visible to its LLM. For observability / debugging. */
+    inspect(pid: Pid): readonly Segment[];
+    /** Transport ingress: inject a message into a local process from OUTSIDE the kernel
+     *  (a gateway/transport bridging another node). Returns false if no such live process. */
+    deliverExternal(pid: Pid, body: unknown): boolean;
+    /** Register a route to a peer node: `send` will egress envelopes addressed to it (a dialTcp.send, or any
+     *  sink for tests). The matching transportKey must be shared with the peer, whose ingress() verifies them. */
+    connect(node: string, egress: (env: SealedEnvelope) => boolean): void;
+    /** Publish an image that PEER nodes may spawn by name (a ProcessImage holds closures → it can't cross the
+     *  wire; the host already has it, so remote spawn is "spawn the image you registered as N"). `grant` lists
+     *  the driver devices the spawned process may open. */
+    registerImage(name: string, image: ProcessImage, grant?: readonly string[]): void;
+    /** Egress a Down to a peer node's watcher pid (a normal data envelope; ingress delivers it to the mailbox). */
+    private sendDown;
+    /** Control-channel envelope (addressed to pid 0): a remote-spawn request/reply, or a remote-monitor request. */
+    private handleControl;
+    /** Spawn a peer-requested image locally, granting it a spawn cap, its allowed devices, and a `reply` proxy
+     *  cap back to the requester (so the two can talk). Orphans reparent to init like any process. */
+    private hostRemote;
+    /** AUTHENTICATED transport ingress: the trust boundary for messages off the wire.
+     *  Verifies the HMAC (constant-time) and rejects replays before anything reaches a
+     *  process; a bad MAC, a reused nonce, or a dead target are all dropped (→ false).
+     *  Capabilities never cross — a verified sender can address a pid, not forge authority. */
+    ingress(env: SealedEnvelope): boolean;
+    /**
+     * Snapshot a process's DURABLE state (context + mailbox + budget + sched).
+     * The JS execution stack is not serializable, so restore resumes by re-running
+     * the image against the restored state — sound for context-driven agents whose
+     * state IS their context. Capabilities are kernel-local authority and are NOT
+     * captured; the restorer re-grants them.
+     */
+    snapshot(pid: Pid): ProcessSnapshot;
+    /** Restore a snapshot into THIS kernel as a fresh process running `image`. */
+    restore(snap: ProcessSnapshot, image: ProcessImage, opts?: {
+        parent?: Pid;
+    }): Promise<Pid>;
+    /** Graceful system shutdown: kill every live process with the given reason
+     *  (default 'shutdown'), flush the event log, and stop scheduling. */
+    shutdown(reason?: ExitReason): Promise<void>;
+    private enqueue;
+    private makeRunnable;
+    /** SIGSTOP — pause a process: it stays alive but is never dispatched until resumed. Descheduled now if
+     *  running; dropped from the ready queue if runnable (re-enqueued on resume); a parked recv just stays parked. */
+    private suspendProc;
+    /** SIGCONT — resume a stopped process. Safe even if it has nothing to do: a parked recv re-parks on an
+     *  empty mailbox, so a spurious wake is a no-op. */
+    private resumeProc;
+    /** SIGTERM — a graceful, CATCHABLE stop request: deliver a `{ $: 'term' }` message the process can
+     *  handle in its recv loop (clean up, then exit). Unlike kill/signal it never force-terminates; the
+     *  handler IS the recv loop. (A stopped target gets it queued; it's seen on resume.) */
+    private termProc;
+    /** Pick the highest-priority runnable; ties broken by earliest deadline (EDF), then FIFO.
+     *  Fast path (no priority/deadline in play): a plain FIFO dequeue, O(1) amortized — the
+     *  general scan is taken only while a special process is queued. Both yield identical order. */
+    private pickNext;
+    private higher;
+    private dispatch;
+    /** Arm (or re-arm) a deadline: kill the process if it hasn't finished by then. */
+    private armDeadline;
+    /** Await an external promise (driver I/O) WITHOUT holding the CPU: the process parks so other
+     *  processes run meanwhile; it's rescheduled when the promise settles. Enables true concurrency
+     *  during I/O (e.g. a worker-thread offload runs in parallel while the kernel keeps scheduling). */
+    /** The single blocking primitive: park the running process (status→waiting, yield the CPU) until its
+     *  `cont` is fired by a wake. recv, send-backpressure and parkOn all build their wait loops on this. */
+    private block;
+    private parkOn;
+    /** Park the running process and hand control to the scheduler (re-enters the ready set). */
+    private reschedule;
+    /** End-of-syscall fairness point: charge reductions; yield if the quantum is spent. */
+    private tick;
+    private runCleanups;
+    private startMain;
+    private deliver;
+    private terminate;
+    private chargeDriver;
+    private req;
+    private sysFor;
+}

package/dist/kernel/log.d.ts

@@ -0,0 +1,71 @@
+import type { Pid, ExitReason } from '../abi/index';
+import type { Meter } from './account';
+export type KEvent = {
+    readonly t: 'boot';
+} | {
+    readonly t: 'shutdown';
+    readonly reason: string;
+} | {
+    readonly t: 'spawn';
+    readonly pid: Pid;
+    readonly parent: Pid | null;
+    readonly name: string;
+} | {
+    readonly t: 'exit';
+    readonly pid: Pid;
+    readonly reason: ExitReason;
+} | {
+    readonly t: 'send';
+    readonly from: Pid;
+    readonly to: Pid;
+} | {
+    readonly t: 'recv';
+    readonly pid: Pid;
+} | {
+    readonly t: 'sched';
+    readonly pid: Pid;
+} | {
+    readonly t: 'charge';
+    readonly pid: Pid;
+    readonly meter: Meter;
+    readonly n: number;
+} | {
+    readonly t: 'fault';
+    readonly pid: Pid;
+    readonly error: string;
+} | {
+    readonly t: 'restart';
+    readonly pid: Pid;
+    readonly by: Pid;
+} | {
+    readonly t: 'signal';
+    readonly pid: Pid;
+    readonly sig: 'stop' | 'cont' | 'term';
+};
+export type StampedEvent = KEvent & {
+    readonly seq: number;
+    readonly ts: number;
+};
+/** Running aggregates over the WHOLE event history (the ring is bounded, so counts can't be
+ *  recomputed from it — they're tallied at emit time). The seed for metrics()/monitoring. */
+export interface LogStats {
+    readonly byType: Record<string, number>;
+    readonly exitsByReason: Record<string, number>;
+    readonly charged: Record<string, number>;
+}
+export declare class EventLog {
+    private readonly cap;
+    private readonly sink?;
+    private readonly now;
+    private readonly buf;
+    private seq;
+    private readonly byType;
+    private readonly exitsByReason;
+    private readonly charged;
+    constructor(cap?: number, sink?: ((e: StampedEvent) => void) | undefined, now?: () => number);
+    emit(e: KEvent): void;
+    tail(n?: number): readonly StampedEvent[];
+    stats(): LogStats;
+    get count(): number;
+    clear(): void;
+}

package/dist/kernel/memory.d.ts

@@ -0,0 +1,97 @@
+import type { SegId, Segment, Pager } from '../abi/index';
+/** Deterministic token estimate: ≈1.5 tokens per CJK char, ≈4 latin chars per token. Inject a real
+ *  tokenizer via the pager if you need exactness; this only needs to not under-count (→ no surprise OOM). */
+export declare const estTokens: (body: unknown) => number;
+/** Default pager: evict LRU unpinned segments to free `need` tokens, leaving one summary in their place.
+ *  Pass a `summarize` (e.g. an LLM call) for real gists; the default leaves a deterministic placeholder. */
+export declare class DefaultPager implements Pager {
+    private readonly summarize?;
+    constructor(summarize?: ((segs: readonly Segment[]) => Promise<{
+        body: unknown;
+        tokens: number;
+    }>) | undefined);
+    pageOut(resident: readonly Segment[], need: number): Promise<{
+        evict: readonly SegId[];
+        summary?: Omit<Segment, 'id'>;
+    }>;
+}
+/** Ranks swapped segments against a query. Indexes on page-out, drops on page-in/forget. */
+export interface Recaller {
+    index(id: SegId, body: unknown): void;
+    remove(id: SegId): void;
+    search(query: string, candidates: ReadonlySet<SegId>, k: number): SegId[];
+}
+/** Default recaller: keyword (term-overlap) match — no model, deterministic. */
+export declare class KeywordRecaller implements Recaller {
+    private readonly text;
+    index(id: SegId, body: unknown): void;
+    remove(id: SegId): void;
+    search(query: string, candidates: ReadonlySet<SegId>, k: number): SegId[];
+}
+/** BM25 recaller: ranks swapped segments by Okapi BM25 (term frequency · inverse document frequency ·
+ *  length normalization) — far better than KeywordRecaller's raw term-overlap count, yet still
+ *  deterministic and dependency-free (no embedding model). The default for context page-in. */
+export declare class Bm25Recaller implements Recaller {
+    private readonly docs;
+    private readonly df;
+    private totalLen;
+    private readonly k1;
+    private readonly b;
+    index(id: SegId, body: unknown): void;
+    remove(id: SegId): void;
+    search(query: string, candidates: ReadonlySet<SegId>, k: number): SegId[];
+}
+export type EmbedFn = (text: string) => readonly number[];
+/** Vector recaller: embed each segment, rank by cosine similarity. Pass a real embedding model;
+ *  `hashEmbed()` gives a deterministic, dependency-free default for tests/demos. */
+export declare class VectorRecaller implements Recaller {
+    private readonly embed;
+    private readonly vecs;
+    constructor(embed: EmbedFn);
+    index(id: SegId, body: unknown): void;
+    remove(id: SegId): void;
+    search(query: string, candidates: ReadonlySet<SegId>, k: number): SegId[];
+}
+/** Deterministic hashed bag-of-words embedding, L2-normalized. No dependencies. */
+export declare function hashEmbed(dim?: number): EmbedFn;
+export declare class Context {
+    private readonly ceiling;
+    private readonly pager;
+    private readonly recaller;
+    private readonly resident;
+    private readonly swap;
+    size: number;
+    constructor(ceiling: number | undefined, pager: Pager, recaller?: Recaller);
+    private get watermark();
+    remember(body: unknown, tokens: number, pinned: boolean): Promise<SegId>;
+    workingSet(): readonly Segment[];
+    recall(query: string, k: number): Promise<readonly Segment[]>;
+    pin(id: SegId, on: boolean): void;
+    forget(id: SegId): void;
+    stats(): {
+        resident: number;
+        swapped: number;
+        size: number;
+        ceiling: number | undefined;
+    };
+    /** Serialize the durable state of the context (for snapshot/migration). */
+    dump(): {
+        body: unknown;
+        tokens: number;
+        pinned: boolean;
+    }[];
+    /** Rebuild a context from a dump, then page down under the watermark if over ceiling (e.g.
+     *  restored on a kernel with a smaller memory cap). Throws QuotaExceeded if the pinned working
+     *  set alone surpasses the ceiling. */
+    static from(ceiling: number | undefined, pager: Pager, segs: readonly {
+        body: unknown;
+        tokens: number;
+        pinned: boolean;
+    }[], recaller?: Recaller): Promise<Context>;
+    /** Resident segments coldest-first. The Map's insertion order already tracks recency — remember
+     *  appends, recall re-inserts (swap→resident) at the end, and no resident key is re-set in place —
+     *  so iteration is LRU-ascending with no sort. (Keep that invariant if you touch resident.set.) */
+    private lru;
+    /** Page out until under the watermark (or only pinned remain); OOM if the pinned set busts the ceiling. */
+    private relieve;
+}

package/dist/kernel/pcb.d.ts

@@ -0,0 +1,60 @@
+import type { Pid, CapRef, Message, ProcessImage, ExitReason, DriverHandle } from '../abi/index';
+import { Account } from './account';
+import type { Context } from './memory';
+import type { Timer } from './clock';
+export type ProcStatus = 'new' | 'runnable' | 'running' | 'waiting' | 'dead';
+/** FIFO inbox with O(1) amortized dequeue: a head index + lazy prefix compaction, so draining a
+ *  deep mailbox (fan-in / aggregation) stays linear instead of Array.shift()'s O(n)-per-pop. */
+export declare class Mailbox<T> {
+    private q;
+    private head;
+    get len(): number;
+    push(m: T): void;
+    shift(): T | undefined;
+    drain(): T[];
+}
+/** Thrown by sys.exit() to unwind the process body cleanly (not a fault). */
+export declare class ExitSignal extends Error {
+    readonly reason: ExitReason;
+    constructor(reason: ExitReason);
+}
+export interface PCB {
+    readonly pid: Pid;
+    readonly name: string;
+    parent: Pid | null;
+    readonly image: ProcessImage<unknown>;
+    readonly args: unknown;
+    readonly account: Account;
+    readonly context: Context;
+    status: ProcStatus;
+    stopped: boolean;
+    age: number;
+    reductions: number;
+    op: number;
+    recovered: boolean;
+    priority: number;
+    deadline: number | null;
+    enq: number;
+    /** Resolver of the promise the process is currently parked on (yield / recv-block / sleep). */
+    cont: (() => void) | null;
+    timer: Timer | null;
+    deadlineTimer: Timer | null;
+    exitReason: ExitReason | null;
+    readonly mailbox: Mailbox<Message>;
+    readonly mailboxWaiters: Array<() => void>;
+    readonly links: Set<Pid>;
+    readonly monitors: Set<Pid>;
+    readonly handles: Map<CapRef, DriverHandle>;
+    readonly cleanups: Array<() => void>;
+}
+export declare function makePCB(pid: Pid, parent: Pid | null, image: ProcessImage<unknown>, args: unknown, account: Account, context: Context): PCB;
+export declare class ProcTable {
+    private readonly map;
+    private seq;
+    alloc(): Pid;
+    add(pcb: PCB): void;
+    get(pid: Pid): PCB | undefined;
+    remove(pid: Pid): void;
+    all(): IterableIterator<PCB>;
+    get count(): number;
+}

package/dist/kernel/store.d.ts

@@ -0,0 +1,36 @@
+import type { Pid } from '../abi/index';
+import type { StampedEvent } from './log';
+import { Journal, type Journaled } from './journal';
+export type StoreRecord = {
+    readonly kind: 'event';
+    readonly data: StampedEvent;
+} | {
+    readonly kind: 'io';
+    readonly data: {
+        readonly pid: Pid;
+        readonly op: number;
+        readonly result: Journaled;
+    };
+};
+export interface Store {
+    append(rec: StoreRecord): void;
+    load(): readonly StoreRecord[];
+}
+/** In-memory store (tests / ephemeral). */
+export declare class MemoryStore implements Store {
+    private readonly recs;
+    append(rec: StoreRecord): void;
+    load(): readonly StoreRecord[];
+}
+/** Append-only JSONL file store — survives process restarts. */
+export declare class FileStore implements Store {
+    private readonly path;
+    constructor(path: string);
+    append(rec: StoreRecord): void;
+    load(): readonly StoreRecord[];
+    reset(): void;
+}
+/** Rebuild a replay journal from persisted I/O records. */
+export declare function journalFromStore(records: readonly StoreRecord[]): Journal;
+/** Read just the audit trail (events) back from a store. */
+export declare function eventsFromStore(records: readonly StoreRecord[]): StampedEvent[];

package/dist/kernel/transport.d.ts

@@ -0,0 +1,26 @@
+/** A message as it crosses the trust boundary: addressing + payload + the MAC that authenticates all of it. */
+export interface SealedEnvelope {
+    readonly to: number;
+    readonly nonce: string;
+    readonly ts: number;
+    readonly body: unknown;
+    readonly mac: string;
+}
+/** A fresh nonce: monotone counter + entropy, so two sends never collide even within a tick. */
+export declare function freshNonce(rand: () => string): string;
+/** Seal a message for transport. The returned envelope is safe to ship over a hostile wire. `ts` (seal
+ *  time) is stamped now by default and folded into the MAC, so the receiver can reject stale replays. */
+export declare function seal(key: string, to: number, body: unknown, nonce: string, ts?: number): SealedEnvelope;
+/** Verify an envelope's MAC in constant time. False ⇒ forged or tampered — drop it. */
+export declare function verify(key: string, env: SealedEnvelope): boolean;
+/** Replay guard scoped to a freshness WINDOW: a nonce is accepted at most once while it's fresh. Entries
+ *  past the window are pruned — a replay that old is already caught by ingress's timestamp check, so the
+ *  cache only has to cover the window (no count-eviction hole the old bounded set had). cap is a flood backstop. */
+export declare class NonceGuard {
+    private readonly windowMs;
+    private readonly cap;
+    private readonly seen;
+    constructor(windowMs?: number, cap?: number);
+    /** True the first time a nonce is seen within the window; false on replay. `now` is the kernel clock. */
+    admit(nonce: string, now: number): boolean;
+}

package/dist/net/tcp.d.ts

@@ -0,0 +1,22 @@
+import type { SealedEnvelope } from '../kernel/transport';
+/** Listen for sealed envelopes; hand each verified-by-the-handler line to `onEnvelope`. */
+export declare function serveTcp(onEnvelope: (env: SealedEnvelope) => boolean, opts?: {
+    port?: number;
+    host?: string;
+    maxLine?: number;
+}): Promise<{
+    port: number;
+    close: () => Promise<void>;
+}>;
+/** Dial a peer with a SELF-HEALING socket: it reconnects (capped exponential backoff) after a drop and
+ *  flushes a bounded backlog on (re)connect. `send` is HONEST — true means accepted (sent or queued),
+ *  false means refused: the dialer is closed, or the backlog is full (so it never grows unbounded and
+ *  never claims success it can't keep). */
+export declare function dialTcp(host: string, port: number, opts?: {
+    maxPending?: number;
+    backoffMs?: number;
+    maxBackoffMs?: number;
+}): {
+    send: (env: SealedEnvelope) => boolean;
+    close: () => void;
+};