Development

[cemililik]

Summary by Sourcery

Introduce the kernel object subsystem with typed arenas and handles, and rewire capabilities to reference these concrete objects while updating roadmap and planning docs for milestones A2 and A3.

New Features:

• Add a generic, fixed-capacity Arena storage type for kernel objects with generation-tagged SlotId handles.
• Introduce Task, Endpoint, and Notification kernel object types with typed handles, per-kind arenas, and create/destroy/query APIs.
• Rework CapObject into a typed enum over TaskHandle, EndpointHandle, and NotificationHandle, and derive capability kind from the object variant.
• Expose CapabilityTable::references_object to support ADR-0016 reachability checks before object destruction.

Enhancements:

• Simplify Capability by removing the explicit CapKind field and deriving kind from the associated CapObject.
• Adjust capability-table tests to use typed CapObject task handles instead of opaque identifiers.
• Document the new kernel object storage design in ADR-0016 and reference it from the capability and roadmap documentation.
• Update roadmap, tasks, and business review docs to mark A2 complete, open T-002 for A3, and describe the kernel-object subsystem in the crate-level docs.

Documentation:

• Add ADR-0016 describing kernel object storage and its rationale, including typed handles and per-type arenas.
• Update Phase A roadmap, current status, task listings, and business review docs to reflect A2 completion and A3/T-002 activation, and to document the new kernel-object subsystem in the kernel crate docs.

Tests:

• Add unit tests for the generic Arena, and for Task, Endpoint, and Notification arenas and their handle semantics.
• Extend capability-table tests to cover the new references_object helper and the typed CapObject representation.

Summary by CodeRabbit

Release Notes

• New Features

  • Kernel object storage system with typed handles for Task, Endpoint, and Notification objects
  • Capability table now supports typed object references and reachability checking

• Refactor

  • Capability system updated to use typed enum variants instead of opaque identifiers

• Documentation

  • Added business review for Phase A2 completion
  • Added architectural decision record for kernel object storage design
  • Updated roadmap and task tracking for ongoing and upcoming phases

[sourcery-ai]

Reviewer's Guide

Implements the Phase A3 kernel-object subsystem and rewires capabilities to point to typed kernel objects instead of an opaque u64, using a shared generic arena pattern; also adds a reachability helper for destroy paths and advances roadmap, tasks, and ADR documentation for milestones A2 and A3.

Sequence diagram for destroy_task with capability reachability check

sequenceDiagram
    actor Caller
    participant TaskArena as TaskArena
    participant CapTable as CapabilityTable
    participant Obj as ObjModule

    Caller->>CapTable: references_object(target: CapObject::Task(handle))
    CapTable-->>Caller: bool has_ref

    alt has_ref == true
        Caller-->>Caller: abort destroy (ObjError::StillReachable)
    else has_ref == false
        Caller->>Obj: destroy_task(arena: TaskArena, handle: TaskHandle)
        Obj->>TaskArena: free(handle.slot())
        TaskArena-->>Obj: Task or None
        Obj-->>Caller: Result(Task, ObjError::InvalidHandle)
    end

Loading

Class diagram for updated capability and CapObject model

classDiagram
    class CapRights {
    }

    class CapKind {
        <<enum>>
        Task
        Endpoint
        Notification
        MemoryRegion
    }

    class TaskHandle {
        +index: u16
        +generation: u32
    }

    class EndpointHandle {
        +index: u16
        +generation: u32
    }

    class NotificationHandle {
        +index: u16
        +generation: u32
    }

    class CapObject {
        <<enum>>
        +Task(handle: TaskHandle)
        +Endpoint(handle: EndpointHandle)
        +Notification(handle: NotificationHandle)
        +kind() CapKind
    }

    class Capability {
        -rights: CapRights
        -object: CapObject
        +new(rights: CapRights, object: CapObject) Capability
        +kind() CapKind
        +rights() CapRights
        +object() CapObject
    }

    class CapHandle {
        +index: u16
        +generation: u32
    }

    class CapabilityTable {
        +cap_copy(src: CapHandle, new_rights: CapRights) CapHandle~Result~
        +cap_derive(src: CapHandle, new_rights: CapRights, new_object: CapObject) CapHandle~Result~
        +cap_revoke(src: CapHandle) CapError~Result~
        +cap_drop(src: CapHandle) CapError~Result~
        +lookup(handle: CapHandle) Capability~Result~
        +references_object(target: CapObject) bool
    }

    class CapError {
        <<enum>>
        WidenedRights
        InsufficientRights
        DerivationTooDeep
        HasChildren
        InvalidHandle
    }

    Capability o-- CapObject : object
    Capability --> CapRights : rights
    CapObject --> CapKind : derives
    CapObject --> TaskHandle
    CapObject --> EndpointHandle
    CapObject --> NotificationHandle

    CapabilityTable "*" o-- Capability : slots
    CapabilityTable --> CapHandle
    CapabilityTable --> CapError
    CapabilityTable --> CapRights

Loading

Class diagram for kernel object subsystem and generic arena

classDiagram
    class SlotId {
        -index: u16
        -generation: u32
        +index() u16
        +generation() u32
        +from_parts(index: u16, generation: u32) SlotId
    }

    class Slot_T_ {
        -entry: Option~T~
        -generation: u32
        -next_free: Option~u16~
    }

    class Arena_T_N_ {
        -slots: Slot_T_[N]
        -free_head: Option~u16~
        +new() Arena_T_N_
        +allocate(value: T) Option~SlotId~
        +free(id: SlotId) Option~T~
        +get(id: SlotId) Option~T&~
        +get_mut(id: SlotId) Option~T&~
        +contains(id: SlotId) bool
    }

    class ObjError {
        <<non_exhaustive enum>>
        ArenaFull
        InvalidHandle
        StillReachable
    }

    class Task {
        -id: u32
        +new(id: u32) Task
        +id() u32
    }

    class TaskHandle {
        -slot: SlotId
        +from_slot(slot: SlotId) TaskHandle
        +slot() SlotId
        +test_handle(index: u16, generation: u32) TaskHandle
    }

    class Endpoint {
        -id: u32
        +new(id: u32) Endpoint
        +id() u32
    }

    class EndpointHandle {
        -slot: SlotId
        +from_slot(slot: SlotId) EndpointHandle
        +slot() SlotId
        +test_handle(index: u16, generation: u32) EndpointHandle
    }

    class Notification {
        -word: u64
        +new(word: u64) Notification
        +word() u64
        +set(bits: u64) void
        +consume() u64
    }

    class NotificationHandle {
        -slot: SlotId
        +from_slot(slot: SlotId) NotificationHandle
        +slot() SlotId
        +test_handle(index: u16, generation: u32) NotificationHandle
    }

    class TaskArena {
        <<type alias>>
        = Arena_T_N_~Task, TASK_ARENA_CAPACITY~
    }

    class EndpointArena {
        <<type alias>>
        = Arena_T_N_~Endpoint, ENDPOINT_ARENA_CAPACITY~
    }

    class NotificationArena {
        <<type alias>>
        = Arena_T_N_~Notification, NOTIFICATION_ARENA_CAPACITY~
    }

    class ObjModule {
        <<module>>
        +TASK_ARENA_CAPACITY: usize
        +ENDPOINT_ARENA_CAPACITY: usize
        +NOTIFICATION_ARENA_CAPACITY: usize
        +create_task(arena: TaskArena, task: Task) TaskHandle~Result~
        +destroy_task(arena: TaskArena, handle: TaskHandle) Task~Result~
        +get_task(arena: TaskArena, handle: TaskHandle) Task&~Option~
        +create_endpoint(arena: EndpointArena, endpoint: Endpoint) EndpointHandle~Result~
        +destroy_endpoint(arena: EndpointArena, handle: EndpointHandle) Endpoint~Result~
        +get_endpoint(arena: EndpointArena, handle: EndpointHandle) Endpoint&~Option~
        +create_notification(arena: NotificationArena, notification: Notification) NotificationHandle~Result~
        +destroy_notification(arena: NotificationArena, handle: NotificationHandle) Notification~Result~
        +get_notification(arena: NotificationArena, handle: NotificationHandle) Notification&~Option~
    }

    Arena_T_N_ o-- Slot_T_ : slots
    Slot_T_ --> SlotId : generation uses

    TaskHandle --> SlotId
    EndpointHandle --> SlotId
    NotificationHandle --> SlotId

    TaskArena --> Arena_T_N_
    EndpointArena --> Arena_T_N_
    NotificationArena --> Arena_T_N_

    ObjModule --> TaskArena
    ObjModule --> EndpointArena
    ObjModule --> NotificationArena
    ObjModule --> TaskHandle
    ObjModule --> EndpointHandle
    ObjModule --> NotificationHandle
    ObjModule --> ObjError

Loading

File-Level Changes

Change	Details	Files
Adjust capability table to derive kind from CapObject and add a reachability helper used by destroy paths.	Remove explicit CapKind field from Capability and stop snapshotting kind in cap_copy/cap_derive, deriving kind from CapObject instead. Update Capability::new signature and call sites to no longer pass a kind value. Add CapabilityTable::references_object to scan slots for any capability naming a given CapObject, with corresponding test to ensure it only considers live entries. Refactor tests to construct CapObject values using task handles instead of the old CapObject::new(u64) placeholder API.	kernel/src/cap/table.rs kernel/src/cap/mod.rs
Introduce a generic, bounded, generation-tagged Arena used as the backing store for all kernel-object kinds.	Define SlotId and Slot types plus Arena<T, N> with allocate/free/get/get_mut/contains using a free-list and generation counter to prevent stale-handle use. Add comprehensive unit tests covering allocation, reuse/generation bumping, exhaustion behaviour, middle-slot reuse, mutation through get_mut, and zero-capacity arenas.	kernel/src/obj/arena.rs
Add concrete kernel-object types (Task, Endpoint, Notification) with typed handles, per-type arenas, and create/destroy APIs.	Define Task, Endpoint, and Notification structs with minimal v1 fields and safe methods (e.g., Notification::set/consume). Create TaskHandle, EndpointHandle, and NotificationHandle wrapper types over SlotId, including test-only constructors, and type aliases for TaskArena/EndpointArena/NotificationArena using the generic Arena. Implement create_/destroy_ and get_* helper functions for each kind that wrap Arena operations and map allocation/free failures to ObjError variants. Add unit tests for each object kind covering create/lookup/destroy semantics, arena exhaustion, handle invalidation, and basic Notification word semantics.	kernel/src/obj/mod.rs kernel/src/obj/task.rs kernel/src/obj/endpoint.rs kernel/src/obj/notification.rs
Rewire CapObject to a typed enum over kernel-object handles and simplify Capability accordingly.	Change CapObject from an opaque u64 newtype to an enum with Task/Endpoint/Notification variants that each carry the appropriate typed handle. Add CapObject::kind to compute CapKind from the variant, and update Capability to drop its stored kind field and derive kind from object.kind(). Update documentation comments to describe the new typed CapObject model and the Phase B plan for MemoryRegion. Adjust all Capability construction and tests to use the new Capability::new(rights, object) and CapObject variants built from TaskHandle::test_handle in tests.	kernel/src/cap/mod.rs kernel/src/cap/table.rs
Introduce the kernel-object subsystem API surface and shared error type.	Add obj::ObjError as a non_exhaustive enum with ArenaFull, InvalidHandle, and StillReachable variants to standardize kernel-object error reporting. Define per-kind arena capacity constants for tasks, endpoints, and notifications, exported from obj::mod. Document subsystem status, invariants, and its relationship to ADR-0014 and ADR-0016 in module-level docs.	kernel/src/obj/mod.rs
Capture the kernel-object storage design in a new ADR and wire roadmap/task docs to the new subsystem and milestones.	Add ADR-0016 describing per-type arenas with typed handles, explicit destruction, and CapObject rewiring, including rationale and tradeoffs vs alternatives. Update roadmap/current, phase-a, and task index docs to mark A2/T-001 as Done, introduce A3/T-002 as In Review, and mention the new obj subsystem and ADR-0016. Create the T-002 task file specifying acceptance criteria and design notes for kernel object storage, referencing ADR-0016 and the new obj module. Update decisions index and business review index, and add a business review document for A2 completion that references T-002 and ADR-0016. Touch kernel/src/lib.rs docs to list the new obj subsystem alongside cap.	docs/decisions/0016-kernel-object-storage.md docs/decisions/README.md docs/roadmap/current.md docs/roadmap/phases/phase-a.md docs/analysis/tasks/phase-a/T-001-capability-table-foundation.md docs/analysis/tasks/phase-a/T-002-kernel-object-storage.md docs/analysis/tasks/phase-a/README.md docs/analysis/reviews/business-reviews/README.md docs/analysis/reviews/business-reviews/2026-04-21-A2-completion.md kernel/src/lib.rs

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Warning

Rate limit exceeded

@cemililik has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 41 minutes and 9 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 41 minutes and 9 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 50c00562-77bd-46a5-a4cd-2deb5dca9318

📥 Commits

Reviewing files that changed from the base of the PR and between d1d4a1f and fa21f16.

📒 Files selected for processing (8)

• docs/analysis/reviews/business-reviews/2026-04-21-A2-completion.md
• docs/analysis/tasks/phase-a/T-001-capability-table-foundation.md
• docs/decisions/0016-kernel-object-storage.md
• kernel/src/cap/table.rs
• kernel/src/lib.rs
• kernel/src/obj/arena.rs
• kernel/src/obj/mod.rs
• kernel/src/obj/notification.rs

📝 Walkthrough

Walkthrough

The PR marks milestone A2 (capability table foundation) as completed via business review documentation and advances to A3 (kernel object storage). It refactors CapObject from an opaque u64 placeholder to a typed enum carrying concrete handle types (TaskHandle, EndpointHandle, NotificationHandle). A new kernel::obj module is introduced, implementing generation-tagged arena-based storage for three kernel object kinds with deterministic lifecycle and stale-handle invalidation semantics.

Changes

Cohort / File(s)	Summary
Business Review & Planning Documentation docs/analysis/reviews/business-reviews/2026-04-21-A2-completion.md, docs/analysis/reviews/business-reviews/README.md, docs/analysis/tasks/phase-a/README.md, docs/analysis/tasks/phase-a/T-001-capability-table-foundation.md, docs/analysis/tasks/phase-a/T-002-kernel-object-storage.md, docs/roadmap/current.md, docs/roadmap/phases/phase-a.md	Completes A2 milestone, records review outcomes, marks T-001 as Done, introduces new T-002 task document, and advances active roadmap pointer from A2 to A3.
Architecture Decision Record docs/decisions/0016-kernel-object-storage.md, docs/decisions/README.md	Formalizes kernel object storage design (per-kind fixed-size arenas with generation-tagged typed handles), documents ADR-0016 acceptance, and captures open design questions.
Capability Module Refactoring kernel/src/cap/mod.rs, kernel/src/cap/table.rs	Transforms CapObject from struct wrapping opaque u64 to typed enum carrying TaskHandle/EndpointHandle/NotificationHandle variants. Removes kind field from Capability struct; Capability::new signature changes from (kind, rights, object) to (rights, object). Updates cap_copy/cap_derive call sites. Adds CapabilityTable::references_object reachability check method.
Kernel Object Storage Subsystem kernel/src/lib.rs, kernel/src/obj/mod.rs, kernel/src/obj/arena.rs, kernel/src/obj/task.rs, kernel/src/obj/endpoint.rs, kernel/src/obj/notification.rs	Introduces new kernel::obj module with generation-tagged Arena<T, N> generic container, three kernel object types (Task, Endpoint, Notification), corresponding typed handles, and lifecycle functions (create_*/destroy_*/get_*). Arena enforces O(1) allocation/deallocation via free-list and stale-id invalidation via generation bumping.

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

• Development #1: Directly related—continues capability subsystem modifications, implements the CapObject type transformation, updates Capability::new signature, and adjusts table derivation/copy logic referenced in this PR.

Poem

A rabbit hops through arenas vast,
With handles stamped to outlast,
Typed objects dance, no u64 more,
Generation guards each kernel door! 🐰✨
From A to B, the journey's set,
A kernel storage we won't forget.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Development' is vague and generic, providing no meaningful information about the changeset's primary purpose or scope.	Provide a descriptive title that summarizes the main change, such as 'Implement kernel object storage foundation (T-002)' or 'Add Arena-based Task, Endpoint, and Notification kernel objects'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch development

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• ADR-0016 describes destroy_* operations performing the reachability check and returning ObjError::StillReachable, but the current implementations leave reachability entirely to callers; either wire CapabilityTable::references_object into the destroy paths or update the ADR/docs to match the implemented semantics.
• The obj module publicly re-exports Arena and SlotId, which lets external code bypass the typed *Handle wrappers; if you want to enforce the handle abstraction, consider keeping Arena/SlotId private to obj and only exposing the typed create/get/destroy APIs.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- ADR-0016 describes `destroy_*` operations performing the reachability check and returning `ObjError::StillReachable`, but the current implementations leave reachability entirely to callers; either wire `CapabilityTable::references_object` into the destroy paths or update the ADR/docs to match the implemented semantics.
- The `obj` module publicly re-exports `Arena` and `SlotId`, which lets external code bypass the typed `*Handle` wrappers; if you want to enforce the handle abstraction, consider keeping `Arena`/`SlotId` private to `obj` and only exposing the typed create/get/destroy APIs.

## Individual Comments

### Comment 1
<location path="kernel/src/obj/arena.rs" line_range="123-138" />
<code_context>
+    /// that refers to the allocation until it is freed.
+    ///
+    /// Returns `None` when every slot is in use.
+    pub fn allocate(&mut self, value: T) -> Option<SlotId> {
+        let head = self.free_head?;
+        let slot = self.slots.get_mut(head as usize)?;
+        let next_free = slot.next_free;
+        slot.entry = Some(value);
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Treat `free_head` pointing out of bounds as an internal invariant violation rather than a silent `None`.

`free_head` is maintained internally and `new()` guarantees any `Some(i)` satisfies `i < N`. If that invariant is violated, `get_mut(..)?` will just return `None`, making the arena look full instead of exposing the bug.

For kernel-internal code, consider asserting the invariant in debug builds:

```rust
let head = self.free_head?;
debug_assert!((head as usize) < N);
let slot = &mut self.slots[head as usize];
```

This preserves release behavior when the invariant holds, while surfacing logic errors during development.

```suggestion
    /// Allocate a new slot, storing `value` in it. Returns a [`SlotId`]
    /// that refers to the allocation until it is freed.
    ///
    /// Returns `None` when every slot is in use.
    pub fn allocate(&mut self, value: T) -> Option<SlotId> {
        let head = self.free_head?;
        debug_assert!((head as usize) < N);
        let slot = &mut self.slots[head as usize];
        let next_free = slot.next_free;
        slot.entry = Some(value);
        slot.next_free = None;
        self.free_head = next_free;
        Some(SlotId {
            index: head,
            generation: slot.generation,
        })
    }
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request completes Milestone A2 and initiates Milestone A3 by introducing the kernel-object subsystem. Key changes include the implementation of a generic, generation-tagged Arena for object storage and the definition of Task, Endpoint, and Notification kernel objects. The CapObject type has been transitioned from an opaque placeholder to a typed enum, and the capability system now supports reachability checks to prevent the destruction of objects still referenced by capabilities. Feedback focuses on potential efficiency improvements for object destruction, the manual nature of reachability checks in the current implementation, and the scalability of linear scans in the capability table.

[gemini-code-assist]

The free method implementation is robust against double-free and stale handles. However, it returns Option<T> by value. While modern Rust compilers are efficient with moves, for larger kernel objects this might involve unnecessary copying. Consider if returning a reference or using a closure for cleanup would be more efficient as the kernel objects grow in complexity.

[gemini-code-assist]

The destroy_task implementation currently lacks the reachability check described in ADR-0016. While the documentation acknowledges this as a v1 limitation, the ObjError::StillReachable variant is defined but unused here. To maintain consistency with the architectural decision, the caller must manually perform the check using CapabilityTable::references_object before calling this function, which is a potential source of bugs if forgotten.

[gemini-code-assist]

The references_object method performs a linear scan of the capability table. While acceptable for the current CAP_TABLE_CAPACITY of 64, this will become a performance bottleneck if the table size increases significantly in future phases. Consider adding a per-object reference count or a more efficient lookup mechanism when scaling beyond Phase A.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (4)

kernel/src/cap/table.rs (2)

750-778: Nice coverage of the empty/populated/post-drop states.

references_object_sees_live_caps_only exercises the three meaningful states (empty table, matching live cap, post-cap_drop). One small gap worth considering as a follow-up: a test that cap_revoke on a parent also clears references_object(child_target). Not required, but it would tie references_object to the revocation path that actually drives the ADR-0016 destroy check.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kernel/src/cap/table.rs` around lines 750 - 778, Add a test to ensure
revoking a parent capability clears references to its child target: in the same
test module (near references_object_sees_live_caps_only) create a parent
capability that names a child target (e.g., insert_root(Capability::new(...,
parent_target)) where that parent implies or points to child_target), call
t.cap_revoke(parent_handle).unwrap(), and then assert that
t.references_object(child_target) is false; this ties references_object to the
revocation path exercised by cap_revoke and verifies ADR-0016 behavior for
parent->child revocation.

---

227-247: Docstring on cap_derive is stale after the ADR-0016 rewire.

The comment still says "v1 passes scope narrowing through the opaque new_object since kernel objects do not yet carry typed scope." That’s no longer true — new_object is now the typed CapObject enum carrying TaskHandle / EndpointHandle / NotificationHandle. Worth rewording so future readers don’t chase a mismatch between docs and the actual type.

📝 Suggested wording

-    /// Install a child capability — one whose parent is `src`. Typically
-    /// used when narrowing the capability's *scope*; v1 passes scope
-    /// narrowing through the opaque `new_object` since kernel objects do
-    /// not yet carry typed scope.
+    /// Install a child capability — one whose parent is `src`. Typically
+    /// used when narrowing the capability's *scope*; `new_object` is a
+    /// typed [`CapObject`] naming the (possibly new) kernel object the
+    /// derived capability points at.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kernel/src/cap/table.rs` around lines 227 - 247, Update the cap_derive
docstring to remove the outdated “v1 passes scope narrowing through the opaque
`new_object`” wording and instead state that `new_object` is the typed
`CapObject` enum carrying specific handles (e.g. `TaskHandle`, `EndpointHandle`,
`NotificationHandle`), and adjust the description to reflect that scope/typed
information is now encoded in `CapObject`; edit the comment above the `pub fn
cap_derive(&mut self, src: CapHandle, new_rights: CapRights, new_object:
super::CapObject, ...)` signature accordingly so it no longer references the
legacy v1 behavior.

kernel/src/obj/mod.rs (1)

56-68: ObjError::StillReachable has no in-crate producer.

Worth calling out in the variant doc: unlike ArenaFull / InvalidHandle, StillReachable is never returned by any function in kernel::obj; it is produced by callers after consulting CapabilityTable::references_object. The current wording ("Destruction was refused …") reads as if the destroy functions emit it, which isn’t the case today. A one-liner ("returned by callers that layer a reachability check on top of destroy_*") would prevent confusion while the kernel still lacks a table registry.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kernel/src/obj/mod.rs` around lines 56 - 68, Update the doc for the
ObjError::StillReachable variant to clarify that it is not produced by functions
inside kernel::obj but is returned by callers that perform a reachability check
on top of the destroy_* functions; mention CapabilityTable::references_object as
the mechanism callers consult and use concise wording such as "returned by
callers that layer a reachability check (via CapabilityTable::references_object)
on top of destroy_*" so readers won't assume destroy_* emits this variant.

kernel/src/obj/notification.rs (1)

140-146: Add a stale-handle-after-reallocation assertion.

This test proves the freed handle is invalid immediately after destroy, but generation-tagged storage should also keep that stale handle invalid after another notification is allocated.

Test coverage improvement

 fn destroy_invalidates_handle() {
     let mut arena = NotificationArena::default();
     let handle = create_notification(&mut arena, Notification::new(0)).unwrap();
     destroy_notification(&mut arena, handle).unwrap();
     assert!(get_notification(&arena, handle).is_none());
+
+    let new_handle = create_notification(&mut arena, Notification::new(0b10)).unwrap();
+    assert!(get_notification(&arena, handle).is_none());
+    assert_eq!(
+        get_notification(&arena, new_handle).map(Notification::word),
+        Some(0b10)
+    );
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@kernel/src/obj/notification.rs` around lines 140 - 146, Update the
destroy_invalidates_handle test to also verify a freed handle remains invalid
after a reallocation: after calling destroy_notification(&mut arena, handle),
allocate a new notification via create_notification(&mut arena,
Notification::new(...)) and assert the new handle is not equal to the old handle
(or at least allocation occurred) and that get_notification(&arena, handle)
still returns None for the stale handle; reference NotificationArena,
create_notification, destroy_notification, get_notification and ensure the
additional allocation happens before the final stale-handle assertion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/analysis/reviews/business-reviews/2026-04-21-A2-completion.md`:
- Line 29: Clarify whether ADR-0016 and T-002 statuses in the A2 snapshot are
point-in-time by either (a) adding a qualifier like "Snapshot as of 2026-04-21"
or "Status at time of review" near the ADR-0016/T-002 mentions, or (b) update
the ADR-0016 and T-002 status labels to match the rest of the PR; specifically
adjust the lines referencing "ADR-0016 — Kernel object storage (Proposed
2026-04-21)" and the T-002 status entries (and the same wording in the block
covering lines 70-77) so the document unambiguously indicates whether these
states are historical or current.

In `@docs/analysis/tasks/phase-a/T-001-capability-table-foundation.md`:
- Line 5: The task header T-001 currently shows a **Status: Done** but its
acceptance criteria and Definition of Done checkboxes remain unchecked; update
the document T-001-capability-table-foundation (task ID T-001) so the checklist
state matches the status by marking completed acceptance criteria/DoD checkboxes
as checked, or if those checkboxes are intentionally preserved as the original
baseline, add a short clarifying note below the status explaining that the
checklist is intentionally left unchecked for baseline/history purposes.

In `@docs/decisions/0016-kernel-object-storage.md`:
- Around line 139-143: The ADR's destroy_* sketch must be brought into alignment
with the implemented APIs: update the ADR entry for destroy_task (and
destroy_endpoint/destroy_notification if present) to show the actual signature
used in code—destroy_task(arena, handle) -> Result<Task, ObjError> (i.e., return
the freed value) and briefly note why the returned value is useful (e.g., allows
teardown/destructors for stored fields); alternatively, if you prefer the ADR's
original shape, state that a follow-up ADR will change the implementations and
leave a TODO reference—ensure the ADR references the concrete function names
destroy_task/destroy_endpoint/destroy_notification so readers can find the
implementations.

In `@docs/roadmap/current.md`:
- Around line 8-20: The doc incorrectly calls T-002 “shipped” while also saying
it is In Review; update the wording so T-002 is consistently described as
"implementation landed on development and awaiting maintainer PR review" (or
similar) instead of "shipped", change the sentence that currently reads "T-002
introduced obj::{Arena, Task, Endpoint, Notification}..." to indicate these
symbols were implemented on the development branch (not shipped), and adjust the
"Next review trigger" wording to reflect that the code+security review is the
current pending action for T-002 while business review still waits for A6;
ensure references to CapObject, Capability::new, and CapKind remain factual but
not described as shipped.

In `@kernel/src/lib.rs`:
- Around line 21-22: Update the rustdoc for the `obj` subsystem to fix the
awkward phrase "entities capabilities name" — change it to a clear relative
phrase such as "entities that capabilities name" or, better, "entities the
capabilities name" (e.g., replace the line mentioning `obj` — kernel-object
subsystem with wording like: "kernel-object subsystem (Phase A3 / [T-002]):
per-type arenas holding the concrete entities the capabilities name."). Ensure
the change targets the crate-level doc comment mentioning `obj` so the meaning
is unambiguous.

---

Nitpick comments:
In `@kernel/src/cap/table.rs`:
- Around line 750-778: Add a test to ensure revoking a parent capability clears
references to its child target: in the same test module (near
references_object_sees_live_caps_only) create a parent capability that names a
child target (e.g., insert_root(Capability::new(..., parent_target)) where that
parent implies or points to child_target), call
t.cap_revoke(parent_handle).unwrap(), and then assert that
t.references_object(child_target) is false; this ties references_object to the
revocation path exercised by cap_revoke and verifies ADR-0016 behavior for
parent->child revocation.
- Around line 227-247: Update the cap_derive docstring to remove the outdated
“v1 passes scope narrowing through the opaque `new_object`” wording and instead
state that `new_object` is the typed `CapObject` enum carrying specific handles
(e.g. `TaskHandle`, `EndpointHandle`, `NotificationHandle`), and adjust the
description to reflect that scope/typed information is now encoded in
`CapObject`; edit the comment above the `pub fn cap_derive(&mut self, src:
CapHandle, new_rights: CapRights, new_object: super::CapObject, ...)` signature
accordingly so it no longer references the legacy v1 behavior.

In `@kernel/src/obj/mod.rs`:
- Around line 56-68: Update the doc for the ObjError::StillReachable variant to
clarify that it is not produced by functions inside kernel::obj but is returned
by callers that perform a reachability check on top of the destroy_* functions;
mention CapabilityTable::references_object as the mechanism callers consult and
use concise wording such as "returned by callers that layer a reachability check
(via CapabilityTable::references_object) on top of destroy_*" so readers won't
assume destroy_* emits this variant.

In `@kernel/src/obj/notification.rs`:
- Around line 140-146: Update the destroy_invalidates_handle test to also verify
a freed handle remains invalid after a reallocation: after calling
destroy_notification(&mut arena, handle), allocate a new notification via
create_notification(&mut arena, Notification::new(...)) and assert the new
handle is not equal to the old handle (or at least allocation occurred) and that
get_notification(&arena, handle) still returns None for the stale handle;
reference NotificationArena, create_notification, destroy_notification,
get_notification and ensure the additional allocation happens before the final
stale-handle assertion.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dedc8391-6859-4b7f-8d2e-9997c54b81f9

📥 Commits

Reviewing files that changed from the base of the PR and between 61e6af4 and d1d4a1f.

📒 Files selected for processing (17)

• docs/analysis/reviews/business-reviews/2026-04-21-A2-completion.md
• docs/analysis/reviews/business-reviews/README.md
• docs/analysis/tasks/phase-a/README.md
• docs/analysis/tasks/phase-a/T-001-capability-table-foundation.md
• docs/analysis/tasks/phase-a/T-002-kernel-object-storage.md
• docs/decisions/0016-kernel-object-storage.md
• docs/decisions/README.md
• docs/roadmap/current.md
• docs/roadmap/phases/phase-a.md
• kernel/src/cap/mod.rs
• kernel/src/cap/table.rs
• kernel/src/lib.rs
• kernel/src/obj/arena.rs
• kernel/src/obj/endpoint.rs
• kernel/src/obj/mod.rs
• kernel/src/obj/notification.rs
• kernel/src/obj/task.rs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avoid calling T-002 “shipped” while it is still In Review.

Line 9 says T-002 is awaiting maintainer PR review, but Line 18 says the subsystem “shipped,” and Line 14 describes the review trigger as a future event even though the task has already reached In Review.

Proposed status wording cleanup

-- **Next review trigger:** code + security review of T-002's implementation when it reaches `In Review`; business review waits for A6 per [phase-a.md closure](phases/phase-a.md).
+- **Next review trigger:** code + security review of T-002's implementation now that it is `In Review`; business review waits for A6 per [phase-a.md closure](phases/phase-a.md).

-- The capability subsystem (T-001) and kernel-object subsystem (T-002) both shipped with zero `unsafe` and no heap. Neither is wired into `run` yet; that is Phase-A later-milestone work.
+- The capability subsystem (T-001) shipped with zero `unsafe` and no heap; the kernel-object subsystem (T-002) currently does the same in review. Neither is wired into `run` yet; that is Phase-A later-milestone work.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- **Active milestone:** A3 — Kernel objects.
	- **Active task:** [T-002 — Kernel object storage foundation](../analysis/tasks/phase-a/T-002-kernel-object-storage.md) (status: **In Review** — implementation landed on `development`, awaiting maintainer PR review).
	- **Working branch:** `development`.
	- **Last completed milestone:** A1 — Bootable skeleton, on 2026-04-20 (commit `2944e7d`).
	- **Last review:** none yet; the first business review will accompany A2 completion.
	- **Next review trigger:** maintainer PR review → if merged, T-001 moves to `Done` and A2 milestone review follows.
	- **Last completed milestone:** A2 — Capability table foundation, on 2026-04-21 (PR #1 merged to `main`).
	- **Last completed task:** [T-001 — Capability table foundation](../analysis/tasks/phase-a/T-001-capability-table-foundation.md) — `Done` 2026-04-21.
	- **Last review:** [A2 completion business review](../analysis/reviews/business-reviews/2026-04-21-A2-completion.md) — 2026-04-21.
	- **Next review trigger:** code + security review of T-002's implementation when it reaches `In Review`; business review waits for A6 per [phase-a.md closure](phases/phase-a.md).
	## Notes
	- T-001 implementation landed on `development`; see the task file for evidence and test coverage: [T-001](../analysis/tasks/phase-a/T-001-capability-table-foundation.md).
	- [ADR-0014](../decisions/0014-capability-representation.md) Accepted; the kernel now exposes `cap::CapabilityTable`, `cap::CapHandle`, `cap::CapRights`, `cap::Capability`, and `cap::CapError`.
	- The new module is not yet wired into `run`.
	- The capability subsystem (T-001) and kernel-object subsystem (T-002) both shipped with zero `unsafe` and no heap. Neither is wired into `run` yet; that is Phase-A later-milestone work.
	- [ADR-0014](../decisions/0014-capability-representation.md) and [ADR-0016](../decisions/0016-kernel-object-storage.md) both Accepted.
	- T-002 introduced `obj::{Arena, Task, Endpoint, Notification}` with typed handles and rewired `CapObject` to a typed enum paralleling `CapKind`. `Capability::new` lost its redundant `kind` parameter (kind is now derived from the object's variant). All 77 host tests green.
	- **Active milestone:** A3 — Kernel objects.
	- **Active task:** [T-002 — Kernel object storage foundation](../analysis/tasks/phase-a/T-002-kernel-object-storage.md) (status: **In Review** — implementation landed on `development`, awaiting maintainer PR review).
	- **Working branch:** `development`.
	- **Last completed milestone:** A2 — Capability table foundation, on 2026-04-21 (PR `#1` merged to `main`).
	- **Last completed task:** [T-001 — Capability table foundation](../analysis/tasks/phase-a/T-001-capability-table-foundation.md) — `Done` 2026-04-21.
	- **Last review:** [A2 completion business review](../analysis/reviews/business-reviews/2026-04-21-A2-completion.md) — 2026-04-21.
	- **Next review trigger:** code + security review of T-002's implementation now that it is `In Review`; business review waits for A6 per [phase-a.md closure](phases/phase-a.md).
	## Notes
	- The capability subsystem (T-001) shipped with zero `unsafe` and no heap; the kernel-object subsystem (T-002) currently does the same in review. Neither is wired into `run` yet; that is Phase-A later-milestone work.
	- [ADR-0014](../decisions/0014-capability-representation.md) and [ADR-0016](../decisions/0016-kernel-object-storage.md) both Accepted.
	- T-002 introduced `obj::{Arena, Task, Endpoint, Notification}` with typed handles and rewired `CapObject` to a typed enum paralleling `CapKind`. `Capability::new` lost its redundant `kind` parameter (kind is now derived from the object's variant). All 77 host tests green.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/roadmap/current.md` around lines 8 - 20, The doc incorrectly calls T-002
“shipped” while also saying it is In Review; update the wording so T-002 is
consistently described as "implementation landed on development and awaiting
maintainer PR review" (or similar) instead of "shipped", change the sentence
that currently reads "T-002 introduced obj::{Arena, Task, Endpoint,
Notification}..." to indicate these symbols were implemented on the development
branch (not shipped), and adjust the "Next review trigger" wording to reflect
that the code+security review is the current pending action for T-002 while
business review still waits for A6; ensure references to CapObject,
Capability::new, and CapKind remain factual but not described as shipped.