Phase Checklist¶

Release lock: no release tag is allowed until all phases are complete and parity is measured at 100%. Historical note: milestone validation counts below are preserved as captured at the time of each slice; current project-wide test gate is refreshed after each strict hosted-phase signoff. Latest edge release: v0.2.0-zig-edge.29 is published with binaries, parity evidence, SBOM/provenance, npm tarball, wheel, and sdist attached. Registry status: - npm public publish still requires npm-side scope/package permission or NPM_TOKEN; GitHub release asset + GitHub Packages fallback are available now. - PyPI public publish still requires a matching trusted publisher or PYPI_API_TOKEN; workflow claim shape is now confirmed as repo:adybag14-cyber/ZAR-Zig-Agent-Runtime:environment:pypi. - scripts/package-registry-status.ps1 now checks public npmjs/PyPI visibility correctly even when called with only -ReleaseTag, so local release diagnostics no longer silently skip the unresolved registry state. - release evidence now also includes release-status.json + release-status.md, which snapshot package visibility plus the latest zig-ci / docs-pages / release-preview / npm-release / python-release workflow state for the target tag. - FS5.6 repo-wide license refresh is now strict-closed locally: root/package license files, release evidence, package metadata, and Linux-style SPDX headers now use GPL-2.0-only to match the Linux-derived RTL8139 slice. - FS5.5 framebuffer/console strict closure is now reached locally: src/baremetal/framebuffer_console.zig programs a real Bochs/QEMU BGA linear-framebuffer path with bounded mode support for 640x400, 800x600, 1024x768, 1280x720, and 1280x1024, src/baremetal/pci.zig discovers the selected PCI display adapter as structured metadata, exposes the framebuffer BAR, and enables decode on that function, src/baremetal/edid.zig, src/baremetal/display_output.zig, and src/baremetal/virtio_gpu.zig now add the first real EDID-backed controller path over virtio-gpu-pci including exported capability flags for digital input, preferred timing, CEA, DisplayID, HDMI-vendor-data, and basic-audio metadata when present plus EDID-derived connector inference and bounded resource-create/attach/set-scanout/flush behavior, src/pal/framebuffer.zig exposes the surface plus supported-mode enumeration and display-output state through the PAL, host regressions in src/baremetal/framebuffer_console.zig, src/baremetal/virtio_gpu.zig, src/baremetal_main.zig, and src/baremetal/display_output.zig prove framebuffer state, display-output state, adapter metadata, supported-mode enumeration, glyph pixel updates, bounded mode switching, present counters, non-zero scanout pixels, and connector inference from EDID capability flags, and the live QEMU+GDB proofs scripts/baremetal-qemu-framebuffer-console-probe-check.ps1 and scripts/baremetal-qemu-virtio-gpu-display-probe-check.ps1 now read back real MMIO banner pixels plus BGA adapter metadata and real virtio-gpu-pci EDID/controller capability state with non-zero scanout pixels over the freestanding PVH artifact; real HDMI/DisplayPort connector-specific scanout paths remain future depth and are not claimed here. - FS5.5 keyboard/mouse strict closure is now reached locally: src/baremetal/ps2_input.zig has a real x86 port-I/O backed PS/2 controller path (0x60 / 0x64 status/data/command handling, config programming, output-buffer drain, mouse-byte packet assembly), the PAL input surface remains wired through src/pal/input.zig, host regressions in src/baremetal_main.zig assert IRQ-driven queue/payload semantics, and the live QEMU+GDB proof plus wrappers (scripts/baremetal-qemu-ps2-input-probe-check.ps1, scripts/baremetal-qemu-ps2-input-baseline-probe-check.ps1, scripts/baremetal-qemu-ps2-keyboard-event-payload-probe-check.ps1, scripts/baremetal-qemu-ps2-keyboard-modifier-queue-probe-check.ps1, scripts/baremetal-qemu-ps2-mouse-accumulator-state-probe-check.ps1, and scripts/baremetal-qemu-ps2-mouse-packet-payload-probe-check.ps1) now fail directly on the mailbox baseline, keyboard payloads, modifier/queue state, mouse accumulator state, and mouse packet payload invariants over the freestanding PVH artifact. - FS5.5 storage/disk strict closure is now reached locally: src/baremetal/storage_backend.zig provides the shared backend selector, src/baremetal/ata_pio_disk.zig provides a real ATA PIO IDENTIFY / READ / WRITE / FLUSH path plus bounded multi-partition MBR/GPT discovery/export, first-usable-MBR and protective-MBR GPT partition mounting with logical LBA translation, src/pal/storage.zig plus src/baremetal/tool_layout.zig route through that shared backend, src/pal/storage.zig now also exports logical base-LBA plus bounded partition count/info/select on the mounted storage view, src/baremetal_main.zig exposes that same partition-aware storage seam through the oc_storage_* ABI exports, partition selection now invalidates stale tool-layout/filesystem state and is paired with explicit oc_tool_layout_format plus oc_filesystem_format control on the selected partition, src/baremetal/disk_installer.zig seeds the canonical persisted install layout (/boot, /system, /runtime/install, bootstrap package) on the active backend, hosted/host regressions prove backend preference, identify-backed capacity, ATA mock-device read/write/flush behavior, multi-partition MBR/GPT discovery plus explicit selection, logical base-LBA translation, installer-layout persistence, ATA-backed export reporting, direct oc_storage_* partition export/selection behavior, rebind-safe tool-layout/filesystem invalidation, and per-partition persistence after switching between primary and secondary MBR partitions, and the live QEMU proofs scripts/baremetal-qemu-ata-storage-probe-check.ps1 and scripts/baremetal-qemu-ata-gpt-installer-probe-check.ps1 now boot real MBR and protective-MBR GPT raw images and prove raw ATA block mutation + readback, secondary-partition export/selection through the exported seam, secondary-partition tool-layout formatting + payload persistence, secondary-partition filesystem formatting + superblock persistence, ATA-backed tool-layout persistence, ATA-backed filesystem persistence, GPT-backed installer layout seeding, and persisted bootstrap package execution over the freestanding PVH artifact. - FS5.5 Ethernet-driver strict closure is now reached locally: src/baremetal/rtl8139.zig provides the real RTL8139 PCI-discovered bring-up, MAC readout, RX ring programming, TX slot programming, and loopback-friendly datapath validation, src/baremetal/pci.zig discovers the I/O BAR + IRQ line and enables I/O plus bus mastering on the selected PCI function, src/pal/net.zig and src/baremetal_main.zig expose the same raw-frame PAL/export seam, host regressions prove mock-device init/send/receive behavior, and the live QEMU proof scripts/baremetal-qemu-rtl8139-probe-check.ps1 now proves MAC readout, TX, RX loopback, payload validation, and TX/RX counter advance over the freestanding PVH artifact. - FS5.5 TCP/IP strict closure is now reached locally: src/protocol/ethernet.zig and src/protocol/arp.zig provide Ethernet/ARP framing plus ARP reply encode/decode, src/protocol/ipv4.zig and src/protocol/udp.zig provide IPv4/UDP framing plus checksum handling, src/protocol/tcp.zig now provides strict TCP framing plus a minimal client/server session state machine for SYN -> SYN-ACK -> ACK, established payload exchange, bounded four-way teardown, bounded SYN/payload/FIN retransmission recovery, bounded multi-flow session-table management, bounded cumulative-ACK advancement across multiple in-flight payload chunks, strict remote-window enforcement for bounded sequential payload chunking, zero-window blocking until a pure ACK reopens the remote window, and bounded sender congestion-window growth after ACK plus payload-timeout collapse on the chunked send path, src/protocol/dhcp.zig now provides strict DHCP discover encode/decode, src/protocol/dns.zig now provides strict DNS query and A-response encode/decode plus caller-owned decode storage on the freestanding path, src/pal/tls_client_light.zig now provides the bounded freestanding TLS client used by the PAL network path plus precise last-certificate-error reporting, src/pal/net.zig exposes sendArpRequest / pollArpPacket, sendIpv4Frame / pollIpv4PacketStrict, sendUdpPacket / pollUdpPacketStrictInto, sendTcpPacket / pollTcpPacketStrictInto, sendDnsQuery / pollDnsPacketStrictInto, DHCP send/poll helpers, routed networking helpers (configureIpv4Route, configureIpv4RouteFromDhcp, resolveNextHop, learnArpPacket, sendUdpPacketRouted), explicit DNS server configuration (configureDnsServers, configureDnsServersFromDhcp), a real freestanding bounded http:// POST path, and a real freestanding bounded https:// POST transport path with deterministic filesystem-backed CA-bundle verification, src/baremetal/tool_service.zig now exposes the bounded typed framed request/response shim used by the bare-metal TCP proof with CMD / EXEC / GET / PUT / STAT / LIST / INSTALL / MANIFEST / PKG / PKGLIST / PKGINFO / PKGRUN / PKGAPP / PKGDISPLAY / PKGPUT / PKGLS / PKGGET / PKGDELETE / APPLIST / APPINFO / APPSTATE / APPHISTORY / APPSTDOUT / APPSTDERR / APPTRUST / APPCONNECTOR / APPRUN / APPDELETE / DISPLAYINFO / DISPLAYMODES / DISPLAYSET / TRUSTPUT / TRUSTLIST / TRUSTINFO / TRUSTACTIVE / TRUSTSELECT / TRUSTDELETE plus bounded batched request parsing/execution on one flow, host regressions prove ARP, IPv4, UDP, TCP handshake/payload, bounded four-way close, dropped-first-SYN retransmission recovery, dropped-first-payload retransmission recovery, dropped-first-FIN retransmission recovery on both close sides, bounded multi-flow session isolation, bounded cumulative-ACK advancement through multiple in-flight chunks, bounded sender congestion-window growth/collapse on the chunked send path, DHCP, DNS, DHCP-driven route configuration, gateway ARP learning, routed off-subnet UDP delivery, direct-subnet UDP bypass, zero-window block/reopen, bounded sequential payload chunking, framed multi-request command-service exchange, structured EXEC service behavior, bounded typed batch request multiplexing, typed PUT/GET/STAT/LIST service behavior, typed INSTALL / MANIFEST runtime-layout service behavior, typed PKG / PKGLIST / PKGINFO / PKGRUN / PKGAPP / PKGDISPLAY / PKGPUT / PKGLS / PKGGET / PKGDELETE package-service behavior, typed APPLIST / APPINFO / APPSTATE / APPHISTORY / APPSTDOUT / APPSTDERR / APPTRUST / APPCONNECTOR / APPRUN / APPDELETE app-lifecycle behavior, typed DISPLAYINFO / DISPLAYMODES / DISPLAYSET display behavior, typed TRUSTPUT / TRUSTLIST / TRUSTINFO / TRUSTACTIVE / TRUSTSELECT / TRUSTDELETE trust-store behavior, persisted run-script execution over the mock RTL8139 device, hostname-resolved plain-HTTP POST/response exchange over the freestanding PAL network path, bundle-trust configuration from an embedded root, and TLS ClientHello emission through the same mock RTL8139 seam, the PVH boot stack was expanded to 128 KiB to cover the real DNS + TCP + HTTP + HTTPS + service path, and the live QEMU proofs scripts/baremetal-qemu-rtl8139-arp-probe-check.ps1, scripts/baremetal-qemu-rtl8139-ipv4-probe-check.ps1, scripts/baremetal-qemu-rtl8139-udp-probe-check.ps1, scripts/baremetal-qemu-rtl8139-tcp-probe-check.ps1, scripts/baremetal-qemu-rtl8139-dhcp-probe-check.ps1, scripts/baremetal-qemu-rtl8139-dns-probe-check.ps1, scripts/baremetal-qemu-rtl8139-gateway-probe-check.ps1, scripts/baremetal-qemu-rtl8139-http-post-probe-check.ps1, and scripts/baremetal-qemu-rtl8139-https-post-probe-check.ps1 now prove ARP, IPv4, UDP, TCP handshake/payload exchange, bounded four-way close, bounded SYN/payload/FIN retransmission recovery, bounded two-flow session isolation, zero-window block/reopen, bounded sequential payload chunking, bounded sender congestion-window growth after ACK plus payload-timeout collapse, framed multi-request command-service exchange, structured EXEC request/response exchange, bounded typed batch request multiplexing on one flow with concatenated framed responses, typed TCP PUT upload with direct filesystem readback over attached disk media, typed INSTALL / MANIFEST runtime-layout service exchange with /boot/loader.cfg readback, typed TCP PKG / PKGLIST / PKGINFO / PKGRUN / PKGAPP / PKGDISPLAY package-service exchange, typed PKGPUT / PKGLS / PKGGET / PKGDELETE package-asset and uninstall exchange, typed APPLIST / APPINFO / APPSTATE / APPHISTORY / APPSTDOUT / APPSTDERR / APPTRUST / APPCONNECTOR / APPRUN / APPDELETE app-lifecycle exchange with persisted runtime-state readback, persisted history-log readback, persisted stdout/stderr readback, and uninstall cleanup, typed DISPLAYINFO / DISPLAYMODES / DISPLAYSET display exchange, typed TRUSTPUT / TRUSTLIST / TRUSTINFO / TRUSTACTIVE / TRUSTSELECT / TRUSTDELETE trust-store exchange, selected trust-bundle query/path readback, trust-bundle deletion, post-delete remaining-list readback, package manifest readback, package app-manifest readback, package display-profile persistence, package-directory listing, package output readback, live run-package display-mode application, explicit DISPLAYSET mode change/readback, DHCP discover framing/decode, DNS query/A-response transport, ARP-cache learning, gateway-routed UDP delivery, direct-subnet gateway bypass, hostname-resolved plain-HTTP POST/response exchange, and live TLS-backed HTTPS request/response exchange against a deterministic self-hosted harness over direct-IP transport with fixed probe time and filesystem-backed CA-bundle trust, and TX/RX counter advance over the freestanding PVH artifact. - FS5.5 filesystem usage strict closure is now reached locally: src/baremetal/filesystem.zig now provides a real path-based filesystem layer above the shared storage backend, src/pal/fs.zig routes the freestanding PAL through that layer, src/baremetal_main.zig exports filesystem state/entries, and both hosted + bare-metal host regressions prove path-based persistence over RAM-disk and ATA PIO (/runtime/state/agent.json, /tools/cache/tool.txt, /tools/scripts/bootstrap.oc, /tools/script/output.txt). - FS5.5 bare-metal tool execution strict closure is now reached locally: src/baremetal/tool_exec.zig now provides the real freestanding builtin command substrate including persisted run-script execution, canonical run-package, package-verify, package-app, package-display, package-ls, package-cat, app-list, app-info, app-state, app-history, app-stdout, app-stderr, app-trust, app-connector, app-run, display-info, display-modes, and display-set, src/baremetal/package_store.zig now provides the canonical persisted package layout under /packages/<name>/bin/main.oc, /packages/<name>/meta/package.txt, /packages/<name>/meta/app.txt, and /packages/<name>/assets/... plus manifest script_checksum, app_manifest_checksum, and asset_tree_checksum fields, src/pal/proc.zig exposes explicit freestanding capture through runCaptureFreestanding(...), src/baremetal/tool_service.zig now exposes the bounded typed request/response shim used by the bare-metal TCP proof including typed PKGVERIFY, the storage/filesystem dependency chain closes through src/baremetal/filesystem.zig, src/pal/fs.zig, and the shared storage backend, host/module validation proves the builtin dispatch path plus typed TCP file-service behavior, typed package-service behavior, typed package-app/package-display service behavior, typed app-lifecycle service behavior, typed app stdout/stderr service behavior, typed package-asset and display-query/control behavior, ATA-backed package persistence, persisted package display profiles, deterministic package-integrity mismatch reporting on script tamper via field=script_checksum, persisted app runtime-state receipts, persisted app stdout/stderr receipts, and canonical run-package / app-run execution on top of the same filesystem layer, and the live QEMU proof scripts/baremetal-qemu-tool-exec-probe-check.ps1 now proves help, mkdir, write-file, cat, stat, run-script, direct filesystem readback, persisted script readback after filesystem reset/re-init, and echo over the freestanding PVH artifact with attached disk media while the live RTL8139 TCP proof now covers persisted app-state and stdout/stderr readback plus the typed PKGVERIFY success receipt on the live package tree. - Latest FS5.5 autorun slice: src/baremetal/app_runtime.zig now persists /runtime/apps/autorun.txt, src/baremetal/tool_exec.zig now exposes app-autorun-list, app-autorun-add, app-autorun-remove, and app-autorun-run, src/baremetal/tool_service.zig now exposes APPAUTORUNLIST, APPAUTORUNADD, APPAUTORUNREMOVE, and APPAUTORUNRUN, host/module validation proves RAM-disk and ATA-backed autorun registry persistence plus autorun execution receipts, src/baremetal/filesystem.zig now carries a 64-entry filesystem budget so the deeper FS5.5 package/trust/app/autorun runtime state fits on the persisted surface, and the live RTL8139 TCP proof now covers autorun add/list/run/remove plus /runtime/apps/autorun.txt, /runtime/apps/aux/last_run.txt, and /runtime/apps/aux/stdout.log readback. - Latest FS5.5 package-release slice: src/baremetal/package_store.zig now snapshots, reports, deletes, prunes, and reactivates persisted package releases under /packages/<name>/releases/<release>/... with deterministic saved_seq / saved_tick metadata, src/baremetal/tool_exec.zig now exposes package-release-list, package-release-info, package-release-save, package-release-activate, package-release-delete, and package-release-prune, src/baremetal/tool_service.zig now exposes PKGRELEASELIST, PKGRELEASEINFO, PKGRELEASESAVE, PKGRELEASEACTIVATE, PKGRELEASEDELETE, and PKGRELEASEPRUNE, host/module validation proves RAM-disk and ATA-backed release info/delete/prune behavior with deterministic newest-release retention plus restored canonical script and asset readback, and the live RTL8139 TCP proof now covers save -> mutate -> info -> list -> activate -> delete -> prune plus restored PKGRUN, /packages/<name>/bin/main.oc, config/app.json, and asset readback. - mirror-aware Zig toolchain evidence is now part of the release lane: - scripts/zig-github-mirror-release-check.ps1 snapshots the adybag14-cyber/zig release target/digest for the rolling latest-master lane. - scripts/zig-bootstrap-from-github-mirror.ps1 provides the Windows bootstrap path for both latest-master and immutable upstream-<sha> releases. - scripts/zig-codeberg-master-check.ps1 now compares Codeberg master, the local Zig binary, and the GitHub mirror release in one report.

Full-Stack Replacement Track (FS0..FS7)¶

[x] FS0 - Scope lock + baseline freeze (docs/zig-port/FULL_STACK_REPLACEMENT_MATRIX.md, issue #2)
[x] FS1 - Runtime/core consolidation
Strict FS1 closure reached on 2026-03-12:
- node.pending.enqueue and node.pending.drain are implemented in the registry + dispatcher using the locked upstream contract.
- docs/rpc-reference.md includes both methods.
- parity gate reports zero missing methods against Go, stable, and beta baselines.
- local validation is green:
- zig build test --summary all -> 205/205
- bare-metal host -> 116/116
- the strict execution order advanced from FS1 to FS4.
Latest delivered slice:
- status now includes the Go-visible summary keys Zig can expose without widening the handler surface:
- status
- version
- phase
- supportedMethods
- count
- sessions.count
- Zig keeps the older runtime/security compatibility fields on the same receipt, so existing Zig callers do not lose the richer telemetry.
- regression coverage added:
- dispatch file.write and file.read lifecycle updates status counters
- agent.identity.get now reports a stable process start time instead of generating a fresh timestamp on every call.
- the identity receipt now includes the Go-visible RFC3339 startedAt field while preserving startedAtMs for Zig callers.
- authMode now reflects gateway auth posture (token or none) instead of the browser-bridge keyless label.
- regression coverage added:
- dispatch compat agent and skills methods return contracts
- doctor.memory.status now includes the Go-visible health envelope instead of exposing only raw Zig counters:
- healthy
- entryCount
- checkedAt
- maxRetention
- nested stats
- Zig keeps the richer top-level memory counters plus nested runtime, so parity callers and deeper local diagnostics share the same receipt.
- regression coverage added:
- dispatch memory history handlers return persisted send activity
- runtime recovery posture is now exposed on live diagnostics and maintenance surfaces instead of remaining implicit inside the runtime layer.
- ToolRuntime.snapshot() now reports:
- statePath
- persisted
- sessions
- queueDepth
- leasedJobs
- recoveryBacklog
- the following RPC surfaces now publish that runtime snapshot directly:
- status
- doctor
- doctor.memory.status
- agent.identity.get
- system.maintenance.plan
- system.maintenance.run
- system.maintenance.status
- persisted runtime-state files are now normalized after leased-job replay, so on-disk leasedJobs no longer remain stale after restart recovery.
- regression coverage added:
- tool runtime snapshot exposes queue and persistence posture
- runtime state restart replay preserves leased jobs that were dequeued but not released
- dispatch status surfaces runtime snapshot
- dispatch doctor includes runtime posture
- dispatch doctor memory status includes runtime posture
- dispatch maintenance plan exposes runtime posture
- dispatch identity exposes runtime posture
- runtime-state persistence now preserves leased/in-flight jobs across restart instead of dropping them as soon as they are dequeued for execution.
- persisted leasedJobs are replayed ahead of later pending jobs on restore, so interrupted work resumes in deterministic order.
- regression coverage added:
- runtime state restart replay preserves leased jobs that were dequeued but not released
- prior FS1 manual-remediation reporting slice remains in place:
- security.audit --fix now reports when Zig can only apply partial remediation because config still needs an operator update.
- fix.complete=false and fix.unresolved[] now expose manual follow-up for memory-backed runtime-state or policy-bundle config instead of implying those settings were changed.
- system.maintenance.run now reports partial remediation honestly:
- actions[].status=partial
- run status=completed_with_manual_action
- counts.partial
- regression coverage added:
- dispatch security.audit fix exposes manual runtime persistence blockers
- dispatch maintenance run reports partial security remediation when runtime persistence stays memory-backed
- security audit fix reports manual runtime and policy config blockers
[x] FS2 - Provider + channel completion
Strict FS2 matrix/gate progress:
- [x] Define the hard provider/channel matrix in docs/zig-port/FS2_PROVIDER_CHANNEL_MATRIX.md
- [x] Enforce scripts/web-login-smoke-check.ps1 in zig-ci and release-preview
- [x] Enforce scripts/telegram-reply-loop-smoke-check.ps1 in zig-ci and release-preview
- [x] Record at least one successful browser completion proof
- [x] Record at least one successful direct-provider completion proof
- [x] Record dedicated Telegram webhook receive and bot-send success proofs
Latest delivered slice:
- Strict FS2 provider/channel closure is now defined and closed in docs/zig-port/FS2_PROVIDER_CHANNEL_MATRIX.md.
- scripts/web-login-smoke-check.ps1, scripts/browser-request-success-smoke-check.ps1, scripts/browser-request-direct-provider-success-smoke-check.ps1, scripts/browser-request-openrouter-direct-provider-success-smoke-check.ps1, scripts/browser-request-opencode-direct-provider-success-smoke-check.ps1, scripts/telegram-reply-loop-smoke-check.ps1, scripts/telegram-webhook-receive-smoke-check.ps1, and scripts/telegram-bot-send-delivery-smoke-check.ps1 are enforced in both zig-ci and release-preview.
- scripts/browser-request-success-smoke-check.ps1 records a deterministic Lightpanda-compatible bridge success path with non-empty assistant text.
- scripts/browser-request-openrouter-direct-provider-success-smoke-check.ps1 and scripts/browser-request-opencode-direct-provider-success-smoke-check.ps1 prove provider-specific direct-provider completion success.
- scripts/telegram-webhook-receive-smoke-check.ps1 proves inbound update ingress plus outbound reply delivery against a local mock Telegram Bot API.
- scripts/telegram-bot-send-delivery-smoke-check.ps1 proves outbound bot-send delivery, typing pulses, chunking, and Bot API payload capture against a local mock Telegram Bot API.
- default auth.invalid metadata no longer emits Zig-only provider, status, or error.
- runtime and dispatcher regressions now assert those extra fields stay absent on the corresponding fallback receipts.
- Telegram auth edge metadata now matches Go more closely on the remaining no-session wait and missing-code complete paths:
- no-session /auth wait metadata no longer emits the Zig-only timeoutSeconds field.
- /auth complete with an empty extracted code no longer emits the Zig-only top-level loginSessionId.
- runtime and dispatcher regressions now assert those extra fields stay absent on the corresponding receipts.
- Telegram auth success metadata now matches Go more closely on status|wait|complete success paths:
- success receipts now rely on nested metadata.login for auth session details.
- the following top-level success metadata fields were removed on those paths:
  - status
  - loginSessionId
  - code
- already-completed /auth complete metadata now also relies on scope + nested login instead of duplicating provider/account/session status at the top level.
- runtime and dispatcher regressions now parse metadata structurally and assert the removed top-level fields stay absent while login remains present.
- Telegram /auth bridge metadata now matches Go’s nested bridge contract more closely instead of shipping Zig-only probe extras:
- nested metadata.bridge now keeps the Go-style keys:
  - enabled
  - status
  - endpoint
  - reachable
  - httpStatus
  - error
  - sessions
- nested bridge metadata no longer emits Zig-only fields on this path:
  - guidance
  - probeUrl
  - statusCode
  - latencyMs
- runtime and dispatcher regression coverage now assert the absence of those extra bridge fields.
- Telegram invalid /auth parser metadata now matches Go’s narrow envelope instead of leaking Zig-only fields:
- invalid /auth start|status|wait|url|complete|cancel receipts now keep only the Go-style machine-readable core:
  - type
  - target
  - error
- invalid parser receipts no longer emit Zig-only metadata fields on those paths such as:
  - status="invalid"
  - scope
  - resolvedScope
  - timeoutSeconds
- runtime and dispatcher regression coverage now assert the absence of those extra fields on representative invalid-start and invalid-wait parser failures.
- Telegram /auth wait timeout parser metadata now matches Go on all invalid timeout paths:
- missing --timeout values still use the Go-visible operator reply:
  - Missing timeout value. Example: \/auth wait --timeout 90``
- non-integer and out-of-range timeout values still use the Go-visible operator reply:
  - Timeout must be an integer between 1 and 900 seconds.
- machine-readable metadata.error for all of those parser failures now normalizes to the same Go token:
  - /auth wait ... --timeout missing value -> invalid_wait_args
  - /auth wait ... --timeout abc|0|901 -> invalid_wait_args
- runtime and dispatcher regression coverage now assert the normalized Go-compatible metadata error instead of the older Zig-only missing_timeout / invalid_timeout split.
- Telegram pending /auth status completion guidance now matches Go more closely on account-scoped flows:
- pending /auth status still appends the live Open: <verificationUriComplete> line.
- the suggested completion command now always uses the compact Go form:
  - Then run: \/auth complete ``


[x] FS3 - Memory/knowledge depth
Strict FS3 closure reached locally on 2026-03-12:
hard matrix published: docs/zig-port/FS3_MEMORY_KNOWLEDGE_MATRIX.md
repo-native tests explicitly cover:
persistence + restart recovery
semantic recall ranking
graph recall + synthesis
retention-cap and unlimited-retention modes
strict consumer proofs are now enforced with:
scripts/browser-request-memory-context-smoke-check.ps1
scripts/telegram-reply-memory-context-smoke-check.ps1
both FS3 consumer smokes now run in zig-ci and release-preview


[x] FS4 - Security + trust hardening
Strict FS4 matrix source of truth: docs/zig-port/FS4_SECURITY_TRUST_MATRIX.md
scripts/security-secret-store-smoke-check.ps1 is now part of the enforced hosted validation lane in zig-ci and release-preview.
Strict FS4 closure reached locally on 2026-03-12:
security.audit, doctor, and secrets.store.* are documented in:
docs/security-and-diagnostics.md
docs/feature-coverage.md
README.md
secrets.store.status now reports secret-backend truth explicitly instead of leaving native-vs-fallback behavior implicit.
backend posture is now locked for:
env -> implemented
file|encrypted-file -> implemented
dpapi|keychain|keystore -> fallback-only
auto -> fallback-only
unknown backend -> unsupported
machine-readable backend posture fields are enforced:
requestedRecognized
requestedSupport
fallbackApplied
fallbackReason
gateway auth and rate-limit posture is now validated under safe, unsafe, and invalid configs in both dispatcher and audit/doctor paths:
dispatch doctor reflects hardened gateway auth and rate limit posture
dispatch doctor reflects unsafe missing-token and disabled-rate-limit posture
dispatch doctor reflects invalid gateway rate limit thresholds
dispatch security.audit surfaces unsafe gateway auth and rate limit findings
security audit treats hardened public gateway auth and rate limit posture as compliant
security audit reports gateway rate limit warning when disabled
security audit reports gateway rate limit warning when thresholds are invalid
doctor passes hardened public gateway auth and rate limit checks
doctor warns when gateway rate limit is disabled
doctor fails when gateway rate limit thresholds are invalid
prior security.audit --fix signoff remains part of FS4 closure:
auto-remediation
partial remediation
manual blocker reporting
strict hosted-phase execution now advances from FS4 to FS2.


[x] FS5 - Edge/WASM/marketplace depth
strict FS5 matrix now exists at docs/zig-port/FS5_EDGE_WASM_FINETUNE_MATRIX.md
scripts/edge-wasm-lifecycle-smoke-check.ps1 now proves the strict WASM lifecycle end to end:
marketplace list baseline
trusted install with deterministic SHA256 + HMAC verification
post-install marketplace trust metadata
execute allow for permitted hooks
deterministic execute deny for disallowed hooks
bad-signature install failure
remove + execute-after-remove failure


scripts/edge-finetune-lifecycle-smoke-check.ps1 now proves the strict finetune lifecycle end to end:
run
status
job.get
cancel
cancel/job-get consistency


both strict FS5 smokes are now part of .github/workflows/zig-ci.yml and .github/workflows/release-preview.yml
FS5 strict closure is now reached locally
[ ] FS6 - Appliance/bare-metal maturity track
mirror-aware toolchain bootstrap/reproducibility is now required operator evidence for Windows-hosted FS6 work.
CI now explicitly splits toolchains by lane: hosted validation stays on Zig master, while the freestanding bare-metal smoke/probe and bare-metal asset lanes are pinned to the known-good Linux build 0.16.0-dev.2736+3b515fbed until the upstream Linux master compiler crash on zig build baremetal -Doptimize=ReleaseFast is resolved.
rollout boundary is now defined at the runtime contract level: stable, canary, and edge are separate update lanes, with canary no longer collapsing into edge.
latest required evidence now includes scripts/appliance-rollout-boundary-smoke-check.ps1 (secure-boot block, canary apply, stable promotion).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-interrupt-timeout-manual-wake-probe-check.ps1 (live command_task_wait_interrupt_for + command_scheduler_wake_task proof, clearing interrupt-timeout wait state to none, queueing exactly one manual wake, and proving no delayed timer wake appears against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-vector-history-overflow-probe-check.ps1 (interrupt/exception counter resets, repeated dispatch saturation, history-ring overflow behavior, and per-vector telemetry against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-command-health-history-probe-check.ps1 (repeated command_set_health_code mailbox execution, command-history overflow, health-history overflow, and retained oldest/newest payload ordering against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-mode-boot-phase-history-probe-check.ps1 (live command/runtime/panic reason ordering plus post-clear saturation of the mode_history and boot_phase_history rings against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-task-lifecycle-probe-check.ps1 (live task_wait -> scheduler_wake_task -> task_resume -> task_terminate control path plus post-terminate rejected-wake semantics against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-probe-check.ps1 (live command_timer_cancel_task cleanup of timeout-backed interrupt waits, with steady-state timeout clearing and preserved later real-interrupt wake delivery against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-scheduler-wake-timer-clear-probe-check.ps1 (live command_scheduler_wake_task cleanup of pure timer waits, with a single manual wake, no ghost timer wake after idle ticks, and preserved fresh timer allocation against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-probe-check.ps1 (live command_interrupt_mask_clear_all recovery after direct mask manipulation, with wake delivery restoration, ignored-count reset, and profile return to none against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-task-terminate-interrupt-timeout-probe-check.ps1 (live command_task_terminate cleanup of timeout-backed interrupt waits, leaving no queued wake or timer residue and preventing later ghost wake delivery for the terminated task against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-scheduler-priority-budget-probe-check.ps1 (live command_scheduler_set_default_budget plus command_task_set_priority proof, including zero-budget inheritance and dispatch-order flip under the priority scheduler against the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-mailbox-header-validation-probe-check.ps1, scripts/baremetal-qemu-mailbox-stale-seq-probe-check.ps1, and scripts/baremetal-qemu-mailbox-seq-wraparound-probe-check.ps1 (invalid mailbox header rejection, stale-sequence replay no-op semantics, and deterministic u64 mailbox-sequence wraparound over the freestanding PVH artifact).
latest required bare-metal evidence now also includes scripts/baremetal-qemu-scheduler-default-budget-invalid-probe-check.ps1 (live command_scheduler_set_default_budget(0) rejection without clobbering the active default budget or later zero-budget inheritance against the freestanding PVH artifact).
minimal appliance profile readiness is now a live runtime contract surfaced on status, doctor, system.boot.status, and system.maintenance.*.
latest required evidence now also includes scripts/appliance-minimal-profile-smoke-check.ps1 (persisted state path, control-plane auth, secure-boot update gate, signer policy, and current verification).
latest required evidence now also includes scripts/appliance-baremetal-closure-smoke-check.ps1 (single FS6 acceptance receipt spanning appliance control-plane, minimal profile, rollout, restart recovery, bare-metal smoke, QEMU smoke, runtime progression, and command-loop behavior).
[x] FS5.6 - Repo-wide GPL-2.0-only license refresh
root LICENSE plus package-local LICENSE files now carry the GNU GPL v2 text.
npm/Python client metadata now declares GPL-2.0-only.
release evidence now emits GPL-2.0-only instead of NOASSERTION for package license fields.
repo-owned source/script files now use Linux-style SPDX headers.
tracking doc: docs/zig-port/FS5_6_LICENSE_REFRESH.md.
[ ] FS7 - Cutover + decommission gates


Phase 1 - Foundation¶

[x] Initialize Zig workspace layout (gateway, protocol, bridge, config/runtime slices)
[x] Add build/test commands (zig build, zig build test, local syntax-check script)
[x] Add config parser + env override skeleton
[x] Add /health endpoint contract in dispatcher (health RPC route with JSON payload)

Phase 2 - Protocol + Gateway Core¶

[x] Implement JSON-RPC envelope parsing/serialization
[x] Build method registry and dispatcher
[x] Implement HTTP RPC route + graceful shutdown
[x] Add contract tests for error codes and method routing
[x] Implement WebSocket routes (GET /ws + root compatibility GET /) with upgrade handling and RPC frame dispatch
[x] Normalize gateway route matching for query-bearing targets (/health?, /rpc?, /ws?) to preserve transport compatibility
[x] Accept websocket RPC frames over both text and binary message types for transport parity with Go
[x] Add stream-chunk envelope path across websocket + HTTP /rpc with bounded chunk sizing (params.stream=true, params.streamChunkBytes) and backpressure-oriented chunk limits
Gateway stream chunk defaults/max are now tunable via env:
OPENCLAW_ZIG_GATEWAY_STREAM_CHUNK_DEFAULT_BYTES
OPENCLAW_ZIG_GATEWAY_STREAM_CHUNK_MAX_BYTES


Stream-option parsing now seeds config-driven chunk defaults and clamps requested chunk sizes to gateway min/max bounds with deterministic fallbacks.
[x] Dispatcher fallback for registered methods now fails fast (-32603 dispatcher gap) instead of returning scaffold success payloads.

Phase 3 - Runtime + Tooling¶

[x] Add runtime state/session primitives
[x] Implement initial tool runtime actions (exec, file read/write)
[x] Add queue/worker scaffolding for async jobs
[x] Add integration tests for request lifecycle

FS1 runtime/core consolidation slice (active):
- [x] Strict FS1-FS5 analysis report added: docs/zig-port/FS1_FS5_STRICT_ANALYSIS_REPORT.md
  - locks the current source-of-truth baseline to the current local repo head and upstream v2026.3.13-1 / v2026.3.13-beta.1.
  - defines dependency-aware execution order: FS1 -> FS4 -> FS2 -> FS3 -> FS5.
  - freezes the first required FS1 slice: node.pending.enqueue + node.pending.drain with upstream no-guesswork semantics.
- [x] First FS1 hard method gap implemented in the Zig gateway:
  - src/gateway/registry.zig now advertises node.pending.enqueue and node.pending.drain.
  - src/gateway/dispatcher.zig now implements pending-work enqueue/drain state, ack integration, guard exemptions, direct compat-state regressions, and dispatcher contract tests.
  - docs/rpc-reference.md regenerated so the RPC surface matches the live registry.
- [x] Runtime state persistence + restart replay path added (src/runtime/state.zig):
  - persists session snapshots and pending job queue to runtime-state.json under configured state_path.
  - restores persisted sessions/queue on runtime bootstrap.
  - regression test added: runtime state persistence roundtrip restores session and pending queue.
- [x] Telegram + auth runtime restart replay added (src/channels/telegram_runtime.zig, src/bridge/web_login.zig):
  - persists/restores web login sessions (web-login-state.json) and Telegram runtime state (telegram-runtime-state.json) under configured state_path.
  - restores target model bindings, auth bindings, and queued Telegram updates across restart.
  - dispatcher bootstrap now enables persistence for both managers (getLoginManager, getTelegramRuntime).
  - regression tests added:
    - web login persistence roundtrip restores authorized session
    - telegram runtime persistence roundtrip restores model auth binding and queue.
- [x] Compat runtime/control-plane restart replay added (src/gateway/dispatcher.zig):
  - CompatState now persists/restores core runtime-control settings and history (compat-state.json) under configured state_path.
  - persisted state includes heartbeat/presence/talk/tts/voicewake profile, update head metadata, bounded event/update histories, config overlay entries, and session tombstones.
  - dispatcher now writes compat persistence snapshots safely after request handling when compatibility state is active.
  - regression test added:
    - compat state persistence roundtrip restores core runtime settings and histories.
- [x] Runtime persistence posture is now surfaced explicitly in diagnostics (src/security/audit.zig, src/gateway/dispatcher.zig):
  - security.audit now emits runtime.state_path.in_memory when runtime state is empty or memory-backed.
  - doctor now exposes runtime.state_path and security.policy_bundle checks with persisted-vs-memory posture details.
  - regression tests added:
    - security audit reports in-memory runtime state path
    - doctor exposes runtime state path and policy bundle posture checks
    - dispatcher doctor JSON now asserts both checks are present.
- [x] Runtime/policy fix reporting now distinguishes partial remediation from true completion (src/security/audit.zig, src/gateway/dispatcher.zig):
  - security.audit --fix now keeps real file/template creation in changes[] but reports unresolved config follow-up separately via fix.complete=false and fix.unresolved[].
  - memory-backed OPENCLAW_ZIG_STATE_PATH and OPENCLAW_ZIG_SECURITY_POLICY_BUNDLE_PATH now surface as manual config actions instead of being implied as auto-fixed.
  - system.maintenance.run now returns status=completed_with_manual_action, counts.partial, and actions[].status=partial when only manual config blockers remain.
  - regression tests added:
    - security audit fix reports manual runtime and policy config blockers
    - dispatch security.audit fix exposes manual runtime persistence blockers
    - dispatch maintenance run reports partial security remediation when runtime persistence stays memory-backed
- [x] Runtime leased-job replay now survives restart interruption (src/runtime/state.zig):
  - dequeued jobs are now persisted in a dedicated leased/in-flight set instead of disappearing from on-disk replay state before completion.
  - restore now requeues leased jobs ahead of later pending jobs so interrupted work resumes in deterministic order.
  - regression test added:
    - runtime state restart replay preserves leased jobs that were dequeued but not released
Phase 4 - Security + Diagnostics¶

[x] Port core guard flow (prompt/tool policy checks)
[x] Implement doctor and security.audit base commands
[x] Add remediation/reporting contract outputs

Phase 4 hardening notes:
- Added optional gateway token auth enforcement for /rpc:
  - OPENCLAW_ZIG_GATEWAY_REQUIRE_TOKEN
  - OPENCLAW_ZIG_GATEWAY_AUTH_TOKEN
- Added gateway /rpc rate limiting controls:
  - OPENCLAW_ZIG_GATEWAY_RATE_LIMIT_ENABLED
  - OPENCLAW_ZIG_GATEWAY_RATE_LIMIT_WINDOW_MS
  - OPENCLAW_ZIG_GATEWAY_RATE_LIMIT_MAX_REQUESTS
- security.audit and doctor now report gateway auth/rate-limit posture with dedicated checks/findings.
- Added deterministic config fingerprinting for diagnostics posture tracking:
  - health, status, and config.get now expose configHash.
  - doctor now includes configHash (stable hash of active config + env overlays).
- Added non-loopback bind token enforcement in gateway transport:
  - /rpc and websocket routes now require token auth on non-loopback bind even when OPENCLAW_ZIG_GATEWAY_REQUIRE_TOKEN=false.
  - non-loopback bind with empty token now fails closed (gateway_token_unconfigured) until OPENCLAW_ZIG_GATEWAY_AUTH_TOKEN is set.
Phase 5 - Browser/Auth/Channels¶

[x] Implement web login manager (start/wait/complete/status)
[x] Implement browser completion bridge contract (Lightpanda-only provider policy)
[x] Implement Telegram command/reply surface (send/poll + /auth + /model command path)
[x] Add smoke coverage for auth + reply loops (scripts/web-login-smoke-check.ps1 + scripts/telegram-reply-loop-smoke-check.ps1)

Phase 5 enhancement notes:
- Added browser request provider split (engine vs target provider) so qwen|zai|inception route through Lightpanda correctly.
- Added guest bypass metadata and action hints (stay_logged_out) to browser completion and OAuth provider catalog payloads.
- Added Telegram /auth guest <provider> flow plus callback URL provider inference and shared callback code extraction (query/fragment/path) via web_login.extractAuthCode.
- Added free guest-chat alias normalization for provider-name variants:
  - qwen-chat-free|qwen-free -> qwen
  - glm-5-chat-free|glm-chat-free -> zai
  - mercury-2-chat-free|mercury-chat-free -> inception
- Expanded auth provider breadth in Telegram + OAuth catalog: minimax, kimi, and zhipuai (with alias normalization + default model coverage).
- Added account-scoped Telegram auth bindings with force replacement semantics:
  - /auth start <provider> [account] [--force]
  - /auth status|wait|guest|complete|cancel <provider> [session_id] [account]
  - provider-level authorized fallback for chat replies when any account scope is authorized.
- Added auth UX depth for guest and account flows:
  - /auth providers now includes auth mode + guest/popup hints.
  - /auth bridge <provider> now returns provider-specific lightpanda guidance.
  - /auth wait supports backward-compatible positional timeout (/auth wait <provider> [account] <seconds>) in addition to --timeout.
  - /auth link|open now re-surfaces active login URL + code + exact completion commands for phone-only flows.
  - /tts speak now emits clip payload metadata in send responses (audioAvailable, audioFormat, audioBase64, audioBytes, audioProviderUsed, audioSource) and queues a dedicated audio_clip update for downstream transport adapters.
  - Authorized non-command Telegram replies now also emit audio_clip updates + audio metadata in send responses when TTS is enabled, aligning with Rust bridge auto-TTS response behavior.
  - Telegram TTS key/bin status checks now use alias-aware env resolution for Zig/Go/Rust migration paths (matching dispatcher fallback chains).
- Added live Lightpanda probe telemetry for browser.request and browser.open:
  - Dispatcher now probes <endpoint>/json/version per request and returns structured probe status (ok/url/statusCode/latencyMs/error).
  - Browser params now support endpoint/timeout overrides (endpoint|bridgeEndpoint|lightpandaEndpoint, requestTimeoutMs|timeoutMs) while preserving existing completion payload fields.
- Added real Lightpanda completion execution path for browser.request:
  - When prompt/messages are present, dispatcher now POSTs to <endpoint>/v1/chat/completions.
  - RPC responses include structured bridgeCompletion telemetry (requested/ok/provider/requestUrl/statusCode/model/assistantText/latencyMs/error).
  - Request parsing now supports completion payload keys with normalization: messages, prompt|message|text, temperature, max_tokens|maxTokens, loginSessionId|login_session_id, and apiKey|api_key.
- Added direct provider completion fallback path (chatgpt and claude) for browser.request:
  - New request flags: directProvider, direct_provider, useProviderApi.
  - Optional completion streaming parse with params.stream=true now supports SSE delta extraction for OpenAI and Anthropic responses.
  - Provider API-key resolution supports explicit request keys plus config/env fallback aliases.
- Added real Telegram Bot API connector path alongside existing runtime queue model:
  - channels.telegram.webhook.receive now accepts Telegram update payloads, routes update text through runtime command handlers, and can optionally deliver replies through Bot API sendMessage.
  - channels.telegram.bot.send adds direct Bot API send path with dryRun/deliver controls and token fallback resolution.
  - src/channels/telegram_bot_api.zig introduces Telegram update parsing, runtime frame builders, and Bot API delivery telemetry.
- Telegram channel typing-depth parity slice:
  - added Bot API typing-action support via sendChatAction in src/channels/telegram_bot_api.zig.
  - channels.telegram.webhook.receive now emits optional typing action (typingAction, default typing) before reply delivery when deliver=true.
  - channels.telegram.bot.send now supports optional typing action hints (typingAction/typing) with structured typing telemetry in the RPC response.
  - regression tests added for typing action error path and bot-send typing contract surface.
- Telegram long-reply chunking parity slice:
  - src/channels/telegram_bot_api.zig now exposes UTF-8-aware splitMessageAlloc with Telegram-safe rune caps (maxTelegramMessageRunes=4096) and whitespace-aware split preference.
  - channels.telegram.webhook.receive and channels.telegram.bot.send now deliver replies through chunk batches with structured deliveryBatch telemetry (chunkCount, deliveredChunkCount, messageIds, maxChunkRunes, chunkDelayMs, failedChunkIndex).
  - stream-style overrides are now supported on both Telegram Bot API methods: stream, streamChunkChars|chunkChars, streamChunkDelayMs|chunkDelayMs.
  - regression tests added for chunk splitting (telegram_bot_api) and dry-run streamed chunk telemetry (dispatcher).
- Telegram stream/typing config parity slice:
  - Runtime config now includes Telegram streaming/typing defaults aligned to Go semantics:
    - runtime.telegram_live_streaming
    - runtime.telegram_stream_chunk_chars
    - runtime.telegram_stream_chunk_delay_ms
    - runtime.telegram_typing_indicators
    - runtime.telegram_typing_interval_ms
  - Env overrides added:
    - OPENCLAW_ZIG_RUNTIME_TELEGRAM_LIVE_STREAMING
    - OPENCLAW_ZIG_RUNTIME_TELEGRAM_STREAM_CHUNK_CHARS
    - OPENCLAW_ZIG_RUNTIME_TELEGRAM_STREAM_CHUNK_DELAY_MS
    - OPENCLAW_ZIG_RUNTIME_TELEGRAM_TYPING_INDICATORS
    - OPENCLAW_ZIG_RUNTIME_TELEGRAM_TYPING_INTERVAL_MS
  - Dispatcher telegram delivery now consumes config defaults when request-level stream/typing fields are omitted.
- Telegram typing keepalive parity slice:
  - channels.telegram.webhook.receive and channels.telegram.bot.send now run chunk-aware typing keepalive pulses during streamed delivery batches instead of a single pre-send typing call.
  - typing cadence now honors runtime/request defaults via runtime.telegram_typing_interval_ms and typingIntervalMs|typing_interval_ms.
  - deliveryBatch now includes typing telemetry (typingPulseCount, typingIntervalMs) for deterministic transport diagnostics.
  - regression tests added for config-default typing interval behavior and explicit typing interval override.
- Telegram channel-status config telemetry slice:
  - channels.status now includes Telegram runtime streaming/typing config fields (liveStreaming, streamChunkChars, streamChunkDelayMs, typingIndicators, typingIntervalMs) for parity with Go status surfaces.
  - regression coverage extended to assert these fields are always present in channels.status responses.
- Channels status compatibility envelope slice:
  - channels.status now also emits Go-style channel registry status fields (count, items[]) while preserving the Zig summary envelope (channels, webLogin, status).
  - status items now include canonical channel entries (webchat, cli, telegram) with compatibility fields (connected, running, defaultTarget, aliases, lastError).
  - regression coverage extended to assert count/items and Telegram item presence.
- Send channel alias compatibility slice:
  - send now normalizes channel aliases for compatibility with Go channel routing (web|webchat, cli|console|terminal, telegram|tg|tele).
  - send|chat.send|sessions.send now inherit the last known session channel when params.channel is omitted; unknown/new sessions default to webchat.
  - session-channel state is now tracked in compat state (sessionChannels) and persisted in compat-state.json, so omitted-channel routing is independent of memory-history retention.
  - compat-state recovery test now explicitly verifies sessionChannels persistence and timestamp replay across restart (gateway.dispatcher.test.compat state persistence roundtrip restores core runtime settings and histories).
  - connect and sessions.patch upsert session-channel state; sessions.delete removes it; sessions.reset keeps it (matching Go session behavior).
  - poll remains Telegram-only by design and now rejects non-Telegram aliases deterministically.
  - regression coverage added for alias acceptance and unsupported-channel rejection paths:
    - channels.telegram_runtime.test.telegram runtime send accepts webchat and cli channel aliases
    - channels.telegram_runtime.test.telegram runtime send and poll reject unsupported channels
    - gateway.dispatcher.test.dispatch browser.open and send aliases follow existing runtime paths
- Completion semantics hardening:
  - Top-level ok/status/message for browser.request now reflect live completion outcome when completion execution is requested (status=failed on bridge failure).
  - Assistant text extraction now supports additional response shapes: output_text, output[].content[], and array-based choices[].message.content.
- Browser bridge context-injection hardening:
  - browser.request now parses sessionId, includeToolContext, includeMemoryContext, and memoryContextLimit (aliases supported).
  - completion payload path now injects runtime tool capability context and per-session memory recap into completion messages before bridge/direct-provider execution.
  - browser responses now expose explicit context telemetry (context.toolContextInjected, context.memoryContextInjected, context.memoryEntriesUsed, context.error) to debug "no tools/no memory" regressions from remote model replies.
- Telegram authorized reply bridge hardening:
  - Telegram runtime now attempts real Lightpanda completion for authorized non-command chat messages using active provider/model/login-session context.
  - fallback behavior is preserved (runtime_echo) when bridge completion is unavailable or returns empty output.
  - send response payload now includes replySource telemetry (bridge_completion, runtime_echo, auth_required, command) for transport-safe reply provenance checks.
- Telegram bridge context-depth hardening:
  - dispatcher now wires Telegram runtime to shared memory store (getTelegramRuntime -> setMemoryStore(getMemoryStore())) so bridge completions can consume persisted memory.
  - Telegram tryGenerateBridgeReply now injects runtime tool capability context, semantic/graph recall synthesis, and recent session history into Lightpanda completion messages.
  - completion payload assembly now applies role filtering and last-user dedupe to prevent duplicate user turns in bridge requests.
  - completion payloads now apply bounded-context shaping (12,000 char budget) while preserving system context and newest user turn.
  - regression test added: telegram runtime completion budget keeps system and newest user turn.
  - Telegram completion attempt fallback now reuses latest authorized login session across providers when selected provider binding is missing/stale, reducing false auth_required responses after model switching.
  - send response envelope now includes providerFailover flag for bridge-completion provenance.
  - Telegram completion attempts now support provider API-key credentials when browser session auth is missing:
    - runtime accepts provider API-key resolver injection from dispatcher and uses those credentials in bridge completion attempts.
    - fallback env aliases are also supported for chatgpt|codex, claude, gemini, openrouter, and opencode.
    - regression test added: telegram runtime uses provider api key when no authorized browser session exists.
  - Dispatcher provider-key resolution now includes extended provider matrix parity:
    - resolver covers codex, gemini, openrouter, and opencode alongside chatgpt and claude.
    - regression test added: resolve browser provider api key supports extended provider matrix.
  - Direct-provider bridge parity now includes OpenRouter:
    - provider_http.executeCompletion now supports direct provider openrouter with OpenAI-compatible transport contracts.
    - dispatcher browser.request direct path now returns deterministic OpenRouter request URL telemetry on credential failures.
    - regression tests added:
      - direct provider openrouter requires api key and reports openrouter endpoint
      - dispatch browser.request supports direct provider path for openrouter with missing key telemetry
  - Direct-provider bridge parity now includes OpenCode:
    - provider_http.executeCompletion now supports direct provider opencode with OpenAI-compatible transport contracts.
    - dispatcher browser.request direct path now returns deterministic OpenCode request URL telemetry on credential failures.
    - regression tests added:
      - direct provider opencode requires api key and reports opencode endpoint
      - dispatch browser.request supports direct provider path for opencode with missing key telemetry
  - Telegram send-result bridge telemetry now includes provider API-key usage:
    - send response includes providerApiKeyUsed to indicate when bridge completion used API-key credentials.
    - regression coverage updated in telegram runtime uses provider api key when no authorized browser session exists.
  - Browser-request auth telemetry now includes API-key usage/source:
    - browser.request now emits auth.loginSessionId, auth.apiKeyUsed, and auth.apiKeySource (explicit|resolver|none) in completion and metadata-only responses.
    - regression coverage added:
      - dispatch browser.request metadata-only direct provider reports explicit api-key telemetry.
  - regression tests added:
    - bridge.web_login.test.latest authorized session supports provider filter and summary status
    - channels.telegram_runtime.test.telegram runtime uses latest authorized session fallback when selected provider is unauthenticated
Phase 6 - Memory + Edge¶

[x] Port memory persistence primitives
[x] Port edge handler contracts
[x] Port wasm runtime/sandbox lifecycle contracts

Phase 6 progress notes:
- PAL v1 extraction shipped (src/pal/*) with concrete interfaces for fs/proc/net/secrets/sandbox:
  - runtime tool execution and file sandbox flows now route through PAL (runtime/tool_runtime.zig -> pal.proc, pal.fs, pal.sandbox).
  - Telegram Bot API connector now routes outbound POST delivery through PAL network interface (channels/telegram_bot_api.zig -> pal.net).
  - dispatcher env secret lookup now routes through PAL secrets interface (gateway/dispatcher.zig -> pal.secrets).
- Secure secret storage backend abstraction shipped (src/security/secret_store.zig):
  - new secrets.store.* methods: status, set, get, delete, list.
  - encrypted-file backend implemented with XChaCha20-Poly1305 persistence (secrets.store.enc.json) and backend selection abstraction (env, encrypted-file, dpapi/keychain/keystore -> encrypted fallback).
  - secrets.resolve now resolves in order: config overlay -> secure secret store -> environment aliases.
- WASM trust/signature + host-hook hardening shipped:
  - edge.wasm.install now computes deterministic module digests, supports expected hash checks, and enforces trust policy (hash|signature|off) with HMAC verification when signature mode is required (OPENCLAW_ZIG_WASM_TRUST_KEY).
  - custom installed modules now persist trust metadata (sha256, signature, signer, verificationMode, verified, sourceUrl) in dispatcher state.
  - edge.wasm.execute now parses requested host hooks and enforces capability mapping (fs.read/write, memory.read/write, network.fetch) for both marketplace and custom modules, returning deterministic sandbox denial on violations.
  - wasm execution responses now surface trust metadata for downstream observability (trust.verified, trust.verificationMode, trust.sha256).
- Implemented persistent memory store (src/memory/store.zig) with session/channel history handlers: sessions.history, chat.history, and doctor.memory.status.
- Memory retention recovery hardening slice:
  - memory/store.zig now enforces max_entries during load/replay, so reopening with a lower retention cap trims oldest entries deterministically.
  - load path now derives next_id from replayed message IDs so stale persisted nextId values cannot cause post-restart ID reuse/collisions.
  - Added high-turn multi-session persistence regression test:
    - memory.store.test.store load enforces max entries and keeps newest multi-session history.
    - memory.store.test.store load derives next id from entries when persisted nextId is stale.
- Memory semantic/graph recall parity hardening slice:
  - memory/store.zig now includes semantic recall and graph-neighbor recall primitives (semanticRecall, graphNeighbors) plus synthesis helper (recallSynthesis).
  - memory stats now include vector and graph telemetry (vectors, graphNodes, graphEdges) and explicit unlimited-retention posture (unlimited, maxEntries).
  - runtime memory retention limit is now configurable via runtime.memory_max_entries (OPENCLAW_ZIG_RUNTIME_MEMORY_MAX_ENTRIES), with unlimited mode when set to <=0.
  - browser completion memory context now includes semantic/graph recall hints to reinforce tool+memory awareness for bridge models.
  - Added regression tests:
    - memory.store.test.store semantic recall returns ranked oracle related hits
    - memory.store.test.store graph neighbors and recall synthesis provide semantic and graph depth
    - memory.store.test.store stats include vector graph metadata and persistence recovery
    - memory.store.test.store unlimited retention keeps all entries and reports unlimited stats
- Optimization hardening for Phase 6 shipped:
  - memory/store.zig: batched front-removal helper applied to overflow + trim, and removeSession rewritten to linear compaction while preserving order.
  - runtime/state.zig: pending job queue now dequeues via head offset + amortized compaction (replaces repeated front removal shifts).
  - channels/telegram_runtime.zig: poll now drains queue prefix then compacts once, preserving FIFO ordering with lower churn.
  - Added regression tests:
    - memory.store.test.store removeSession and trim keep ordering with linear compaction
    - runtime.state.test.runtime state queue depth stays correct across compaction cycles
    - channels.telegram_runtime.test.telegram runtime poll compacts queue front in one pass and keeps ordering
- Diagnostics perf hardening shipped:
  - security/audit.zig: doctor now uses cached docker binary probe (dockerAvailableCached) to reduce repeated process-spawn cost on repeated diagnostics invocations.
  - Added regression test: security.audit.test.doctor includes docker binary check.
- Channel retention hardening shipped:
  - channels/telegram_runtime.zig: bounded queue retention (max_queue_entries=4096) now drops oldest queued messages with single-pass front compaction.
  - Added regression test: channels.telegram_runtime.test.telegram runtime queue retention keeps newest entries under cap.
- Registry hot-path optimization shipped:
  - gateway/registry.zig: supports now checks exact-case method hits first and only performs case-insensitive fallback when request method contains uppercase characters.
  - Added regression check for mixed-case compatibility: supports(\"HeAlTh\").
- Dispatcher bounded-history compaction shipped:
  - gateway/dispatcher.zig: introduced shared trimFrontOwnedList helper and moved capped retention paths away from repeated single-item orderedRemove(0) for compat/edge histories (events, update_jobs, agent_jobs, cron_runs, node_events, finetune_jobs).
  - Added regression tests:
    - gateway.dispatcher.test.compat state bounded history keeps newest events
    - gateway.dispatcher.test.edge state bounded finetune history keeps newest jobs
- Implemented edge contract slice in dispatcher: edge.wasm.marketplace.list, edge.router.plan, edge.swarm.plan, edge.multimodal.inspect, and edge.voice.transcribe.
- Implemented advanced edge contract slice in dispatcher: edge.enclave.status, edge.enclave.prove, edge.mesh.status, edge.homomorphic.compute, edge.finetune.status, edge.finetune.run, edge.identity.trust.status, edge.personality.profile, edge.handoff.plan, edge.marketplace.revenue.preview, edge.finetune.cluster.plan, edge.alignment.evaluate, edge.quantum.status, and edge.collaboration.plan.
- Added edge.acceleration.status parity handler with contract coverage.
- Added wasm/runtime contract depth slice: config.get now exposes wasm module + policy snapshot and tools.catalog advertises wasm/runtime tool families; edge.wasm.marketplace.list now includes witPackages and builderHints parity fields.
- Added explicit wasm lifecycle contracts: edge.wasm.install, edge.wasm.execute, and edge.wasm.remove with custom module state tracking and sandbox limit/capability enforcement.
- Added OAuth + runtime aliases needed by Go parity callers: auth.oauth.providers|start|wait|complete|logout|import, browser.open, chat.send, and sessions.send.
- Added compat observability/session slice:
  - usage + heartbeat + presence methods: usage.status, usage.cost, last-heartbeat, set-heartbeats, system-presence, system-event, wake
  - session/log methods: sessions.list, sessions.preview, session.status, sessions.reset, sessions.delete, sessions.compact, sessions.usage, sessions.usage.timeseries, sessions.usage.logs, logs.tail
  - memory store now supports count, removeSession, and trim to back these contracts with real state mutations.
- Added compat conversation/control slice:
  - talk/voice methods: talk.config, talk.mode, voicewake.get, voicewake.set
  - TTS methods: tts.status, tts.enable, tts.disable, tts.providers, tts.setProvider, tts.convert
  - model/control methods: models.list, chat.abort, chat.inject, push.test, canvas.present, update.run
  - stateful compat runtime now tracks talk mode/voice, TTS provider/enabled, voicewake phrase, and update jobs.
  - tts.convert now performs best-effort real synthesis before fallback:
    - local kittentts binary execution via OPENCLAW_ZIG_KITTENTTS_BIN / OPENCLAW_RS_KITTENTTS_BIN
    - OpenAI TTS HTTP path via OPENAI_API_KEY / OPENCLAW_ZIG_TTS_OPENAI_API_KEY
    - ElevenLabs HTTP path via ELEVENLABS_API_KEY / OPENCLAW_ZIG_TTS_ELEVENLABS_API_KEY
    - deterministic simulated-audio fallback remains for no-key/no-binary or provider failures.
  - tts.status and tts.providers now use the same alias-aware credential/binary detection path as synthesis:
    - OpenAI: OPENAI_API_KEY, OPENCLAW_ZIG_TTS_OPENAI_API_KEY, OPENCLAW_GO_TTS_OPENAI_API_KEY, OPENCLAW_RS_TTS_OPENAI_API_KEY
    - ElevenLabs: ELEVENLABS_API_KEY, OPENCLAW_ZIG_TTS_ELEVENLABS_API_KEY, OPENCLAW_GO_TTS_ELEVENLABS_API_KEY, OPENCLAW_RS_TTS_ELEVENLABS_API_KEY
    - KittenTTS binary: OPENCLAW_ZIG_KITTENTTS_BIN, OPENCLAW_GO_KITTENTTS_BIN, OPENCLAW_GO_TTS_KITTENTTS_BIN, OPENCLAW_RS_KITTENTTS_BIN
  - KittenTTS execution path now supports stdin-fed synthesis and arg overrides for migration parity:
    - stdin payload execution (text written to child stdin) to match Rust runtime behavior.
    - optional args env fallbacks: OPENCLAW_ZIG_KITTENTTS_ARGS, OPENCLAW_GO_KITTENTTS_ARGS, OPENCLAW_GO_TTS_KITTENTTS_ARGS, OPENCLAW_RS_KITTENTTS_ARGS.
    - placeholder token support for args: {{text}} and {{format}}.
- Added compat config/wizard/session-mutation slice:
  - config methods: config.set, config.patch, config.apply, config.schema
  - wizard methods: wizard.start, wizard.next, wizard.cancel, wizard.status
  - session mutation methods: sessions.patch, sessions.resolve
  - secrets.reload and secrets.resolve contract methods added for key reload + secret reference resolution parity.
  - secrets.resolve now performs active resolution from config overlay values (direct + wildcard key matching) and environment alias fallbacks (OPENCLAW_ZIG_*, OPENCLAW_GO_*, OPENCLAW_RS_*).
- Added compat agent/skills slice:
  - agent methods: agent, agent.identity.get, agent.wait
  - agents methods: agents.list, agents.create, agents.update, agents.delete, agents.files.list, agents.files.get, agents.files.set
  - skills methods: skills.status, skills.bins, skills.install, skills.update
  - stateful backing added for agents, agent files, installed skills, and async-compatible agent jobs.
- Added compat cron slice:
  - cron methods: cron.list, cron.status, cron.add, cron.update, cron.remove, cron.run, cron.runs
  - stateful backing added for cron jobs and bounded cron run history with update/run lifecycle fields.
- Added compat device slice:
  - device methods: device.pair.list, device.pair.approve, device.pair.reject, device.pair.remove, device.token.rotate, device.token.revoke
  - stateful backing added for device pairs and token rotate/revoke lifecycle.
- Added compat node + exec-approval slice:
  - node methods: node.pair.request, node.pair.list, node.pair.approve, node.pair.reject, node.pair.verify, node.rename, node.list, node.describe, node.invoke, node.invoke.result, node.event, node.canvas.capability.refresh
  - exec approval methods: exec.approvals.get, exec.approvals.set, exec.approvals.node.get, exec.approvals.node.set, exec.approval.request, exec.approval.waitdecision, exec.approval.resolve
  - stateful backing added for node pairs/nodes/events and approval policies/pending approval lifecycle.
- Self-evolution depth update:
  - edge.finetune.run now supports provider alias/model default normalization, full trainer argv generation, OPENCLAW_ZIG_LORA_TRAINER_TIMEOUT_MS, and non-dry-run trainer execution telemetry.
  - edge.finetune.status now includes richer job metadata (statusReason, updatedAtMs) and dataset source surfaces.
  - new methods: edge.finetune.job.get, edge.finetune.cancel.
- Self-maintenance/update slice:
  - methods: system.maintenance.plan, system.maintenance.run, system.maintenance.status.
  - integrates doctor/security/memory/heartbeat signals into health scoring and actionable remediation workflows.
- Zig-OS appliance control-plane slice:
  - methods: system.boot.status, system.boot.verify, system.boot.attest, system.boot.attest.verify, system.boot.policy.get, system.boot.policy.set, system.rollback.plan, system.rollback.run, system.rollback.cancel.
  - adds stateful secure-boot verification telemetry (measurement, signer, verification timestamp), signed attestation output (statementDigest, optional HMAC signature), attestation verification (digest/nonce/timestamp/signature checks), policy controls (enforceUpdateGate, verificationMaxAgeMs, requiredSigner), and slot-aware rollback planning/apply/cancel lifecycle (A/B slot switching with update-job + event traces).
  - update.run now honors optional secure-boot gate enforcement and fails closed with structured bootGate telemetry when verification is stale/missing.
- Next-generation update/release slice:
  - added update.plan (channel-aware update planning) and update.status (job/queue observability).
  - update.run now resolves channel aliases (stable/latest/lts, edge/nightly/preview) and surfaces npm release metadata.
  - added npm client package at npm/openclaw-zig-rpc-client and release workflow .github/workflows/npm-release.yml.
- Method surface now at 169 Zig methods; tri-baseline method-set parity is complete:
  - Go latest release baseline: 134/134 covered in Zig.
  - Original OpenClaw latest release baseline: 94/94 covered in Zig.
  - Original OpenClaw latest beta baseline: 94/94 covered in Zig.
  - Union baseline: 135/135 covered in Zig.
  - Gateway events parity: original stable 19/19, original beta 19/19, union 19/19 covered in Zig.
  - Zig-only extras vs union baseline: 34 (shutdown, doctor, security.audit, exec.run, file.read, file.write, web.login.complete, web.login.status, edge.wasm.install, edge.wasm.execute, edge.wasm.remove, edge.finetune.job.get, edge.finetune.cancel, system.maintenance.plan, system.maintenance.run, system.maintenance.status, system.boot.status, system.boot.verify, system.boot.attest, system.boot.attest.verify, system.boot.policy.get, system.boot.policy.set, system.rollback.plan, system.rollback.run, system.rollback.cancel, update.plan, update.status, secrets.store.status, secrets.store.set, secrets.store.get, secrets.store.delete, secrets.store.list).
Phase 7 - Validation + Release¶

[x] Run full parity diff against Go baseline
[x] Run full test matrix and smoke checks
[x] Build release binaries + checksums
[x] Publish first Zig preview release

Latest Validation Snapshot¶

[x] zig build
[x] zig build test
[x] zig build test --summary all -> 203/203 passing (includes gateway auth/rate-limit hardening tests, runtime file/exec policy hardening tests, config-hash diagnostics coverage, bind-policy token enforcement checks, secure-boot policy/update-gate enforcement coverage, TTS/completion execution-path coverage, PAL extraction coverage, secure secret-store backend coverage, bare-metal ABI v2 contract tests, runtime persistence posture diagnostics coverage, and appliance minimal-profile readiness coverage)
[x] Runtime policy hardening slice shipped:
file.read / file.write optional sandbox enforcement with traversal + symlink denial paths:
OPENCLAW_ZIG_RUNTIME_FILE_SANDBOX_ENABLED
OPENCLAW_ZIG_RUNTIME_FILE_ALLOWED_ROOTS (CSV/semicolon-delimited roots)


exec.run optional policy gate + allowlist controls:
OPENCLAW_ZIG_RUNTIME_EXEC_ENABLED
OPENCLAW_ZIG_RUNTIME_EXEC_ALLOWLIST (CSV/semicolon command-prefix list)


new runtime tests:
runtime.tool_runtime.test.tool runtime file sandbox blocks traversal and out-of-root writes
runtime.tool_runtime.test.tool runtime exec policy denies non-allowlisted commands


[x] scripts/generate-rpc-reference.ps1 (regenerates docs/rpc-reference.md from src/gateway/registry.zig, currently 169 methods)
[x] scripts/npm-pack-check.ps1 (validates npm package dry-run for npm/openclaw-zig-rpc-client)
[x] scripts/python-pack-check.ps1 (validates python client package tests + wheel/sdist + twine checks for python/openclaw-zig-rpc-client)
[x] scripts/generate-release-evidence.ps1 (generates release trust artifacts from packaged assets: release-manifest.json, sbom.spdx.json, provenance.intoto.json)
[x] Gateway control-plane UI bootstrap + node-pair consolidation shipped:
GET /ui now serves an interactive status/doctor/logs/node-pair control panel for bootstrap operations.
node-pair methods now accept additional alias payloads (node_id/deviceId, pair_id/nodePairId/id) and return consolidated pairing envelopes (node.pair.request, node.pair.approve|reject|verify, node.pair.list with pairs alias).
regression coverage added in gateway + dispatcher tests for /ui and node-pair alias/response compatibility.
[x] WASM trust-host hook hardening regression coverage:
gateway.dispatcher.test.dispatch wasm lifecycle methods install execute remove and enforce sandbox limits now also checks trust mode metadata and host-hook allow/deny behavior.
[x] zig test src/main.zig
[x] zig test src/baremetal_main.zig (37/37 passing; includes mode-history + boot-phase-history + command-result counter + scheduler + allocator/syscall + timer/wake queue telemetry coverage)
[x] Guest/auth parity tests:
channels.telegram_runtime.test.telegram runtime qwen guest auth lifecycle
channels.telegram_runtime.test.telegram runtime auth complete infers provider from callback URL
bridge.web_login.test.guest providers can complete auth with guest token
[x] Account-scoped auth tests:
channels.telegram_runtime.test.telegram runtime auth supports account scope and force restart
[x] Auth UX tests:
channels.telegram_runtime.test.telegram runtime auth bridge and providers help include guest guidance
channels.telegram_runtime.test.telegram runtime wait supports positional timeout with account
[x] scripts/zig-syntax-check.ps1
[x] zig build baremetal (freestanding image build: openclaw-zig-baremetal.elf)
[x] Bare-metal wake queue reason-selective drain slice shipped:
new mailbox opcode: command_wake_queue_pop_reason (arg0=reason, arg1=count, count=0 defaults to one)
new export telemetry: oc_wake_queue_reason_count(reason) for timer/interrupt/manual wake distribution checks
regression coverage added for reason-filtered pop ordering, invalid-reason rejection, and not-found behavior
[x] Bare-metal wake queue vector-selective drain slice shipped:
new mailbox opcode: command_wake_queue_pop_vector (arg0=vector, arg1=count, count=0 defaults to one)
new export telemetry: oc_wake_queue_vector_count(vector) for per-vector wake distribution checks
regression coverage added for vector-filtered pop ordering and not-found behavior while preserving FIFO order for non-matching events
[x] Bare-metal wake queue stale-entry drain slice shipped:
new mailbox opcode: command_wake_queue_pop_before_tick (arg0=max_tick, arg1=count, count=0 defaults to one)
new export telemetry: oc_wake_queue_before_tick_count(max_tick) for deadline-based wake backlog checks
regression coverage added for stale-entry pop ordering and not-found behavior while preserving FIFO order for non-matching events
[x] Added bare-metal optional QEMU wake-queue before-tick wrapper probes (scripts/baremetal-qemu-wake-queue-before-tick-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-before-tick-first-cutoff-probe-check.ps1, scripts/baremetal-qemu-wake-queue-before-tick-bounded-drain-probe-check.ps1, scripts/baremetal-qemu-wake-queue-before-tick-notfound-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-before-tick-notfound-preserve-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and deeper FINAL_* stage receipts in scripts/baremetal-qemu-wake-queue-before-tick-probe-check.ps1 (they reuse the broad stale-entry drain QEMU probe but fail directly on the baseline queue shape, first stale cutoff, bounded second drain, final result_not_found, and preserved final survivor state after the rejected drain).
[x] Bare-metal wake queue reason+vector selective drain slice shipped:
new mailbox opcode: command_wake_queue_pop_reason_vector (arg0=reason|(vector<<8), arg1=count, count=0 defaults to one)
new export telemetry: oc_wake_queue_reason_vector_count(reason, vector) for exact-pair wake backlog checks
regression coverage added for exact-pair pop ordering and invalid-reason rejection behavior
[x] Bare-metal wake queue summary snapshot slice shipped:
new export telemetry: oc_wake_queue_summary() (len/overflow, reason mix, nonzero-vector count, stale count, oldest/newest tick)
ABI contract extended with BaremetalWakeQueueSummary
regression coverage added for summary field correctness before/after selective drains
[x] Bare-metal wake queue age-bucket snapshot slice shipped:
new export telemetry: oc_wake_queue_age_buckets(quantum_ticks) (current_tick, quantum_ticks, stale_count, stale_older_than_quantum_count, future_count)
ABI contract extended with BaremetalWakeQueueAgeBuckets
regression coverage added for age-bucket field correctness under mixed stale/future wake entries
[x] Bare-metal wake queue count-snapshot slice shipped:
new live QEMU gate: scripts/baremetal-qemu-wake-queue-count-snapshot-probe-check.ps1
exported count-query snapshot pointers (oc_wake_queue_count_query_ptr, oc_wake_queue_count_snapshot_ptr) are now exercised against a five-entry mixed timer/interrupt/manual queue without mutating queue state
live proof validates three query shapes end to end: interrupt@13 <= tick(11) -> 2/2/2, interrupt@31 <= tick(17) -> 1/4/1, and manual@31 <= tick(20) -> 1/5/0
[x] Bare-metal interrupt mask control slice shipped:
new mailbox opcodes: command_interrupt_mask_set (arg0=vector, arg1=masked 0|1), command_interrupt_mask_clear_all, command_interrupt_mask_reset_ignored_counts, and command_interrupt_mask_apply_profile
new x86 bootstrap exports: oc_interrupt_mask_ptr, oc_interrupt_mask_is_set, oc_interrupt_masked_count, oc_interrupt_mask_ignored_count, oc_interrupt_mask_profile, oc_interrupt_last_masked_vector, oc_interrupt_mask_ignored_vector_counts_ptr, oc_interrupt_mask_ignored_vector_count, oc_interrupt_mask_set, oc_interrupt_mask_clear_all, oc_interrupt_mask_reset_ignored_counts, oc_interrupt_mask_apply_profile
runtime behavior: masked non-exception interrupts are ignored while exception vectors remain non-maskable
interrupt-mask profiles now supported: none, external_all, external_high, and automatic custom profile tracking on manual mask edits
regression coverage added for masked wake suppression, per-vector ignored-interrupt telemetry, reset semantics, profile application windows, and command argument validation
[x] Bare-metal interrupt-mask wrapper isolation batch shipped:
new wrapper probes: scripts/baremetal-qemu-interrupt-mask-custom-profile-preserve-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-invalid-input-preserve-state-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-reset-ignored-preserve-mask-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-profile-boundary-probe-check.ps1, and scripts/baremetal-qemu-interrupt-mask-exception-delivery-probe-check.ps1
broad profile/control probes now emit the immediate post-invalid and post-reset mask-state snapshots required for wrapper-level assertions
[x] Bare-metal interrupt-mask control wrapper batch shipped:
new wrapper probes: scripts/baremetal-qemu-interrupt-mask-control-baseline-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-control-unmask-delivery-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-control-invalid-preserve-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-control-reset-ignored-probe-check.ps1, and scripts/baremetal-qemu-interrupt-mask-control-final-state-probe-check.ps1
host regression now asserts invalid vector/state preservation and final clear-all ignored-vector collapse directly in src/baremetal_main.zig
broad direct-control probe remains the source lane while the wrapper family hard-fails on the five narrow boundaries without relying on later cleanup stages
live wrapper coverage now isolates five narrow guarantees: custom profile drift retention, invalid input preserving custom state, ignored-count reset without mask-table mutation, external_high boundary plus invalid-profile rejection, and non-maskable exception delivery while an external vector remains masked
[x] Bare-metal interrupt-mask profile wrapper validation shipped:
new wrapper probes: scripts/baremetal-qemu-interrupt-mask-profile-external-all-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-profile-unmask-recovery-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-profile-custom-profile-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-profile-reset-ignored-counts-probe-check.ps1, and scripts/baremetal-qemu-interrupt-mask-profile-none-clear-all-probe-check.ps1
broad profile probe now supports direct wrapper-level assertions for the masked external_all baseline, vector-200 unmask wake recovery, live custom profile drift plus ignored-count accumulation, ignored-count reset isolation, and final none / clear_all recovery with preserved wake/task state
live wrapper coverage now isolates the five narrow profile-lifecycle guarantees that were previously only implied by the broader profile sequence and the separate boundary wrapper
[x] Bare-metal interrupt-mask/exception wrapper validation shipped:
new wrapper probes: scripts/baremetal-qemu-interrupt-mask-exception-baseline-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-exception-masked-interrupt-blocked-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-exception-delivery-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-exception-history-capture-probe-check.ps1, and scripts/baremetal-qemu-interrupt-mask-exception-final-state-probe-check.ps1
broad exception probe now uses run-stamped GDB/QEMU log paths so repeated wrapper executions cannot collide on shared log names
live wrapper coverage now isolates five narrow guarantees: masked baseline posture, blocked external suppression, non-maskable exception wake delivery, captured interrupt/exception history receipts, and final ready-state wake payload integrity
[x] scripts/baremetal-qemu-interrupt-mask-control-probe-check.ps1 (optional PVH/QEMU probe proves direct command_interrupt_mask_set, invalid vector/state rejection, ignored-count reset, and final command_interrupt_mask_clear_all recovery against the freestanding artifact)
[x] scripts/zig-codeberg-master-check.ps1 (reports local vs remote master hash)
[x] Multi-baseline method diff check: Go(latest)=134, Original(latest)=95, OriginalBeta(latest)=95, Union=136, Zig=170, missing_in_zig=0, union_extras=34
[x] Multi-baseline gateway event diff check: OriginalEvents(latest)=19, OriginalBetaEvents(latest)=19, UnionEvents=19, ZigEvents=19, union_events_missing_in_zig=0
[x] Rust-vs-Zig method diff check: Rust=124, Zig=143, missing_in_zig=0, zig_extras=19
[x] Smoke scripts now run against built binary (zig-out/bin/openclaw-zig.exe) with readiness loops + early-exit diagnostics:
scripts/docker-smoke-check.ps1 -> host+docker HTTP 200
scripts/gateway-auth-smoke-check.ps1 -> token-gated /rpc + websocket unauthorized/authorized contract checks
scripts/websocket-smoke-check.ps1 -> websocket connect + RPC text/binary-frame response on /ws and root compatibility route /
scripts/web-login-smoke-check.ps1 -> start/wait/complete/status HTTP 200
scripts/telegram-reply-loop-smoke-check.ps1 -> send/poll/auth lifecycle HTTP 200
[x] scripts/docker-smoke-check.ps1 (host + Docker HTTP 200 checks on /health and /rpc)
[x] scripts/gateway-auth-smoke-check.ps1 (OPENCLAW_ZIG_GATEWAY_REQUIRE_TOKEN=true with verified 401/200 for /rpc and unauthorized/authorized websocket upgrade behavior)
[x] scripts/websocket-smoke-check.ps1 (GET /ws websocket upgrade + root websocket compatibility route + status/health RPC text and binary-frame dispatch)
[x] Websocket smoke scripts now use bounded receive timeouts to prevent indefinite hangs on stalled websocket frames.
[x] scripts/web-login-smoke-check.ps1 (web.login.start -> wait -> complete -> status all HTTP 200 with authorized completion)
[x] scripts/telegram-reply-loop-smoke-check.ps1 (send /auth start -> send /auth complete -> send chat -> poll all HTTP 200 with non-empty queued replies)
[x] scripts/telegram-reply-loop-smoke-check.ps1 now also validates /auth link guidance payload includes active code/session + completion command hints.
[x] scripts/web-login-smoke-check.ps1 re-run after browser-probe changes (start/wait/complete/status still HTTP 200 with authorized completion).
[x] scripts/system-maintenance-smoke-check.ps1 (system.maintenance.plan -> run(dry-run+apply) -> status all HTTP 200 with lifecycle contract checks)
[x] scripts/appliance-control-plane-smoke-check.ps1 (system.boot.status -> policy.get/set -> verify(fail/ok) -> attest/attest.verify(signature-required) -> rollback.plan/cancel/run(dry-run+apply) -> secure-boot-gated update.run all HTTP 200 with contract checks)
[x] scripts/appliance-restart-recovery-smoke-check.ps1 (persisted compat-state.json replay across restart: boot policy + verification + update head + rollback plan survive stop/start and remain actionable after recovery)
[x] scripts/appliance-minimal-profile-smoke-check.ps1 (readiness contract proves persisted OPENCLAW_ZIG_STATE_PATH, enforced control-plane token auth, secure-boot update gate, required signer, and current boot verification transition not_ready -> ready over live HTTP RPC)
[x] scripts/appliance-baremetal-closure-smoke-check.ps1 (composed FS6 acceptance receipt proves appliance control-plane, minimal profile, rollout, restart recovery, bare-metal smoke, QEMU smoke, runtime progression, and command-loop behavior all pass together from one gate)
[x] scripts/baremetal-qemu-scheduler-probe-check.ps1 (optional PVH/QEMU scheduler probe proves scheduler reset, timeslice update, task creation, policy switch, and live dispatch telemetry end to end against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-priority-budget-probe-check.ps1 (optional PVH/QEMU scheduler priority/budget probe proves command_scheduler_set_default_budget seeds zero-budget task creation and command_task_set_priority flips live dispatch order under the priority scheduler against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-priority-budget-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-default-budget-inheritance-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-priority-dominance-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-reprioritize-low-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-invalid-preserve-probe-check.ps1 (optional PVH/QEMU scheduler priority/budget wrapper probes split the broad lane into isolated baseline, default-budget inheritance, initial priority dominance, low-task reprioritize takeover, and invalid-input preservation checks against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-round-robin-probe-check.ps1 (optional PVH/QEMU scheduler round-robin probe proves the default scheduler policy ignores priority bias and rotates dispatch fairly across two live tasks with deterministic budget consumption against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-round-robin-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-first-dispatch-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-second-dispatch-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-third-dispatch-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-final-task-state-probe-check.ps1 (optional PVH/QEMU scheduler round-robin wrapper probes split the broad lane into isolated baseline, first-dispatch, second-dispatch rotation, third-dispatch return, and final scheduler/task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-timeslice-update-probe-check.ps1 (optional PVH/QEMU scheduler timeslice-update probe proves live command_scheduler_set_timeslice changes immediately alter subsequent budget consumption under active load and invalid zero leaves the active timeslice unchanged against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-timeslice-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-update-4-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-update-2-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-invalid-zero-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-final-task-state-probe-check.ps1 (optional PVH/QEMU scheduler timeslice wrapper probes split the broad lane into isolated baseline, update-to-4, update-to-2, invalid-zero preservation, and final dispatch/task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-disable-enable-probe-check.ps1 (optional PVH/QEMU scheduler disable-enable probe proves live command_scheduler_disable freezes dispatch/budget burn across idle ticks and command_scheduler_enable resumes consumption immediately on the same task against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-disable-enable-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-disabled-freeze-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-idle-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-resume-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-final-task-state-probe-check.ps1 (optional PVH/QEMU scheduler disable-enable wrapper probes split the broad lane into isolated baseline, disabled freeze-state, idle disabled preservation, resume metadata, and final task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-task-lifecycle-wait1-baseline-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-wake1-manual-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-wait2-baseline-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-wake2-manual-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-terminate-rejected-wake-probe-check.ps1 (optional PVH/QEMU task-lifecycle wrapper probes split the broad lane into isolated initial wait baseline, first manual wake delivery, second wait baseline, second manual wake delivery after command_task_resume, and final terminate plus rejected-wake checks with queue purge for the terminated task against the freestanding artifact)
[x] scripts/baremetal-qemu-active-task-terminate-baseline-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-failover-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-repeat-idempotent-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-survivor-progress-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-final-collapse-probe-check.ps1 (optional PVH/QEMU active-task terminate wrapper probes split the broad lane into isolated pre-terminate active baseline, immediate failover, repeat-idempotent receipt, survivor progress, and final empty-run collapse checks against the freestanding artifact)
[x] scripts/baremetal-qemu-panic-recovery-baseline-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-freeze-state-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-idle-preserve-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-mode-recovery-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-final-task-state-probe-check.ps1 (optional PVH/QEMU panic-recovery wrapper probes split the broad lane into isolated pre-panic baseline, panic freeze-state, idle panic preservation, mode-recovery resume, and final recovered task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-panic-wake-recovery-baseline-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-freeze-state-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-preserved-wakes-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-mode-recovery-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-final-task-state-probe-check.ps1 (optional PVH/QEMU panic-wake recovery wrapper probes split the broad lane into isolated pre-panic waiting baseline, panic freeze-state, preserved interrupt+timer wake queue delivery, mode-recovery dispatch resume, and final recovered task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-reset-probe-check.ps1 (optional PVH/QEMU scheduler reset probe proves live command_scheduler_reset clears active scheduler state back to defaults, restarts task IDs at 1, and allows clean task creation + dispatch after re-enable against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-collapse-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-id-restart-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-defaults-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-final-task-state-probe-check.ps1 (optional PVH/QEMU scheduler reset wrapper probes split the broad lane into isolated dirty-baseline, reset-collapse, task-ID-restart, defaults-preservation, and final resumed task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-reset-mixed-state-probe-check.ps1 (optional PVH/QEMU scheduler reset mixed-state probe proves live command_scheduler_reset scrubs queued wakes plus armed task timers under stale mixed load, clears timeout arms, preserves timer quantum, and resumes fresh timer scheduling from the preserved next_timer_id against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-reset-mixed-state-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-mixed-state-post-reset-collapse-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-mixed-state-preserved-config-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-mixed-state-idle-stability-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-mixed-state-rearm-state-probe-check.ps1 (optional PVH/QEMU scheduler reset mixed-state wrapper probes split the broad mixed-state lane into isolated dirty-baseline, post-reset collapse, preserved timer configuration, idle-stability, and fresh re-arm state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-policy-switch-probe-check.ps1 (optional PVH/QEMU scheduler policy-switch probe proves live round-robin to priority to round-robin transitions under active load, low-task reprioritization takes effect on the next priority tick, and invalid policy 9 is rejected without changing the active round-robin policy against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-wake-probe-check.ps1 (optional PVH/QEMU timer/wake probe proves timer reset, tick-quantum update, task create + task_wait_for, fired timer entry state, and wake-queue telemetry end to end against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-wake-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-wake-task-state-probe-check.ps1, scripts/baremetal-qemu-timer-wake-timer-telemetry-probe-check.ps1, scripts/baremetal-qemu-timer-wake-wake-payload-probe-check.ps1, and scripts/baremetal-qemu-timer-wake-mailbox-state-probe-check.ps1 (optional PVH/QEMU timer-wake wrapper probes split the broad one-shot timer-wake lane into isolated bootstrap baseline, final task-state telemetry, fired timer telemetry, exact timer wake payload, and final mailbox receipt checks against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-quantum-probe-check.ps1 (optional PVH/QEMU timer-quantum probe proves one-shot command_timer_schedule respects command_timer_set_quantum, keeps the task waiting with wake_queue_len=0 at the pre-boundary tick, and only wakes on the next quantum boundary against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-quantum-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-boundary-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-preboundary-blocked-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-wake-payload-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-final-state-probe-check.ps1 (optional PVH/QEMU timer-quantum wrapper probes split the broad one-shot quantum lane into isolated armed-baseline, computed-boundary, pre-boundary blocked, timer wake payload, and final timer/task-state checks against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-cancel-task-probe-check.ps1 (optional PVH/QEMU timer cancel-task probe proves command_timer_cancel_task collapses the armed timer entry count from 1 to 0, preserves the canceled slot state, and returns result_not_found on a second cancel against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-cancel-task-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-cancel-collapse-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-canceled-entry-preserve-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-second-cancel-notfound-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-zero-wake-telemetry-probe-check.ps1 (optional PVH/QEMU timer cancel-task wrapper probes split the broad task-cancel lane into isolated armed-baseline, first-cancel collapse, canceled-slot preservation, second-cancel notfound, and zero wake/dispatch telemetry checks against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-probe-check.ps1 (optional PVH/QEMU timer cancel-task interrupt-timeout probe proves command_timer_cancel_task clears timeout-backed interrupt waits back to steady state, keeps wait_timeout=0, and still allows the later real interrupt wake to land exactly once against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-cancel-clear-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-interrupt-recovery-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-no-stale-timeout-probe-check.ps1, and scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-telemetry-preserve-probe-check.ps1 (optional PVH/QEMU timer cancel-task interrupt-timeout wrapper probes split the broad timeout-backed task-cancel lane into isolated armed-timeout preservation, immediate cancel-clear state, preserved interrupt-only recovery, no-stale-timeout settle-window, and final mailbox/interrupt telemetry checks against the freestanding artifact)
[x] scripts/baremetal-qemu-timer-reset-recovery-probe-check.ps1 (optional PVH/QEMU timer-reset recovery probe proves command_timer_reset clears live timer entries plus timeout-backed interrupt waits back to steady baseline, prevents stale timeout wakes after reset, preserves manual + interrupt wake recovery, and restarts fresh timer allocation from timer_id=1 against the freestanding artifact)
[x] scripts/baremetal-qemu-task-resume-timer-clear-probe-check.ps1 (optional PVH/QEMU task-resume timer-clear probe proves command_task_resume on a timer-backed wait cancels the armed timer entry, queues exactly one manual wake, prevents a later ghost timer wake after idle ticks, preserves timer quantum, and restarts fresh timer scheduling from the preserved next_timer_id against the freestanding artifact)
[x] scripts/baremetal-qemu-task-resume-interrupt-timeout-probe-check.ps1 (optional PVH/QEMU task-resume interrupt-timeout probe proves command_task_resume on an interrupt-timeout waiter clears the pending timeout back to none, queues exactly one manual wake, prevents a later ghost timer wake after additional slack ticks, and leaves the timer subsystem at next_timer_id=1 against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-wake-timer-clear-probe-check.ps1 (optional PVH/QEMU scheduler-wake timer-clear probe proves command_scheduler_wake_task on a pure timer waiter cancels the armed timer entry, queues exactly one manual wake, prevents a later ghost timer wake after idle ticks, and preserves fresh timer scheduling from the current next_timer_id against the freestanding artifact)
[x] scripts/baremetal-qemu-scheduler-wake-timer-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-wait-clear-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-canceled-entry-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-manual-wake-probe-check.ps1, and scripts/baremetal-qemu-scheduler-wake-timer-clear-rearm-telemetry-probe-check.ps1 (optional PVH/QEMU scheduler-wake timer-clear wrapper probes split that broad pure-timer wake lane into isolated armed-baseline, wait-clear, canceled-entry, manual-wake-payload, and rearm/dispatch-telemetry checks against the freestanding artifact)
[x] scripts/baremetal-qemu-periodic-timer-probe-check.ps1 (optional PVH/QEMU periodic timer probe proves command_timer_schedule_periodic plus command_timer_disable/command_timer_enable pause-resume behavior and captures the first resumed periodic fire/wake snapshot end to end against the freestanding artifact)
[x] scripts/baremetal-qemu-periodic-timer-baseline-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-first-fire-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-paused-window-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-resumed-cadence-probe-check.ps1, and scripts/baremetal-qemu-periodic-timer-telemetry-preserve-probe-check.ps1 (optional PVH/QEMU periodic-timer wrapper probes split the broad pause-resume lane into isolated baseline, first-fire, paused-window, resumed-cadence, and final telemetry checks against the freestanding artifact)
[x] scripts/baremetal-qemu-periodic-timer-clamp-probe-check.ps1 (optional PVH/QEMU periodic timer clamp probe proves a periodic timer armed at u64::max-1 fires once at 18446744073709551615, re-arms to the same saturated deadline without wrapping, and then remains stable after the runtime tick counter wraps to 0)
[x] scripts/baremetal-qemu-periodic-timer-clamp-baseline-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-clamp-first-fire-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-clamp-saturated-rearm-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-clamp-post-wrap-hold-probe-check.ps1, and scripts/baremetal-qemu-periodic-timer-clamp-telemetry-preserve-probe-check.ps1 (optional PVH/QEMU periodic timer clamp wrapper probes split the broad lane into isolated near-u64::max baseline, first-fire wrap, saturated re-arm, post-wrap hold, and final wake-telemetry checks against the freestanding artifact)
[x] scripts/baremetal-qemu-periodic-interrupt-probe-check.ps1 (optional PVH/QEMU periodic-interrupt probe proves mixed periodic timer plus interrupt wake ordering, keeps the periodic cadence intact, and shows timer cancellation prevents a later timeout leak against the freestanding artifact)
[x] scripts/baremetal-qemu-periodic-interrupt-baseline-fire-probe-check.ps1, scripts/baremetal-qemu-periodic-interrupt-interrupt-wake-payload-probe-check.ps1, scripts/baremetal-qemu-periodic-interrupt-periodic-cadence-probe-check.ps1, scripts/baremetal-qemu-periodic-interrupt-cancel-no-late-timeout-probe-check.ps1, and scripts/baremetal-qemu-periodic-interrupt-telemetry-ordering-probe-check.ps1 (optional PVH/QEMU periodic-interrupt wrappers prove first periodic timer wake ordering before the interrupt lands, exact interrupt wake payload semantics, preserved periodic cadence after the interrupt wake, clean cancel-with-no-late-timeout-leak behavior, and preserved mixed interrupt/timer telemetry after settlement against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-probe-check.ps1 (optional PVH/QEMU interrupt-timeout probe proves task_wait_interrupt_for wakes on interrupt before deadline, clears the timeout arm, and does not later leak a second timer wake against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-interrupt-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-wait-clear-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-no-stale-timer-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-telemetry-preserve-probe-check.ps1 (optional PVH/QEMU interrupt-timeout interrupt-wins wrappers prove preserved armed timeout identity before the interrupt lands, exact interrupt wake payload semantics, cleared wait-kind/vector/timeout state after the interrupt wake, no stale timer wake after slack ticks, and preserved interrupt telemetry against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-manual-wake-probe-check.ps1 (optional PVH/QEMU interrupt-timeout manual-wake probe proves command_scheduler_wake_task clears the pending interrupt-timeout wait state, queues a single manual wake, and does not later leak a timer wake against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-timer-probe-check.ps1 (optional PVH/QEMU interrupt-timeout timer probe proves task_wait_interrupt_for stays blocked until the timeout path wins, then queues a timer wake with reason=timer, vector=0, and zero interrupt telemetry against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-timer-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-timer-deadline-blocked-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-timer-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-timer-no-duplicate-wake-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-timer-telemetry-preserve-probe-check.ps1 (optional PVH/QEMU interrupt-timeout timer wrappers prove preserved armed timeout identity, deadline-edge blocked state with zero wake queue, timer wake payload semantics, no duplicate timer wake after slack ticks, and preserved zero-interrupt telemetry against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-clamp-probe-check.ps1 (optional PVH/QEMU interrupt-timeout clamp probe proves near-u64::max task_wait_interrupt_for deadlines saturate at 18446744073709551615, queue a timer wake at that saturated tick, and still wrap the live wake boundary cleanly to 0 against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-timeout-clamp-baseline-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-clamp-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-clamp-saturated-boundary-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-clamp-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-clamp-final-telemetry-probe-check.ps1 (optional PVH/QEMU interrupt-timeout clamp wrapper probes split the broad lane into isolated baseline, arm-preservation, saturated-boundary, wake-payload, and final-telemetry checks)
[x] scripts/baremetal-qemu-task-terminate-interrupt-timeout-probe-check.ps1 (optional PVH/QEMU task-terminate interrupt-timeout probe proves command_task_terminate clears timeout-backed interrupt waits for the terminated task, leaves queued wake and timer state empty, and prevents later ghost interrupt or timeout wake delivery against the freestanding artifact)
[x] scripts/baremetal-qemu-wake-queue-selective-probe-check.ps1 (optional PVH/QEMU wake-queue selective probe proves timer, interrupt, and manual wake generation plus command_wake_queue_pop_reason, command_wake_queue_pop_vector, command_wake_queue_pop_reason_vector, and command_wake_queue_pop_before_tick against the freestanding artifact, with live vector-count, reason+vector-count, before-tick-count, and invalid-pair telemetry checks through oc_wake_queue_count_query_ptr + oc_wake_queue_count_snapshot_ptr)
[x] scripts/baremetal-qemu-wake-queue-selective-overflow-probe-check.ps1 (optional PVH/QEMU wake-queue selective-overflow probe proves wrapped-ring selective drains keep FIFO survivor ordering after 66 alternating interrupt@13 / interrupt@31 wake cycles, including command_wake_queue_pop_vector and command_wake_queue_pop_reason_vector against the freestanding artifact)
[x] scripts/baremetal-qemu-wake-queue-before-tick-overflow-probe-check.ps1 (optional PVH/QEMU wake-queue before-tick-overflow probe proves wrapped-ring deadline drains keep FIFO survivor ordering after 66 alternating interrupt@13 / interrupt@31 wake cycles, including command_wake_queue_pop_before_tick clamp behavior across full-drain and empty-queue result_not_found paths against the freestanding artifact)
[x] scripts/baremetal-qemu-wake-queue-reason-overflow-probe-check.ps1 (optional PVH/QEMU wake-queue reason-overflow probe proves wrapped-ring mixed manual/interrupt drains keep FIFO survivor ordering after 66 alternating wake cycles, including command_wake_queue_pop_reason clamp behavior across partial-drain and final-singleton removal paths against the freestanding artifact)
[x] Added bare-metal optional QEMU wake-queue reason-overflow wrapper probes (scripts/baremetal-qemu-wake-queue-reason-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-overflow-manual-drain-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-overflow-manual-survivors-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-overflow-interrupt-drain-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-reason-overflow-interrupt-survivors-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig (the wrappers reuse the broad wrapped mixed-reason lane but fail directly on the overflow baseline, post-manual drain collapse, lone retained manual survivor ordering, post-final manual drain collapse, and final all-interrupt survivor ordering over the PVH freestanding artifact).
[x] scripts/baremetal-qemu-wake-queue-reason-vector-pop-probe-check.ps1 (optional PVH/QEMU wake-queue reason-vector-pop probe proves a dedicated four-entry mixed queue (manual, interrupt@13, interrupt@13, interrupt@19) drains only the exact interrupt@13 pairs through command_wake_queue_pop_reason_vector, preserves surrounding FIFO survivors, and rejects reason+vector=0 against the freestanding artifact)
[x] Added bare-metal optional QEMU wake-queue reason-vector-pop wrapper probes (scripts/baremetal-qemu-wake-queue-reason-vector-pop-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-vector-pop-first-match-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-vector-pop-survivor-order-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-vector-pop-invalid-pair-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-reason-vector-pop-invalid-preserve-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig and deeper MID_* / FINAL_* stage receipts in scripts/baremetal-qemu-wake-queue-reason-vector-pop-probe-check.ps1 (they reuse the broad dedicated mixed-queue lane but fail directly on baseline composition, first exact-pair survivor ordering, final manual-plus-19 survivor ordering, invalid-pair rejection, and invalid-pair state preservation).
[x] scripts/baremetal-qemu-wake-queue-summary-age-probe-check.ps1 (optional PVH/QEMU wake-queue summary/age probe proves exported summary and age-bucket telemetry snapshots stay correct before and after selective queue drains against the freestanding artifact)
[x] Added bare-metal wake-queue summary/age wrapper probes (scripts/baremetal-qemu-wake-queue-summary-age-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-summary-age-pre-summary-probe-check.ps1, scripts/baremetal-qemu-wake-queue-summary-age-pre-age-probe-check.ps1, scripts/baremetal-qemu-wake-queue-summary-age-post-summary-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-summary-age-post-age-probe-check.ps1) plus matching host-regression tightening in src/baremetal_main.zig (the wrappers reuse the broad exported-summary lane but fail directly on the five-entry baseline, pre-drain summary snapshot, pre-drain age buckets, post-drain summary snapshot, and post-drain age buckets plus final-stability invariants over the PVH freestanding artifact)
[x] scripts/baremetal-qemu-wake-queue-count-snapshot-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-count-snapshot-query1-probe-check.ps1, scripts/baremetal-qemu-wake-queue-count-snapshot-query2-probe-check.ps1, scripts/baremetal-qemu-wake-queue-count-snapshot-query3-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-count-snapshot-nonmutating-read-probe-check.ps1 (optional PVH/QEMU wake-queue count-snapshot wrappers reuse the broad count-query lane and fail directly on baseline queue ordering, staged vector/before-tick/reason+vector count transitions, and nonmutating mailbox-read invariants against the freestanding artifact)
[x] scripts/baremetal-qemu-wake-queue-clear-probe-check.ps1 (optional PVH/QEMU wake-queue clear probe proves a wrapped 64-entry manual wake ring clears back to count/head/tail/overflow = 0, resets pending wake telemetry, and reuses the queue at seq=1 against the freestanding artifact)
[x] Added bare-metal optional QEMU wake-queue clear wrapper probes (scripts/baremetal-qemu-wake-queue-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-clear-collapse-probe-check.ps1, scripts/baremetal-qemu-wake-queue-clear-pending-reset-probe-check.ps1, scripts/baremetal-qemu-wake-queue-clear-reuse-shape-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-clear-reuse-payload-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig (the wrappers reuse the broad clear-and-reuse lane but fail directly on the wrapped baseline, post-clear ring collapse, post-clear pending-wake reset, post-reuse queue shape, and post-reuse payload invariants over the PVH freestanding artifact).
[x] scripts/baremetal-qemu-wake-queue-batch-pop-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-batch-pop-survivor-pair-probe-check.ps1, scripts/baremetal-qemu-wake-queue-batch-pop-single-survivor-probe-check.ps1, scripts/baremetal-qemu-wake-queue-batch-pop-drain-empty-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-batch-pop-refill-reuse-probe-check.ps1 (optional PVH/QEMU wake-queue batch-pop wrappers reuse the broad batch-drain lane and fail directly on overflow baseline stability, retained seq 65 -> 66 survivors, single-survivor state, drained-empty queue state, and refill/reuse invariants against the freestanding artifact)
[x] scripts/baremetal-qemu-wake-queue-vector-pop-probe-check.ps1 (optional PVH/QEMU wake-queue vector-pop probe proves the dedicated command_wake_queue_pop_vector lane over a live four-entry mixed queue, removing only vector 13 wakes in FIFO order while preserving the surrounding manual / interrupt@31 survivors and ending with vector 255 result_not_found against the freestanding artifact)
[x] scripts/baremetal-qemu-bootdiag-history-clear-probe-check.ps1 (optional PVH/QEMU bootdiag/history-clear probe proves command_reset_boot_diagnostics, command_clear_command_history, and command_clear_health_history semantics live, including pre-reset stack/phase capture and post-clear ring contents against the freestanding artifact)
[x] scripts/baremetal-qemu-descriptor-table-content-probe-check.ps1 (optional PVH/QEMU descriptor-table content probe proves gdtr/idtr limits+bases, code/data gdt entry fields, and idt[0]/idt[255] selector/type/stub wiring survive live descriptor reinit/load against the freestanding artifact)
[x] Added bare-metal optional QEMU descriptor-table-content wrapper probes (scripts/baremetal-qemu-descriptor-table-content-baseline-probe-check.ps1, scripts/baremetal-qemu-descriptor-table-content-pointer-metadata-probe-check.ps1, scripts/baremetal-qemu-descriptor-table-content-gdt-entry-fields-probe-check.ps1, scripts/baremetal-qemu-descriptor-table-content-idt-entry-fields-probe-check.ps1, and scripts/baremetal-qemu-descriptor-table-content-interrupt-stub-mailbox-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad descriptor-table-content QEMU probe but fail directly on the narrow boundaries for baseline mailbox state, descriptor pointer metadata, exact GDT entry fields, exact IDT entry fields, and final interrupt-stub/mailbox invariants over the PVH freestanding artifact).
[x] scripts/baremetal-qemu-descriptor-dispatch-probe-check.ps1 (optional PVH/QEMU descriptor-dispatch probe proves descriptor reinit/load and post-load command_trigger_interrupt + command_trigger_exception stay coherent with interrupt/exception counters and history-ring payloads against the freestanding artifact)
[x] scripts/baremetal-qemu-vector-history-overflow-probe-check.ps1 (optional PVH/QEMU probe proves interrupt/exception counter resets, interrupt history saturation (35 -> len 32 / overflow 3), exception history saturation (19 -> len 16 / overflow 3), and per-vector telemetry against the freestanding artifact)
[x] Added bare-metal optional QEMU vector history overflow wrapper probes (scripts/baremetal-qemu-vector-history-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-vector-history-overflow-interrupt-overflow-probe-check.ps1, scripts/baremetal-qemu-vector-history-overflow-exception-overflow-probe-check.ps1, scripts/baremetal-qemu-vector-history-overflow-vector-telemetry-probe-check.ps1, and scripts/baremetal-qemu-vector-history-overflow-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad vector-history-overflow lane but fail directly on the final mailbox baseline, phase-A interrupt overflow, phase-B exception overflow, phase-B vector telemetry, and final mailbox-state invariants).
[x] scripts/baremetal-qemu-command-health-history-probe-check.ps1 (optional PVH/QEMU probe proves repeated command_set_health_code mailbox execution, command history saturation (35 -> len 32 / overflow 3), health history saturation (71 -> len 64 / overflow 7), and retained oldest/newest payload ordering against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-mask-profile-probe-check.ps1 (optional PVH/QEMU interrupt-mask profile probe proves external-all, custom unmask/remask, ignored-count reset, external-high, invalid profile rejection, and clear-all recovery against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-probe-check.ps1 (optional PVH/QEMU interrupt-mask clear-all recovery probe proves command_interrupt_mask_clear_all restores wake delivery after direct mask manipulation, collapses ignored-count telemetry back to 0, and returns the runtime to mask profile none against the freestanding artifact)
[x] scripts/baremetal-qemu-allocator-syscall-probe-check.ps1 (optional PVH/QEMU allocator/syscall probe proves alloc/free and syscall register/invoke/block/disable/re-enable/clear-flags/unregister paths end to end against the freestanding artifact, then proves command_allocator_reset and command_syscall_reset clear the dirtied runtime state back to steady baseline)
[x] scripts/baremetal-qemu-allocator-syscall-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-alloc-stage-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-invoke-stage-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-guard-stage-probe-check.ps1, and scripts/baremetal-qemu-allocator-syscall-final-reset-state-probe-check.ps1 (optional PVH/QEMU allocator/syscall wrapper probes split the broad happy-path lane into isolated mailbox-baseline, allocation-stage page/bitmap, invoke-stage dispatch/result, blocked/disabled/re-enabled guard semantics, and final allocator/syscall reset-baseline assertions against the freestanding artifact)
[x] scripts/baremetal-qemu-allocator-syscall-failure-probe-check.ps1 (optional PVH/QEMU allocator/syscall failure probe proves invalid-alignment, no-space, blocked-syscall, and disabled-syscall result semantics plus command-result counters end to end against the freestanding artifact)
[x] scripts/baremetal-qemu-allocator-syscall-failure-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-failure-invalid-align-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-failure-no-space-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-failure-blocked-probe-check.ps1, and scripts/baremetal-qemu-allocator-syscall-failure-final-state-probe-check.ps1 (optional PVH/QEMU allocator/syscall failure wrapper probes split the broad lane into isolated final-mailbox, invalid-alignment allocator preservation, no-space allocator preservation, blocked-syscall state preservation, and final disabled-syscall/result-counter invariant checks against the freestanding artifact)
[x] scripts/baremetal-qemu-command-result-counters-probe-check.ps1 (optional PVH/QEMU command-result counters probe proves mailbox result categories (ok, invalid_argument, not_supported, other_error) accumulate correctly and command_reset_command_result_counters resets the live struct back to a single reset ok against the freestanding artifact)
[x] scripts/baremetal-qemu-reset-counters-probe-check.ps1 (optional PVH/QEMU reset-counters probe proves command_reset_counters collapses live interrupt, exception, scheduler, allocator, syscall, timer, wake-queue, mode, boot-phase, command-history, and health-history state back to the steady baseline against the freestanding artifact)
[x] scripts/baremetal-qemu-interrupt-mask-exception-probe-check.ps1 (optional PVH/QEMU interrupt-mask/exception probe proves masked external vectors stay blocked while exception vectors still wake the waiting task and record interrupt/exception history telemetry end to end against the freestanding artifact)
[x] scripts/baremetal-smoke-check.ps1 (zig build baremetal + artifact presence/size checks for freestanding image)
[x] scripts/baremetal-smoke-check.ps1 now validates ELF + Multiboot2 magic in the freestanding image.
[x] scripts/baremetal-smoke-check.ps1 now validates .multiboot section + required exported symbols (_start, oc_tick, oc_tick_n, oc_status_ptr, oc_command_ptr, oc_kernel_info_ptr, oc_submit_command, kernel_info, multiboot2_header) from ELF symtab.
[x] Bare-metal ABI v2 contract slice shipped:
shared ABI module: src/baremetal/abi.zig (status/command/kernel-info structs, mode/feature/opcode constants)
freestanding runtime exports command mailbox and kernel introspection hooks (oc_command_ptr, oc_submit_command, oc_kernel_info_ptr)
freestanding runtime supports command processing on tick loop (set health, set feature flags, set mode, reset counters, set tick batch, panic flag)
[x] Bare-metal x86 bootstrap slice shipped:
new descriptor-table + interrupt module: src/baremetal/x86_bootstrap.zig
runtime now initializes descriptor tables on bare-metal start/tick paths
exported bootstrap contracts enforced in smoke gate:
oc_gdtr_ptr, oc_idtr_ptr, oc_gdt_ptr, oc_idt_ptr
oc_descriptor_tables_ready, oc_interrupt_stub, oc_trigger_interrupt
oc_interrupt_count, oc_last_interrupt_vector


[x] scripts/baremetal-qemu-smoke-check.ps1 added for optional boot smoke with debug-exit validation (zig build baremetal -Dbaremetal-qemu-smoke=true); script auto-skips when QEMU is unavailable.
[x] scripts/baremetal-qemu-runtime-oc-tick-check.ps1 added for non-smoke runtime boot progression validation (_start -> oc_tick) under QEMU+GDB with PVH artifact build.
[x] scripts/baremetal-qemu-command-loop-check.ps1 added for non-smoke mailbox command-loop validation under QEMU+GDB with PVH artifact build (_start -> injected command_set_tick_batch_hint -> spinPause with ack=1, last_opcode=6, last_result=0, ticks=7, tick_batch_hint=7).
[x] Added bare-metal mailbox host regression coverage in src/baremetal_main.zig for invalid mailbox header rejection, stale-sequence replay no-op semantics, deterministic u64 mailbox-sequence wraparound, descriptor reinit/load through mailbox commands, isolated vector-counter reset, and default-budget invalid-zero rejection.
[x] Added bare-metal optional QEMU mailbox header validation probe (scripts/baremetal-qemu-mailbox-header-validation-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (invalid magic / api_version rejection advances ack without executing the command, then the next valid mailbox command recovers cleanly over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU mailbox stale-seq probe (scripts/baremetal-qemu-mailbox-stale-seq-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (stale command_seq replay stays no-op, preserves prior ack plus command-history state, and the next fresh sequence executes exactly once over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU mailbox seq-wraparound probe (scripts/baremetal-qemu-mailbox-seq-wraparound-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live mailbox progression across u64::max wrap preserves deterministic ack rollover and command-history ordering over the PVH freestanding artifact).
[x] scripts/baremetal-qemu-descriptor-bootdiag-probe-check.ps1 added for live boot-diagnostics and descriptor-load validation under QEMU+GDB with PVH artifact build (command_reset_boot_diagnostics, stack capture, boot-phase init, invalid phase rejection, descriptor reinit, and descriptor load with ACK=6, LAST_OPCODE=10, INVALID_RESULT=-22, DESCRIPTOR_INIT_AFTER_REINIT=2, LOAD_ATTEMPTS_FINAL=2, LOAD_SUCCESSES_FINAL=2).
[x] Added bare-metal optional QEMU descriptor-dispatch wrapper probes (scripts/baremetal-qemu-descriptor-dispatch-baseline-probe-check.ps1, scripts/baremetal-qemu-descriptor-dispatch-telemetry-probe-check.ps1, scripts/baremetal-qemu-descriptor-dispatch-aggregate-state-probe-check.ps1, scripts/baremetal-qemu-descriptor-dispatch-interrupt-history-probe-check.ps1, and scripts/baremetal-qemu-descriptor-dispatch-exception-history-mailbox-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad descriptor-dispatch QEMU probe but fail directly on the bootstrap baseline, descriptor reinit/load telemetry deltas, final aggregate interrupt/exception state, exact interrupt-history payloads, and final exception-history plus mailbox receipt over the PVH freestanding artifact).
[x] PVH boot shim now initializes SSE/XMM before entering Zig _start (CR0.EM/TS clear, CR0.MP/NE set, CR4.OSFXSR/OSXMMEXCPT set, fninit) to prevent early runtime traps in bootstrap mem.zeroes paths.
[x] Bare-metal command mailbox depth expanded with interrupt control opcodes:
command_trigger_interrupt
command_reset_interrupt_counters
command_reinit_descriptor_tables
[x] Bare-metal interrupt-state telemetry exports added:
oc_descriptor_init_count
oc_interrupt_state_ptr
[x] Bare-metal descriptor-load telemetry exports + mailbox opcode added:
exports: oc_descriptor_tables_loaded, oc_descriptor_load_attempt_count, oc_descriptor_load_success_count, oc_try_load_descriptor_tables
opcode: command_load_descriptor_tables
[x] Bare-metal exception/fault telemetry exports + reset opcode added:
exports: oc_last_exception_vector, oc_exception_count, oc_reset_exception_counters
opcode: command_reset_exception_counters
[x] Bare-metal exception payload path added:
exports: oc_last_exception_code, oc_trigger_exception, oc_exception_stub
opcode: command_trigger_exception (arg0 vector + arg1 fault code payload)
[x] Bare-metal exception history ring added:
exports: oc_exception_history_capacity, oc_exception_history_len, oc_exception_history_head_index, oc_exception_history_overflow_count, oc_exception_history_event, oc_exception_history_clear
opcode: command_clear_exception_history
[x] Bare-metal interrupt history ring added:
exports: oc_interrupt_history_capacity, oc_interrupt_history_len, oc_interrupt_history_head_index, oc_interrupt_history_overflow_count, oc_interrupt_history_event, oc_interrupt_history_clear
opcode: command_clear_interrupt_history
[x] Bare-metal vector counter telemetry added:
exports: oc_interrupt_vector_counts_ptr, oc_interrupt_vector_count, oc_exception_vector_counts_ptr, oc_exception_vector_count, oc_reset_vector_counters
opcode: command_reset_vector_counters
[x] Bare-metal boot diagnostics telemetry added:
exports: oc_boot_diag_ptr, oc_boot_diag_capture_stack
ABI additions: BaremetalBootDiagnostics, boot phase constants, feature_boot_diagnostics_export, kernel_abi_boot_diagnostics
opcodes: command_set_boot_phase, command_reset_boot_diagnostics, command_capture_stack_pointer
[x] Bare-metal command-history telemetry added:
exports: oc_command_history_capacity, oc_command_history_len, oc_command_history_head_index, oc_command_history_overflow_count, oc_command_history_ptr, oc_command_history_event, oc_command_history_clear
ABI additions: BaremetalCommandEvent, feature_command_history_export, kernel_abi_command_history
opcode: command_clear_command_history
[x] Bare-metal health-history telemetry added:
exports: oc_health_history_capacity, oc_health_history_len, oc_health_history_head_index, oc_health_history_overflow_count, oc_health_history_ptr, oc_health_history_event, oc_health_history_clear
ABI additions: BaremetalHealthEvent, feature_health_history_export, kernel_abi_health_history
opcode: command_clear_health_history
[x] Bare-metal mode-history telemetry added:
exports: oc_mode_history_capacity, oc_mode_history_len, oc_mode_history_head_index, oc_mode_history_overflow_count, oc_mode_history_ptr, oc_mode_history_event, oc_mode_history_clear
ABI additions: BaremetalModeEvent, feature_mode_history_export, kernel_abi_mode_history
opcode: command_clear_mode_history
[x] Bare-metal boot-phase-history telemetry added:
exports: oc_boot_phase_history_capacity, oc_boot_phase_history_len, oc_boot_phase_history_head_index, oc_boot_phase_history_overflow_count, oc_boot_phase_history_ptr, oc_boot_phase_history_event, oc_boot_phase_history_clear
ABI additions: BaremetalBootPhaseEvent, feature_boot_phase_history_export, kernel_abi_boot_phase_history
opcode: command_clear_boot_phase_history
[x] Bare-metal command-result-counter telemetry added:
exports: oc_command_result_counters_ptr, oc_command_result_total_count, oc_command_result_count_ok, oc_command_result_count_invalid_argument, oc_command_result_count_not_supported, oc_command_result_count_other_error, oc_command_result_counters_clear
ABI additions: BaremetalCommandResultCounters, feature_command_result_counters_export, kernel_abi_command_result_counters
opcode: command_reset_command_result_counters
[x] Bare-metal scheduler/task telemetry + control added:
exports: oc_scheduler_state_ptr, oc_scheduler_enabled, oc_scheduler_task_capacity, oc_scheduler_task_count, oc_scheduler_task, oc_scheduler_tasks_ptr, oc_scheduler_reset
ABI additions: BaremetalSchedulerState, BaremetalTask, feature_scheduler_export, kernel_abi_scheduler
opcodes: command_scheduler_enable, command_scheduler_disable, command_scheduler_reset, command_task_create, command_task_terminate, command_scheduler_set_timeslice, command_scheduler_set_default_budget
[x] Bare-metal allocator/syscall telemetry + control added:
allocator exports: oc_allocator_state_ptr, oc_allocator_page_count, oc_allocator_page_bitmap_ptr, oc_allocator_allocation_capacity, oc_allocator_allocation_count, oc_allocator_allocation, oc_allocator_allocations_ptr, oc_allocator_reset
syscall exports: oc_syscall_state_ptr, oc_syscall_entry_capacity, oc_syscall_entry_count, oc_syscall_entry, oc_syscall_entries_ptr, oc_syscall_enabled, oc_syscall_reset
ABI additions: BaremetalAllocatorState, BaremetalAllocationRecord, BaremetalSyscallState, BaremetalSyscallEntry, feature_allocator_export, feature_syscall_table_export, kernel_abi_allocator, kernel_abi_syscall_table
opcodes: command_allocator_reset, command_allocator_alloc, command_allocator_free, command_syscall_register, command_syscall_unregister, command_syscall_invoke, command_syscall_reset
[x] Bare-metal timer/wake queue + syscall ABI v2 telemetry/control added:
timer exports: oc_timer_state_ptr, oc_timer_entry_capacity, oc_timer_entry_count, oc_timer_entry, oc_timer_entries_ptr, oc_timer_reset
wake queue exports: oc_wake_queue_capacity, oc_wake_queue_len, oc_wake_queue_head_index, oc_wake_queue_overflow_count, oc_wake_queue_ptr, oc_wake_queue_event, oc_wake_queue_clear
ABI additions: BaremetalTimerState, BaremetalTimerEntry, BaremetalWakeEvent, feature_timer_export, feature_wake_queue_export, feature_syscall_abi_v2, kernel_abi_timer, kernel_abi_wake_queue, kernel_abi_syscall_abi_v2
opcodes: command_syscall_enable, command_syscall_disable, command_syscall_set_flags, command_timer_reset, command_timer_schedule, command_timer_cancel, command_wake_queue_clear, command_scheduler_wake_task
runtime behavior: timer one-shot scheduling transitions tasks to waiting, timer/interrupt/manual wake paths re-arm tasks and enqueue wake telemetry, syscall invoke now enforces entry-level blocked flags and global enable/disable state.
[x] Bare-metal timer control depth added:
timer control exports: oc_timer_enabled, oc_timer_quantum
ABI additions/opcodes: command_timer_enable, command_timer_disable, command_timer_set_quantum, command_timer_schedule_periodic, timer_entry_flag_periodic
runtime behavior: periodic timers now auto re-arm after dispatch, timer scanning honors configurable tick_quantum, and disabled timer state pauses timer dispatch while preserving queued telemetry.
[x] Bare-metal timer-ID cancel QEMU proof shipped:
new script: scripts/baremetal-qemu-timer-cancel-probe-check.ps1
live PVH/QEMU+GDB sequence proves command_timer_cancel operates on the captured live timer ID, cancels the armed entry in place, preserves canceled-slot metadata, and returns result_not_found on a second cancel against the same ID.
[x] Bare-metal vector-counter reset QEMU proof shipped:
new script: scripts/baremetal-qemu-vector-counter-reset-probe-check.ps1
live PVH/QEMU+GDB sequence proves command_reset_vector_counters clears the interrupt/exception per-vector tables after live dispatch while preserving aggregate interrupt/exceptions counts and last-vector telemetry.
[x] Bare-metal feature-flags and tick-batch control proof shipped:
new script: scripts/baremetal-qemu-feature-flags-tick-batch-probe-check.ps1
new host test: test "baremetal feature flags and tick batch hint commands update status" in src/baremetal_main.zig
live PVH/QEMU+GDB sequence proves command_set_feature_flags updates the live flag mask, command_set_tick_batch_hint changes runtime tick progression from 1 to 4, and an invalid zero hint returns result_invalid_argument without changing the active batch size.
[x] Bare-metal scheduler wait/resume and task-targeted timer cancel depth added:
scheduler/timer telemetry exports: oc_scheduler_waiting_count, oc_timer_fire_total_count
ABI additions/opcodes: command_task_wait, command_task_resume, command_timer_cancel_task
runtime behavior: explicit task wait/resume command path now drives runnable vs waiting transitions with manual wake telemetry, and task-targeted timer cancellation clears all armed timers for a task.
[x] Bare-metal deadline-wait + wake-queue consumption depth added:
wake queue exports: oc_wake_queue_tail_index, oc_wake_queue_pop
ABI additions/opcodes: command_task_wait_for, command_wake_queue_pop
runtime behavior: task_wait_for now atomically transitions a task to waiting with a one-shot timer deadline, and wake queue pop semantics remove oldest entries in-order with ring-buffer tail tracking.
[x] Bare-metal wake-queue FIFO QEMU proof shipped:
new script: scripts/baremetal-qemu-wake-queue-fifo-probe-check.ps1
live PVH/QEMU+GDB sequence proves two queued manual wakes preserve FIFO ordering through command_wake_queue_pop, with the second wake becoming the new logical head after the first pop and a final empty-queue pop returning result_not_found.
[x] Bare-metal wake-queue FIFO wrapper probes shipped:
new scripts: scripts/baremetal-qemu-wake-queue-fifo-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-fifo-first-pop-probe-check.ps1, scripts/baremetal-qemu-wake-queue-fifo-survivor-probe-check.ps1, scripts/baremetal-qemu-wake-queue-fifo-drain-empty-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-fifo-notfound-preserve-probe-check.ps1
matching host regression tightening in src/baremetal_main.zig now asserts queued task/reason/tick payload preservation before and after the first pop plus the final rejected-pop opcode/empty-state contract.
the wrappers reuse the broad FIFO lane but fail directly on the two-entry baseline, first-pop oldest-first removal, survivor payload preservation, drained-empty collapse, and final result_not_found plus empty-state invariants against the PVH freestanding artifact.
[x] Bare-metal scheduler policy + priority-control depth added:
scheduler export: oc_scheduler_policy
ABI additions/opcodes: command_scheduler_set_policy, command_task_set_priority, scheduler_policy_round_robin, scheduler_policy_priority
runtime behavior: scheduler now supports priority-aware dispatch policy (highest-priority ready task first, stable tie-break via RR cursor) while preserving default round-robin behavior.
[x] Bare-metal interrupt-wait filtering depth added:
scheduler export: oc_scheduler_wait_interrupt_count
ABI additions/opcodes: command_task_wait_interrupt, wait_interrupt_any_vector
runtime behavior: interrupt-driven wake path now only wakes tasks explicitly waiting for interrupts (any or vector-specific), while manual waits no longer wake on unrelated interrupts.
[x] Bare-metal interrupt-wait timeout depth added:
scheduler export: oc_scheduler_wait_timeout_count
ABI additions/opcodes: command_task_wait_interrupt_for
runtime behavior: interrupt waits can now carry tick deadlines; timeout expiry wakes via timer reason while preserving interrupt-first wake semantics.
[x] Bare-metal tick overflow hardening added:
runtime behavior: timer and interrupt wait deadlines now use saturating tick arithmetic (no wraparound wake regressions near u64 tick ceiling).
periodic re-arm behavior now advances using bounded arithmetic instead of overflow-prone increment loops.
[x] scripts/baremetal-smoke-check.ps1 now validates Multiboot2 header fields and checksum (magic, arch, header_length, checksum, end-tag tuple) in addition to section/symbol invariants.
[x] Release trust evidence now generated and published in release flows:
local scripts/release-preview.ps1 now emits and includes release-manifest.json, sbom.spdx.json, and provenance.intoto.json.
.github/workflows/release-preview.yml now generates and uploads the same trust artifacts into GitHub release assets.
[x] Cross-target diagnostics matrix (scripts/zig-cross-target-matrix.ps1) now covers desktop + Android with per-target logs and JSON summary:
Local Windows Zig master result: 4/8 pass (x86_64-windows, x86_64-linux, x86_64-macos, x86_64-linux-android)
Local failures: aarch64-linux, aarch64-macos, aarch64-linux-android, arm-linux-androideabi
Failure class reproduces in minimal targets and remains toolchain-level on this host (compiler_rt + memory allocation failure; aarch64-linux* additionally show invalid constraint: 'X'; arm-linux-androideabi minimal repro exits with access-violation code -1073741819)
Evidence: release/cross-target-diagnostics/summary.json and per-target stdout/stderr logs in release/cross-target-diagnostics/
[x] Android ARMv7 link failure (__tls_get_addr) was resolved for CI/release builds by forcing single-threaded mode for arm-linux-androideabi in build.zig.
[x] Freshness check: Codeberg Zig master=0ae1c6b54acf112c7bbcc63a19f7ad8fa9842d2a; local toolchain=0.16.0-dev.2703+0a412853a (hash mismatch acknowledged)
[x] Serve smoke: GET /health and POST /rpc (shutdown) both returned HTTP 200
[x] Serve smoke: POST /rpc file.write, file.read, and exec.run returned HTTP 200 with real payloads
[x] Serve smoke: POST /rpc security.audit and doctor return structured diagnostics payloads
[x] Serve smoke: POST /rpc web.login.start, web.login.wait, web.login.complete, web.login.status return expected lifecycle statuses
[x] Serve smoke: POST /rpc send and poll return HTTP 200 and include queued Telegram reply payloads
[x] Release artifacts built in ReleaseFast and checksummed:
openclaw-zig-v0.1.0-zig-preview.1-x86_64-windows.zip
openclaw-zig-v0.1.0-zig-preview.1-x86_64-linux.zip
openclaw-zig-v0.1.0-zig-preview.1-x86_64-macos.zip
SHA256SUMS.txt
[x] GitHub release published: v0.1.0-zig-preview.1
https://github.com/adybag14-cyber/ZAR-Zig-Agent-Runtime/releases/tag/v0.1.0-zig-preview.1
[x] Cross-target note: aarch64-linux and aarch64-macos failed on local Zig 0.16.0-dev.2703+0a412853a Windows toolchain with compiler exit code 5; release matrix kept to passing x86_64 targets.
[x] Dispatcher coverage guard: registry-wide test asserts every method in registry.supported_methods resolves in dispatcher (prevents method-set drift regressions).
[x] Added CI pipeline (.github/workflows/zig-ci.yml) for build/test gates and cross-target release build attempts on Zig master.
[x] Expanded CI cross-target matrix with Android builds:
x86_64-linux-android (required)
aarch64-linux-android and arm-linux-androideabi (required)
[x] Added arm64 diagnostic runner (scripts/zig-arm64-diagnose.ps1) to persist stdout/stderr logs for aarch64-linux and aarch64-macos failures.
[x] Arm64 diagnostics confirmed local Windows Zig master failure class is toolchain-level (repro on minimal build-exe): compiler_rt sub-compilation failure, memory allocation failure, and (aarch64-linux) invalid constraint: 'X'.
[x] CI confirmation: GitHub Actions run 22645119953 passed all jobs, including aarch64-linux and aarch64-macos cross-target builds on Ubuntu Zig master.
[x] Added CI release workflow (.github/workflows/release-preview.yml) to publish full preview artifact matrix from Linux runners, including arm64 targets.
[x] Expanded release preview build matrix with Android artifact targets:
x86_64-android (required)
aarch64-android and armv7-android (required)
[x] CI confirmation after ARMv7 fix: GitHub Actions run 22651999994 succeeded with Android cross-target jobs all green (x86_64-android, aarch64-android, armv7-android).
[x] Release workflow smoke validated: Actions run 22645353103 published v0.1.0-zig-preview.ci-smoke with full 5-target artifact set + SHA256SUMS.txt.
[x] Added cross-repo method/event parity gate script (scripts/check-go-method-parity.ps1) and wired it into CI + release workflows as a blocking check.
[x] Parity gate now resolves and checks all required latest baselines on each run:
adybag14-cyber/openclaw-go-port latest release tag
openclaw/openclaw latest release tag
openclaw/openclaw latest prerelease tag
[x] Release workflow hardened with upfront validate job (build + test + parity gate) and duplicate-tag guard before publish.
[x] Parity gate now emits machine-readable report (parity-go-zig.json) and CI/release workflows publish it as audit evidence.
[x] Release workflow evidence update: run 22646343174 published v0.1.0-zig-preview.ci-parityjson including parity-go-zig.json alongside all target zips + SHA256SUMS.txt.
[x] Parity reporting now includes reviewer-friendly markdown (parity-go-zig.md) in CI artifacts and release assets.
[x] Release workflow evidence update: run 22646648616 published v0.1.0-zig-preview.ci-paritymd including both parity-go-zig.json and parity-go-zig.md.
[x] Added cross-platform runtime smoke gate (scripts/runtime-smoke-check.ps1) and wired it into zig-ci validate job.
[x] Added update lifecycle smoke gate (scripts/update-lifecycle-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs (update.plan, update.run, update.status contract checks).
[x] Added system maintenance smoke gate (scripts/system-maintenance-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs (system.maintenance.plan, system.maintenance.run, system.maintenance.status contract checks).
[x] Added appliance control-plane smoke gate (scripts/appliance-control-plane-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs (system.boot.*, system.rollback.*, signed system.boot.attest.verify, and secure-boot-gated update.run contract checks).
[x] Added appliance restart recovery smoke gate (scripts/appliance-restart-recovery-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs (persisted compat-state.json replay of boot policy, boot verification, update head, and rollback plan across restart).
[x] Added appliance rollout boundary smoke gate (scripts/appliance-rollout-boundary-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs (real canary lane selection, secure-boot block, canary apply, and stable promotion over live RPC).
[x] Added appliance minimal-profile smoke gate (scripts/appliance-minimal-profile-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs (live readiness contract for persisted state, control-plane auth, secure-boot update gating, signer policy, and current verification).
[x] Added bare-metal smoke gate (scripts/baremetal-smoke-check.ps1) and wired it into zig-ci + release-preview validate jobs.
[x] Added bare-metal optional QEMU bootdiag/history-clear probe (scripts/baremetal-qemu-bootdiag-history-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_reset_boot_diagnostics, command_clear_command_history, and command_clear_health_history control proof over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU bootdiag/history-clear wrapper probes (scripts/baremetal-qemu-bootdiag-history-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-bootdiag-history-clear-pre-reset-payloads-probe-check.ps1, scripts/baremetal-qemu-bootdiag-history-clear-post-reset-state-probe-check.ps1, scripts/baremetal-qemu-bootdiag-history-clear-command-event-probe-check.ps1, and scripts/baremetal-qemu-bootdiag-history-clear-health-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (the family now fails directly on the baseline/source marker, pre-reset boot-diagnostics payloads, post-reset collapse, command-history clear-event shape, and health-history preservation boundaries).
[x] Added bare-metal optional QEMU descriptor bootdiag wrapper probes (scripts/baremetal-qemu-descriptor-bootdiag-baseline-probe-check.ps1, scripts/baremetal-qemu-descriptor-bootdiag-reset-capture-probe-check.ps1, scripts/baremetal-qemu-descriptor-bootdiag-set-init-probe-check.ps1, scripts/baremetal-qemu-descriptor-bootdiag-invalid-phase-probe-check.ps1, and scripts/baremetal-qemu-descriptor-bootdiag-final-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad descriptor-bootdiag QEMU probe but fail directly on the narrow boundaries for bootstrap baseline, reset+stack-capture envelope, init transition, invalid-phase preservation, and final descriptor-load/mailbox-state telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler probe (scripts/baremetal-qemu-scheduler-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (scheduler reset, timeslice, task creation, policy switch, and live dispatch telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler wrapper probes (scripts/baremetal-qemu-scheduler-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-config-state-probe-check.ps1, scripts/baremetal-qemu-scheduler-task-shape-probe-check.ps1, scripts/baremetal-qemu-scheduler-progress-telemetry-probe-check.ps1, and scripts/baremetal-qemu-scheduler-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and broader file-handle hardening in scripts/baremetal-qemu-scheduler-probe-check.ps1 (they reuse the broad scheduler command-flow lane but fail directly on bootstrap reachability, final scheduler config state, exact task shape, dispatch/budget progress telemetry, and final mailbox receipt invariants over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler priority/budget probe (scripts/baremetal-qemu-scheduler-priority-budget-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (command_scheduler_set_default_budget, zero-budget task inheritance, and command_task_set_priority dispatch-order flip proof over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler priority/budget wrapper probes (scripts/baremetal-qemu-scheduler-priority-budget-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-default-budget-inheritance-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-priority-dominance-probe-check.ps1, scripts/baremetal-qemu-scheduler-priority-budget-reprioritize-low-probe-check.ps1, and scripts/baremetal-qemu-scheduler-priority-budget-invalid-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad scheduler priority/budget QEMU probe but fail directly on the narrow boundaries for baseline scheduler/task bootstrap, zero-budget default-budget inheritance, initial high-priority dominance, low-task reprioritize takeover, and invalid policy/task preservation over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler default-budget invalid probe (scripts/baremetal-qemu-scheduler-default-budget-invalid-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_scheduler_set_default_budget(0) rejection without default-budget drift, followed by clean zero-budget task inheritance from the preserved budget over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler round-robin probe (scripts/baremetal-qemu-scheduler-round-robin-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (default round-robin dispatch fairness proof over two live tasks with different priorities and deterministic budget consumption on the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler round-robin wrapper probes (scripts/baremetal-qemu-scheduler-round-robin-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-first-dispatch-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-second-dispatch-probe-check.ps1, scripts/baremetal-qemu-scheduler-round-robin-third-dispatch-probe-check.ps1, and scripts/baremetal-qemu-scheduler-round-robin-final-task-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad scheduler round-robin QEMU probe but fail directly on the narrow boundaries for baseline task/policy bootstrap, first-task-only dispatch, second-dispatch rotation to the second task, third-dispatch return to the first task, and final scheduler/task-state telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler timeslice-update probe (scripts/baremetal-qemu-scheduler-timeslice-update-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_scheduler_set_timeslice updates under active load, immediate budget-consumption changes for timeslice 1 -> 4 -> 2, and invalid-zero rejection without active-timeslice drift over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler timeslice wrapper probes (scripts/baremetal-qemu-scheduler-timeslice-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-update-4-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-update-2-probe-check.ps1, scripts/baremetal-qemu-scheduler-timeslice-invalid-zero-preserve-probe-check.ps1, and scripts/baremetal-qemu-scheduler-timeslice-final-task-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad scheduler-timeslice-update QEMU probe but fail directly on the narrow boundaries for baseline timeslice=1, first timeslice=4 update, second timeslice=2 update, invalid-zero preservation, and final dispatch/task-state telemetry on the live task over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer-quantum wrapper probes (scripts/baremetal-qemu-timer-quantum-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-boundary-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-preboundary-blocked-probe-check.ps1, scripts/baremetal-qemu-timer-quantum-wake-payload-probe-check.ps1, and scripts/baremetal-qemu-timer-quantum-final-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad timer-quantum QEMU probe but fail directly on the narrow boundaries for armed baseline capture, computed quantum-boundary hold, blocked pre-boundary wait state, exact timer wake payload, and final timer/task-state telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler disable-enable probe (scripts/baremetal-qemu-scheduler-disable-enable-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_scheduler_disable freeze semantics, idle no-dispatch proof, and command_scheduler_enable resume-on-next-tick behavior over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler disable-enable wrapper probes (scripts/baremetal-qemu-scheduler-disable-enable-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-disabled-freeze-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-idle-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-disable-enable-resume-probe-check.ps1, and scripts/baremetal-qemu-scheduler-disable-enable-final-task-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad scheduler-disable-enable QEMU probe but fail directly on the narrow boundaries for pre-disable baseline state, disabled freeze-state, idle disabled preservation, re-enable resume metadata, and final task-state telemetry on the resumed task over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler reset probe (scripts/baremetal-qemu-scheduler-reset-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_scheduler_reset cleanup semantics, default-state restoration, and task-ID restart proof over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler reset mixed-state probe (scripts/baremetal-qemu-scheduler-reset-mixed-state-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (runtime bug fixed in src/baremetal_main.zig: oc_scheduler_reset() now clears stale queued wakes and armed task timers tied to the removed task table, clears timeout arms, preserves timer quantum plus next_timer_id, and proves fresh timer re-arming after reset over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler policy-switch probe (scripts/baremetal-qemu-scheduler-policy-switch-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live round-robin to priority to round-robin transitions under active load, immediate dispatch-strategy flips, low-task reprioritization on the next priority tick, and invalid-policy rejection without active-policy drift over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler policy-switch wrapper probes (scripts/baremetal-qemu-scheduler-policy-switch-rr-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-policy-switch-priority-dominance-probe-check.ps1, scripts/baremetal-qemu-scheduler-policy-switch-reprioritize-low-probe-check.ps1, scripts/baremetal-qemu-scheduler-policy-switch-rr-return-probe-check.ps1, scripts/baremetal-qemu-scheduler-policy-switch-invalid-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (wrapper-level isolation of round-robin fairness before policy change, high-priority dominance under priority policy, low-task takeover after reprioritization, round-robin return semantics, and invalid-policy rejection without state drift over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-mask/exception probe (scripts/baremetal-qemu-interrupt-mask-exception-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (masked external vectors remain blocked while exception delivery still wakes a waiting task and records both interrupt and exception histories over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer/wake probe (scripts/baremetal-qemu-timer-wake-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (timer reset, tick-quantum update, task create + task_wait_for, fired timer entry telemetry, and wake-queue evidence over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer-quantum probe (scripts/baremetal-qemu-timer-quantum-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (one-shot command_timer_schedule quantum suppression proof with ARMED_TICKS=7, PRE_BOUNDARY_TICK=8, EXPECTED_BOUNDARY_TICK=9, WAKE0_TICK=9, and a still-waiting task at the pre-boundary tick over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer cancel probe (scripts/baremetal-qemu-timer-cancel-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (capture the live timer ID from the armed entry, cancel via command_timer_cancel, preserve canceled-slot metadata, and prove a second cancel returns LAST_RESULT=-2 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer cancel wrapper probes (scripts/baremetal-qemu-timer-cancel-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-cancel-collapse-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-canceled-entry-preserve-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-second-cancel-notfound-probe-check.ps1, and scripts/baremetal-qemu-timer-cancel-zero-wake-telemetry-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig (they reuse the broad dedicated timer-cancel lane but fail directly on the armed baseline, cancel collapse to zero live entries, preserved canceled-slot metadata, second-cancel result_not_found, and zero wake/dispatch telemetry).
[x] Added bare-metal optional QEMU vector counter reset probe (scripts/baremetal-qemu-vector-counter-reset-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (trigger interrupt vectors 10/200 plus exception vector 14, prove the per-vector interrupt/exception tables reset back to 0, and keep aggregate counts + last-vector telemetry intact over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU vector-counter-reset wrapper probes (scripts/baremetal-qemu-vector-counter-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-vector-counter-reset-dirty-aggregate-probe-check.ps1, scripts/baremetal-qemu-vector-counter-reset-dirty-vector-table-probe-check.ps1, scripts/baremetal-qemu-reset-vector-counters-preserve-aggregate-probe-check.ps1, scripts/baremetal-qemu-reset-vector-counters-preserve-last-vector-probe-check.ps1, scripts/baremetal-qemu-vector-counter-reset-zeroed-tables-probe-check.ps1, and scripts/baremetal-qemu-vector-counter-reset-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad vector-counter-reset lane but fail directly on the baseline artifact/mailbox state, dirty aggregate counts, dirty pre-reset vector tables, preserved aggregate totals, preserved last-vector telemetry, zeroed post-reset vector tables, and final reset-mailbox receipt invariants).
[x] Added bare-metal optional QEMU feature-flags/tick-batch probe (scripts/baremetal-qemu-feature-flags-tick-batch-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (prove feature-flag updates, tick_batch_hint progression 1 -> 4, and zero-hint rejection while preserving the live batch size over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler saturation probe (scripts/baremetal-qemu-scheduler-saturation-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (fill all 16 scheduler slots, prove the 17th command_task_create returns result_no_space, then terminate and reuse one slot with a fresh task ID plus replacement priority/budget over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler saturation wrapper probes (scripts/baremetal-qemu-scheduler-saturation-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-saturation-overflow-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-saturation-terminate-state-probe-check.ps1, scripts/baremetal-qemu-scheduler-saturation-reuse-state-probe-check.ps1, and scripts/baremetal-qemu-scheduler-saturation-final-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (narrow wrapper validation now fails directly on the 16-slot baseline fill, overflow rejection without task-count drift, terminated-slot capture, reuse-slot replacement semantics, and final scheduler state on the scheduler pressure lane).
[x] Added bare-metal optional QEMU vector history clear probe (scripts/baremetal-qemu-vector-history-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (dedicated mailbox proof that command_reset_interrupt_counters / command_reset_exception_counters zero aggregate interrupt+exception counters without disturbing retained history/vector tables, followed by command_clear_interrupt_history / command_clear_exception_history zeroing only history-ring state/overflow over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU vector history clear wrapper probes (scripts/baremetal-qemu-vector-history-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-vector-history-clear-pre-interrupt-payloads-probe-check.ps1, scripts/baremetal-qemu-vector-history-clear-pre-exception-payload-probe-check.ps1, scripts/baremetal-qemu-vector-history-clear-interrupt-reset-preserve-probe-check.ps1, and scripts/baremetal-qemu-vector-history-clear-exception-reset-final-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig (they reuse the broad vector-history-clear lane but fail directly on the final mailbox baseline, retained pre-clear interrupt payloads, retained pre-clear exception payload, interrupt-reset preservation plus interrupt-clear boundary, and exception-reset preservation plus final clear-state boundary).
[x] Added bare-metal optional QEMU timer cancel-task probe (scripts/baremetal-qemu-timer-cancel-task-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (command_timer_schedule + command_timer_schedule_periodic arming on a single task, first command_timer_cancel_task collapsing TIMER_ENTRY_COUNT=0 with TIMER0_STATE=3, and second cancel returning LAST_RESULT=-2 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer cancel-task wrapper probes (scripts/baremetal-qemu-timer-cancel-task-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-cancel-collapse-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-canceled-entry-preserve-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-second-cancel-notfound-probe-check.ps1, and scripts/baremetal-qemu-timer-cancel-task-zero-wake-telemetry-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig (they reuse the broad task-cancel QEMU probe but fail directly on the armed task baseline, first-cancel collapse to zero live timer entries, preserved canceled-slot metadata on timer0, second-cancel result_not_found, and zero wake/dispatch telemetry through the dedicated task-targeted timer cancel lane).
[x] Added bare-metal optional QEMU timer cancel-task interrupt-timeout probe (scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_timer_cancel_task on a timeout-backed interrupt waiter clears the timeout back to none, leaves TIMER_ENTRY_COUNT=0, and still allows the later real interrupt wake to land exactly once over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer pressure probe (scripts/baremetal-qemu-timer-pressure-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (fill all 16 runnable task slots with live one-shot timers, prove TIMER_ENTRY_COUNT=16 with timer IDs 1 -> 16, cancel one task timer, then reuse the canceled slot with fresh timer ID 17 and no stray wake/dispatch activity over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer pressure wrapper probes (scripts/baremetal-qemu-timer-pressure-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-pressure-cancel-collapse-probe-check.ps1, scripts/baremetal-qemu-timer-pressure-reuse-slot-probe-check.ps1, scripts/baremetal-qemu-timer-pressure-reuse-next-fire-probe-check.ps1, and scripts/baremetal-qemu-timer-pressure-quiet-telemetry-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig and deeper cancel-stage receipts in scripts/baremetal-qemu-timer-pressure-probe-check.ps1 (they reuse the broad timer-pressure QEMU probe but fail directly on the 16-task/16-timer saturation baseline, cancel collapse to 15 live timers with preserved waiting task state, in-place slot reuse with fresh timer ID 17, preserved waiting-state plus next-fire semantics on the reused task, and zero wake/dispatch telemetry while the scheduler remains disabled).
[x] Added bare-metal optional QEMU timer-reset recovery probe (scripts/baremetal-qemu-timer-reset-recovery-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (dirty live timer entries plus task_wait_interrupt_for timeout state, prove command_timer_reset collapses timer state back to baseline, clears stale timeout arms without losing interrupt waits, prevents delayed timeout wakes after reset, preserves manual + interrupt wake recovery, and restarts timer allocation from timer_id=1 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer-disable reenable wrapper probes (scripts/baremetal-qemu-timer-disable-reenable-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-timer-disable-reenable-deadline-hold-probe-check.ps1, scripts/baremetal-qemu-timer-disable-reenable-deferred-wake-order-probe-check.ps1, scripts/baremetal-qemu-timer-disable-reenable-wake-payload-probe-check.ps1, scripts/baremetal-qemu-timer-disable-reenable-dispatch-drain-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (wrapper-level isolation of disable-time arm preservation, overdue deadline hold while paused, deferred wake ordering after re-enable, timer-only wake payload retention, and single-dispatch queue drain semantics over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU periodic timer probe (scripts/baremetal-qemu-periodic-timer-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (command_timer_schedule_periodic plus command_timer_disable/command_timer_enable pause-resume proof with first resumed-fire snapshot telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU periodic timer wrapper probes (scripts/baremetal-qemu-periodic-timer-baseline-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-first-fire-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-paused-window-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-resumed-cadence-probe-check.ps1, and scripts/baremetal-qemu-periodic-timer-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig so the hosted regression now also proves explicit scheduler/task baseline state, first-fire telemetry, paused-window stability, resumed cadence, and final wake payload invariants directly.
[x] Added bare-metal optional QEMU periodic timer clamp probe (scripts/baremetal-qemu-periodic-timer-clamp-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (periodic timer armed at u64::max-1, first fire at 18446744073709551615, saturated re-arm to the same deadline, and stable post-wrap hold over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU periodic timer clamp wrapper probes (scripts/baremetal-qemu-periodic-timer-clamp-baseline-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-clamp-first-fire-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-clamp-saturated-rearm-probe-check.ps1, scripts/baremetal-qemu-periodic-timer-clamp-post-wrap-hold-probe-check.ps1, and scripts/baremetal-qemu-periodic-timer-clamp-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression coverage in src/baremetal_main.zig and local package-diagnostics hardening in scripts/package-registry-status.ps1 so the release lane now surfaces default-registry 404 state even without explicit package arguments.
[x] Added bare-metal optional QEMU periodic-interrupt probe (scripts/baremetal-qemu-periodic-interrupt-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (mixed periodic timer + interrupt wake ordering proof, interrupt-before-deadline precedence, preserved periodic cadence, and no later timeout leak over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU periodic-interrupt wrapper probes (scripts/baremetal-qemu-periodic-interrupt-baseline-fire-probe-check.ps1, scripts/baremetal-qemu-periodic-interrupt-interrupt-wake-payload-probe-check.ps1, scripts/baremetal-qemu-periodic-interrupt-periodic-cadence-probe-check.ps1, scripts/baremetal-qemu-periodic-interrupt-cancel-no-late-timeout-probe-check.ps1, and scripts/baremetal-qemu-periodic-interrupt-telemetry-ordering-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad periodic-interrupt QEMU probe but fail directly on the timer-first baseline wake, exact interrupt wake payload, preserved post-interrupt periodic cadence, cancel-with-no-late-timeout-leak boundary, and preserved mixed telemetry/wake ordering after settlement).
[x] Added bare-metal optional QEMU interrupt-timeout probe (scripts/baremetal-qemu-interrupt-timeout-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (interrupt-before-deadline task_wait_interrupt_for precedence, timeout-arm clearing, and no-late-second-wake evidence over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-timeout timer probe (scripts/baremetal-qemu-interrupt-timeout-timer-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (no-interrupt task_wait_interrupt_for timeout path proof with deadline-preceding no-wake state, timer wake reason=1, vector=0, and zero interrupt telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-timeout timer wrapper probes (scripts/baremetal-qemu-interrupt-timeout-timer-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-timer-deadline-blocked-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-timer-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-timer-no-duplicate-wake-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-timer-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad interrupt-timeout timer QEMU probe but fail directly on preserved armed timeout identity, deadline-edge blocked state with zero wake queue, timer wake payload semantics, no duplicate timer wake after additional slack ticks, and preserved zero-interrupt telemetry through the full timer-only recovery path).
[x] Added bare-metal optional QEMU interrupt-timeout clamp probe (scripts/baremetal-qemu-interrupt-timeout-clamp-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (near-u64::max task_wait_interrupt_for clamp proof with saturated deadline 18446744073709551615, queued wake tick preserved at that value, and live wake-boundary wrap to 0 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue selective probe (scripts/baremetal-qemu-wake-queue-selective-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (timer/interrupt/manual wake generation plus reason/vector/reason+vector/deadline queue-drain evidence over the PVH freestanding artifact).
[x] Deepened bare-metal optional QEMU wake-queue selective probe with generic count-query telemetry (oc_wake_queue_count_query_ptr, oc_wake_queue_count_snapshot_ptr) so the live PVH run now proves vector counts (13, 31), exact interrupt@31 pair counts, before-tick counts, and invalid reason+vector=0 rejection in the same selective-drain sequence.
[x] Added bare-metal optional QEMU wake-queue selective wrapper probes (scripts/baremetal-qemu-wake-queue-selective-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-selective-reason-drain-probe-check.ps1, scripts/baremetal-qemu-wake-queue-selective-vector-drain-probe-check.ps1, scripts/baremetal-qemu-wake-queue-selective-reason-vector-drain-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-selective-before-tick-final-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad mixed selective wake-queue QEMU probe but fail directly on baseline queue composition, reason-drain survivor ordering, vector-drain survivor ordering, exact reason+vector survivor ordering, and the final before-tick/invalid-pair preserved-state boundary over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue selective-overflow probe (scripts/baremetal-qemu-wake-queue-selective-overflow-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (drive a wrapped 64-entry interrupt wake ring with 66 alternating interrupt@13 / interrupt@31 wake cycles, remove the first 31 vector-13 entries with command_wake_queue_pop_vector, then remove the final interrupt@13 survivor with command_wake_queue_pop_reason_vector while preserving FIFO order for the remaining vector=31 wakes over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue selective-overflow wrapper probes (scripts/baremetal-qemu-wake-queue-selective-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-selective-overflow-vector-drain-probe-check.ps1, scripts/baremetal-qemu-wake-queue-selective-overflow-vector-survivors-probe-check.ps1, scripts/baremetal-qemu-wake-queue-selective-overflow-reason-vector-drain-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-selective-overflow-reason-vector-survivors-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus tightened host-regression assertions in src/baremetal_main.zig (the wrappers reuse the broad wrapped-ring lane but fail directly on overflow baseline shape, post-pop_vector(13,31) collapse, lone retained interrupt@13 survivor ordering, post-pop_reason_vector(interrupt@13) collapse, and final all-vector=31 survivor ordering over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue before-tick-overflow probe (scripts/baremetal-qemu-wake-queue-before-tick-overflow-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (drive a wrapped 64-entry interrupt wake ring with 66 alternating interrupt@13 / interrupt@31 wake cycles, use the retained queue ticks as live command_wake_queue_pop_before_tick thresholds to remove seq 3 -> 34, then seq 35 -> 65, then seq 66, and finally prove the empty-queue result_not_found path over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue before-tick-overflow wrapper probes (scripts/baremetal-qemu-wake-queue-before-tick-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-before-tick-overflow-first-cutoff-probe-check.ps1, scripts/baremetal-qemu-wake-queue-before-tick-overflow-first-survivor-window-probe-check.ps1, scripts/baremetal-qemu-wake-queue-before-tick-overflow-second-cutoff-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-before-tick-overflow-final-empty-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus tightened host-regression assertions in src/baremetal_main.zig (the wrappers reuse the broad wrapped deadline-drain lane but fail directly on the wrapped baseline shape, first threshold cutoff, first survivor window, second cutoff to only seq=66, and final empty/notfound preserved-state invariants over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue reason-overflow probe (scripts/baremetal-qemu-wake-queue-reason-overflow-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (reuse the batch-pop PVH artifact, drive 66 alternating manual / interrupt@13 wake cycles over one task, remove the first 31 manual wakes with command_wake_queue_pop_reason(manual,31), then remove the final manual survivor with command_wake_queue_pop_reason(manual,99) while preserving FIFO order for the remaining interrupt wakes over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue reason-overflow wrapper probes (scripts/baremetal-qemu-wake-queue-reason-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-overflow-manual-drain-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-overflow-manual-survivors-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-overflow-interrupt-drain-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-reason-overflow-interrupt-survivors-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus tightened host-regression assertions in src/baremetal_main.zig (the wrappers reuse the broad wrapped mixed-reason lane but fail directly on the overflow baseline shape, post-pop_reason(manual,31) collapse, lone retained manual survivor ordering, post-pop_reason(manual,99) collapse, and final all-interrupt survivor ordering over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue reason-vector-pop probe (scripts/baremetal-qemu-wake-queue-reason-vector-pop-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (build a dedicated PVH artifact, drive a four-entry live mixed queue through command_task_wait, command_task_wait_interrupt, command_scheduler_wake_task, and command_trigger_interrupt, then prove command_wake_queue_pop_reason_vector(interrupt@13) removes only the exact pair in FIFO order and rejects reason+vector=0 over the freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue summary/age probe (scripts/baremetal-qemu-wake-queue-summary-age-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (exported summary and age-bucket telemetry snapshots remain correct before and after selective queue drains over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue summary/age wrapper probes (scripts/baremetal-qemu-wake-queue-summary-age-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-summary-age-pre-summary-probe-check.ps1, scripts/baremetal-qemu-wake-queue-summary-age-pre-age-probe-check.ps1, scripts/baremetal-qemu-wake-queue-summary-age-post-summary-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-summary-age-post-age-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (narrow wrapper validation now fails directly on the baseline queue shape, pre-drain summary/age snapshots, post-drain summary/age snapshots, and final queue stability on that exported summary-pointer lane).
[x] Added bare-metal optional QEMU wake-queue count-snapshot wrapper probes (scripts/baremetal-qemu-wake-queue-count-snapshot-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-count-snapshot-query1-probe-check.ps1, scripts/baremetal-qemu-wake-queue-count-snapshot-query2-probe-check.ps1, scripts/baremetal-qemu-wake-queue-count-snapshot-query3-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-count-snapshot-nonmutating-read-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus a matching host regression in src/baremetal_main.zig (they reuse the broad count-snapshot lane but fail directly on baseline queue ordering, staged query-count transitions after live queue mutations, and nonmutating mailbox reads leaving queue/pending-wake state intact).
[x] Added bare-metal optional QEMU wake-queue overflow probe (scripts/baremetal-qemu-wake-queue-overflow-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (drive 66 manual wakes over one waiting task, prove the 64-entry ring retains seq 3 -> 66, and validate head/tail=2 with overflow=2 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue overflow wrapper probes (scripts/baremetal-qemu-wake-queue-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-overflow-shape-probe-check.ps1, scripts/baremetal-qemu-wake-queue-overflow-oldest-entry-probe-check.ps1, scripts/baremetal-qemu-wake-queue-overflow-newest-entry-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-overflow-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus tightened host-regression assertions in src/baremetal_main.zig (they reuse the broad sustained-manual-pressure lane but fail directly on the 66-wake baseline, wrapped ring shape, oldest retained payload, newest retained payload, and final mailbox receipt).
[x] Added bare-metal optional QEMU wake-queue clear probe (scripts/baremetal-qemu-wake-queue-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (drive the same 66-wake wrapped manual ring, issue command_wake_queue_clear, prove count/head/tail/overflow = 0 with pending wake telemetry reset, then reuse the queue from seq=1 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue clear wrapper probes (scripts/baremetal-qemu-wake-queue-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-clear-collapse-probe-check.ps1, scripts/baremetal-qemu-wake-queue-clear-pending-reset-probe-check.ps1, scripts/baremetal-qemu-wake-queue-clear-reuse-shape-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-clear-reuse-payload-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus tightened host-regression assertions in src/baremetal_main.zig (the wrappers reuse the broad clear-and-reuse lane but fail directly on the wrapped pre-clear baseline, post-clear queue collapse, post-clear pending-wake reset, post-reuse queue shape, and post-reuse payload invariants over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue batch-pop probe (scripts/baremetal-qemu-wake-queue-batch-pop-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (batch-drain the wrapped queue after overflow, prove survivor ordering seq 65 -> 66, drain to empty, and reuse the queue at seq 67 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU wake-queue batch-pop wrapper probes (scripts/baremetal-qemu-wake-queue-batch-pop-overflow-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-batch-pop-survivor-pair-probe-check.ps1, scripts/baremetal-qemu-wake-queue-batch-pop-single-survivor-probe-check.ps1, scripts/baremetal-qemu-wake-queue-batch-pop-drain-empty-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-batch-pop-refill-reuse-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad batch-pop lane but fail directly on the overflow baseline, retained survivor pair seq 65 -> 66, single-survivor state after the default pop, drained-empty queue state, and refill/reuse receipt at seq 67).
[x] Added bare-metal optional QEMU wake-queue vector-pop probe (scripts/baremetal-qemu-wake-queue-vector-pop-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (build a dedicated PVH artifact, drive a live mixed queue manual, interrupt@13, interrupt@13, interrupt@31, prove command_wake_queue_pop_vector(13,0) removes only the first vector-13 wake, command_wake_queue_pop_vector(13,9) removes the remaining vector-13 survivor, and command_wake_queue_pop_vector(255,1) returns result_not_found over the freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-mask profile probe (scripts/baremetal-qemu-interrupt-mask-profile-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (external-all, custom unmask/remask, ignored-count reset, external-high, invalid profile rejection, and clear-all recovery over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-mask clear-all recovery probe (scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (dedicated command_interrupt_mask_clear_all proof after direct mask manipulation, restoring live wake delivery on vector 200, clearing ignored-count telemetry back to 0, and returning the runtime to mask profile none over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator/syscall probe (scripts/baremetal-qemu-allocator-syscall-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (allocator alloc/free plus syscall register/invoke/block/disable/re-enable/clear-flags/unregister evidence over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU syscall saturation probe (scripts/baremetal-qemu-syscall-saturation-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (fill the 64-entry syscall table, reject the 65th register with no_space, reclaim one slot with unregister, reuse it with a fresh syscall ID/token, and prove the reused slot invokes cleanly over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU syscall saturation reset probe (scripts/baremetal-qemu-syscall-saturation-reset-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (fill the 64-entry syscall table, dirty dispatch state with a real invoke, prove command_syscall_reset clears the fully saturated table and dispatch telemetry back to steady state, and then prove a fresh syscall restarts cleanly from slot 0 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator saturation reset probe (scripts/baremetal-qemu-allocator-saturation-reset-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (fill all 64 allocator records, prove the next allocation returns no_space, prove command_allocator_reset collapses counters/bitmap/records back to steady state, and then prove a fresh 2-page allocation restarts cleanly from slot 0 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator saturation reset wrapper probes (scripts/baremetal-qemu-allocator-saturation-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-saturation-reset-saturated-shape-probe-check.ps1, scripts/baremetal-qemu-allocator-saturation-reset-last-record-probe-check.ps1, scripts/baremetal-qemu-allocator-saturation-reset-post-reset-baseline-probe-check.ps1, and scripts/baremetal-qemu-allocator-saturation-reset-fresh-restart-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad allocator saturation-reset PVH/QEMU lane but fail directly on the final mailbox baseline, saturated table shape, retained last-record metadata, post-reset allocator baseline, and fresh 2-page restart semantics).
[x] Added bare-metal optional QEMU allocator saturation reuse probe (scripts/baremetal-qemu-allocator-saturation-reuse-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (fill all 64 allocator records, prove the next allocation returns no_space, free allocator record slot 5, prove that slot becomes reusable while the table returns to full occupancy, and prove first-fit page search advances to pages 64-65 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator saturation reuse wrapper probes (scripts/baremetal-qemu-allocator-saturation-reuse-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-saturation-reuse-full-table-shape-probe-check.ps1, scripts/baremetal-qemu-allocator-saturation-reuse-no-space-preserve-probe-check.ps1, scripts/baremetal-qemu-allocator-saturation-reuse-freed-slot-state-probe-check.ps1, and scripts/baremetal-qemu-allocator-saturation-reuse-fresh-restart-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad allocator saturation-reuse PVH/QEMU lane but fail directly on the final mailbox baseline, saturated-table shape, preserved no-space metadata, freed-slot cleanup state, and the fresh two-page restart semantics).
[x] Added bare-metal optional QEMU allocator free-failure probe (scripts/baremetal-qemu-allocator-free-failure-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (prove wrong-pointer command_allocator_free returns result_not_found, wrong-size returns result_invalid_argument, successful free updates last_free_*, double-free returns result_not_found, and a fresh allocation still restarts from page 0 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator free-failure wrapper probes (scripts/baremetal-qemu-allocator-free-failure-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-free-failure-bad-pointer-preserve-probe-check.ps1, scripts/baremetal-qemu-allocator-free-failure-bad-size-preserve-probe-check.ps1, scripts/baremetal-qemu-allocator-free-failure-good-free-metadata-probe-check.ps1, and scripts/baremetal-qemu-allocator-free-failure-double-free-realloc-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad allocator free-failure QEMU probe but fail directly on the initial allocation baseline, wrong-pointer result_not_found preservation, wrong-size result_invalid_argument preservation, successful free metadata update, and double-free plus clean realloc restart boundaries).
[x] Added bare-metal optional QEMU task-resume timer-clear probe (scripts/baremetal-qemu-task-resume-timer-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_task_resume on a timer-backed wait cancels the armed timer entry, queues exactly one manual wake, prevents a later ghost timer wake after idle ticks, preserves timer quantum, and restarts fresh timer scheduling from the preserved next_timer_id over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU task-resume timer-clear wrapper probes (scripts/baremetal-qemu-task-resume-timer-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-task-resume-timer-clear-wait-clear-probe-check.ps1, scripts/baremetal-qemu-task-resume-timer-clear-canceled-entry-preserve-probe-check.ps1, scripts/baremetal-qemu-task-resume-timer-clear-manual-wake-payload-probe-check.ps1, and scripts/baremetal-qemu-task-resume-timer-clear-rearm-telemetry-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and deeper wait-clear/manual-wake output in scripts/baremetal-qemu-task-resume-timer-clear-probe-check.ps1 (they reuse the broad timer-backed resume lane but fail directly on the pre-resume waiting baseline, cleared wait-kind/timeout state, preserved canceled-slot metadata, exact manual wake payload, and final no-stale-timer plus rearm/telemetry invariants).
[x] Added bare-metal optional QEMU task-terminate mixed-state wrapper probes (scripts/baremetal-qemu-task-terminate-mixed-state-baseline-probe-check.ps1, scripts/baremetal-qemu-task-terminate-mixed-state-target-clear-probe-check.ps1, scripts/baremetal-qemu-task-terminate-mixed-state-survivor-wake-probe-check.ps1, scripts/baremetal-qemu-task-terminate-mixed-state-wait-clear-probe-check.ps1, and scripts/baremetal-qemu-task-terminate-mixed-state-idle-stability-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and deeper mixed-state receipts in scripts/baremetal-qemu-task-terminate-mixed-state-probe-check.ps1 (they reuse the broad mixed terminate lane but fail directly on the pre-terminate wrapped baseline, immediate target-clear collapse, survivor wake preservation, explicit wait-kind/timeout clearing, and settled idle no-stale-dispatch plus preserved quantum/next-timer invariants).
[x] Deepened bare-metal optional QEMU allocator/syscall probe with real reset recovery proof (scripts/baremetal-qemu-allocator-syscall-probe-check.ps1) and added host regression coverage in src/baremetal_main.zig so both the host suite and the live PVH run now prove dirty allocator/syscall state is cleared by command_allocator_reset and command_syscall_reset after real alloc/register/invoke activity.
[x] Added bare-metal optional QEMU allocator/syscall wrapper probes (scripts/baremetal-qemu-allocator-syscall-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-alloc-stage-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-invoke-stage-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-guard-stage-probe-check.ps1, and scripts/baremetal-qemu-allocator-syscall-final-reset-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad allocator/syscall QEMU probe but fail directly on the final mailbox baseline, allocation-stage page/bitmap state, invoke-stage dispatch/result state, blocked/disabled/re-enabled guard semantics, and final reset allocator/syscall baseline).
[x] Added bare-metal optional QEMU allocator/syscall reset probe (scripts/baremetal-qemu-allocator-syscall-reset-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (dirty allocator alloc plus syscall register/invoke state, then dedicated command_allocator_reset + command_syscall_reset proof showing both subsystems collapse independently back to steady baseline and a final missing-entry invoke returns result_not_found over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator/syscall reset wrapper probes (scripts/baremetal-qemu-allocator-syscall-reset-dirty-allocator-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-reset-dirty-syscall-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-reset-post-reset-allocator-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-reset-post-reset-syscall-baseline-probe-check.ps1, and scripts/baremetal-qemu-allocator-syscall-reset-missing-entry-after-reset-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad allocator/syscall reset QEMU probe but fail directly on the narrow dirty-allocator snapshot, dirty-syscall snapshot, post-reset allocator baseline, post-reset syscall baseline, and final missing-entry invoke receipt boundaries).
[x] Added bare-metal optional QEMU syscall control probe (scripts/baremetal-qemu-syscall-control-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (isolated syscall mutation lane proof for re-register, blocked/disabled invoke, successful invoke, unregister, and missing-entry set_flags/unregister semantics over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU allocator/syscall failure probe (scripts/baremetal-qemu-allocator-syscall-failure-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (allocator invalid-alignment/no-space plus blocked/disabled syscall result semantics and command-result counter evidence over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU command-result counters probe (scripts/baremetal-qemu-command-result-counters-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live mailbox result-bucket accumulation plus command_reset_command_result_counters reset proof over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU reset counters probe (scripts/baremetal-qemu-reset-counters-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_reset_counters proof over dirty interrupt, exception, scheduler, allocator, syscall, timer, wake-queue, mode, boot-phase, command-history, and health-history state on the PVH freestanding artifact).
[x] Deepened bare-metal reset/control isolation coverage in src/baremetal_main.zig and the existing live QEMU probes without increasing workflow fan-out:
added host regressions for command_clear_command_history, command_clear_health_history, command_reset_command_result_counters, command_reset_boot_diagnostics, command_capture_stack_pointer, and command_reset_counters preservation of feature_flags + tick_batch_hint.
scripts/baremetal-qemu-command-result-counters-probe-check.ps1 now proves command_reset_command_result_counters preserves mode=running and last_health_code=200 while collapsing counters back to the single reset receipt.
scripts/baremetal-qemu-bootdiag-history-clear-probe-check.ps1 now proves command_reset_boot_diagnostics preserves boot-phase history depth, command_clear_command_history does not reset health history, and command_clear_health_history does not reset command history.
scripts/baremetal-qemu-reset-counters-probe-check.ps1 now proves command_reset_counters preserves configured feature_flags=0xA55AA55A and tick_batch_hint=4, with the post-reset tick advancing by the preserved batch size over the PVH freestanding artifact.
[x] Promoted bare-metal reset-preservation wrappers to first-class QEMU gates in zig-ci + release-preview:
scripts/baremetal-qemu-reset-counters-preserve-config-probe-check.ps1 reuses the live reset-counters probe and fails unless the post-reset runtime still carries feature_flags=0xA55AA55A, tick_batch_hint=4, and the single reset command-result receipt.
scripts/baremetal-qemu-reset-bootdiag-preserve-state-probe-check.ps1 reuses the live bootdiag/history-clear probe and fails unless command_reset_boot_diagnostics preserves runtime mode plus existing command/boot history state while resetting the diagnostics struct.
scripts/baremetal-qemu-clear-command-history-preserve-health-probe-check.ps1 reuses the live bootdiag/history-clear probe and fails unless command_clear_command_history collapses only command history while preserving health history depth.
scripts/baremetal-qemu-clear-health-history-preserve-command-probe-check.ps1 reuses the live bootdiag/history-clear probe and fails unless command_clear_health_history collapses only health history while preserving command history depth.
scripts/baremetal-qemu-reset-command-result-preserve-runtime-probe-check.ps1 reuses the live command-result counters probe and fails unless command_reset_command_result_counters preserves mode=running, last_health_code=200, and the reset receipt shape.
[x] Promoted bare-metal reset-counters wrapper probes to first-class QEMU gates in zig-ci + release-preview:
scripts/baremetal-qemu-reset-counters-baseline-probe-check.ps1 reuses the live reset-counters probe and fails unless the final mailbox/status envelope lands on the reset receipt (POST_ACK=13, POST_LAST_OPCODE=3, POST_LAST_RESULT=0, POST_TICKS=4, POST_MODE=1).
scripts/baremetal-qemu-reset-counters-vector-reset-probe-check.ps1 fails unless interrupt/exception aggregates, history lengths, and per-vector counters collapse to zero after command_reset_counters.
scripts/baremetal-qemu-reset-counters-history-reset-probe-check.ps1 fails unless command/health history collapse to the single reset receipt and mode/boot history depths collapse to zero.
scripts/baremetal-qemu-reset-counters-subsystem-reset-probe-check.ps1 fails unless scheduler, allocator, syscall, timer, and wake-queue state all return to their steady baseline while timer quantum returns to 1.
scripts/baremetal-qemu-reset-counters-command-result-probe-check.ps1 fails unless the command-result counters collapse to the single reset ok receipt shape after the full runtime reset.
[x] Added bare-metal optional QEMU command-result counter wrapper probes (scripts/baremetal-qemu-command-result-counters-baseline-probe-check.ps1, scripts/baremetal-qemu-command-result-counters-ok-bucket-probe-check.ps1, scripts/baremetal-qemu-command-result-counters-invalid-bucket-probe-check.ps1, scripts/baremetal-qemu-command-result-counters-not-supported-bucket-probe-check.ps1, and scripts/baremetal-qemu-command-result-counters-other-error-bucket-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad command-result counters PVH/QEMU lane but fail directly on the pre-reset status/counter envelope and each mailbox result bucket instead of only through the mixed broad probe).
[x] Promoted bare-metal interrupt/exception reset-isolation wrappers to first-class QEMU gates in zig-ci + release-preview:
scripts/baremetal-qemu-reset-interrupt-counters-preserve-history-probe-check.ps1 reuses the live vector-history-clear probe and fails unless command_reset_interrupt_counters zeroes interrupt aggregates while preserving interrupt history depth, exception aggregate count, and retained vector-200 telemetry.
scripts/baremetal-qemu-reset-exception-counters-preserve-history-probe-check.ps1 reuses the live vector-history-clear probe and fails unless command_reset_exception_counters zeroes exception aggregates while preserving exception history depth, interrupt history depth, and retained exception-vector 13 telemetry.
scripts/baremetal-qemu-clear-interrupt-history-preserve-exception-probe-check.ps1 reuses the live vector-history-clear probe and fails unless command_clear_interrupt_history collapses only interrupt history/overflow while preserving sibling exception-history depth.
scripts/baremetal-qemu-reset-vector-counters-preserve-aggregate-probe-check.ps1 reuses the live vector-counter-reset probe and fails unless command_reset_vector_counters preserves aggregate interrupt/exception totals while the per-vector tables zero.
scripts/baremetal-qemu-reset-vector-counters-preserve-last-vector-probe-check.ps1 reuses the live vector-counter-reset probe and fails unless command_reset_vector_counters preserves the last interrupt vector, last exception vector, and last exception code while the per-vector tables zero.
[x] build.zig now includes the host-run src/baremetal_main.zig suite in the default zig build test step, and the surfaced wake-queue assertion drift was corrected so the standard test gate covers hosted + bare-metal unit suites together.
[x] Added bare-metal optional QEMU command-health history probe (scripts/baremetal-qemu-command-health-history-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (repeated command_set_health_code mailbox execution, command history overflow, health history overflow, and retained oldest/newest payload evidence over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU command-health history wrapper probes (scripts/baremetal-qemu-command-health-history-baseline-probe-check.ps1, scripts/baremetal-qemu-command-health-history-command-shape-probe-check.ps1, scripts/baremetal-qemu-command-health-history-command-payloads-probe-check.ps1, scripts/baremetal-qemu-command-health-history-health-shape-probe-check.ps1, and scripts/baremetal-qemu-command-health-history-health-payloads-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad command/health-history PVH/QEMU lane but fail directly on the final mailbox baseline, command-ring shape, command oldest/newest payloads, health-ring shape, and health oldest/newest payloads instead of only through the mixed broad probe).
[x] Added bare-metal optional QEMU command-history overflow clear probe (scripts/baremetal-qemu-command-history-overflow-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (combined overflow, clear, and restart proof for the command-history ring, validating retained seq 4 -> 35, single-receipt clear collapse, and clean restart semantics without disturbing health-history overflow state over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU command-history overflow clear wrapper probes (scripts/baremetal-qemu-command-history-overflow-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-command-history-overflow-clear-overflow-window-probe-check.ps1, scripts/baremetal-qemu-command-history-overflow-clear-overflow-payloads-probe-check.ps1, scripts/baremetal-qemu-command-history-overflow-clear-clear-event-probe-check.ps1, and scripts/baremetal-qemu-command-history-overflow-clear-restart-event-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and the underlying broad probes (they reuse the command-history overflow-clear PVH/QEMU lane but fail directly on the broad-lane baseline, overflow-window shape, oldest/newest overflow payloads, clear-event collapse plus preserved health-history length, and post-clear restart-event payloads instead of only through the mixed overflow-clear probe).
[x] Added bare-metal optional QEMU health-history overflow clear probe (scripts/baremetal-qemu-health-history-overflow-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (combined overflow, clear, and restart proof for the health-history ring, validating retained seq 8 -> 71, single-receipt clear collapse at seq 1, and clean restart semantics without disturbing command-history overflow state over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU health-history overflow clear wrapper probes (scripts/baremetal-qemu-health-history-overflow-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-health-history-overflow-clear-overflow-window-probe-check.ps1, scripts/baremetal-qemu-health-history-overflow-clear-overflow-payloads-probe-check.ps1, scripts/baremetal-qemu-health-history-overflow-clear-clear-event-probe-check.ps1, and scripts/baremetal-qemu-health-history-overflow-clear-command-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and the underlying broad probes (they reuse the health-history overflow-clear PVH/QEMU lane but fail directly on the broad-lane baseline, overflow-window shape, retained oldest/newest health payloads plus trailing ack telemetry, clear-event collapse, and preserved command-history tail state instead of only through the mixed overflow-clear probe).
[x] Added bare-metal optional QEMU mode/boot-phase history probe (scripts/baremetal-qemu-mode-boot-phase-history-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command/runtime/panic reason ordering plus post-clear saturation of the 64-entry mode-history and boot-phase-history rings over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU mode/boot-phase history wrapper probes (scripts/baremetal-qemu-mode-boot-phase-history-baseline-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-history-mode-semantics-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-history-boot-semantics-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-history-mode-overflow-window-probe-check.ps1, and scripts/baremetal-qemu-mode-boot-phase-history-boot-overflow-window-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig so the hosted regressions now also assert retained head-index and post-clear command-reason restart semantics for both rings.
[x] Added bare-metal optional QEMU mode/boot-phase setter probe (scripts/baremetal-qemu-mode-boot-phase-setter-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (direct command_set_boot_phase / command_set_mode proof over the PVH freestanding artifact, covering same-value idempotence, invalid boot-phase 99 and invalid mode 77 rejection without state/history clobbering, and direct mode_panicked / mode_running transitions without panic-counter or boot-phase side effects).
[x] Added bare-metal optional QEMU mode/boot-phase setter wrapper probes (scripts/baremetal-qemu-mode-boot-phase-setter-baseline-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-setter-boot-noop-invalid-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-setter-mode-invalid-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-setter-mode-history-probe-check.ps1, and scripts/baremetal-qemu-mode-boot-phase-setter-boot-history-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig so the hosted setter regression now also asserts explicit last-command opcode stability across the no-op, invalid, and transition stages.
[x] Added bare-metal optional QEMU allocator/syscall failure wrapper probes (scripts/baremetal-qemu-allocator-syscall-failure-baseline-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-failure-invalid-align-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-failure-no-space-probe-check.ps1, scripts/baremetal-qemu-allocator-syscall-failure-blocked-probe-check.ps1, and scripts/baremetal-qemu-allocator-syscall-failure-final-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig so the hosted regression now also asserts allocator failure-state preservation, blocked invoke preservation, and final command-result bucket counts locally.
[x] Added bare-metal optional QEMU mode/boot-phase history clear probe (scripts/baremetal-qemu-mode-boot-phase-history-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (dedicated mailbox proof that command_clear_mode_history and command_clear_boot_phase_history independently reset len/head/overflow/seq and restart both histories at seq=1 on the next live transitions over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU mode/boot-phase history clear wrapper probes (scripts/baremetal-qemu-mode-boot-phase-history-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-history-clear-pre-semantics-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-history-clear-mode-collapse-preserve-boot-probe-check.ps1, scripts/baremetal-qemu-mode-boot-phase-history-clear-boot-collapse-probe-check.ps1, and scripts/baremetal-qemu-mode-boot-phase-history-clear-restart-semantics-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig so the hosted regression now also asserts that clearing the mode ring preserves the live boot-history panic entry until its own clear and that both rings restart with the expected command/runtime ordering after the dual-clear sequence.
[x] Added bare-metal optional QEMU mode-history overflow clear probe (scripts/baremetal-qemu-mode-history-overflow-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (combined overflow, clear, and restart proof for the mode-history ring, validating retained seq 3 -> 66, dedicated clear collapse, and seq=1 restart semantics while the boot-phase ring stays intact until its own clear over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU mode-history overflow clear wrapper probes (scripts/baremetal-qemu-mode-history-overflow-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-mode-history-overflow-clear-overflow-window-probe-check.ps1, scripts/baremetal-qemu-mode-history-overflow-clear-overflow-payloads-probe-check.ps1, scripts/baremetal-qemu-mode-history-overflow-clear-clear-collapse-probe-check.ps1, and scripts/baremetal-qemu-mode-history-overflow-clear-restart-event-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig so the hosted regression now also asserts wrapped newest-event payloads and explicit post-clear restart ordering for the mode-history ring.
[x] Added bare-metal optional QEMU boot-phase-history overflow clear probe (scripts/baremetal-qemu-boot-phase-history-overflow-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (combined overflow, clear, and restart proof for the boot-phase-history ring, validating retained seq 3 -> 66, dedicated clear collapse, and seq=1 restart semantics while the mode ring stays intact until its own clear over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU boot-phase-history overflow clear wrapper probes (scripts/baremetal-qemu-boot-phase-history-overflow-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-boot-phase-history-overflow-clear-overflow-window-probe-check.ps1, scripts/baremetal-qemu-boot-phase-history-overflow-clear-overflow-payloads-probe-check.ps1, scripts/baremetal-qemu-boot-phase-history-overflow-clear-clear-collapse-probe-check.ps1, and scripts/baremetal-qemu-boot-phase-history-overflow-clear-restart-event-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, while tightening src/baremetal_main.zig plus the broad overflow-clear probe so the hosted and QEMU checks now also assert wrapped newest-event boot payloads, dedicated clear collapse with preserved mode-history length, and explicit post-clear restart ordering for the boot-phase-history ring.
[x] Added bare-metal optional QEMU task lifecycle probe (scripts/baremetal-qemu-task-lifecycle-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live task_wait, command_scheduler_wake_task, command_task_resume, and command_task_terminate control semantics plus post-terminate rejected manual wake over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU task-lifecycle wrapper probes (scripts/baremetal-qemu-task-lifecycle-wait1-baseline-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-wake1-manual-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-wait2-baseline-probe-check.ps1, scripts/baremetal-qemu-task-lifecycle-wake2-manual-probe-check.ps1, and scripts/baremetal-qemu-task-lifecycle-terminate-rejected-wake-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad task-lifecycle QEMU probe but fail directly on the narrow boundaries for the first wait baseline, first manual wake delivery, second wait baseline, second manual wake delivery after command_task_resume, and final terminate plus rejected-wake telemetry once queue entries for the terminated task have been purged over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU active-task terminate probe (scripts/baremetal-qemu-active-task-terminate-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_task_terminate against the currently running high-priority task, immediate failover to the remaining ready task, idempotent repeat-terminate semantics, and final empty-run collapse over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU active-task terminate wrapper probes (scripts/baremetal-qemu-active-task-terminate-baseline-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-failover-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-repeat-idempotent-probe-check.ps1, scripts/baremetal-qemu-active-task-terminate-survivor-progress-probe-check.ps1, and scripts/baremetal-qemu-active-task-terminate-final-collapse-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad active-task terminate QEMU probe but fail directly on the narrow boundaries for pre-terminate active baseline state, immediate failover after the first terminate, repeat-idempotent terminate receipt, survivor low-task progress after the repeat terminate, and final empty-run collapse telemetry over the PVH freestanding artifact).
[x] Restored the bare-metal task-terminate mixed-state workflow gate on current runtime semantics (scripts/baremetal-qemu-task-terminate-mixed-state-probe-check.ps1) after aligning it with timer-cancel-on-manual-wake behavior, while keeping the narrower direct recovery probes (scripts/baremetal-qemu-task-terminate-interrupt-timeout-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-probe-check.ps1, and scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-probe-check.ps1) in the active CI baseline.
[x] Added bare-metal optional QEMU wake-queue reason-pop probe (scripts/baremetal-qemu-wake-queue-reason-pop-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host coverage already present in src/baremetal_main.zig (live dedicated command_wake_queue_pop_reason control on a four-entry mixed queue, proving FIFO removal of only the matching interrupt wakes and invalid-reason rejection without vector/overflow setup noise).
[x] Added bare-metal optional QEMU wake-queue reason-pop wrapper probes (scripts/baremetal-qemu-wake-queue-reason-pop-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-pop-first-match-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-pop-survivor-order-probe-check.ps1, scripts/baremetal-qemu-wake-queue-reason-pop-invalid-reason-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-reason-pop-invalid-preserve-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig and deeper stage receipts in scripts/baremetal-qemu-wake-queue-reason-pop-probe-check.ps1 (they reuse the broad dedicated mixed-queue lane but fail directly on baseline composition, first matching-pop survivor order, final manual-only survivor order, invalid-reason rejection, and invalid-reason state preservation).
[x] Added bare-metal optional QEMU wake-queue vector-pop wrapper probes (scripts/baremetal-qemu-wake-queue-vector-pop-baseline-probe-check.ps1, scripts/baremetal-qemu-wake-queue-vector-pop-first-match-probe-check.ps1, scripts/baremetal-qemu-wake-queue-vector-pop-survivor-order-probe-check.ps1, scripts/baremetal-qemu-wake-queue-vector-pop-invalid-vector-probe-check.ps1, and scripts/baremetal-qemu-wake-queue-vector-pop-invalid-preserve-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression tightening in src/baremetal_main.zig and deeper stage receipts in scripts/baremetal-qemu-wake-queue-vector-pop-probe-check.ps1 (they reuse the broad dedicated mixed-queue lane but fail directly on baseline composition, first matching-vector survivor order, final manual-plus-31 survivor order, invalid-vector rejection, and invalid-vector state preservation).
[x] Added bare-metal optional QEMU wake-queue before-tick probe (scripts/baremetal-qemu-wake-queue-before-tick-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host coverage already present in src/baremetal_main.zig (live dedicated command_wake_queue_pop_before_tick control on a four-entry mixed queue, proving single oldest stale removal, bounded deadline-window drain, and final result_not_found without overflow setup noise).
[x] Added bare-metal optional QEMU task-terminate interrupt-timeout probe (scripts/baremetal-qemu-task-terminate-interrupt-timeout-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_task_terminate on a timeout-backed interrupt waiter, clearing the timeout and wait state back to steady baseline, leaving queued wake/timer state empty, and preventing later ghost interrupt or timeout wake delivery over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU task-terminate interrupt-timeout wrapper probes (scripts/baremetal-qemu-task-terminate-interrupt-timeout-baseline-probe-check.ps1, scripts/baremetal-qemu-task-terminate-interrupt-timeout-target-clear-probe-check.ps1, scripts/baremetal-qemu-task-terminate-interrupt-timeout-interrupt-telemetry-probe-check.ps1, scripts/baremetal-qemu-task-terminate-interrupt-timeout-no-stale-timeout-probe-check.ps1, and scripts/baremetal-qemu-task-terminate-interrupt-timeout-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and deeper PRE_* / POST_* receipts in scripts/baremetal-qemu-task-terminate-interrupt-timeout-probe-check.ps1 (they reuse the broad timeout-backed terminate lane but fail directly on the armed baseline, immediate target-clear collapse, preserved interrupt telemetry after the follow-up interrupt, settled no-stale-timeout invariants after slack ticks, and final mailbox plus budget state over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU panic-recovery probe (scripts/baremetal-qemu-panic-recovery-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_trigger_panic_flag under active scheduler load, proving panic freezes dispatch/budget burn, command_set_mode(mode_running) resumes the same task immediately, and command_set_boot_phase(runtime) restores boot diagnostics over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU panic-recovery wrapper probes (scripts/baremetal-qemu-panic-recovery-baseline-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-freeze-state-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-idle-preserve-probe-check.ps1, scripts/baremetal-qemu-panic-recovery-mode-recovery-probe-check.ps1, and scripts/baremetal-qemu-panic-recovery-final-task-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad panic-recovery QEMU probe but fail directly on the narrow boundaries for pre-panic baseline state, panic freeze-state, idle panic preservation, mode-recovery resume semantics, and final recovered task-state telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU panic-wake recovery probe (scripts/baremetal-qemu-panic-wake-recovery-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_trigger_panic_flag with preserved interrupt + timer wake delivery, proving panic holds scheduler dispatch at 0 while both waiters become ready, then command_set_mode(mode_running) and command_set_boot_phase(runtime) resume the preserved ready queue in order over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU panic-wake recovery wrapper probes (scripts/baremetal-qemu-panic-wake-recovery-baseline-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-freeze-state-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-preserved-wakes-probe-check.ps1, scripts/baremetal-qemu-panic-wake-recovery-mode-recovery-probe-check.ps1, and scripts/baremetal-qemu-panic-wake-recovery-final-task-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad panic-wake recovery QEMU probe but fail directly on the narrow boundaries for pre-panic waiting baseline, panic freeze-state, preserved interrupt+timer wake queue delivery, mode-recovery dispatch resume, and final recovered task-state telemetry over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-filter probe (scripts/baremetal-qemu-interrupt-filter-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_task_wait_interrupt any-vector wake, vector-specific non-match filtering, matching-vector wake, and invalid-vector rejection over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-filter wrapper probes (scripts/baremetal-qemu-interrupt-filter-any-baseline-probe-check.ps1, scripts/baremetal-qemu-interrupt-filter-any-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-filter-vector-blocked-nonmatch-probe-check.ps1, scripts/baremetal-qemu-interrupt-filter-vector-match-wake-payload-probe-check.ps1, and scripts/baremetal-qemu-interrupt-filter-invalid-vector-preserve-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and deeper stage receipts in the broad QEMU probe (they reuse the broad interrupt-filter lane but fail directly on the interrupt-any waiting baseline, exact any-wake payload, blocked vector-scoped nonmatch state, exact matching-vector wake payload, and invalid-vector preserved mailbox/wake invariants over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU timer-disable interrupt probe (scripts/baremetal-qemu-timer-disable-interrupt-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_timer_disable suppression of timer dispatch while command_trigger_interrupt still wakes an interrupt waiter, followed by deferred timer wake delivery after command_timer_enable, over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU manual-wait interrupt probe (scripts/baremetal-qemu-manual-wait-interrupt-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_task_wait isolation under interrupt 44, plus explicit recovery through command_scheduler_wake_task, over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU manual-wait interrupt wrapper probes (scripts/baremetal-qemu-manual-wait-interrupt-baseline-probe-check.ps1, scripts/baremetal-qemu-manual-wait-interrupt-wait-preserve-probe-check.ps1, scripts/baremetal-qemu-manual-wait-interrupt-interrupt-no-wake-probe-check.ps1, scripts/baremetal-qemu-manual-wait-interrupt-manual-wake-payload-probe-check.ps1, and scripts/baremetal-qemu-manual-wait-interrupt-final-telemetry-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad manual-wait interrupt QEMU probe but fail directly on the one-task waiting baseline, preserved manual wait-kind before the interrupt, blocked post-interrupt state with empty wake queue, exact manual wake payload, and final interrupt/mailbox invariants after explicit command_scheduler_wake_task recovery).
[x] Added bare-metal optional QEMU interrupt-timeout manual-wake probe (scripts/baremetal-qemu-interrupt-timeout-manual-wake-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_task_wait_interrupt_for + command_scheduler_wake_task proof, clearing the pending timeout/wait state to none, queueing exactly one manual wake, and proving no delayed timer wake appears over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-timeout manual-wake wrapper probes (scripts/baremetal-qemu-interrupt-timeout-manual-wake-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-manual-wake-queue-delivery-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-manual-wake-wait-clear-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-manual-wake-no-stale-timer-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-manual-wake-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad interrupt-timeout manual-wake QEMU probe but fail directly on preserved pre-wake interrupt-timeout arm state, single manual wake-queue delivery, cleared wait-kind/vector/timeout state after command_scheduler_wake_task, no stale timer wake after additional slack ticks, and preserved zero-interrupt plus last-wake telemetry through the full recovery path).
[x] Added bare-metal optional QEMU interrupt-timeout interrupt-wins wrapper probes (scripts/baremetal-qemu-interrupt-timeout-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-interrupt-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-wait-clear-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-no-stale-timer-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad interrupt-timeout QEMU probe but fail directly on preserved pre-interrupt armed timeout state, exact interrupt wake payload semantics, cleared wait-kind/vector/timeout state after the interrupt wake, no stale timer wake after additional slack ticks, and preserved interrupt plus last-wake telemetry through the full interrupt-first recovery path).
[x] Added bare-metal optional QEMU task-resume interrupt-timeout probe (scripts/baremetal-qemu-task-resume-interrupt-timeout-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_task_resume on an interrupt-timeout waiter, clearing the pending timeout/wait state to none, queueing exactly one manual wake, proving no delayed timer wake appears after additional slack ticks, and leaving the timer subsystem at next_timer_id=1 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU task-resume interrupt probe (scripts/baremetal-qemu-task-resume-interrupt-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_task_resume on a pure command_task_wait_interrupt waiter, clearing the interrupt wait state back to none, queueing exactly one manual wake, proving a later interrupt only advances telemetry without adding a second wake, and leaving the timer subsystem idle at next_timer_id=1 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt manual-wake probe (scripts/baremetal-qemu-interrupt-manual-wake-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_scheduler_wake_task on a pure command_task_wait_interrupt waiter, clearing the interrupt wait state back to none, queueing exactly one manual wake, proving a later interrupt only advances telemetry without adding a second wake, and keeping timer state idle over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt manual-wake wrapper probes (scripts/baremetal-qemu-interrupt-manual-wake-baseline-probe-check.ps1, scripts/baremetal-qemu-interrupt-manual-wake-wait-clear-probe-check.ps1, scripts/baremetal-qemu-interrupt-manual-wake-manual-wake-payload-probe-check.ps1, scripts/baremetal-qemu-interrupt-manual-wake-no-second-wake-probe-check.ps1, and scripts/baremetal-qemu-interrupt-manual-wake-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad interrupt manual-wake QEMU probe but fail directly on ready-task baseline, cleared wait-kind/vector/timeout state after command_scheduler_wake_task, exact manual wake payload semantics, preserved single-wake state after the later real interrupt, and final mailbox plus timer/interrupt telemetry invariants).
[x] Added bare-metal optional QEMU scheduler-wake timer-clear probe (scripts/baremetal-qemu-scheduler-wake-timer-clear-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_scheduler_wake_task on a pure timer waiter, clearing the armed timer entry, queueing exactly one manual wake, preventing a later ghost timer wake after idle ticks, and preserving fresh timer scheduling from the current next_timer_id over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU scheduler-wake timer-clear wrapper probes (scripts/baremetal-qemu-scheduler-wake-timer-clear-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-wait-clear-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-canceled-entry-preserve-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-manual-wake-probe-check.ps1, and scripts/baremetal-qemu-scheduler-wake-timer-clear-rearm-telemetry-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad scheduler-wake timer-clear QEMU probe but fail directly on the armed timer baseline, cleared wait/timer state after command_scheduler_wake_task, preserved canceled timer-entry state, exact manual wake payload, and final rearm/dispatch telemetry invariants).
[x] Added bare-metal optional QEMU masked interrupt timeout probe (scripts/baremetal-qemu-masked-interrupt-timeout-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs (live command_interrupt_mask_apply_profile(external_all) suppression of vector 200, preserved interrupt-wait state with no wake-queue entry and zero interrupt telemetry, and timeout fallthrough to reason=timer, vector=0, over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU masked interrupt timeout wrapper probes (scripts/baremetal-qemu-masked-interrupt-timeout-mask-preserve-probe-check.ps1, scripts/baremetal-qemu-masked-interrupt-timeout-no-wake-probe-check.ps1, scripts/baremetal-qemu-masked-interrupt-timeout-wait-preserve-probe-check.ps1, scripts/baremetal-qemu-masked-interrupt-timeout-timer-fallback-probe-check.ps1, and scripts/baremetal-qemu-masked-interrupt-timeout-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad masked interrupt-timeout QEMU probe but fail directly on preserved external_all mask profile and masked-vector telemetry, zero-wake behavior under the masked interrupt, preserved armed wait/deadline state, timer-only fallback wake semantics, and preserved zero-interrupt telemetry through the timeout wake).
[x] Added bare-metal optional QEMU timer-disable reenable probe (scripts/baremetal-qemu-timer-disable-reenable-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live pure one-shot timer wait across command_timer_disable and command_timer_enable, proving the waiter survives idle time past the original deadline, wakes exactly once after re-enable, and records a single reason=timer wake over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-timeout disable-enable probe (scripts/baremetal-qemu-interrupt-timeout-disable-enable-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_task_wait_interrupt_for across command_timer_disable and command_timer_enable, proving the timeout arm survives the disabled window, no wake is emitted while timers stay disabled, and the overdue timer wake lands exactly once after re-enable with reason=timer, vector=0 over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-timeout disable-enable wrapper probes (scripts/baremetal-qemu-interrupt-timeout-disable-enable-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-enable-deadline-hold-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-enable-paused-window-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-enable-deferred-timer-wake-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-disable-enable-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs. They reuse the broad interrupt-timeout disable-enable QEMU probe but fail directly on the narrow boundaries for immediate timeout-arm preservation after disable, continued waiting past the original deadline while timers stay disabled, paused-window zero-wake stability, deferred timer-only wake after command_timer_enable, and preserved zero-interrupt telemetry on the later timer wake..
[x] Added bare-metal optional QEMU interrupt-timeout disable-interrupt probe (scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs, plus matching host regression coverage in src/baremetal_main.zig (live command_task_wait_interrupt_for across command_timer_disable with a real interrupt arriving while timers are disabled, proving the waiter wakes immediately on the interrupt path, the timeout arm is cleared, and re-enabling timers later does not leak a stale timer wake over the PVH freestanding artifact).
[x] Added bare-metal optional QEMU interrupt-timeout disable-interrupt wrapper probes (scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-immediate-wake-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-timeout-clear-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-disabled-state-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-reenable-no-stale-timer-probe-check.ps1, and scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig (they reuse the broad interrupt-timeout disable-interrupt QEMU probe but fail directly on the narrow boundaries for immediate interrupt wake while timers remain disabled, cleared timeout/wait-vector state, preserved disabled timer state after the wake, no stale timer wake after command_timer_enable, and preserved interrupt/last-wake telemetry across the later settle window).
[x] Added bare-metal optional QEMU timer-disable interrupt wrapper probes (scripts/baremetal-qemu-timer-disable-interrupt-immediate-wake-probe-check.ps1, scripts/baremetal-qemu-timer-disable-interrupt-arm-preservation-probe-check.ps1, scripts/baremetal-qemu-timer-disable-interrupt-paused-window-probe-check.ps1, scripts/baremetal-qemu-timer-disable-interrupt-deferred-timer-wake-probe-check.ps1, and scripts/baremetal-qemu-timer-disable-interrupt-telemetry-preserve-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host regression strengthening in src/baremetal_main.zig (they reuse the broad timer-disable interrupt QEMU probe but fail directly on the narrow boundaries for immediate interrupt wake, preserved armed timer state immediately after the interrupt, stable paused disabled-window state, deferred one-shot timer wake only after command_timer_enable, and preserved interrupt telemetry on the later timer wake).
[x] Added bare-metal optional QEMU timer-recovery wrapper probes (scripts/baremetal-qemu-timer-disable-paused-state-probe-check.ps1, scripts/baremetal-qemu-timer-disable-reenable-oneshot-recovery-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-reenable-timer-probe-check.ps1, scripts/baremetal-qemu-interrupt-timeout-disable-interrupt-recovery-probe-check.ps1, and scripts/baremetal-qemu-timer-reset-wait-kind-isolation-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad timer-disable and timer-reset QEMU probes but fail directly on the narrow recovery boundaries for paused disabled-state stability, pure one-shot re-enable recovery, timeout-backed timer-only re-enable recovery, timeout-backed direct interrupt recovery while timers are disabled, and timer-reset wait-kind isolation).
[x] Added bare-metal optional QEMU timer-reset-recovery wrapper probes (scripts/baremetal-qemu-timer-reset-recovery-baseline-probe-check.ps1, scripts/baremetal-qemu-timer-reset-recovery-post-reset-collapse-probe-check.ps1, scripts/baremetal-qemu-timer-reset-recovery-wait-isolation-probe-check.ps1, scripts/baremetal-qemu-timer-reset-recovery-manual-wake-payload-probe-check.ps1, and scripts/baremetal-qemu-timer-reset-recovery-interrupt-rearm-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs, plus matching host-regression strengthening in src/baremetal_main.zig and deeper pre/post stage receipts in scripts/baremetal-qemu-timer-reset-recovery-probe-check.ps1 (they reuse the broad timer-reset lane but fail directly on the dirty armed baseline, immediate post-reset timer collapse, preserved manual+interrupt wait isolation after reset, exact manual wake payload semantics, and final interrupt wake plus rearm telemetry).
[x] Added bare-metal optional QEMU timer/scheduler reset wrapper probes (scripts/baremetal-qemu-timer-reset-pure-wait-recovery-probe-check.ps1, scripts/baremetal-qemu-timer-reset-timeout-interrupt-recovery-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-wake-clear-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-timer-clear-probe-check.ps1, and scripts/baremetal-qemu-scheduler-reset-config-preservation-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad timer-reset and scheduler-reset mixed-state QEMU probes but fail directly on the narrow recovery boundaries for pure timer manual-wake recovery, timeout-backed interrupt recovery after timer reset, queued wake cleanup on scheduler reset, stale pending timer bookkeeping cleanup on scheduler reset, and timer quantum/next_timer_id preservation across scheduler reset).
[x] Added bare-metal optional QEMU scheduler reset wrapper probes (scripts/baremetal-qemu-scheduler-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-collapse-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-id-restart-probe-check.ps1, scripts/baremetal-qemu-scheduler-reset-defaults-preserve-probe-check.ps1, and scripts/baremetal-qemu-scheduler-reset-final-task-state-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad scheduler-reset QEMU probe but fail directly on the narrow boundaries for dirty active pre-reset baseline, immediate reset collapse to defaults, task-ID restart at 1, restored timeslice/default-budget state, and final resumed task-state telemetry after the post-reset re-enable path).
[x] Added bare-metal optional QEMU syscall-wrapper probes (scripts/baremetal-qemu-syscall-reregister-preserve-count-probe-check.ps1, scripts/baremetal-qemu-syscall-blocked-invoke-preserve-state-probe-check.ps1, scripts/baremetal-qemu-syscall-disabled-invoke-preserve-state-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-overflow-preserve-full-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reuse-slot-probe-check.ps1, and scripts/baremetal-qemu-syscall-saturation-reset-restart-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad syscall QEMU probes but fail directly on the narrow re-register/no-growth, blocked-invoke, disabled-invoke, saturation-overflow full-table, reclaimed-slot reuse, and post-reset restart boundaries).
[x] Expanded the bare-metal optional QEMU syscall-control lane into a direct stage wrapper family (scripts/baremetal-qemu-syscall-control-baseline-probe-check.ps1, scripts/baremetal-qemu-syscall-control-register-stage-probe-check.ps1, scripts/baremetal-qemu-syscall-control-reregister-stage-probe-check.ps1, scripts/baremetal-qemu-syscall-control-blocked-state-probe-check.ps1, scripts/baremetal-qemu-syscall-control-enabled-invoke-stage-probe-check.ps1, scripts/baremetal-qemu-syscall-control-unregister-cleanup-stage-probe-check.ps1, and scripts/baremetal-qemu-syscall-control-final-state-probe-check.ps1) and wired it into zig-ci + release-preview so CI now fails directly on the register baseline, re-register token-update/no-growth, blocked invoke state, enabled invoke telemetry, unregister cleanup, and final steady-state invariants.
[x] Expanded the bare-metal optional QEMU syscall-saturation-reset lane into a full wrapper family (scripts/baremetal-qemu-syscall-saturation-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reset-pre-reset-shape-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reset-post-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reset-restart-probe-check.ps1, and scripts/baremetal-qemu-syscall-saturation-reset-fresh-invoke-probe-check.ps1) and wired it into zig-ci + release-preview so CI now fails directly on final mailbox baseline, dirty saturated pre-reset state, zero-entry post-reset baseline, slot-0 restart, and fresh invoke telemetry.
[x] Expanded the bare-metal optional QEMU syscall-saturation-reset lane into a full wrapper family (scripts/baremetal-qemu-syscall-saturation-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reset-pre-reset-shape-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reset-post-reset-baseline-probe-check.ps1, scripts/baremetal-qemu-syscall-saturation-reset-restart-probe-check.ps1, and scripts/baremetal-qemu-syscall-saturation-reset-fresh-invoke-probe-check.ps1) and wired it into zig-ci + release-preview so CI now fails directly on final mailbox baseline, dirty saturated pre-reset state, zero-entry post-reset baseline, slot-0 restart, and fresh invoke telemetry.
[x] Added bare-metal optional QEMU mixed task-recovery wrapper probes (scripts/baremetal-qemu-task-resume-interrupt-timeout-wait-clear-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-timeout-manual-wake-probe-check.ps1, scripts/baremetal-qemu-scheduler-wake-timer-clear-manual-wake-probe-check.ps1, scripts/baremetal-qemu-timer-cancel-task-interrupt-timeout-interrupt-recovery-probe-check.ps1, and scripts/baremetal-qemu-task-terminate-mixed-state-survivor-probe-check.ps1) and wired them into zig-ci + release-preview validate jobs (they reuse the broad mixed recovery probes but fail directly on the narrow boundaries for timeout-backed resume wait clearing, timeout-backed resume manual-wake delivery, pure-timer scheduler-wake manual recovery, timeout-backed interrupt recovery after command_timer_cancel_task, and survivor wake preservation across mixed terminate cleanup).
[x] Completed the bare-metal optional QEMU task-resume interrupt-timeout wrapper family (scripts/baremetal-qemu-task-resume-interrupt-timeout-wait-clear-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-timeout-manual-wake-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-timeout-ready-state-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-timeout-no-stale-timeout-probe-check.ps1, and scripts/baremetal-qemu-task-resume-interrupt-timeout-telemetry-preserve-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs so that timeout-backed resume regressions now fail directly on ready-state, wait-clear, manual-wake, no-stale-timeout, and telemetry boundaries.
[x] Completed the bare-metal optional QEMU task-resume interrupt wrapper family (scripts/baremetal-qemu-task-resume-interrupt-ready-state-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-wait-clear-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-manual-wake-probe-check.ps1, scripts/baremetal-qemu-task-resume-interrupt-no-late-interrupt-probe-check.ps1, and scripts/baremetal-qemu-task-resume-interrupt-telemetry-preserve-probe-check.ps1) and wired it into zig-ci + release-preview validate jobs so that pure-interrupt command_task_resume regressions now fail directly on ready-state, wait-clear, manual-wake, no-second-wake, and telemetry boundaries.
[x] Normalized the bare-metal optional QEMU feature-flags/tick-batch wrapper family to a single family prefix (scripts/baremetal-qemu-feature-flags-tick-batch-baseline-probe-check.ps1, scripts/baremetal-qemu-feature-flags-tick-batch-valid-update-probe-check.ps1, scripts/baremetal-qemu-feature-flags-tick-batch-invalid-preserve-probe-check.ps1, scripts/baremetal-qemu-feature-flags-tick-batch-mailbox-state-probe-check.ps1, and scripts/baremetal-qemu-feature-flags-tick-batch-state-preserve-probe-check.ps1) and rewired zig-ci + release-preview so the lane is recorded consistently as one five-wrapper family over the broad feature-flags/tick-batch QEMU probe.
[x] Expanded bare-metal optional QEMU mailbox wrapper coverage with five dedicated u32 sequence-wraparound stage probes (scripts/baremetal-qemu-mailbox-seq-wraparound-baseline-probe-check.ps1, scripts/baremetal-qemu-mailbox-seq-wraparound-pre-wrap-state-probe-check.ps1, scripts/baremetal-qemu-mailbox-seq-wraparound-pre-wrap-mailbox-sequence-probe-check.ps1, scripts/baremetal-qemu-mailbox-seq-wraparound-post-wrap-state-probe-check.ps1, and scripts/baremetal-qemu-mailbox-seq-wraparound-post-wrap-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview, plus matching host-regression tightening in src/baremetal_main.zig so the wrap boundary now asserts command-history payloads for seq=max_u32,arg0=6 and seq=0,arg0=7 directly.
[x] Expanded bare-metal optional QEMU mailbox wrapper coverage with five dedicated stale-seq stage probes (scripts/baremetal-qemu-mailbox-stale-seq-baseline-probe-check.ps1, scripts/baremetal-qemu-mailbox-stale-seq-first-state-probe-check.ps1, scripts/baremetal-qemu-mailbox-stale-seq-stale-preserve-probe-check.ps1, scripts/baremetal-qemu-mailbox-stale-seq-fresh-recovery-state-probe-check.ps1, and scripts/baremetal-qemu-mailbox-stale-seq-final-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview, plus matching host-regression tightening in src/baremetal_main.zig so the stale-replay boundary now asserts the retained event payload for seq=1,arg0=4 and the fresh recovery event payload for seq=2,arg0=6 directly.
[x] Expanded bare-metal optional QEMU mailbox header validation coverage into a full five-wrapper family (scripts/baremetal-qemu-mailbox-invalid-magic-preserve-state-probe-check.ps1, scripts/baremetal-qemu-mailbox-invalid-api-version-preserve-state-probe-check.ps1, scripts/baremetal-qemu-mailbox-header-ack-sequence-probe-check.ps1, scripts/baremetal-qemu-mailbox-header-tick-batch-recovery-probe-check.ps1, and scripts/baremetal-qemu-mailbox-valid-recovery-probe-check.ps1) and wired it into zig-ci + release-preview so the lane now fails directly on invalid-header preservation, staged ack/sequence advancement, staged tick-batch recovery, and final valid recovery over the PVH freestanding artifact.
[x] Expanded bare-metal optional QEMU interrupt-mask clear-all recovery coverage with five dedicated wrapper probes (scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-baseline-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-clear-collapse-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-wake-delivery-probe-check.ps1, scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-history-payload-probe-check.ps1, and scripts/baremetal-qemu-interrupt-mask-clear-all-recovery-mailbox-state-probe-check.ps1) and wired them into zig-ci + release-preview, plus matching host-regression tightening in src/baremetal_main.zig so the clear-all lane now asserts masked-count and last-masked-vector collapse directly in the host suite.
[x] Hardened the bare-metal optimized build lane so the freestanding packaged ELF retains the Multiboot2 header in optimized modes: build.zig now disables section garbage collection for the final bare-metal executable, and scripts/baremetal-smoke-check.ps1, scripts/baremetal-qemu-smoke-check.ps1, and scripts/zig-syntax-check.ps1 now validate the optimized bare-metal build path that matches release packaging instead of the Zig-master-crashing freestanding Debug smoke path.
[x] Added bare-metal release packaging to release-preview (publishes openclaw-zig-<version>-x86_64-freestanding-none.elf with checksums).
[x] CI regression fixed for Zig master environ API mismatch (std.process.Environ):
failing run: zig-ci 22668754695 (compile failure in telegram_runtime.zig from .block = .global on posix targets).
fix commit: e204e60 (fix(ci): inject process environ for telegram runtime env checks), wiring dispatcher environ into telegram runtime (telegram_runtime.setEnviron).
verification run: zig-ci 22669040232 passed validate + full cross-target matrix.
[x] Tracking/docs refresh:
README updated with current parity + validation + workflow status.
docs/zig-port/ZIG_TOOLCHAIN_LOCAL.md updated to current local/remote Zig hash state.
GitHub tracking comments updated with recent optimization evidence.
full MkDocs docs site added (mkdocs.yml + docs/*.md) and GitHub Pages deployment workflow added (.github/workflows/docs-pages.yml), with local mkdocs build --strict validation.
GitHub Pages publish verified successful via Actions run 22653680203 with both build and deploy jobs green.
RPC docs drift guard added with generated reference script (scripts/generate-rpc-reference.ps1) and workflow enforcement in zig-ci, release-preview, and docs-pages.
current workflow head status re-verified: docs-pages rerun 22669207780 success; latest zig-ci, release-preview, and npm-release are all success.
current workflow head status re-verified again (2026-03-05):
zig-ci run 22699044422 success (validate + full cross-target matrix)
docs-pages run 22699044418 success
manual docs-pages dispatch run 22698975595 success (build + deploy)


zig-master freshness evidence hardening:
scripts/zig-codeberg-master-check.ps1 is now cross-platform (-ZigExePath/OPENCLAW_ZIG_EXE/PATH fallback) and can emit JSON evidence (-OutputJsonPath).
zig-ci now captures freshness snapshot as non-blocking evidence artifact (zig-master-freshness.json) with Codeberg->GitHub mirror fallback semantics.
release-preview now captures/publishes the same freshness evidence artifact and attaches zig-master-freshness.json to release assets.
release-preview validate stage now also enforces scripts/docs-status-check.ps1 to prevent stale status docs in release cuts.
local scripts/release-preview.ps1 now mirrors CI validate gates (python-pack-check, parity, docs-status, zig-freshness snapshot) before building artifacts.


python package release lane added:
python/openclaw-zig-rpc-client package scaffold + tests + CLI.
scripts/python-pack-check.ps1 added to local/CI/release validation gates.
.github/workflows/python-release.yml added for manual publish with artifact attach + optional PyPI push.


docs snapshot drift gate added:
new script: scripts/docs-status-check.ps1 validates README/docs status tokens against parity snapshot and latest release tag metadata.
wired into workflows: zig-ci validate stage and docs-pages build stage.
initial CI regression (zig-ci run 22698812368) fixed by switching release-tag resolution from gh CLI to GitHub API; fix commit bcc0e68.
post-fix verification runs: zig-ci 22698898719 success and docs-pages 22698975595 success.