Policy Board

Operational rules that define registry-first behavior, hot-swap activation, and storage safety.

policy_platform_survival_core_v1

Scope: platform · Status: active

New CPU and board ports may add only survival substrate to core; device behavior moves to sandbox capabilities.

  • serial recovery before GUI
  • CPU entry, memory, interrupts, and recovery IO may be core
  • virtio, PCI, USB, display, storage, voice, and policy remain capabilities
  • query by arch and machine keys before generation
  • upload platform evaluation after each boot milestone

policy_voice_route_v1

Scope: voice · Status: active

Voice routing defaults to text-first and escalates to direct audio only when justified.

  • text-first is default
  • hybrid preferred over always-direct audio
  • direct audio requires bounded, compressed clips
  • route policy belongs in sandbox skills
  • core stores route state but does not decide semantic audio policy

policy_voice_privacy_v1

Scope: voice · Status: active

Voice capture is user-controlled, bounded, visible, and transcript-confirmed before action.

  • default off
  • autonomy cannot enable microphone
  • visible recording state required
  • transcript before action by default
  • bounded audio clips only
  • direct audio only by route policy or explicit user request

policy_storage_safe_write_v1

Scope: storage · Status: active

Storage writes require staged validation.

  • read-only first
  • scratch write before real write
  • flush and verify
  • rollback target required
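The four steps above, carried through as an added example (this is illustrative code, not the project's own storage code). It assumes a POSIX-style filesystem with atomic rename and uses a sibling `.rollback` file as the rollback target; the file name `config.bin` and the payloads are constructed for the demo.

```python
import hashlib
import os
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _fsync_dir(path: str) -> None:
    """Flush the directory entry too, so the rename itself is durable."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return  # platform without directory handles; nothing more to do
    try:
        os.fsync(fd)
    except OSError:
        pass  # some filesystems refuse directory fsync
    finally:
        os.close(fd)


def safe_write(target: str, data: bytes) -> dict:
    """Staged write of `data` to `target`; returns a receipt usable by rollback()."""
    target = os.path.abspath(target)
    directory = os.path.dirname(target)
    expected = _sha256(data)

    # 1. read-only first: inspect the current contents and keep them as the rollback target
    rollback_path = None
    if os.path.exists(target):
        with open(target, "rb") as f:
            previous = f.read()
        rollback_path = target + ".rollback"
        with open(rollback_path, "wb") as f:
            f.write(previous)
            f.flush()
            os.fsync(f.fileno())

    # 2. scratch write: a private temp file in the same directory (same filesystem)
    fd, scratch = tempfile.mkstemp(prefix=".scratch-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())

    # 3. flush and verify: read the scratch file back and compare digests before publishing
    with open(scratch, "rb") as f:
        actual = _sha256(f.read())
    if actual != expected:
        os.unlink(scratch)
        raise IOError(f"scratch verification failed for {target}")

    # 4. publish atomically; the old file is never partially overwritten
    os.replace(scratch, target)
    _fsync_dir(directory)
    return {"target": target, "rollback": rollback_path, "sha256": expected}


def rollback(receipt: dict) -> None:
    """Restore the state recorded by safe_write(); no rollback file means 'no prior file'."""
    target, rollback_path = receipt["target"], receipt["rollback"]
    if rollback_path is None:
        os.unlink(target)
    else:
        os.replace(rollback_path, target)
    _fsync_dir(os.path.dirname(target))


def demo() -> dict:
    """Constructed scenario: two writes to a temp file, then roll the second one back."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "config.bin")
        first = safe_write(path, b"version-1")
        second = safe_write(path, b"version-2")
        with open(path, "rb") as f:
            after_second = f.read()
        rollback(second)
        with open(path, "rb") as f:
            after_rollback = f.read()
        return {
            "first_had_rollback": first["rollback"] is not None,
            "after_second": after_second,
            "after_rollback": after_rollback,
            "sha256_matches": second["sha256"] == _sha256(b"version-2"),
        }


if __name__ == "__main__":
    print(demo())
```

The verify step reads the scratch file back rather than trusting the write call's return value, so a short write or a silently failed flush is caught before anything reaches the real path; the directory fsync after `os.replace` is what makes the rename survive a power loss.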

policy_registry_first_v1

Scope: workflow · Status: active

Always query registry before generating new capabilities.

  • local cache first
  • registry second
  • generation third

policy_object_capability_isolation_v1

Scope: runtime · Status: active

Capabilities must behave as isolated objects.

  • explicit identity
  • explicit lifecycle
  • object-scoped mutation
  • rollback target required

policy_sandbox_first_capabilities_v1

Scope: runtime · Status: active

All non-core capabilities should be sandbox-owned by default.

  • query registry before generation
  • sandbox before activation
  • persist only after validation

policy_core_minimalism_v1

Scope: runtime · Status: active

Keep only mandatory survival paths in core.

  • core owns boot, recovery, the sandbox ABI, and rollback gates
  • device policy belongs in drivers or workflows
  • GUI behavior belongs in skills when possible

policy_probe_v1

Scope: runtime · Status: draft

probe

  • probe

policy_runtime_hotswap_v1

Scope: runtime · Status: active

Prefer live activation and rollback for non-core changes instead of reboot-based rollout.

  • sandbox-first
  • live binding switch
  • rollback before reboot
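The registry-first, object-isolation, sandbox-first and hot-swap policies above describe one activation pipeline, shown here as an added example (illustrative code, not the project's own runtime). The registry, the generator and the sandbox check are stand-ins passed in as callables; the `(arch, machine, kind, version)` key, the `arm64`/`qemu-virt` port and the failing voice capability are all constructed for the demo.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

# Assumed lookup key: the arch and machine keys the platform policy names, plus kind and version.
Key = Tuple[str, str, str, int]


class State(Enum):
    RESOLVED = "resolved"
    SANDBOXED = "sandboxed"
    ACTIVE = "active"
    REJECTED = "rejected"
    RETIRED = "retired"


@dataclass
class Capability:
    cap_id: str                    # explicit identity
    key: Key
    state: State = State.RESOLVED  # explicit lifecycle; only the owning runtime mutates it


class CapabilityRuntime:
    """Hypothetical runtime: resolves cache -> registry -> generation, sandboxes, live-binds."""

    def __init__(self, registry: Dict[Key, Capability],
                 generate: Callable[[Key], Capability],
                 sandbox_check: Callable[[Capability], bool]):
        self.cache: Dict[Key, Capability] = {}
        self.registry = registry            # stand-in for the remote registry
        self.generate = generate            # stand-in for capability generation
        self.sandbox_check = sandbox_check  # stand-in for sandbox validation
        self.bindings: Dict[str, Capability] = {}                # kind -> active capability
        self.rollback_targets: Dict[str, Optional[Capability]] = {}

    def resolve(self, key: Key) -> Tuple[Capability, str]:
        """Registry-first order: local cache, then registry, then generation."""
        if key in self.cache:
            return self.cache[key], "cache"
        if key in self.registry:
            self.cache[key] = self.registry[key]
            return self.cache[key], "registry"
        return self.generate(key), "generated"  # not cached or persisted yet

    def activate(self, key: Key) -> Tuple[Capability, str, bool]:
        cap, source = self.resolve(key)
        cap.state = State.SANDBOXED             # sandbox before activation
        if not self.sandbox_check(cap):
            cap.state = State.REJECTED          # a generated cap that fails is simply dropped
            return cap, source, False
        if source == "generated":               # persist only after validation
            self.registry[key] = cap
            self.cache[key] = cap
        kind = key[2]
        previous = self.bindings.get(kind)
        self.rollback_targets[kind] = previous  # rollback target required
        if previous is not None:
            previous.state = State.RETIRED
        cap.state = State.ACTIVE
        self.bindings[kind] = cap               # live binding switch, no reboot
        return cap, source, True

    def rollback(self, kind: str) -> Optional[Capability]:
        """Undo the last live switch for `kind`; this runs before any reboot is considered."""
        current = self.bindings.pop(kind)
        previous = self.rollback_targets.pop(kind)
        current.state = State.RETIRED
        if previous is not None:
            previous.state = State.ACTIVE
            self.bindings[kind] = previous
        return previous


def demo() -> dict:
    """Constructed scenario on a hypothetical arm64 / qemu-virt port."""
    k = lambda kind, ver: ("arm64", "qemu-virt", kind, ver)
    registry = {
        k("storage", 1): Capability("storage-virtio-v1", k("storage", 1)),
        k("storage", 2): Capability("storage-virtio-v2", k("storage", 2)),
    }

    def generate(key: Key) -> Capability:
        return Capability(f"{key[2]}-generated-v{key[3]}", key)

    def sandbox_check(cap: Capability) -> bool:
        return cap.key[2] != "voice"  # constructed failure: the voice capability does not validate

    rt = CapabilityRuntime(registry, generate, sandbox_check)
    out = {}
    _, src, ok = rt.activate(k("storage", 1)); out["storage_v1"] = (src, ok)
    _, src, ok = rt.activate(k("display", 1)); out["display_v1"] = (src, ok)
    out["display_again"] = rt.resolve(k("display", 1))[1]
    _, src, ok = rt.activate(k("voice", 1)); out["voice_v1"] = (src, ok)
    out["voice_persisted"] = k("voice", 1) in rt.registry
    _, src, ok = rt.activate(k("storage", 2)); out["storage_v2"] = (src, ok)
    out["bound_after_swap"] = rt.bindings["storage"].cap_id
    rt.rollback("storage")
    out["bound_after_rollback"] = rt.bindings["storage"].cap_id
    out["v2_state"] = registry[k("storage", 2)].state.value
    return out


if __name__ == "__main__":
    print(demo())
```

The point to check in a real implementation is the ordering inside `activate`: the generated capability is written to the registry only after the sandbox check passes, and the previous binding is recorded as the rollback target before the switch, so a bad hot-swap can be undone without touching core or rebooting.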