Dictionary

A single rule within an ACL. Contains a type, flags, an access mask, and a trustee SID, with optional extensions for GUIDs (object ACEs) or conditional expressions (callback ACEs).

An ordered list of ACEs in a standard binary format. Two kinds: DACL (controls access) and SACL (controls audit, integrity labels, resource attributes, and policy references).

A 32-bit bitmask representing requested or granted access rights. Divided into four regions: object-specific (bits 0–15), standard (bits 16–20), special (bits 24–25), and generic (bits 28–31).

The complete authorization evaluation function. Takes a token, a security descriptor, and a desired access mask. Evaluates a pipeline of layers (privileges, MIC, PIP, DACL, restricted tokens, confinement, CAAP) and returns the granted rights or denial.

A mechanism that monitors query patterns and dynamically creates or drops secondary indexes on event store columns and payload fields. Indexes are created during quiet periods and shed under write pressure to protect throughput.

A mechanism that monitors metric query patterns and pre-computes aggregate values (averages, percentiles, rates) for frequently queried function/window combinations. Computed during quiet periods and transparent to queries.

A callout box in documentation content. GitHub-style blockquote syntax for NOTE, WARNING, IMPORTANT, TIP, and CAUTION types.

Start-time checks with the same format as Conditions, but failure causes the service to enter Failed state rather than Skipped.

Authentication daemon — the principal router responsible for authentication (Kerberos/NTLM), token creation, credential management, and CAAP cache population. Design deliberately undecided until KACS + registry are real.

A process mitigation locking hardware shadow stack (Intel CET) so the process cannot disable it. Blocks return-oriented programming (ROP) attacks.

The kernel-reserved implicit layer (named 'base') at precedence 0. Cannot be deleted, disabled, or have its precedence changed. The default target for writes that do not specify a layer.

Cryptographic signing of executable files with Ed25519 to establish PIP trust level. Signatures are stored in an ELF .peios.sig section or a security.peios.sig xattr. The kernel verifies; it never signs.

Runtime coupling. If any bound service stops (for any reason), this service is stopped. Stronger than Requires — Requires only affects startup, BindsTo affects the entire lifetime.

A per-layer marker on a key that masks all values from lower-precedence layers for that key. Required for registry.pol **DelVals semantics. Values written in the same or higher-precedence layer override the blanket.

Internal per-CPU kernel buffers that capture events during early boot, before ring buffers are created. Not visible to consumers. Contents are copied into ring buffers when they become available.

A GUID assigned by peinit at each boot, used by eventd to partition data across boots. KMES per-CPU sequence numbers reset on each boot; the boot ID disambiguates.

A file-based project tracker for solo developers. Stores tasks as TOML files on disk, provides a CLI for automation, and serves a milestone-centric web board. Written in Go.

A SID (S-1-15-3-*) representing a declared access capability for confined applications. Used in the confinement pass of AccessCheck.

A centrally-defined collection of access and audit rules, referenced by objects via SYSTEM_SCOPED_POLICY_ID_ACE in the SACL. CAAP can only further restrict access (AND semantics), never expand it.

A name-value pair carried on a token (user claims or device claims) and used in conditional ACE evaluation. Set by authd at token creation time.

An ACE with an appended boolean expression that must evaluate to TRUE for the rule to take effect. Enables attribute-based access control (ABAC). Uses three-valued logic: TRUE, FALSE, UNKNOWN.

Start-time checks (path exists, file exists, directory exists, registry key exists). If any condition fails, the service is skipped (not failed). A skipped service satisfies dependents.

A default-deny sandbox on a token. When a token has a confinement SID, AccessCheck independently evaluates the DACL against only the confinement SID and capability SIDs, then intersects with the normal result. Privileges do not bypass confinement.

A SID (S-1-15-2-*) identifying a confined application. When set on a token, enables the default-deny confinement sandbox.

Mutual exclusion between services. Starting a service stops any conflicting services. The conflict relationship is bidirectional.

A userspace process that maps KMES ring buffers and reads events. Typically dedicates one thread per CPU buffer. eventd is the primary consumer.

The Unix socket through which administrators and tools send commands (start, stop, restart, reload, shutdown) to peinit. Every command is authorized via AccessCheck against the target service's ServiceSecurity SD.

The well-known SID S-1-3-1. A placeholder in inheritable ACEs that is replaced with the creating principal's primary group SID during SD inheritance.

The well-known SID S-1-3-0. A placeholder in inheritable ACEs that is replaced with the creating principal's user SID during SD inheritance.

The one-way mapping of token identity onto Linux credentials (UID/GID). Computed by authd at token creation, stored on the token. Enables unmodified Linux applications to function. Not a security mechanism.

A kernel-level alias, not a real hive. Paths beginning with CurrentUser\ are rewritten to Users\<caller SID>\<remainder> before routing. Not applied to symlink targets (prevents confused deputy attacks).

The mechanism that gives every Peios process Linux capabilities (CAP_DAC_OVERRIDE, etc.) to bypass UID/GID/mode-bit checks, ensuring KACS LSM hooks always fire and are the sole access authority.

The unnamed value on a key (empty string as its name). For symlink keys, the default value with type REG_LINK provides the symlink target.

An ACE that explicitly denies specified rights to a trustee SID. In canonical ordering, explicit deny ACEs come before explicit allow ACEs, ensuring denials take precedence.

A group on a token with SE_GROUP_USE_FOR_DENY_ONLY set. Matches deny ACEs but not allow ACEs. Set permanently by FilterToken; cannot be reverted.

A built-in Trail feature that defines terms with definitions, abbreviations, aliases, and references. Terms are auto-linked in page content and browsable at /dictionary/.

The ACL within an SD that defines who is allowed or denied access. The owner controls the DACL via WRITE_DAC. A null DACL grants all access; an empty DACL denies all access.

An Active Directory domain — a logical grouping of machines and users sharing a common security database and trust relationships.

The comparison relationship used by MIC and PIP. A caller dominates an object when their level is greater than or equal to the object's label. Dominant callers face no mandatory restrictions from that mechanism.

A thread dedicated to reading events from one KMES per-CPU ring buffer. One drain thread per CPU. Drain threads copy events from the ring buffer and hand them off to writer threads.

The token used for access control decisions on a thread — the impersonation token if one is installed, otherwise the primary token.

The value visible to callers after layer resolution — the highest-precedence, highest-sequence entry for a (key GUID, value name) pair that is not a tombstone.

The mechanism for switching from a filtered (Limited) token to its linked elevated (Full) token. KACS stores the pair; authd decides when elevation is permitted.

A per-service policy for irrecoverable failure. Normal (default): service remains in Failed state. Critical: peinit syncs filesystems and reboots the system.

An indivisible record consisting of a header (packed binary metadata) and a payload (msgpack-encoded structured data). Header and payload are always produced and consumed together.

The packed binary prefix of every event. Contains: event size, header size, wall clock timestamp, per-CPU sequence number, CPU identifier, origin class, three identity GUIDs (effective token, true token, process), and a length-prefixed event type string. All fields before the event type string are at fixed offsets.

The msgpack-encoded body of an event. Structure defined by the emitting subsystem or process. KMES treats payloads as opaque — it buffers and delivers without interpreting.

The persistent storage engine for KMES events. One or more SQLite shard databases containing structured event records with full KMES header metadata and identity stamps.

An arbitrary, length-prefixed UTF-8 string in the event header identifying the kind of event. KMES imposes no structure or naming convention — schema and naming are consumer concerns.

The Peios observability daemon. A userspace process that consumes events from KMES, ingests logs and metrics, and provides persistent storage and querying for all three data types.

Event daemon — drains kernel audit events (from the PKM ring buffer) to SQLite for persistent storage and observability.

A per-service mechanism for storing file descriptors across service restarts. The service sends fds to peinit via sd_notify with FDSTORE=1. Restored to the service on the next start.

The KACS subsystem that replaces Linux DAC with SD-based evaluation on files. Enforces the handle model: AccessCheck at open time, granted mask cached on the file descriptor.

The principle governing the DACL walk: once a bit in the access mask has been decided (granted or denied), no later ACE can change that bit's outcome.

A cached VM snapshot taken after boot and setup. Tests resume from a fixture instead of cold-booting, dramatically reducing test execution time.

The Unicode Simple Case Folded form of a key name, value name, or child name. Stored alongside the canonical (case-preserving) name for case-insensitive lookups.

A process mitigation locking hardware indirect-branch tracking (Intel IBT, ARM BTI) so the process cannot disable it. Blocks forward-edge code reuse attacks.

A synthetic event (event_type 'synthetic.gap') recording a detected sequence number gap on a CPU. Indicates lost events due to ring buffer overrun, event drops, or eventd restart.

Abstract access rights (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL) mapped to object-specific rights via the object type's GenericMapping before evaluation.

A per-object-type table that translates the four generic rights to specific combinations of object-specific and standard rights.

The C binary injected into QEMU VMs by Provium. Listens on vsock for commands from the host, executes syscalls, ioctls, and shell commands, and returns results.

A 128-bit identifier assigned by the kernel at key creation time and persisted by the source. A key's GUID is its immutable identity — never reused. Paths are the user-facing interface; GUIDs are the internal identity.

The enforcement pattern where AccessCheck runs once at open time, the granted access mask is cached on the file descriptor, and subsequent operations check the cached mask. Authority is on the handle, not the holder.

A command run periodically to verify a service is functioning. Exit 0 = healthy. Consecutive failures (HealthCheckRetries) trigger the service's restart or failure policy.

A top-level registry namespace — the first path component in every registry path. Each hive is an independent tree of keys and values, backed by exactly one source. Examples: Machine, Users.

A SQLite database file backing one hive. Each hive registered by loregd has its own database file. The file path is provided on the command line.

The impersonation check that determines whether a server may impersonate a specific client's identity. Passes if same user + same restriction status, or if SeImpersonatePrivilege is held. Failure caps to Identification level.

A mechanism allowing a server thread to temporarily assume a client's identity for access control decisions. The server's PSB is unaffected. Controlled by impersonation level and two gates (identity gate and integrity ceiling).

Controls how far a token's identity can travel. Four levels from least to most permissive: Anonymous (no identity), Identification (inspect only), Impersonation (act locally), Delegation (act remotely via Kerberos).

A temporary, per-thread token that overrides the primary token for access control decisions. Only affects the thread that installed it.

The impersonation check that prevents a server from assuming a higher integrity level than its own. Always enforced — SeImpersonatePrivilege does not bypass it. Failure caps to Identification level.

A vertical trust classification on tokens and objects. Five standard levels forming a strict total order: Untrusted (0) < Low (4096) < Medium (8192) < High (12288) < System (16384). Arbitrary numeric values are also valid.

A privilege (SeBackupPrivilege, SeRestorePrivilege) that is only evaluated when the caller explicitly passes the corresponding intent flag. Prevents broad-category privileges from applying to every AccessCheck.

A number on the token identifying which interactive user environment a process belongs to. 0 for services (no interactive environment), 1+ for interactive/remote user environments. Metadata only — no kernel security mechanism evaluates it. Future use: multi-user isolation, desktop namespace routing.

The subsystem for submitting and managing supervised jobs. Out of scope for v0.20.

A single supervised process execution. Every time peinit forks a process — starting a service, running a hook, executing a health check — the execution is a job with a GUID, lifecycle tracking, and log correlation.

The PKM subsystem that implements tokens, security descriptors, AccessCheck, privileges, impersonation, PIP, and file access control (FACS). The sole identity-based authorization engine for managed objects.

A node in the registry hierarchy. Keys are containers holding subkeys (forming a tree) and values (holding data). Each key has a GUID (identity), a security descriptor, and metadata. Analogous to filesystem directories.

The registry-specific access rights on key SDs: KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK, and KEY_ALL_ACCESS.

A path entry with target HIDDEN that masks a key from lower-precedence layers, making it invisible. The path-level equivalent of a value tombstone. Removing the hiding layer causes the lower-precedence key to reappear.

The PKM subsystem providing the sole event emission path in Peios. Buffers events, stamps them with trusted metadata, assigns per-CPU sequence numbers, and delivers via shared memory ring buffers.

A named, precedence-ordered collection of registry writes. Every write is tagged with a layer. Reads resolve across layers: the highest-precedence entry wins. Removing a layer removes its entries and lower-precedence values surface automatically.

The algorithm that determines the effective state of a path entry or value from multiple per-layer entries. Highest precedence wins; within the same precedence, highest sequence number wins.

The PKM subsystem that implements the kernel-mediated hierarchical registry with layers, watches, and transactions.

A process mitigation requiring all shared libraries to be cryptographically signed before they can be loaded (mmap with PROT_EXEC). For PIP-protected processes, libraries must be signed at or above the process's trust level.

A pair of tokens for the same principal — one elevated (Full) and one filtered (Limited) — associated at the logon session level. The filtered token is the session default; the elevated token exists for elevation requests.

The kernel framework that KACS builds on. Provides hook points throughout the kernel where security modules interpose access control decisions.

A single log entry consisting of a timestamp, origin (service name), error flag (stdout vs stderr), and message text. Ingested via the log socket as a msgpack-encoded datagram.

The persistent storage engine for log records. A single SQLite database containing timestamped text output from services.

A per-authentication-event SID (S-1-5-5-X-Y) generated at session creation and injected into the token's groups. Ties the token to its logon session.

A kernel object identified by a LUID representing a single authentication event. Contains LogonSession ID, logon type, user SID, and authentication package. Tokens reference their LogonSession by auth_id. Created by kacs_create_logon_session, invalidated by kacs_invalidate_logon_session.

Local Registry Daemon — a specific SQLite-backed RSI implementation. Currently the only implementation used as registryd, but the two terms are not synonymous.

Local Principal Store — the userspace daemon providing the local user/group directory backed by SQLite.

A 64-bit value unique within a single boot session. Used to identify tokens (token_id), logon sessions (auth_id), and privilege positions.

A mandatory access constraint evaluated before the DACL. Blocks write access (and optionally read/execute) when the caller's integrity level is below the object's mandatory label. Does not constrain privilege-granted rights.

A SYSTEM_MANDATORY_LABEL_ACE in the SACL that defines an object's integrity level for MIC. The SID encodes the level (S-1-16-X); the mask encodes which operations are blocked for non-dominant callers.

The persistent storage engine for metric data. A single SQLite database containing time-series numeric measurements organised by series (name + labels).

An ordered release target in Cairn. The web board organises tasks into columns by milestone. Tasks without a milestone appear in a Backlog column.

A synthetic Oneshot service generated by peinit from mount entries in Machine\System\Boot\Mounts\. Named mount:<mountpoint>. Participates in the dependency graph like any real service.

An ACE scoped to a specific property or object class via one or two GUIDs (ObjectType and InheritedObjectType). Used for per-property access control on objects with internal structure.

The category of a protected resource (file, registry key, token, process, etc.). Each object type defines its own GenericMapping and object-specific access rights.

A run-to-completion task. Readiness is 'successful exit' (exit code 0 or SuccessExitCodes match). With RemainAfterExit, stays in Completed state to satisfy dependents.

A first-class object representing a requested state machine action on a service (start, stop, restart, reload, reset). Operations provide conflict resolution for concurrent commands and observable lifecycle tracking via GUIDs.

A header field identifying which subsystem or emission path produced the event: a specific kernel subsystem (KMES, KACS, LCS) or userspace (via syscall).

A key GUID with no path entries in any layer. Existing fds continue to work (alive but unnamed). When the last fd closes, LCS tells the source to drop the GUID. Follows the Linux unlink model.

The principal who owns a securable object, identified by the owner SID in the SD. The owner implicitly receives READ_CONTROL and WRITE_DAC unless an Owner Rights ACE suppresses this default.

The well-known SID S-1-3-4. When present in a DACL, suppresses the owner's implicit READ_CONTROL and WRITE_DAC grants, replacing them with whatever the ACE explicitly allows or denies.

A layer-qualified naming record mapping (parent GUID, child name, layer) to a target GUID or HIDDEN. Separates naming (which is layered) from identity (which is not). Analogous to overlay filesystem directory entries.

An ordered sequence of pages that guides readers through a topic. Pathways replace the sidebar with their own page list and add prev/next navigation. Defined in .toml files in the pathways/ directory.

Peios init — the PID 1 process responsible for service lifecycle management, boot sequencing, and supervised process execution

The operating system. A Linux-based OS that implements Windows-derived security primitives (SIDs, tokens, SDs, AccessCheck) natively in the kernel to provide coherent, SD-everywhere identity and access control.

The hardcoded bootstrap phase. peinit remounts root read-write, mounts virtual filesystems, starts registryd, and performs infrastructure setup. No registry access occurs during Phase 1.

The registry-driven boot phase. With registryd running, peinit reads service definitions from the registry and starts all boot-triggered services in dependency order.

A file descriptor referring to a specific process, obtained atomically at fork time via clone3(CLONE_PIDFD). Eliminates PID reuse races. peinit tracks every managed process via a pidfd.

The second axis of PIP's 2D trust model, representing trust tier within a PIP type. Higher values dominate lower. Examples: Authenticode (1024), AntiMalware (1536), App (2048), Peios (4096), PeiosTcb (8192).

The first axis of PIP's 2D trust model. Standard values: None (0), Protected (512), Isolated (1024). Encoded as the first sub-authority in a process trust label SID.

The single loadable kernel module containing all Peios kernel extensions.

A layer's override order. Higher precedence wins during layer resolution. Precedence 0 is the default (base and role layers). Precedence > 0 requires SeTcbPrivilege to create or elevate (prevents unprivileged Group Policy injection).

The token that defines a process's baseline identity. Inherited by child processes on fork. Stored via real_cred. Unaffected by impersonation.

Any entity — user, group, service, or machine — that can be identified by a SID. Principals exist in a directory; tokens are runtime snapshots of principal identity.

A hive registered with RSI_HIVE_PRIVATE and a scope GUID. Only accessible to threads whose credentials carry the matching scope GUID. Can shadow global hives for complete registry isolation.

A disabled layer attached to a specific thread's credentials. Globally invisible during normal resolution but included when resolving on behalf of that thread. Enables per-session overrides, testing, and sandboxing.

A system-wide right carried on a token that gates specific operations. Standalone privileges gate system operations; AccessCheck-influencing privileges can cause AccessCheck to grant rights the DACL would not.

A 2D trust model (type × trust level) that protects objects and processes from access by insufficiently trusted processes. Unlike MIC, PIP actively revokes privilege-granted rights. No privilege can bypass PIP.

One-way security flags on the PSB (LSV, WXP, TLP, CFIF, CFIB, PIE, SML) that restrict process behaviour. Set by the process launcher; once set, cannot be cleared. Distinct from PIP, which is determined by binary signature.

The security descriptor on a process that controls who can signal it, inspect its memory, query its token, and perform other operations. Replaces Linux's UID-based process access control.

A per-process security structure carrying PIP identity, process mitigations, and process restrictions. Determined by the loaded binary, not the running principal. Never affected by impersonation.

A SYSTEM_PROCESS_TRUST_LABEL_ACE in the SACL that defines an object's PIP trust level. The SID encodes both the PIP type axis and trust axis (S-1-19-{type}-{trust}).

A top-level content scope in a multi-product Trail site. Each product has its own categories, pathways, and content hierarchy. A single site can host documentation for multiple products.

A KVM test harness for Linux kernel modules and system-level code. Tests are written in Lua and run against real QEMU/KVM virtual machines. Written in Go (host) and C (guest agent).

A SQLite connection used for read-only RSI operations. Multiple read connections may be open concurrently (WAL mode).

How peinit determines a Simple service is ready. Notify (default): service sends READY=1 via sd_notify. Alive: process existence is sufficient. Ignored for Oneshot services.

The hardcoded fallback CAAP applied when a scoped policy ACE references a policy SID not in the kernel cache. Grants GENERIC_ALL to Administrators, SYSTEM, and OWNER_RIGHTS. Prevents missing CAAP from locking out administrators.

The user-facing configuration system provided by LCS and its sources working together. Use 'LCS' for the kernel subsystem and the source name (e.g. loregd) for the userspace component. 'The Registry' covers the whole thing.

The binary protocol and contract between LCS and its backing stores. Defines the operations LCS can request, the response format, and the error model. Any process implementing the RSI can back a hive — LCS is source-agnostic.

The primary registry source that peinit starts during Phase 1 boot. A named slot, not an implementation — registryd is whatever RSI source provides the Machine and Users hives. Currently loregd fills this slot.

The last sub-authority in a SID — the portion that distinguishes individual principals within a domain.

A hard dependency. All required services must be satisfied before this service starts. If any required service fails, this service fails.

A name-value pair stored as a SYSTEM_RESOURCE_ATTRIBUTE_ACE in the SACL. Provides per-object metadata for conditional ACE evaluation. Does not grant or deny access directly.

Controls whether and when peinit restarts a failed service. Never (no restarts), OnFailure (restart on abnormal exit, the default), Always (restart on any exit).

A token carrying a secondary SID list (restricting SIDs). AccessCheck evaluates the DACL twice — once with normal SIDs, once with restricting SIDs — and grants only the intersection.

A per-CPU shared memory region managed by KMES and mapped into authorized consumers' address spaces. Each buffer has a producer metadata page, a consumer metadata page, and a double-virtual-mapped data region. The sole delivery mechanism from KMES to userspace.

A pre-computed aggregate value for a time series, stored in the rollups table. Defined by a series, aggregation function, window size, and window start time.

The eager, creation-time propagation of inheritable ACEs from a parent object's SD to a newly created child's SD. Controlled by ACE flags (OI, CI, NP, IO) and the SD's PROTECTED flags.

A datagram-based readiness and health signalling protocol. Services send structured messages (READY=1, WATCHDOG=1, etc.) to peinit via a Unix datagram socket. Sender authentication uses kernel-attested PID matching.

Any object that has a security descriptor — files, registry keys, IPC endpoints, tokens, processes, and logon sessions.

In LCS context, a registry key. Values inherit their key's access control — there is no per-value SD.

The complete security policy for a protected object. Contains an owner SID, a group SID, a DACL, and optionally a SACL. Every protected object has exactly one SD.

A variable-length binary value that uniquely identifies a principal. Format: S-1-{authority}-{sub1}-...-{subN}. Binary-compatible with Windows SIDs.

The mechanism by which LCS reads its own operational parameters from Machine\System\Registry\, using compiled-in defaults at boot and hot-swapping to registry values when a source registers.

The SD binary encoding where all data (owner, group, DACL, SACL) is packed into a contiguous byte buffer with offsets instead of pointers. The only format KACS uses for storage and wire transmission.

LCS's internal watch on Machine\System\Registry\ that drives self-configuration. Layer table updates, configuration hot-swap, and layer metadata changes are all triggered by self-watch events.

A monotonic counter value assigned by LCS to every mutation. Provides deterministic tiebreaking within a precedence tier. The global sequence counter is never decremented or reset.

A named, supervised unit of execution managed by peinit. Has a definition (registry schema), a runtime state (state machine), and a security policy (ServiceSecurity SD). Two types: Simple (long-running daemon) and Oneshot (run-to-completion task).

A per-service identity SID derived from the SHA-1 hash of the service name (S-1-5-80-{hash}). Enables per-service access control independent of the account the service runs under.

One of nine states every service is in at any given time: Inactive, Starting, Active, Reloading, Stopping, Completed, Failed, Abandoned, or Skipped.

The security descriptor on a service controlling who may manage it via the control interface. Stored as REG_BINARY in the service's registry definition. Makes services securable objects.

An independent SQLite database in the event store. Each shard has its own file, WAL, and writer thread. Shards share no write-path state. The number of shards is configurable.

A SID paired with a 32-bit attributes field controlling how the SID participates in access evaluation (mandatory, enabled, deny-only, etc.).

A long-running daemon. The process IS the service. Readiness is determined by sd_notify (Notify) or process existence (Alive). The default service type.

A userspace process that implements the RSI for one or more hives. Sources handle storage (reads, writes, enumeration, transactions). They do not make access control decisions, see caller identity, or manage watches. loregd is the first source.

A CAAP testing mechanism where each rule may carry staged DACLs/SACLs alongside effective ones. Both are evaluated in parallel; differences are logged. Staged results do not affect access.

The set of metadata fields in the event header populated by KMES at emission time: timestamp, sequence number, cpu_id, origin class (KMES-intrinsic), and effective token GUID, true token GUID, process GUID (identity, captured from KACS). Trusted because only the kernel writes them.

Access rights common to all object types: DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE (bits 16–20 of the access mask).

A confinement mode where ALL_APPLICATION_PACKAGES is omitted from capabilities, resulting in a much narrower access surface. Only objects explicitly granting to ALL_RESTRICTED_APPLICATION_PACKAGES or to specific capabilities are accessible.

A task scoped within a parent task. Addressed as parent_id/subtask_id (e.g. 12/1). Same schema as global tasks but exists as decomposition of the parent's work.

A watch that observes changes not only on the watched key but on all its descendants. Events include path components identifying the depth and location of the change.

A key that redirects path resolution to another registry path. The symlink flag is set at creation (immutable). The target is the default value with type REG_LINK — which is itself layered, so higher-precedence layers can redirect a symlink.

A record generated by eventd itself (not received from KMES). Stored in the events table with an event_type prefixed by 'synthetic.' (e.g., synthetic.startup, synthetic.gap). Does not have KMES header fields.

The ACL within an SD that carries system-level policy: audit ACEs, mandatory integrity labels, resource attributes, scoped policy references, and process trust labels. Modification requires ACCESS_SYSTEM_SECURITY.

A unit of work in Cairn, stored as a directory containing a meta.toml file. Has an integer ID, a status (todo, active, done), and optional metadata (product, priority, milestone, dependencies).

A unique combination of metric name and label set. Each time series accumulates samples (timestamp + value) over time. Identified by a series ID in the metric store.

A kernel object representing a thread's identity and security policy. Contains a user SID, group SIDs, privileges, integrity level, impersonation level, claims, and confinement settings. Every thread must have a token.

A layer entry with type REG_TOMBSTONE that masks a specific value from lower-precedence layers. Callers see 'value not found'. Required for registry.pol **Del.ValueName semantics.

A static site generator purpose-built for documentation. Single Go binary, zero dependencies. Produces fast, searchable sites with pathway navigation, dark mode, and multi-product support.

A hive-scoped atomic multi-key write scope. Either all operations commit together or none do. Bound to a specific hive on first mutation. Lifetime is tied to the transaction fd.

The set of components whose correct behaviour is necessary for system security. In Peios: the Linux kernel, PKM, and core trusted userspace daemons (peinit, authd, loregd).

A process mitigation restricting shared library loading to approved directory prefixes. Weaker than LSV (trusts the path, not the binary). Prefixes are stored in a machine-wide kernel cache.

The SID that an ACE targets — the principal to whom the ACE's access rule applies.

A named, typed datum stored within a key. Each value has a name (string), a type (REG_SZ, REG_DWORD, etc.), and data. A key can hold multiple values. One unnamed value per key is the default value.

The type tag on a registry value. LCS supports the Windows registry type set: REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_QWORD, REG_MULTI_SZ, REG_LINK, REG_NONE, REG_DWORD_BIG_ENDIAN. REG_TOMBSTONE is internal only.

A key stored in non-persistent storage only, lost on reboot or hive unload. Set at creation, immutable. Children of volatile keys must also be volatile.

A SQLite in-memory database (:memory:) ATTACHed to a hive database connection. Volatile keys are stored here. Lost when loregd exits.

The host-guest communication channel used by Provium. No IP stack or network configuration required. Provides a direct socket connection between the host binary and the guest agent.

A soft dependency. Wanted services are started before this service if they exist. Failure of a wanted service does not prevent this service from starting.

A persistent subscription for changes on a key fd. Armed via ioctl, pollable via epoll. Events are structured records read from the fd. Watches report effective state changes (post-layer-resolution), not layer mechanics.

A structured record describing a specific change: VALUE_SET, VALUE_DELETED, SUBKEY_CREATED, SUBKEY_DELETED, SD_CHANGED, KEY_DELETED, or OVERFLOW. Events reflect effective state changes only.

A keepalive mechanism where a service must send WATCHDOG=1 via sd_notify within WatchdogTimeout seconds. Missing the deadline is treated as a service failure.

A SID with a fixed value and well-defined meaning that the implementation must recognise. Examples: Everyone (S-1-1-0), SYSTEM (S-1-5-18), Anonymous (S-1-5-7).

A forked instance of the guest agent inside a VM, providing an independent process with its own credentials and command channel. Used for testing multi-process scenarios.

A SQLite connection used for mutating RSI operations. Only one write connection exists per hive database. All writes are serialised through this connection.

A restricted token variant where the restricting SID intersection applies only to write-category bits. Read and execute access comes from the normal pass alone.

A process mitigation preventing memory pages from being simultaneously writable and executable. W+X mappings and transitions between writable and executable states are rejected.

A thread dedicated to writing events to one shard database. Owns the sole read-write SQLite connection for that shard. Receives events from one or more drain threads.