strat9_kernel/syscall/

dispatcher.rs

//! Strat9-OS syscall dispatcher.
//!
//! Routes syscall numbers to handler functions and converts results to RAX values.
//! Called from the naked `syscall_entry` assembly with a pointer to `SyscallFrame`.
use super::{
    error::SyscallError, exec::sys_execve, fork::sys_fork, numbers::*, process as proc_sys,
    SyscallFrame,
};
use crate::{
    arch::x86_64::pci,
    capability::{get_capability_manager, CapId, CapPermissions, ResourceType},
    hardware::storage::{
        ahci,
        virtio_block::{self, BlockDevice, SECTOR_SIZE},
    },
    ipc::{
        channel::{self, ChanId},
        message::IpcMessage,
        port::{self, PortId},
        reply,
        semaphore::{self, SemId},
        shared_ring::{self, RingId},
    },
    memory::{UserSliceRead, UserSliceWrite},
    process::current_task_clone,
    silo,
};
use alloc::{sync::Arc, vec};
use core::sync::atomic::{AtomicU32, Ordering};

static NET_SEND_ERR_LOG_BUDGET: AtomicU32 = AtomicU32::new(32);
static NET_RECV_ERR_LOG_BUDGET: AtomicU32 = AtomicU32::new(32);
static DHCP_TRACE_LOG_BUDGET: AtomicU32 = AtomicU32::new(64);

/// Performs the trace dhcp frame operation.
fn trace_dhcp_frame(tag: &str, frame: &[u8]) {
    if DHCP_TRACE_LOG_BUDGET.fetch_sub(1, Ordering::Relaxed) == 0 {
        return;
    }
    if frame.len() < 14 {
        return;
    }
    let ethertype = u16::from_be_bytes([frame[12], frame[13]]);
    if ethertype != 0x0800 {
        return;
    }
    if frame.len() < 34 {
        return;
    }
    let ip_hlen = ((frame[14] & 0x0f) as usize) * 4;
    if ip_hlen < 20 || frame.len() < 14 + ip_hlen + 8 {
        return;
    }
    if frame[23] != 17 {
        return;
    }
    let udp = 14 + ip_hlen;
    let src_port = u16::from_be_bytes([frame[udp], frame[udp + 1]]);
    let dst_port = u16::from_be_bytes([frame[udp + 2], frame[udp + 3]]);
    let is_dhcp = (src_port == 68 && dst_port == 67) || (src_port == 67 && dst_port == 68);
    if !is_dhcp {
        return;
    }
    let mut xid: u32 = 0;
    let bootp = udp + 8;
    if frame.len() >= bootp + 8 {
        xid = u32::from_be_bytes([
            frame[bootp + 4],
            frame[bootp + 5],
            frame[bootp + 6],
            frame[bootp + 7],
        ]);
    }
    crate::serial_println!(
        "[dhcp-trace] {} src_port={} dst_port={} len={} xid=0x{:08x}",
        tag,
        src_port,
        dst_port,
        frame.len(),
        xid
    );
}

/// Main dispatch function called from `syscall_entry` assembly.
///
/// # Arguments
/// * `frame` - Pointer to the SyscallFrame on the kernel stack.
///
/// # Returns
/// The value to place in RAX (positive = success, negative = error).
///
/// # Safety
/// Called from naked assembly. `frame` must be a valid pointer to a
/// `SyscallFrame` on the current kernel stack.
#[no_mangle]
pub extern "C" fn __strat9_syscall_dispatch(frame: &mut SyscallFrame) -> u64 {
    let syscall_num = frame.rax as usize;
    let arg1 = frame.rdi;
    let arg2 = frame.rsi;
    let arg3 = frame.rdx;
    let arg4 = frame.r10;
    let _arg5 = frame.r8;
    let _arg6 = frame.r9;

    // FORCE OUTPUT for syscall - bypasses normal logging mutexes
    if let Some(tid) = crate::process::current_task_id() {
        crate::serial_force_println!(
            "\x1b[32m[syscall] ENTER\x1b[0m: tid={} num={} arg1={:#x} arg2={:#x} rip={:#x}",
            tid,
            syscall_num,
            arg1,
            arg2,
            frame.rcx // User RIP is in RCX on entry
        );
    }

    let result = match syscall_num {
        SYS_NULL => sys_null(),
        SYS_HANDLE_DUPLICATE => sys_handle_duplicate(arg1),
        SYS_HANDLE_CLOSE => sys_handle_close(arg1),
        SYS_HANDLE_WAIT => sys_handle_wait(arg1, arg2),
        SYS_HANDLE_GRANT => sys_handle_grant(arg1, arg2),
        SYS_HANDLE_REVOKE => sys_handle_revoke(arg1),
        SYS_HANDLE_INFO => sys_handle_info(arg1, arg2),

        // Memory management (block 100-199)
        SYS_MMAP => super::mmap::sys_mmap(arg1, arg2, arg3 as u32, arg4 as u32, frame.r8, frame.r9),
        SYS_MUNMAP => super::mmap::sys_munmap(arg1, arg2),
        SYS_BRK => super::mmap::sys_brk(arg1),
        SYS_MREMAP => super::mmap::sys_mremap(arg1, arg2, arg3, arg4),
        SYS_MPROTECT => super::mmap::sys_mprotect(arg1, arg2, arg3),

        SYS_PROC_EXIT => sys_proc_exit(arg1),
        SYS_PROC_YIELD => sys_proc_yield(),
        SYS_PROC_FORK => sys_fork(frame).map(|result| result.child_pid as u64),
        SYS_PROC_GETPID | SYS_GETPID => proc_sys::sys_getpid(),
        SYS_PROC_GETPPID => proc_sys::sys_getppid(),
        SYS_GETTID => proc_sys::sys_gettid(),
        SYS_PROC_WAITPID => {
            super::wait::sys_waitpid(arg1 as i64, arg2, arg3 as u32).map(|pid| pid as u64)
        }
        SYS_PROC_WAIT => super::wait::sys_wait(arg1),
        SYS_PROC_EXECVE => sys_execve(frame, arg1, arg2, arg3),
        SYS_FCNTL => super::fcntl::sys_fcntl(arg1, arg2, arg3),
        SYS_SETPGID => proc_sys::sys_setpgid(arg1 as i64, arg2 as i64),
        SYS_GETPGID => proc_sys::sys_getpgid(arg1 as i64),
        SYS_SETSID => proc_sys::sys_setsid(),
        SYS_GETPGRP => proc_sys::sys_getpgrp(),
        SYS_GETSID => proc_sys::sys_getsid(arg1 as i64),
        // ── Credentials (335-340) ────────────────────────────────────────────
        SYS_GETUID => proc_sys::sys_getuid(),
        SYS_GETEUID => proc_sys::sys_geteuid(),
        SYS_GETGID => proc_sys::sys_getgid(),
        SYS_GETEGID => proc_sys::sys_getegid(),
        SYS_SETUID => proc_sys::sys_setuid(arg1),
        SYS_SETGID => proc_sys::sys_setgid(arg1),
        SYS_THREAD_CREATE => proc_sys::sys_thread_create(frame, arg1, arg2, arg3, arg4, frame.r8),
        SYS_THREAD_JOIN => proc_sys::sys_thread_join(arg1, arg2, arg3),
        SYS_THREAD_EXIT => proc_sys::sys_thread_exit(arg1),
        SYS_UNAME => sys_uname(arg1),
        // ── Thread lifecycle (333-334) ────────────────────────────────────────
        SYS_SET_TID_ADDRESS => proc_sys::sys_set_tid_address(arg1),
        SYS_EXIT_GROUP => proc_sys::sys_exit_group(arg1),
        // ── Architecture-specific (350) ───────────────────────────────────────
        SYS_ARCH_PRCTL => proc_sys::sys_arch_prctl(arg1, arg2),
        // ── tgkill (352) ──────────────────────────────────────────────────────
        SYS_TGKILL => proc_sys::sys_tgkill(arg1, arg2, arg3),
        SYS_RT_SIGRETURN => super::signal::sys_rt_sigreturn(frame),
        SYS_FUTEX_WAIT => super::futex::sys_futex_wait(arg1, arg2 as u32, arg3),
        SYS_FUTEX_WAKE => super::futex::sys_futex_wake(arg1, arg2 as u32),
        SYS_FUTEX_REQUEUE => super::futex::sys_futex_requeue(arg1, arg2 as u32, arg3 as u32, arg4),
        SYS_FUTEX_CMP_REQUEUE => super::futex::sys_futex_cmp_requeue(
            arg1,
            arg2 as u32,
            arg3 as u32,
            arg4,
            frame.r8 as u32,
        ),
        SYS_FUTEX_WAKE_OP => {
            super::futex::sys_futex_wake_op(arg1, arg2 as u32, arg3 as u32, arg4, frame.r8 as u32)
        }
        SYS_KILL => super::signal::sys_kill(arg1 as i64, arg2 as u32),
        SYS_SIGPROCMASK => sys_sigprocmask(arg1 as i32, arg2, arg3),
        SYS_SIGACTION => super::signal::sys_sigaction(arg1, arg2, arg3),
        SYS_SIGALTSTACK => super::signal::sys_sigaltstack(arg1, arg2),
        SYS_SIGPENDING => super::signal::sys_sigpending(arg1),
        SYS_SIGSUSPEND => super::signal::sys_sigsuspend(arg1),
        SYS_SIGTIMEDWAIT => super::signal::sys_sigtimedwait(arg1, arg2, arg3),
        SYS_SIGQUEUE => super::signal::sys_sigqueue(arg1 as i64, arg2 as u32, arg3),
        SYS_KILLPG => super::signal::sys_killpg(arg1, arg2 as u32),
        SYS_GETITIMER => super::signal::sys_getitimer(arg1 as u32, arg2),
        SYS_SETITIMER => super::signal::sys_setitimer(arg1 as u32, arg2, arg3),
        SYS_IPC_CREATE_PORT => sys_ipc_create_port(arg1),
        SYS_IPC_SEND => sys_ipc_send(arg1, arg2),
        SYS_IPC_RECV => sys_ipc_recv(arg1, arg2),
        SYS_IPC_TRY_RECV => sys_ipc_try_recv(arg1, arg2),
        SYS_IPC_CONNECT => sys_ipc_connect(arg1, arg2),
        SYS_IPC_CALL => sys_ipc_call(arg1, arg2),
        SYS_IPC_REPLY => sys_ipc_reply(arg1),
        SYS_IPC_BIND_PORT => sys_ipc_bind_port(arg1, arg2, arg3),
        SYS_IPC_UNBIND_PORT => sys_ipc_unbind_port(arg1, arg2),
        SYS_IPC_RING_CREATE => sys_ipc_ring_create(arg1),
        SYS_IPC_RING_MAP => sys_ipc_ring_map(arg1, arg2),
        SYS_SEM_CREATE => sys_sem_create(arg1),
        SYS_SEM_WAIT => sys_sem_wait(arg1),
        SYS_SEM_TRYWAIT => sys_sem_trywait(arg1),
        SYS_SEM_POST => sys_sem_post(arg1),
        SYS_SEM_CLOSE => sys_sem_close(arg1),
        SYS_PCI_ENUM => sys_pci_enum(arg1, arg2, arg3),
        SYS_PCI_CFG_READ => sys_pci_cfg_read(arg1, arg2, arg3),
        SYS_PCI_CFG_WRITE => sys_pci_cfg_write(arg1, arg2, arg3, arg4),

        // Typed MPMC sync-channel (IPC-02)
        SYS_CHAN_CREATE => sys_chan_create(arg1),
        SYS_CHAN_SEND => sys_chan_send(arg1, arg2),
        SYS_CHAN_RECV => sys_chan_recv(arg1, arg2),
        SYS_CHAN_TRY_RECV => sys_chan_try_recv(arg1, arg2),
        SYS_CHAN_CLOSE => sys_chan_close(arg1),
        SYS_MODULE_LOAD => silo::sys_module_load(arg1, arg2),
        SYS_MODULE_UNLOAD => silo::sys_module_unload(arg1),
        SYS_MODULE_GET_SYMBOL => silo::sys_module_get_symbol(arg1, arg2),
        SYS_MODULE_QUERY => silo::sys_module_query(arg1, arg2),
        SYS_OPEN => sys_open(arg1, arg2, arg3),
        SYS_WRITE => sys_write(arg1, arg2, arg3),
        SYS_READ => sys_read(arg1, arg2, arg3),
        SYS_CLOSE => sys_close(arg1),
        SYS_LSEEK => sys_lseek(arg1, arg2, arg3),
        SYS_FSTAT => sys_fstat(arg1, arg2),
        SYS_STAT => sys_stat(arg1, arg2, arg3),
        SYS_GETDENTS => sys_getdents(arg1, arg2, arg3),
        SYS_PIPE => sys_pipe(arg1),
        SYS_DUP => sys_dup(arg1),
        SYS_DUP2 => sys_dup2(arg1, arg2),
        // ── New VFS syscalls (440-455) ─────────────────────────────────────────
        SYS_CHDIR => crate::vfs::sys_chdir(arg1, arg2),
        SYS_FCHDIR => crate::vfs::sys_fchdir(arg1 as u32),
        SYS_GETCWD => crate::vfs::sys_getcwd(arg1, arg2),
        SYS_IOCTL => crate::vfs::sys_ioctl(arg1 as u32, arg2, arg3),
        SYS_UMASK => crate::vfs::sys_umask(arg1),
        SYS_UNLINK => crate::vfs::sys_unlink(arg1, arg2),
        SYS_RMDIR => crate::vfs::sys_rmdir(arg1, arg2),
        SYS_MKDIR => crate::vfs::sys_mkdir(arg1, arg2, arg3),
        SYS_RENAME => crate::vfs::sys_rename(arg1, arg2, arg3, arg4),
        SYS_LINK => crate::vfs::sys_link(arg1, arg2, arg3, arg4),
        SYS_SYMLINK => crate::vfs::sys_symlink(arg1, arg2, arg3, arg4),
        SYS_READLINK => crate::vfs::sys_readlink(arg1, arg2, arg3, arg4),
        SYS_CHMOD => crate::vfs::sys_chmod(arg1, arg2, arg3),
        SYS_FCHMOD => crate::vfs::sys_fchmod(arg1 as u32, arg2),
        SYS_TRUNCATE => crate::vfs::sys_truncate(arg1, arg2, arg3),
        SYS_FTRUNCATE => crate::vfs::sys_ftruncate(arg1 as u32, arg2),
        SYS_PREAD => crate::vfs::sys_pread(arg1 as u32, arg2, arg3, arg4),
        SYS_PWRITE => crate::vfs::sys_pwrite(arg1 as u32, arg2, arg3, arg4),
        SYS_POLL => super::poll::sys_poll(arg1, arg2, arg3),
        SYS_PPOLL => super::poll::sys_poll(arg1, arg2, 0),

        // Network
        SYS_NET_RECV => sys_net_recv(arg1, arg2),
        SYS_NET_SEND => sys_net_send(arg1, arg2),
        SYS_NET_INFO => sys_net_info(arg1, arg2),

        SYS_VOLUME_READ => sys_volume_read(arg1, arg2, arg3, arg4),
        SYS_VOLUME_WRITE => sys_volume_write(arg1, arg2, arg3, arg4),
        SYS_VOLUME_INFO => sys_volume_info(arg1),
        SYS_CLOCK_GETTIME => super::time::sys_clock_gettime(arg1 as u32, arg2),
        SYS_NANOSLEEP => super::time::sys_nanosleep(arg1, arg2),
        SYS_DEBUG_LOG => sys_debug_log(arg1, arg2),
        SYS_SILO_CREATE => silo::sys_silo_create(arg1),
        SYS_SILO_CONFIG => silo::sys_silo_config(arg1, arg2),
        SYS_SILO_ATTACH_MODULE => silo::sys_silo_attach_module(arg1, arg2),
        SYS_SILO_START => silo::sys_silo_start(arg1),
        SYS_SILO_STOP => silo::sys_silo_stop(arg1),
        SYS_SILO_KILL => silo::sys_silo_kill(arg1),
        SYS_SILO_EVENT_NEXT => silo::sys_silo_event_next(arg1),
        SYS_SILO_SUSPEND => silo::sys_silo_suspend(arg1),
        SYS_SILO_RESUME => silo::sys_silo_resume(arg1),
        SYS_SILO_PLEDGE => silo::sys_silo_pledge(arg1),
        SYS_SILO_UNVEIL => silo::sys_silo_unveil(arg1, arg2, arg3),
        SYS_SILO_ENTER_SANDBOX => silo::sys_silo_enter_sandbox(),
        SYS_ABI_VERSION => {
            Ok(((strat9_abi::ABI_VERSION_MAJOR as u64) << 16)
                | (strat9_abi::ABI_VERSION_MINOR as u64))
        }
        _ => {
            log::warn!("Unknown syscall: {} (0x{:x})", syscall_num, syscall_num);
            Err(SyscallError::NotImplemented)
        }
    };

    match result {
        Ok(val) => {
            if syscall_num == SYS_PROC_FORK {
                crate::serial_println!("[syscall] FORK returning Ok({})", val);
            }
            frame.rax = val;
        }
        Err(e) => {
            if syscall_num == SYS_PROC_FORK {
                crate::serial_println!("[syscall] FORK returning err");
            }
            frame.rax = e.to_raw();
        }
    }

    crate::process::signal::deliver_pending_signal(frame);

    frame.rax
}

/// Alias used by the `call {dispatch}` in syscall_entry.
/// Re-exports `__strat9_syscall_dispatch` under the symbol the assembly expects.
#[no_mangle]
pub extern "C" fn dispatch(frame: &mut SyscallFrame) -> u64 {
    __strat9_syscall_dispatch(frame)
}

// ============================================================
// Syscall handlers
// ============================================================

/// SYS_NULL (0): Ping/test syscall. Returns magic value 0x57A79 ("STRAT9").
fn sys_null() -> Result<u64, SyscallError> {
    Ok(0x57A79)
}

/// SYS_HANDLE_CLOSE (2): Close a handle. Stub — always succeeds.
fn sys_handle_close(_handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(_handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    if let Some(cap) = caps.remove(CapId::from_raw(_handle)) {
        cleanup_cap_resource(&cap);
        log::trace!("syscall: HANDLE_CLOSE({})", _handle);
        Ok(0)
    } else {
        Err(SyscallError::BadHandle)
    }
}

/// Performs the cleanup cap resource operation.
fn cleanup_cap_resource(cap: &crate::capability::Capability) {
    match cap.resource_type {
        ResourceType::File => {
            if let Ok(fd) = u32::try_from(cap.resource) {
                let _ = crate::vfs::close(fd);
            }
        }
        ResourceType::SharedRing => {
            let _ = shared_ring::destroy_ring(RingId::from_u64(cap.resource as u64));
        }
        ResourceType::Semaphore => {
            let _ = semaphore::destroy_semaphore(SemId::from_u64(cap.resource as u64));
        }
        _ => {}
    }
}

/// SYS_HANDLE_DUPLICATE (1): Duplicate a handle (grant required).
fn sys_handle_duplicate(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let dup = caps
        .duplicate(CapId::from_raw(handle))
        .ok_or(SyscallError::PermissionDenied)?;
    let id = caps.insert(dup);
    Ok(id.as_u64())
}

const HANDLE_EVENT_READABLE: u64 = 1 << 0;
const HANDLE_EVENT_WRITABLE: u64 = 1 << 1;

/// Performs the poll handle events operation.
fn poll_handle_events(handle: u64) -> Result<u64, SyscallError> {
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;

    match cap.resource_type {
        ResourceType::Semaphore => {
            if !cap.permissions.read {
                return Err(SyscallError::PermissionDenied);
            }
            let sem = semaphore::get_semaphore(SemId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            if sem.is_destroyed() {
                return Err(SyscallError::Pipe);
            }
            if sem.count() > 0 {
                Ok(HANDLE_EVENT_READABLE)
            } else {
                Ok(0)
            }
        }
        ResourceType::IpcPort => {
            let port = port::get_port(PortId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            if port.is_destroyed() {
                return Err(SyscallError::Pipe);
            }
            let mut events = 0u64;
            if cap.permissions.read && port.has_messages() {
                events |= HANDLE_EVENT_READABLE;
            }
            if cap.permissions.write && port.can_send() {
                events |= HANDLE_EVENT_WRITABLE;
            }
            if events == 0 && !cap.permissions.read && !cap.permissions.write {
                return Err(SyscallError::PermissionDenied);
            }
            Ok(events)
        }
        ResourceType::Channel => {
            let chan = channel::get_channel(ChanId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            if chan.is_destroyed() {
                return Err(SyscallError::Pipe);
            }
            let mut events = 0u64;
            if cap.permissions.read && !chan.is_empty() {
                events |= HANDLE_EVENT_READABLE;
            }
            if cap.permissions.write && chan.can_send() {
                events |= HANDLE_EVENT_WRITABLE;
            }
            if events == 0 && !cap.permissions.read && !cap.permissions.write {
                return Err(SyscallError::PermissionDenied);
            }
            Ok(events)
        }
        ResourceType::SharedRing => {
            let _ = shared_ring::get_ring(RingId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            let mut events = 0u64;
            if cap.permissions.read {
                events |= HANDLE_EVENT_READABLE;
            }
            if cap.permissions.write {
                events |= HANDLE_EVENT_WRITABLE;
            }
            if events == 0 {
                return Err(SyscallError::PermissionDenied);
            }
            Ok(events)
        }
        _ => Err(SyscallError::NotSupported),
    }
}

/// Performs the sys handle wait operation.
fn sys_handle_wait(handle: u64, timeout_ns: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let check_ready = || -> Result<u64, SyscallError> {
        let events = poll_handle_events(handle)?;
        if events != 0 {
            Ok(events)
        } else {
            Err(SyscallError::Again)
        }
    };

    if timeout_ns == 0 {
        return check_ready();
    }

    let deadline = if timeout_ns == u64::MAX {
        None
    } else {
        Some(crate::syscall::time::current_time_ns().saturating_add(timeout_ns))
    };

    loop {
        if let Ok(events) = check_ready() {
            return Ok(events);
        }

        if crate::process::has_pending_signals() {
            return Err(SyscallError::Interrupted);
        }

        let now = crate::syscall::time::current_time_ns();
        let wake_ns = if let Some(deadline_ns) = deadline {
            if now >= deadline_ns {
                return Err(SyscallError::TimedOut);
            }
            core::cmp::min(deadline_ns, now.saturating_add(10_000_000))
        } else {
            now.saturating_add(10_000_000)
        };

        if let Some(task) = current_task_clone() {
            task.wake_deadline_ns.store(wake_ns, Ordering::Relaxed);
        }
        crate::process::block_current_task();
        if let Some(task) = current_task_clone() {
            task.wake_deadline_ns.store(0, Ordering::Relaxed);
        }
    }
}

/// Performs the sys handle grant operation.
fn sys_handle_grant(handle: u64, target_pid: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    crate::silo::enforce_silo_may_grant()?;
    let pid = u32::try_from(target_pid).map_err(|_| SyscallError::InvalidArgument)?;

    let source = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let granted = {
        let source_caps = unsafe { &*source.process.capabilities.get() };
        let cap = source_caps
            .get(CapId::from_raw(handle))
            .ok_or(SyscallError::BadHandle)?;
        if !cap.permissions.grant {
            return Err(SyscallError::PermissionDenied);
        }
        let mut dup = cap.clone();
        dup.id = CapId::new();
        dup
    };

    let target = crate::process::get_task_by_pid(pid).ok_or(SyscallError::NotFound)?;
    let target_caps = unsafe { &mut *target.process.capabilities.get() };
    let new_id = target_caps.insert(granted);
    Ok(new_id.as_u64())
}

/// Performs the sys handle revoke operation.
fn sys_handle_revoke(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };

    {
        let cap = caps
            .get(CapId::from_raw(handle))
            .ok_or(SyscallError::BadHandle)?;
        if !cap.permissions.revoke {
            return Err(SyscallError::PermissionDenied);
        }
    }

    let cap = caps
        .remove(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    cleanup_cap_resource(&cap);
    Ok(0)
}

use strat9_abi::data::HandleInfo as HandleInfoAbi;

/// Performs the cap perm bits operation.
fn cap_perm_bits(p: CapPermissions) -> u32 {
    (if p.read { 1 } else { 0 })
        | (if p.write { 1 << 1 } else { 0 })
        | (if p.execute { 1 << 2 } else { 0 })
        | (if p.grant { 1 << 3 } else { 0 })
        | (if p.revoke { 1 << 4 } else { 0 })
}

/// Performs the resource type code operation.
fn resource_type_code(rt: ResourceType) -> u32 {
    match rt {
        ResourceType::MemoryRegion => 1,
        ResourceType::IoPortRange => 2,
        ResourceType::InterruptLine => 3,
        ResourceType::IpcPort => 4,
        ResourceType::Channel => 5,
        ResourceType::SharedRing => 6,
        ResourceType::Semaphore => 7,
        ResourceType::Device => 8,
        ResourceType::AddressSpace => 9,
        ResourceType::Silo => 10,
        ResourceType::Module => 11,
        ResourceType::File => 12,
        ResourceType::Nic => 13,
        ResourceType::FileSystem => 14,
        ResourceType::Console => 15,
        ResourceType::Keyboard => 16,
        ResourceType::Volume => 17,
        ResourceType::Namespace => 18,
    }
}

/// Performs the sys handle info operation.
fn sys_handle_info(handle: u64, out_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    if out_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;

    let info = HandleInfoAbi {
        resource_type: resource_type_code(cap.resource_type),
        permissions: cap_perm_bits(cap.permissions),
        resource: cap.resource as u64,
    };
    let user = UserSliceWrite::new(out_ptr, core::mem::size_of::<HandleInfoAbi>())?;
    let bytes = unsafe {
        core::slice::from_raw_parts(
            &info as *const HandleInfoAbi as *const u8,
            core::mem::size_of::<HandleInfoAbi>(),
        )
    };
    user.copy_from(bytes);
    Ok(0)
}

/// SYS_PROC_EXIT (300): Exit the current task.
///
/// Marks the task as Dead and yields. This function never returns to the caller.
fn sys_proc_exit(exit_code: u64) -> Result<u64, SyscallError> {
    log::info!("syscall: PROC_EXIT(code={})", exit_code);

    // Mark current task as Dead and yield. The scheduler won't re-queue dead tasks.
    // exit_current_task() diverges (-> !), so this function never returns.
    crate::process::scheduler::exit_current_task(exit_code as i32)
}

/// SYS_PROC_YIELD (301): Yield the current time slice.
fn sys_proc_yield() -> Result<u64, SyscallError> {
    crate::process::yield_task();
    Ok(0)
}

/// SYS_SIGPROCMASK (321): Examine and change blocked signals.
///
/// arg1 = how (0=BLOCK, 1=UNBLOCK, 2=SETMASK), arg2 = set_ptr (new mask), arg3 = oldset_ptr (old mask out)
fn sys_sigprocmask(how: i32, set_ptr: u64, oldset_ptr: u64) -> Result<u64, SyscallError> {
    use crate::process::current_task_clone;

    const SIG_BLOCK: i32 = 0;
    const SIG_UNBLOCK: i32 = 1;
    const SIG_SETMASK: i32 = 2;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;

    let blocked = &task.blocked_signals;

    if oldset_ptr != 0 {
        let old_mask = blocked.get_mask();
        let user = UserSliceWrite::new(oldset_ptr, 8)?;
        user.copy_from(&old_mask.to_ne_bytes());
    }

    if set_ptr != 0 {
        let user = UserSliceRead::new(set_ptr, 8)?;
        let mut buf = [0u8; 8];
        user.copy_to(&mut buf);
        let new_mask = u64::from_ne_bytes(buf);

        let old_mask = blocked.get_mask();
        let updated_mask = match how {
            SIG_BLOCK => old_mask | new_mask,
            SIG_UNBLOCK => old_mask & !new_mask,
            SIG_SETMASK => new_mask,
            _ => return Err(SyscallError::InvalidArgument),
        };

        blocked.set_mask(updated_mask);
    }

    Ok(0)
}

/// Performs the sys uname operation.
fn sys_uname(uts_ptr: u64) -> Result<u64, SyscallError> {
    const UTS_FIELD_LEN: usize = 65;
    const UTS_TOTAL_LEN: usize = UTS_FIELD_LEN * 6;

    if uts_ptr == 0 {
        return Err(SyscallError::Fault);
    }

    /// Writes field.
    fn write_field(dst: &mut [u8], src: &[u8]) {
        let n = core::cmp::min(src.len(), dst.len().saturating_sub(1));
        if n > 0 {
            dst[..n].copy_from_slice(&src[..n]);
        }
        dst[n] = 0;
    }

    let mut uts = [0u8; UTS_TOTAL_LEN];
    write_field(&mut uts[0 * UTS_FIELD_LEN..1 * UTS_FIELD_LEN], b"Strat9");
    write_field(&mut uts[1 * UTS_FIELD_LEN..2 * UTS_FIELD_LEN], b"localhost");
    write_field(&mut uts[2 * UTS_FIELD_LEN..3 * UTS_FIELD_LEN], b"0.1.0");
    write_field(&mut uts[3 * UTS_FIELD_LEN..4 * UTS_FIELD_LEN], b"Strat9-OS");
    write_field(&mut uts[4 * UTS_FIELD_LEN..5 * UTS_FIELD_LEN], b"x86_64");
    write_field(
        &mut uts[5 * UTS_FIELD_LEN..6 * UTS_FIELD_LEN],
        b"localdomain",
    );

    let user = UserSliceWrite::new(uts_ptr, UTS_TOTAL_LEN)?;
    user.copy_from(&uts);
    Ok(0)
}

/// SYS_WRITE (404): Write bytes to a file descriptor.
fn sys_write(fd: u64, buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_write(fd as u32, buf_ptr, buf_len)
}

/// SYS_OPEN (403): Open a path from the minimal in-kernel namespace.
fn sys_open(path_ptr: u64, path_len: u64, flags: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_open(path_ptr, path_len, flags)
}

/// SYS_READ (405): Read bytes from a handle.
fn sys_read(fd: u64, buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_read(fd as u32, buf_ptr, buf_len)
}

/// SYS_CLOSE (406): Close a handle (fd).
fn sys_close(fd: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_close(fd as u32)
}

/// SYS_LSEEK (407): Seek in a file.
fn sys_lseek(fd: u64, offset: u64, whence: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_lseek(fd as u32, offset as i64, whence as u32)
}

/// SYS_FSTAT (408): Get metadata of an open file.
fn sys_fstat(fd: u64, stat_ptr: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_fstat(fd as u32, stat_ptr)
}

/// SYS_STAT (409): Get metadata by path.
fn sys_stat(path_ptr: u64, path_len: u64, stat_ptr: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_stat(path_ptr, path_len, stat_ptr)
}

/// SYS_GETDENTS (430): Read directory entries.
fn sys_getdents(fd: u64, buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_getdents(fd as u32, buf_ptr, buf_len)
}

/// SYS_PIPE (431): Create a pipe pair.
fn sys_pipe(fds_ptr: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_pipe(fds_ptr)
}

/// SYS_DUP (432): Duplicate a file descriptor.
fn sys_dup(old_fd: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_dup(old_fd as u32)
}

/// SYS_DUP2 (433): Duplicate fd to a specific number.
fn sys_dup2(old_fd: u64, new_fd: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_dup2(old_fd as u32, new_fd as u32)
}

// ============================================================
// Volume / Block device syscalls
// ============================================================

const MAX_SECTORS_PER_CALL: u64 = 256;

enum VolumeDeviceRef {
    Virtio(&'static virtio_block::VirtioBlockDevice),
    Ahci(&'static ahci::AhciController),
}

impl VolumeDeviceRef {
    /// Performs the sector count operation.
    fn sector_count(&self) -> u64 {
        match self {
            VolumeDeviceRef::Virtio(dev) => BlockDevice::sector_count(*dev),
            VolumeDeviceRef::Ahci(dev) => BlockDevice::sector_count(*dev),
        }
    }

    /// Reads sector.
    fn read_sector(&self, sector: u64, buf: &mut [u8]) -> Result<(), SyscallError> {
        match self {
            VolumeDeviceRef::Virtio(dev) => {
                BlockDevice::read_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
            VolumeDeviceRef::Ahci(dev) => {
                BlockDevice::read_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
        }
    }

    /// Writes sector.
    fn write_sector(&self, sector: u64, buf: &[u8]) -> Result<(), SyscallError> {
        match self {
            VolumeDeviceRef::Virtio(dev) => {
                BlockDevice::write_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
            VolumeDeviceRef::Ahci(dev) => {
                BlockDevice::write_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
        }
    }
}

/// Performs the resolve volume device operation.
fn resolve_volume_device(
    handle: u64,
    required: CapPermissions,
) -> Result<VolumeDeviceRef, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get_with_permissions(CapId::from_raw(handle), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::Volume {
        return Err(SyscallError::BadHandle);
    }

    if let Some(device) = virtio_block::get_device() {
        let device_ptr = device as *const virtio_block::VirtioBlockDevice as usize;
        if cap.resource == device_ptr {
            return Ok(VolumeDeviceRef::Virtio(device));
        }
    }
    if let Some(device) = ahci::get_device() {
        let device_ptr = device as *const ahci::AhciController as usize;
        if cap.resource == device_ptr {
            return Ok(VolumeDeviceRef::Ahci(device));
        }
    }
    Err(SyscallError::BadHandle)
}

/// Performs the sys volume read operation.
fn sys_volume_read(
    handle: u64,
    sector: u64,
    buf_ptr: u64,
    sector_count: u64,
) -> Result<u64, SyscallError> {
    if sector_count == 0 {
        return Ok(0);
    }
    if sector_count > MAX_SECTORS_PER_CALL {
        return Err(SyscallError::InvalidArgument);
    }

    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let device = resolve_volume_device(handle, required)?;
    let total_sectors = device.sector_count();
    if sector >= total_sectors || sector.saturating_add(sector_count) > total_sectors {
        return Err(SyscallError::InvalidArgument);
    }

    let mut kbuf = [0u8; SECTOR_SIZE];
    for i in 0..sector_count {
        let cur_sector = sector.checked_add(i).ok_or(SyscallError::InvalidArgument)?;
        device.read_sector(cur_sector, &mut kbuf)?;
        let offset = (i as usize)
            .checked_mul(SECTOR_SIZE)
            .ok_or(SyscallError::InvalidArgument)?;
        let ptr = buf_ptr
            .checked_add(offset as u64)
            .ok_or(SyscallError::Fault)?;
        let user = UserSliceWrite::new(ptr, SECTOR_SIZE)?;
        user.copy_from(&kbuf);
    }

    Ok(sector_count)
}

/// Performs the sys volume write operation.
fn sys_volume_write(
    handle: u64,
    sector: u64,
    buf_ptr: u64,
    sector_count: u64,
) -> Result<u64, SyscallError> {
    if sector_count == 0 {
        return Ok(0);
    }
    if sector_count > MAX_SECTORS_PER_CALL {
        return Err(SyscallError::InvalidArgument);
    }

    let required = CapPermissions {
        read: false,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let device = resolve_volume_device(handle, required)?;
    let total_sectors = device.sector_count();
    if sector >= total_sectors || sector.saturating_add(sector_count) > total_sectors {
        return Err(SyscallError::InvalidArgument);
    }

    let mut kbuf = [0u8; SECTOR_SIZE];
    for i in 0..sector_count {
        let cur_sector = sector.checked_add(i).ok_or(SyscallError::InvalidArgument)?;
        let offset = (i as usize)
            .checked_mul(SECTOR_SIZE)
            .ok_or(SyscallError::InvalidArgument)?;
        let ptr = buf_ptr
            .checked_add(offset as u64)
            .ok_or(SyscallError::Fault)?;
        let user = UserSliceRead::new(ptr, SECTOR_SIZE)?;
        let data = user.read_to_vec();
        if data.len() != SECTOR_SIZE {
            return Err(SyscallError::InvalidArgument);
        }
        kbuf.copy_from_slice(&data);
        device.write_sector(cur_sector, &kbuf)?;
    }

    Ok(sector_count)
}

/// Performs the sys volume info operation.
fn sys_volume_info(handle: u64) -> Result<u64, SyscallError> {
    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let device = resolve_volume_device(handle, required)?;
    Ok(device.sector_count())
}

/// SYS_DEBUG_LOG (600): Write a debug message to serial output.
///
/// arg1 = buffer pointer, arg2 = buffer length.
fn sys_debug_log(buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    if buf_len == 0 {
        return Ok(0);
    }

    // Restrict debug logging to admin or console-capable tasks.
    crate::silo::enforce_console_access()?;

    let len = core::cmp::min(buf_len as usize, 4096);

    // Validate the user buffer via UserSlice
    let user_buf = UserSliceRead::new(buf_ptr, len)?;

    // Copy into kernel buffer
    let mut kbuf = [0u8; 4096];
    let copied = user_buf.copy_to(&mut kbuf);

    // Write to serial with a prefix
    crate::serial_print!("[user-debug] ");
    for &byte in &kbuf[..copied] {
        crate::serial_print!("{}", byte as char);
    }
    crate::serial_println!();

    if let Some(task) = crate::process::current_task_clone() {
        if let Some(silo_id) = crate::silo::task_silo_id(task.id) {
            crate::silo::silo_output_write(silo_id, &kbuf[..copied]);
        }
    }

    Ok(copied as u64)
}

// ============================================================
// Network syscalls
// ============================================================

/// Performs the sys net recv operation.
pub fn sys_net_recv(buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    let device = crate::hardware::nic::get_default_device().ok_or(SyscallError::Again)?;
    let mut kbuf = vec![0u8; buf_len as usize];

    let n = match device.receive(&mut kbuf) {
        Ok(n) => n,
        Err(e) => {
            let se = SyscallError::from(e);
            if se != SyscallError::Again
                && NET_RECV_ERR_LOG_BUDGET.fetch_sub(1, Ordering::Relaxed) > 0
            {
                crate::serial_println!("[net-sys] recv error: {:?} -> {}", e, se.name());
            }
            return Err(se);
        }
    };
    trace_dhcp_frame("rx", &kbuf[..n]);

    let user = UserSliceWrite::new(buf_ptr, n)?;
    user.copy_from(&kbuf[..n]);
    Ok(n as u64)
}

/// Performs the sys net send operation.
pub fn sys_net_send(buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    let device = crate::hardware::nic::get_default_device().ok_or(SyscallError::Again)?;
    let user = UserSliceRead::new(buf_ptr, buf_len as usize)?;
    let kbuf = user.read_to_vec();
    trace_dhcp_frame("tx", &kbuf);

    if let Err(e) = device.transmit(&kbuf) {
        let se = SyscallError::from(e);
        if NET_SEND_ERR_LOG_BUDGET.fetch_sub(1, Ordering::Relaxed) > 0 {
            crate::serial_println!("[net-sys] send error: {:?} -> {}", e, se.name());
        }
        return Err(se);
    }

    Ok(buf_len)
}

/// Performs the sys net info operation.
pub fn sys_net_info(info_type: u64, buf_ptr: u64) -> Result<u64, SyscallError> {
    let device = crate::hardware::nic::get_default_device().ok_or(SyscallError::Again)?;

    match info_type {
        0 => {
            let mac = device.mac_address();
            let user = UserSliceWrite::new(buf_ptr, 6)?;
            user.copy_from(&mac);
            Ok(6)
        }
        _ => Err(SyscallError::InvalidArgument),
    }
}

// ============================================================
// IPC syscalls (with capability enforcement)
// ============================================================

/// Performs the sys ipc create port operation.
fn sys_ipc_create_port(_flags: u64) -> Result<u64, SyscallError> {
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let port_id = port::create_port(task.id);
    let cap = get_capability_manager().create_capability(
        ResourceType::IpcPort,
        port_id.as_u64() as usize,
        CapPermissions::all(),
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the sys ipc send operation.
fn sys_ipc_send(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: false,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let user = UserSliceRead::new(_msg_ptr, MSG_SIZE)?;
    let mut buf = [0u8; MSG_SIZE];
    user.copy_to(&mut buf);
    let mut msg = crate::ipc::message::ipc_message_from_raw(&buf);

    // Stamp identity
    msg.sender = task.id.as_u64();

    if msg.flags == 0 {
        if let Some((sid, _label, _mem_used, _mem_min, _mem_max)) =
            crate::silo::silo_info_for_task(task.id)
        {
            if let Some(snapshot) = crate::silo::list_silos_snapshot()
                .into_iter()
                .find(|s| s.id == sid)
            {
                let structured_label = crate::ipc::message::IpcLabel {
                    tier: snapshot.tier as u8,
                    family: 5,
                    compartment: sid as u16,
                };
                msg.flags = unsafe { core::mem::transmute(structured_label) };
            }
        }
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    port.send(msg).map_err(SyscallError::from)?;
    Ok(0)
}

/// Performs the sys ipc recv operation.
fn sys_ipc_recv(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    let mut msg = port.recv().map_err(SyscallError::from)?;

    // Handle transfer (optional): msg.flags contains a handle in the sender table.
    if msg.flags != 0 {
        let sender_id = crate::process::TaskId::from_u64(msg.sender);
        let sender = crate::process::get_task_by_id(sender_id).ok_or(SyscallError::BadHandle)?;
        let sender_caps = unsafe { &mut *sender.process.capabilities.get() };
        let dup = sender_caps
            .duplicate(CapId::from_raw(msg.flags as u64))
            .ok_or(SyscallError::PermissionDenied)?;

        let receiver = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
        let receiver_caps = unsafe { &mut *receiver.process.capabilities.get() };
        let new_id = receiver_caps.insert(dup);
        if new_id.as_u64() > u32::MAX as u64 {
            return Err(SyscallError::InvalidArgument);
        }
        msg.flags = new_id.as_u64() as u32;
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let mut buf = [0u8; MSG_SIZE];
    crate::ipc::message::ipc_message_to_raw(&msg, &mut buf);
    let user = UserSliceWrite::new(_msg_ptr, MSG_SIZE)?;
    user.copy_from(&buf);
    Ok(0)
}

/// Performs the sys ipc try recv operation.
fn sys_ipc_try_recv(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    let msg_opt = port.try_recv().map_err(SyscallError::from)?;

    let mut msg = match msg_opt {
        Some(m) => m,
        None => return Err(SyscallError::Again),
    };

    // Handle transfer (optional): msg.flags contains a handle in the sender table.
    if msg.flags != 0 {
        let sender_id = crate::process::TaskId::from_u64(msg.sender);
        let sender = crate::process::get_task_by_id(sender_id).ok_or(SyscallError::BadHandle)?;
        let sender_caps = unsafe { &mut *sender.process.capabilities.get() };
        let dup = sender_caps
            .duplicate(CapId::from_raw(msg.flags as u64))
            .ok_or(SyscallError::PermissionDenied)?;

        let receiver = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
        let receiver_caps = unsafe { &mut *receiver.process.capabilities.get() };
        let new_id = receiver_caps.insert(dup);
        if new_id.as_u64() > u32::MAX as u64 {
            return Err(SyscallError::InvalidArgument);
        }
        msg.flags = new_id.as_u64() as u32;
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let mut buf = [0u8; MSG_SIZE];
    crate::ipc::message::ipc_message_to_raw(&msg, &mut buf);
    let user = UserSliceWrite::new(_msg_ptr, MSG_SIZE)?;
    user.copy_from(&buf);
    Ok(0)
}

/// Performs the sys ipc connect operation.
fn sys_ipc_connect(path_ptr: u64, path_len: u64) -> Result<u64, SyscallError> {
    if path_ptr == 0 || path_len == 0 {
        return Err(SyscallError::Fault);
    }
    const MAX_PATH_LEN: usize = 4096;
    if path_len as usize > MAX_PATH_LEN {
        return Err(SyscallError::InvalidArgument);
    }
    let user = UserSliceRead::new(path_ptr, path_len as usize)?;
    let bytes = user.read_to_vec();
    let path = core::str::from_utf8(&bytes).map_err(SyscallError::from)?;

    let (port_raw, _remaining) = crate::namespace::resolve(path).ok_or(SyscallError::NotFound)?;
    let port_id = PortId::from_u64(port_raw);
    if port::get_port(port_id).is_none() {
        return Err(SyscallError::BadHandle);
    }

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let cap = get_capability_manager().create_capability(
        ResourceType::IpcPort,
        port_raw as usize,
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: false,
            revoke: false,
        },
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the sys ipc call operation.
fn sys_ipc_call(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: false,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let user = UserSliceRead::new(_msg_ptr, MSG_SIZE)?;
    let mut buf = [0u8; MSG_SIZE];
    user.copy_to(&mut buf);
    let mut msg = crate::ipc::message::ipc_message_from_raw(&buf);
    msg.sender = task.id.as_u64();
    if msg.flags != 0 {
        let transfer_required = CapPermissions {
            read: false,
            write: false,
            execute: false,
            grant: true,
            revoke: false,
        };
        if caps
            .get_with_permissions(CapId::from_raw(msg.flags as u64), transfer_required)
            .is_none()
        {
            return Err(SyscallError::PermissionDenied);
        }
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    port.send(msg).map_err(SyscallError::from)?;

    let reply_msg = reply::wait_for_reply(task.id);
    let mut out_buf = [0u8; MSG_SIZE];
    crate::ipc::message::ipc_message_to_raw(&reply_msg, &mut out_buf);
    let user = UserSliceWrite::new(_msg_ptr, MSG_SIZE)?;
    user.copy_from(&out_buf);
    Ok(0)
}

/// Performs the sys ipc reply operation.
fn sys_ipc_reply(_msg_ptr: u64) -> Result<u64, SyscallError> {
    if _msg_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let user = UserSliceRead::new(_msg_ptr, MSG_SIZE)?;
    let mut buf = [0u8; MSG_SIZE];
    user.copy_to(&mut buf);
    let msg = crate::ipc::message::ipc_message_from_raw(&buf);

    let target = crate::process::TaskId::from_u64(msg.sender);
    let mut msg = msg;
    if msg.flags != 0 {
        let sender = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
        let sender_caps = unsafe { &mut *sender.process.capabilities.get() };
        let dup = sender_caps
            .duplicate(CapId::from_raw(msg.flags as u64))
            .ok_or(SyscallError::PermissionDenied)?;

        let receiver = crate::process::get_task_by_id(target).ok_or(SyscallError::BadHandle)?;
        let receiver_caps = unsafe { &mut *receiver.process.capabilities.get() };
        let new_id = receiver_caps.insert(dup);
        if new_id.as_u64() > u32::MAX as u64 {
            return Err(SyscallError::InvalidArgument);
        }
        msg.flags = new_id.as_u64() as u32;
    }

    reply::deliver_reply(target, msg).map_err(|_| SyscallError::BadHandle)?;
    Ok(0)
}

/// Performs the sys ipc bind port operation.
fn sys_ipc_bind_port(port: u64, _path_ptr: u64, _path_len: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_registry_bind_for_current_task()?;
    crate::silo::enforce_cap_for_current_task(port)?;
    if _path_ptr == 0 || _path_len == 0 {
        return Err(SyscallError::Fault);
    }
    const MAX_PATH_LEN: usize = 4096;
    if _path_len as usize > MAX_PATH_LEN {
        return Err(SyscallError::InvalidArgument);
    }
    let user = UserSliceRead::new(_path_ptr, _path_len as usize)?;
    let bytes = user.read_to_vec();
    let path = core::str::from_utf8(&bytes).map_err(SyscallError::from)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get_with_permissions(
            CapId::from_raw(port),
            CapPermissions {
                read: true,
                write: true,
                execute: false,
                grant: true,
                revoke: false,
            },
        )
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    crate::vfs::mount(
        path,
        Arc::new(crate::vfs::IpcScheme::new(PortId::from_u64(
            cap.resource as u64,
        ))),
    )?;
    let _ = crate::namespace::bind(path, cap.resource as u64);
    let _ = crate::silo::set_current_silo_label_from_path(path);

    // Bootstrap convenience: if a privileged userspace server binds root `/`
    // or a strate mountpoint, queue a bootstrap message.
    //
    // Volume capability seeding is optional (depends on a block device), but
    // bootstrap delivery must still happen so strate servers can bind their
    // label alias (`/srv/strate-fs-*/<label>`).
    let should_bootstrap = path == "/" || path.starts_with("/srv/strate-fs-");
    if should_bootstrap {
        let mut seeded_handle: u32 = 0;
        if let Some(device) = crate::hardware::storage::virtio_block::get_device() {
            let volume_resource = device as *const _ as usize;
            let volume_perms = CapPermissions {
                read: true,
                write: true,
                execute: false,
                grant: true,
                revoke: true,
            };
            let volume_cap = crate::capability::get_capability_manager().create_capability(
                ResourceType::Volume,
                volume_resource,
                volume_perms,
            );
            let task_caps = unsafe { &mut *task.process.capabilities.get() };
            let id = task_caps.insert(volume_cap);
            let _ = crate::silo::register_current_task_granted_resource(
                ResourceType::Volume,
                volume_resource,
                volume_perms,
            );
            if id.as_u64() <= u32::MAX as u64 {
                seeded_handle = id.as_u64() as u32;
            }
            log::info!(
                "ipc_bind_port('/'): seeded volume capability handle={} for task {:?}",
                id.as_u64(),
                task.id
            );
        }

        // Send a bootstrap message to the just-bound filesystem server.
        // Message format:
        // - msg_type = 0x10
        // - flags = optional volume capability handle (0 if none)
        // - payload[0] = label length (u8)
        // - payload[1..] = UTF-8 label bytes (truncated to fit)
        const BOOTSTRAP_MSG_TYPE: u32 = 0x10;
        let mut boot_msg = IpcMessage::new(BOOTSTRAP_MSG_TYPE);
        // Use the bound task as sender so capability transfer path can
        // duplicate `flags` from a valid capability table when present.
        boot_msg.sender = task.id.as_u64();
        boot_msg.flags = seeded_handle;
        let label_owned = crate::silo::current_task_silo_label().unwrap_or_else(|| {
            if path == "/" {
                alloc::string::String::from("root")
            } else {
                alloc::string::String::from(
                    path.rsplit('/')
                        .find(|part| !part.is_empty())
                        .unwrap_or("default"),
                )
            }
        });
        let label_bytes = label_owned.as_bytes();
        let max_len = boot_msg.payload.len().saturating_sub(1);
        let copy_len = core::cmp::min(label_bytes.len(), max_len);
        boot_msg.payload[0] = copy_len as u8;
        if copy_len > 0 {
            boot_msg.payload[1..1 + copy_len].copy_from_slice(&label_bytes[..copy_len]);
        }

        let port_id = PortId::from_u64(cap.resource as u64);
        if let Some(p) = port::get_port(port_id) {
            if p.send(boot_msg).is_ok() {
                log::info!(
                    "ipc_bind_port('{}'): queued bootstrap message (handle={}, label={})",
                    path,
                    seeded_handle,
                    label_owned
                );
            } else {
                log::warn!(
                    "ipc_bind_port('{}'): failed to queue bootstrap message",
                    path
                );
            }
        } else {
            log::warn!(
                "ipc_bind_port('{}'): bound port disappeared before bootstrap",
                path
            );
        }
    }
    Ok(0)
}

/// Performs the sys ipc unbind port operation.
fn sys_ipc_unbind_port(path_ptr: u64, path_len: u64) -> Result<u64, SyscallError> {
    crate::silo::require_silo_admin()?;
    if path_ptr == 0 || path_len == 0 {
        return Err(SyscallError::Fault);
    }
    const MAX_PATH_LEN: usize = 4096;
    if path_len as usize > MAX_PATH_LEN {
        return Err(SyscallError::InvalidArgument);
    }
    let user = UserSliceRead::new(path_ptr, path_len as usize)?;
    let bytes = user.read_to_vec();
    let path = core::str::from_utf8(&bytes).map_err(SyscallError::from)?;
    let _ = crate::namespace::unbind(path);
    crate::vfs::unmount(path)?;
    Ok(0)
}

/// Performs the sys ipc ring create operation.
fn sys_ipc_ring_create(_size: u64) -> Result<u64, SyscallError> {
    let size = usize::try_from(_size).map_err(|_| SyscallError::InvalidArgument)?;
    let ring_id = shared_ring::create_ring(size).map_err(|e| match e {
        shared_ring::RingError::InvalidSize => SyscallError::InvalidArgument,
        shared_ring::RingError::Alloc => SyscallError::OutOfMemory,
        shared_ring::RingError::NotFound => SyscallError::NotFound,
    })?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let cap = get_capability_manager().create_capability(
        ResourceType::SharedRing,
        ring_id.as_u64() as usize,
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: true,
            revoke: true,
        },
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the sys ipc ring map operation.
fn sys_ipc_ring_map(ring: u64, _out_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(ring)?;
    if _out_ptr == 0 {
        return Err(SyscallError::Fault);
    }

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: true,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(ring), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::SharedRing {
        return Err(SyscallError::BadHandle);
    }

    let ring_id = RingId::from_u64(cap.resource as u64);
    let ring_obj = shared_ring::get_ring(ring_id).ok_or(SyscallError::BadHandle)?;
    let frame_phys_addrs = ring_obj.frame_phys_addrs();
    let page_count = ring_obj.page_count();
    let map_size = page_count
        .checked_mul(4096)
        .ok_or(SyscallError::InvalidArgument)? as u64;

    let addr_space = unsafe { &*task.process.address_space.get() };
    let base = addr_space
        .find_free_vma_range(
            super::mmap::MMAP_BASE,
            page_count,
            crate::memory::address_space::VmaPageSize::Small,
        )
        .ok_or(SyscallError::OutOfMemory)?;

    addr_space
        .map_shared_frames(
            base,
            &frame_phys_addrs,
            crate::memory::address_space::VmaFlags {
                readable: true,
                writable: true,
                executable: false,
                user_accessible: true,
            },
            crate::memory::address_space::VmaType::Anonymous,
        )
        .map_err(|_| SyscallError::OutOfMemory)?;

    let out = UserSliceWrite::new(_out_ptr, core::mem::size_of::<u64>())?;
    out.copy_from(&base.to_ne_bytes());
    Ok(map_size)
}

/// Performs the sys sem create operation.
fn sys_sem_create(initial: u64) -> Result<u64, SyscallError> {
    let initial = u32::try_from(initial).map_err(|_| SyscallError::InvalidArgument)?;
    let sem_id = semaphore::create_semaphore(initial).map_err(|e| match e {
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let cap = get_capability_manager().create_capability(
        ResourceType::Semaphore,
        sem_id.as_u64() as usize,
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: true,
            revoke: true,
        },
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the resolve sem operation.
fn resolve_sem(
    handle: u64,
    required: CapPermissions,
) -> Result<alloc::sync::Arc<semaphore::PosixSemaphore>, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get_with_permissions(CapId::from_raw(handle), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::Semaphore {
        return Err(SyscallError::BadHandle);
    }
    let id = SemId::from_u64(cap.resource as u64);
    semaphore::get_semaphore(id).ok_or(SyscallError::BadHandle)
}

/// Performs the sys sem wait operation.
fn sys_sem_wait(handle: u64) -> Result<u64, SyscallError> {
    let sem = resolve_sem(
        handle,
        CapPermissions {
            read: true,
            write: false,
            execute: false,
            grant: false,
            revoke: false,
        },
    )?;
    sem.wait().map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

/// Performs the sys sem trywait operation.
fn sys_sem_trywait(handle: u64) -> Result<u64, SyscallError> {
    let sem = resolve_sem(
        handle,
        CapPermissions {
            read: true,
            write: false,
            execute: false,
            grant: false,
            revoke: false,
        },
    )?;
    sem.try_wait().map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

/// Performs the sys sem post operation.
fn sys_sem_post(handle: u64) -> Result<u64, SyscallError> {
    let sem = resolve_sem(
        handle,
        CapPermissions {
            read: false,
            write: true,
            execute: false,
            grant: false,
            revoke: false,
        },
    )?;
    sem.post().map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

/// Performs the sys sem close operation.
fn sys_sem_close(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let cap = caps
        .remove(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Semaphore {
        return Err(SyscallError::BadHandle);
    }
    semaphore::destroy_semaphore(SemId::from_u64(cap.resource as u64)).map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

use strat9_abi::data::{
    PciAddress as PciAddressAbi, PciDeviceInfo as PciDeviceInfoAbi,
    PciProbeCriteria as PciProbeCriteriaAbi, PCI_MATCH_CLASS_CODE, PCI_MATCH_DEVICE_ID,
    PCI_MATCH_PROG_IF, PCI_MATCH_SUBCLASS, PCI_MATCH_VENDOR_ID,
};

/// Reads pci address.
fn read_pci_address(addr_ptr: u64) -> Result<pci::PciAddress, SyscallError> {
    if addr_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    let user = UserSliceRead::new(addr_ptr, core::mem::size_of::<PciAddressAbi>())?;
    let mut raw = [0u8; core::mem::size_of::<PciAddressAbi>()];
    user.copy_to(&mut raw);
    let abi = unsafe { core::ptr::read_unaligned(raw.as_ptr() as *const PciAddressAbi) };
    if abi.device > 31 || abi.function > 7 {
        return Err(SyscallError::InvalidArgument);
    }
    Ok(pci::PciAddress::new(abi.bus, abi.device, abi.function))
}

/// Performs the sys pci enum operation.
fn sys_pci_enum(criteria_ptr: u64, out_ptr: u64, max_entries: u64) -> Result<u64, SyscallError> {
    if criteria_ptr == 0 || out_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    if max_entries == 0 {
        return Ok(0);
    }
    let max_entries = core::cmp::min(max_entries as usize, 4096);
    let user_criteria =
        UserSliceRead::new(criteria_ptr, core::mem::size_of::<PciProbeCriteriaAbi>())?;
    let mut criteria_bytes = [0u8; core::mem::size_of::<PciProbeCriteriaAbi>()];
    user_criteria.copy_to(&mut criteria_bytes);
    let criteria_abi =
        unsafe { core::ptr::read_unaligned(criteria_bytes.as_ptr() as *const PciProbeCriteriaAbi) };

    let criteria = pci::ProbeCriteria {
        vendor_id: if (criteria_abi.match_flags & PCI_MATCH_VENDOR_ID) != 0 {
            Some(criteria_abi.vendor_id)
        } else {
            None
        },
        device_id: if (criteria_abi.match_flags & PCI_MATCH_DEVICE_ID) != 0 {
            Some(criteria_abi.device_id)
        } else {
            None
        },
        class_code: if (criteria_abi.match_flags & PCI_MATCH_CLASS_CODE) != 0 {
            Some(criteria_abi.class_code)
        } else {
            None
        },
        subclass: if (criteria_abi.match_flags & PCI_MATCH_SUBCLASS) != 0 {
            Some(criteria_abi.subclass)
        } else {
            None
        },
        prog_if: if (criteria_abi.match_flags & PCI_MATCH_PROG_IF) != 0 {
            Some(criteria_abi.prog_if)
        } else {
            None
        },
    };

    let devices = pci::probe_all(criteria);
    let count = core::cmp::min(devices.len(), max_entries);
    let mut out = alloc::vec::Vec::<PciDeviceInfoAbi>::with_capacity(count);
    for dev in devices.into_iter().take(count) {
        out.push(PciDeviceInfoAbi {
            address: PciAddressAbi {
                bus: dev.address.bus,
                device: dev.address.device,
                function: dev.address.function,
                _reserved: 0,
            },
            vendor_id: dev.vendor_id,
            device_id: dev.device_id,
            class_code: dev.class_code,
            subclass: dev.subclass,
            prog_if: dev.prog_if,
            revision: dev.revision,
            header_type: dev.header_type,
            interrupt_line: dev.interrupt_line,
            interrupt_pin: dev.interrupt_pin,
            _reserved: 0,
        });
    }
    let out_bytes_len = out
        .len()
        .checked_mul(core::mem::size_of::<PciDeviceInfoAbi>())
        .ok_or(SyscallError::InvalidArgument)?;
    let user_out = UserSliceWrite::new(out_ptr, out_bytes_len)?;
    let out_bytes =
        unsafe { core::slice::from_raw_parts(out.as_ptr() as *const u8, out_bytes_len) };
    user_out.copy_from(out_bytes);
    Ok(out.len() as u64)
}

/// Performs the sys pci cfg read operation.
fn sys_pci_cfg_read(addr_ptr: u64, offset: u64, width: u64) -> Result<u64, SyscallError> {
    let dev_addr = read_pci_address(addr_ptr)?;
    let offset = u8::try_from(offset).map_err(|_| SyscallError::InvalidArgument)?;
    let width = u8::try_from(width).map_err(|_| SyscallError::InvalidArgument)?;
    if !matches!(width, 1 | 2 | 4) {
        return Err(SyscallError::InvalidArgument);
    }
    if offset > 0xFC || (offset as u16 + width as u16) > 0x100 {
        return Err(SyscallError::InvalidArgument);
    }
    if (width == 2 && (offset & 1) != 0) || (width == 4 && (offset & 3) != 0) {
        return Err(SyscallError::InvalidArgument);
    }
    let dev = pci::all_devices()
        .into_iter()
        .find(|d| d.address == dev_addr)
        .ok_or(SyscallError::NotFound)?;
    let value = match width {
        1 => dev.read_config_u8(offset) as u32,
        2 => dev.read_config_u16(offset) as u32,
        _ => dev.read_config_u32(offset),
    };
    Ok(value as u64)
}

/// Performs the sys pci cfg write operation.
fn sys_pci_cfg_write(
    addr_ptr: u64,
    offset: u64,
    width: u64,
    value: u64,
) -> Result<u64, SyscallError> {
    let dev_addr = read_pci_address(addr_ptr)?;
    let offset = u8::try_from(offset).map_err(|_| SyscallError::InvalidArgument)?;
    let width = u8::try_from(width).map_err(|_| SyscallError::InvalidArgument)?;
    if !matches!(width, 1 | 2 | 4) {
        return Err(SyscallError::InvalidArgument);
    }
    if offset > 0xFC || (offset as u16 + width as u16) > 0x100 {
        return Err(SyscallError::InvalidArgument);
    }
    if (width == 2 && (offset & 1) != 0) || (width == 4 && (offset & 3) != 0) {
        return Err(SyscallError::InvalidArgument);
    }
    let dev = pci::all_devices()
        .into_iter()
        .find(|d| d.address == dev_addr)
        .ok_or(SyscallError::NotFound)?;
    match width {
        1 => dev.write_config_u8(offset, value as u8),
        2 => dev.write_config_u16(offset, value as u16),
        _ => dev.write_config_u32(offset, value as u32),
    }
    Ok(0)
}

// ── Typed MPMC sync-channel syscall handlers (IPC-02) ─────────────────────────

/// SYS_CHAN_CREATE (220): create a bounded sync-channel.
///
/// arg1 = capacity (clamped to [1, 1024]).
/// Returns a capability handle whose `resource` field encodes the `ChanId`.
fn sys_chan_create(capacity: u64) -> Result<u64, SyscallError> {
    let cap = capacity.clamp(1, 1024) as usize;
    let chan_id = channel::create_channel(cap);

    // Register a Channel capability in the current task's capability table.
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let cap_id = caps.insert(crate::capability::Capability {
        id: crate::capability::CapId::new(),
        permissions: crate::capability::CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: true,
            revoke: false,
        },
        resource_type: ResourceType::Channel,
        resource: chan_id.as_u64() as usize,
    });

    log::debug!(
        "syscall: CHAN_CREATE(cap={}) → chan={} handle={}",
        cap,
        chan_id,
        cap_id.as_u64()
    );
    Ok(cap_id.as_u64())
}

/// SYS_CHAN_SEND (221): send one `IpcMessage` to a channel, blocking if full.
///
/// arg1 = channel handle (CapId), arg2 = user pointer to 64-byte IpcMessage.
fn sys_chan_send(handle: u64, msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    // Validate and copy the message from userspace.
    let user_slice = UserSliceRead::new(msg_ptr, 64).map_err(SyscallError::from)?;
    let mut msg = IpcMessage::new(0);
    // SAFETY: IpcMessage is repr(C), 64 bytes, fully initialised above.
    let n = user_slice.copy_to(unsafe {
        core::slice::from_raw_parts_mut(&mut msg as *mut IpcMessage as *mut u8, 64)
    });
    if n != 64 {
        return Err(SyscallError::Fault);
    }

    // Fill in the sender task ID.
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    msg.sender = task.id.as_u64();

    // Look up the channel capability.
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel || !cap.permissions.write {
        return Err(SyscallError::PermissionDenied);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);

    let chan = channel::get_channel(chan_id).ok_or(SyscallError::BadHandle)?;
    chan.send(msg).map_err(SyscallError::from)?;

    Ok(0)
}

/// SYS_CHAN_RECV (222): receive one `IpcMessage` from a channel, blocking if empty.
///
/// arg1 = channel handle (CapId), arg2 = user pointer to 64-byte output buffer.
fn sys_chan_recv(handle: u64, msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel || !cap.permissions.read {
        return Err(SyscallError::PermissionDenied);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);

    let chan = channel::get_channel(chan_id).ok_or(SyscallError::BadHandle)?;
    let msg = chan.recv().map_err(SyscallError::from)?;

    // Write the received message to userspace.
    let user_slice = UserSliceWrite::new(msg_ptr, 64).map_err(SyscallError::from)?;
    // SAFETY: IpcMessage is repr(C), 64 bytes.
    let n = user_slice.copy_from(unsafe {
        core::slice::from_raw_parts(&msg as *const IpcMessage as *const u8, 64)
    });
    if n != 64 {
        return Err(SyscallError::Fault);
    }

    Ok(0)
}

/// SYS_CHAN_TRY_RECV (223): non-blocking receive.
///
/// Returns 0 if a message was delivered, -EWOULDBLOCK if the channel is empty.
fn sys_chan_try_recv(handle: u64, msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel || !cap.permissions.read {
        return Err(SyscallError::PermissionDenied);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);

    let chan = channel::get_channel(chan_id).ok_or(SyscallError::BadHandle)?;
    match chan.try_recv() {
        Ok(msg) => {
            let user_slice = UserSliceWrite::new(msg_ptr, 64).map_err(SyscallError::from)?;
            // SAFETY: IpcMessage is repr(C), 64 bytes.
            let n = user_slice.copy_from(unsafe {
                core::slice::from_raw_parts(&msg as *const IpcMessage as *const u8, 64)
            });
            if n != 64 {
                return Err(SyscallError::Fault);
            }
            Ok(0)
        }
        Err(e) => Err(SyscallError::from(e)),
    }
}

/// SYS_CHAN_CLOSE (224): destroy a channel and remove it from the registry.
///
/// Wakes all tasks blocked on this channel with `Disconnected`.
fn sys_chan_close(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let cap = caps
        .remove(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel {
        return Err(SyscallError::BadHandle);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);
    channel::destroy_channel(chan_id).map_err(SyscallError::from)?;

    log::debug!("syscall: CHAN_CLOSE(handle={}) → chan={}", handle, chan_id);
    Ok(0)
}