Core Concepts
In the Capsule execution model the CLI, Runtime, and Desktop have separate responsibilities, all driven by the declarations in capsule.toml.
What is Capsule
Capsule is a package format with two variants: .capsule (app distribution) and .sync (self-updating data). Both are ultimately validated and executed according to their declaration files.
| Format | Primary Purpose | Reference Spec |
|---|---|---|
| .capsule | App/tool distribution, runtime selection, signature verification | CAPSULE_SPEC.md |
| .sync | Immediate payload display + TTL updates + (future) Vault encryption | SYNC_SPEC.md |
Manifest (capsule.toml)
Required fields are schema_version, name, version, type, and execution. Additional declarations: targets, metadata, build, isolation.

```toml
schema_version = "1.1"
name = "example-app"
version = "0.1.0"
type = "app"

[execution]
runtime = "source"
entrypoint = "./main.py"

[targets.oci]
image = "python:3.11-slim"

[targets.wasm]
# digest = "sha256:..."
```

Lifecycle: Tasks and Services
LIFECYCLE_SPEC v1.2 explicitly separates terminating processes, declared as [tasks], from resident processes, declared as [services]. Nacelle executes them as a DAG (Smart Build, Dumb Runtime).

```toml
[tasks.install]
cmd = "npm ci"

[services.app]
cmd = "npm start"
depends_on = ["install"]
readiness_probe = { http_get = "/health", port = "APP_PORT" }

[lifecycle]
run = "app"
```

Runtime Routing
The router’s default order is oci → wasm → source; an explicit execution.runtime or target specification takes priority over that order.

| Condition | Selected Runtime |
|---|---|
| targets.oci.image present, or execution.runtime = oci | OCI |
| targets.wasm present, or entrypoint is wasm | Wasm |
| Otherwise | Source (nacelle) |
IPC Roles (v1.1)
The key change in IPC v1.1 is the transfer of Broker responsibilities from nacelle to capsule-cli.

- capsule-cli: Service resolution, RefCount, Token management, Schema validation, DAG integration
- nacelle: Sandbox Enforcer. Does not interpret IPC content, only handles isolation
- ato-desktop: HostBridge, mode switching, User Consent dialogs
Trust Model
Minimum Trust UX is TOFU + fingerprint pinning + revocation list application. When a signature mismatch occurs, the policy requires re-verification rather than a temporary allowance.

- Save the fingerprint on first connection (~/.capsule/trust_store.json)
- Petname is optional but linked to the trust store’s key_id
- Key rotation keeps a short previous_key co-existence period
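The trust decisions above (pin on first use, honour the revocation list, require re-verification on mismatch, tolerate the previous key only during a rotation grace period) as an added Python example; this is not the project's own code, and the trust-store record layout, the `load_store`/`evaluate`/`rotate` names and the grace-period length are assumptions.

```python
"""Minimum Trust UX check: TOFU + fingerprint pinning + revocation list.
Assumed (not from the spec) trust-store record layout, keyed by key_id:
  {"fingerprint": str, "petname": str | None,
   "previous_key": {"fingerprint": str, "valid_until": float} | None}
"""
import json
import os
import time

TRUST_STORE_PATH = os.path.expanduser("~/.capsule/trust_store.json")
ROTATION_GRACE_SECONDS = 7 * 24 * 3600  # assumed length of the previous_key co-existence period


def load_store(path=TRUST_STORE_PATH):
    """Load pinned fingerprints; an absent store just means nothing is pinned yet."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def evaluate(store, key_id, fingerprint, revoked, now=None):
    """Return 'revoked', 'pinned' (first use, fingerprint saved), 'trusted',
    'trusted_previous_key' (inside the rotation grace period) or 'reverify'.
    A mismatch never produces an allow decision, only 'reverify'."""
    now = time.time() if now is None else now
    if fingerprint in revoked:          # the revocation list overrides any pin
        return "revoked"
    record = store.get(key_id)
    if record is None:                  # TOFU: pin the fingerprint on first connection
        store[key_id] = {"fingerprint": fingerprint, "petname": None, "previous_key": None}
        return "pinned"
    if record["fingerprint"] == fingerprint:
        return "trusted"
    prev = record.get("previous_key")
    if prev and prev["fingerprint"] == fingerprint and now <= prev["valid_until"]:
        return "trusted_previous_key"
    return "reverify"                   # mismatch: user must re-verify, no temporary allowance


def rotate(store, key_id, new_fingerprint, now=None):
    """Record a verified rotation: the old key stays usable only for the grace period."""
    now = time.time() if now is None else now
    record = store[key_id]
    record["previous_key"] = {"fingerprint": record["fingerprint"],
                              "valid_until": now + ROTATION_GRACE_SECONDS}
    record["fingerprint"] = new_fingerprint
```

Persisting the store back to ~/.capsule/trust_store.json after a `pinned` or rotation result is left to the caller.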
Source specs: CAPSULE_SPEC, LIFECYCLE_SPEC, CAPSULE_IPC_SPEC, TRUST_AND_KEYS.