PR #25 landed the Kernel House as a pixel-art cross-section of 8 Linux subsystem rooms driven by live seccomp-unotify telemetry. The core visualization, character system, telemetry binding, interactive overlays, demo mode, and robustness features are in place.
This issue tracks follow-up work in three areas: completing data for existing rooms, adding richer user interaction, and tapping LKL's internal state for kernel-level observability that goes beyond seccomp events.
Completing existing rooms
- Basement room activation: The Block I/O room exists visually but has no live data. Add block I/O counters to
web-telemetry.c (read LKL /proc/diskstats or hook lkl_dev_blk_ops directly) and wire them to the Basement room ambient state and Storage Tux resident.
- Syscall argument narration: The SSE event struct already carries
args[6] but they are not serialized to JSON. Add an args_summary field to the JSON payload in web-events.c with a redaction policy (no raw pointers, truncate long paths). Enables richer speech bubbles, e.g. openat(/etc/passwd) -> VFS Room.
- Per-PID process lifecycle: Add
fork/exec/exit SSE events so each guest penguin in the Process room represents a real tracee process. Currently the Process room only has ambient glow from the coarse context_switch counter.
- Bespoke sprite art: Replace flat-color prototype room backgrounds with detailed pixel-art. Add room-specific furniture sprites (TinyAGI assets are available as reference material but not yet integrated).
Interactive exploration
- Room drill-down panels: Click a room to open a side panel with live metrics, recent events, and a subsystem explanation. Currently rooms only show informational overlays from
strings.json; drill-down panels should display live counters and per-room event history.
- PID pinning and filtering: Click a guest penguin to pin it. The global event stream, speech bubbles, and room highlights filter to that PID. Add controls for filtering by process name, syscall class, and room.
- Timeline scrub and replay: Buffer the last 30-60 seconds of events client-side. Add pause/resume and a scrub bar so users can freeze the house and inspect transient spikes after they occur.
- Event-to-room flow highlighting: When an SSE event arrives, briefly pulse the destination room and draw a transient path arrow from Syscall Gate to the target room. Makes dispatch flow legible without reading logs.
- Zoom and pan: Support zooming into individual rooms and panning the house canvas. Matters once room contents become denser with per-process entities and props.
- Density modes: Provide
ambient, normal, and debug visualization modes. ambient shows only major pulses and counters; debug shows every event and edge. Keeps the visualization usable for both demos and active debugging.
- Record and replay: Allow saving a short telemetry capture to JSON and replaying it through the frontend. Useful for demos, regression testing of sprite/interaction behavior, and working without a live workload.
LKL-native telemetry
web-telemetry.c already polls LKL /proc/stat, /proc/meminfo, /proc/vmstat, and /proc/loadavg. The work below extends that foundation.
- Wire existing memory/scheduler data to room animations: Page faults, dirty/writeback pages, and context switch deltas are already collected but only exposed as raw counters in
/api/snapshot. Map these to per-room ambient intensity, sprite behavior, and glow effects so the Memory and Process rooms react to real kernel activity.
- Slab and scheduler detail:
web-telemetry.c has a Phase 2 placeholder for /proc/slabinfo and /proc/sched_debug. Implement parsing for both: slab usage feeds Memory room drill-down, task run/sleep state feeds Process room entity display.
- Block I/O counters: Parse LKL
/proc/diskstats for read/write counts, sectors, merges, and time-in-IO. Feeds the Basement room (complements item 1's lkl_dev_blk_ops hook path with a polling fallback).
- Network room throughput: Sample LKL
/proc/net/dev for interface byte/packet counters and /proc/net/tcp+/proc/net/udp for socket counts. Animate the Network room with "data packet" sprites proportional to throughput.
- FD table view for VFS room: Walk the kbox FD table (
fd-table.c) to show open virtual FDs, their LKL FD numbers, shadow status, and associated paths. This uses kbox's own data structures rather than assuming LKL exposes per-PID /proc entries.
- VFS and socket hooks: Where
/proc polling is too coarse, add small instrumentation hooks at LKL VFS paths (open/create/unlink/rename) and socket paths (connect/accept/close) to emit structured events into the web event pipeline. Seccomp shows userspace intent; VFS/socket hooks confirm what the kernel actually touched.
- Event source tagging: Tag each emitted event as
seccomp, lkl_proc, or lkl_hook in the SSE protocol. Lets the frontend teach the difference between "userspace requested X" and "kernel state became Y".
- Normalized state snapshot endpoint: Add a periodic
/api/kernel-state endpoint assembling data from /proc, /sys, and hooks. The frontend can use this for initial render, recovery after reconnect, and replay support (complements item 11).
PR #25 landed the Kernel House as a pixel-art cross-section of 8 Linux subsystem rooms driven by live seccomp-unotify telemetry. The core visualization, character system, telemetry binding, interactive overlays, demo mode, and robustness features are in place.
This issue tracks follow-up work in three areas: completing data for existing rooms, adding richer user interaction, and tapping LKL's internal state for kernel-level observability that goes beyond seccomp events.
Completing existing rooms
web-telemetry.c(read LKL/proc/diskstatsor hooklkl_dev_blk_opsdirectly) and wire them to the Basement room ambient state and Storage Tux resident.args[6]but they are not serialized to JSON. Add anargs_summaryfield to the JSON payload inweb-events.cwith a redaction policy (no raw pointers, truncate long paths). Enables richer speech bubbles, e.g.openat(/etc/passwd) -> VFS Room.fork/exec/exitSSE events so each guest penguin in the Process room represents a real tracee process. Currently the Process room only has ambient glow from the coarsecontext_switchcounter.Interactive exploration
strings.json; drill-down panels should display live counters and per-room event history.ambient,normal, anddebugvisualization modes.ambientshows only major pulses and counters;debugshows every event and edge. Keeps the visualization usable for both demos and active debugging.LKL-native telemetry
web-telemetry.calready polls LKL/proc/stat,/proc/meminfo,/proc/vmstat, and/proc/loadavg. The work below extends that foundation./api/snapshot. Map these to per-room ambient intensity, sprite behavior, and glow effects so the Memory and Process rooms react to real kernel activity.web-telemetry.chas a Phase 2 placeholder for/proc/slabinfoand/proc/sched_debug. Implement parsing for both: slab usage feeds Memory room drill-down, task run/sleep state feeds Process room entity display./proc/diskstatsfor read/write counts, sectors, merges, and time-in-IO. Feeds the Basement room (complements item 1'slkl_dev_blk_opshook path with a polling fallback)./proc/net/devfor interface byte/packet counters and/proc/net/tcp+/proc/net/udpfor socket counts. Animate the Network room with "data packet" sprites proportional to throughput.fd-table.c) to show open virtual FDs, their LKL FD numbers, shadow status, and associated paths. This uses kbox's own data structures rather than assuming LKL exposes per-PID/procentries./procpolling is too coarse, add small instrumentation hooks at LKL VFS paths (open/create/unlink/rename) and socket paths (connect/accept/close) to emit structured events into the web event pipeline. Seccomp shows userspace intent; VFS/socket hooks confirm what the kernel actually touched.seccomp,lkl_proc, orlkl_hookin the SSE protocol. Lets the frontend teach the difference between "userspace requested X" and "kernel state became Y"./api/kernel-stateendpoint assembling data from/proc,/sys, and hooks. The frontend can use this for initial render, recovery after reconnect, and replay support (complements item 11).