# FreeBSD mapping notes (draft)

## Isolation domains

- Use **jails** to isolate tools/workers.
- Map `domain_id` to a jail instance.

## Capabilities

- Use **Capsicum** to restrict tool runners.
- Capabilities are represented as scoped grants in the cognitive kernel and realized via Capsicum + pre-opened descriptors.

## Eventing

- Use **kqueue** for event-driven IO in the cognitive runtime.
- Provenance logs are append-only files (optionally per-domain datasets on ZFS).

## Resource control

- rctl, login classes, cpuset can enforce limits.
- Budgeting logic lives in the cognitive runtime; enforcement uses kernel primitives.
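
An added example, not part of these notes or the project's code, of the Capsicum mapping described under Capabilities: descriptors are pre-opened, narrowed with `cap_rights_limit`, and only then does the tool runner call `cap_enter`. The grant bits (`G_READ`, `G_APPEND`, `G_LOOKUP`), the helper names and the `/tmp` paths are assumptions made for illustration; the Capsicum calls compile only on FreeBSD.

```c
/* Added example: hypothetical grant bits realized with Capsicum (FreeBSD). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif
/* Hypothetical scoped-grant bits; the notes do not define a grant format. */
enum { G_READ = 1, G_APPEND = 2, G_LOOKUP = 4, G_ALL = 7 };

/* Fail closed: an empty grant or an unknown bit is rejected, never widened. */
int grant_valid(unsigned g) { return g != 0 && (g & ~(unsigned)G_ALL) == 0; }

/* Narrow an already-open descriptor to exactly what the grant allows. */
int grant_apply(int fd, unsigned g) {
    if (!grant_valid(g)) { errno = EINVAL; return -1; }
#ifdef __FreeBSD__
    cap_rights_t r;
    cap_rights_init(&r, CAP_FSTAT);
    if (g & G_READ)   cap_rights_set(&r, CAP_READ);
    /* CAP_WRITE without CAP_SEEK or CAP_FCNTL: an O_APPEND fd stays append-only. */
    if (g & G_APPEND) cap_rights_set(&r, CAP_WRITE);
    if (g & G_LOOKUP) cap_rights_set(&r, CAP_LOOKUP);
    return cap_rights_limit(fd, &r);
#else
    (void)fd; errno = ENOSYS; return -1;   /* no Capsicum on this platform */
#endif
}

int main(void) {
#ifdef __FreeBSD__
    /* Pre-open what the runner needs (constructed paths), then drop ambient authority. */
    int ws  = open("/tmp", O_RDONLY | O_DIRECTORY);
    int log = open("/tmp/provenance.log", O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (ws < 0 || log < 0) return 1;
    if (grant_apply(ws, G_READ | G_LOOKUP) || grant_apply(log, G_APPEND)) return 1;
    if (cap_enter() != 0) return 1;
    /* The global namespace is gone: opening by absolute path fails with ECAPMODE. */
    printf("open by path: %s\n", open("/etc/motd", O_RDONLY) < 0 ? "denied" : "ALLOWED");
    /* Lookups relative to the granted directory descriptor still work. */
    printf("openat grant: %s\n", openat(ws, "provenance.log", O_RDONLY) >= 0 ? "ok" : "denied");
    /* Appending is allowed; rewinding the log is not (no CAP_SEEK). */
    printf("append: %s\n", write(log, "event\n", 6) == 6 ? "ok" : "denied");
    printf("rewind: %s\n", lseek(log, 0, SEEK_SET) < 0 ? "denied" : "ALLOWED");
#else
    puts("Capsicum requires FreeBSD; only grant validation runs here.");
#endif
    return 0;
}
```

Rights can only be reduced after `cap_rights_limit`, so the order matters: open, limit, then `cap_enter`.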