Space banks and meters are the fundamental way that storage resources and CPU time are allocated in Keykos. We call them ROs (resource objects) in this note.

To each RO there is a draw capability to draw on the resource, and a service capability to control the allocation that the RO provides. Both of these types are hierarchical so that with a draw capability to a RO, a service key to a subservient RO can be had. Resources drawn from a subservient RO are drawn, in effect, also from the superior RO. If RO X is subservient to RO Y then resources drawn from X are drawn, in effect, also from Y.

The capability signatures are not polymorphic and this is how we map for this unified description:
draw capabilityservice capability
space bankbuy and sell rightsdestroy bank
meter“meter key”node key to underlying node

Current Practice

There is a widely available object CUA that takes a directory and two ROs as arguments, are returns a ZMK capability to a new user account. For this purpose you can think of a ZMK capability as a RS232 plug, which was a common data interface to a dumb terminal—think glass teletype. A ready CLI is attached to the ZMK. The ZMK is deposited in the LUD (local user directory) along with a username and password. Access to the CUA is wide; access to the LUD is somewhat narrower. When someone tries to reach this host via Tymnet a signal appears at the host’s Tymnet interface announcing the proffered username. The “receptionist” owns the Tymnet interface, via a capability, and prompts the new user, via Tymnet, to give the password. If things match a new object which represents the Tymnet circuit is introduced to the ZMK that the receptionist finds in the LUD. The ZMK is aware that the user was disconnected, but the CLI is not.

Generally only one user, SYSADMIN, would introduce a new user by invoking CUA. SYSADMIN would typically create 2 new subservient ROs for that user and put draw capabilities to them in the directory. The directory might well include a capability to the CUA along with access to other harmless system facilities. SYSADMIN also retained the service keys to the ROs of each user and a trivial program would invoke these at anytime for a current usage report. If another user were to create an account on his own he would have to draw on his own ROs.

The CLI objects provide a multi-concurrent-environment facility called branches. Normally a debugger would create a branch of his environment as a sandbox. The CLI automatically produces subservient ROs for this branch and a new directory with draw capabilities to these. When the program died without giving back all of its space the branch was zapped which caused the CLI to zap the ROs but not before reporting missing pages and nodes.

If a complex application is losing pages or nodes it may create a few sub-banks and only distribute those. This makes it easy, if not immediate, to track down leaks.