Kernel House: deeper interactions and LKL-native telemetry

[jserv]

PR #25 landed the Kernel House as a pixel-art cross-section of 8 Linux subsystem rooms driven by live seccomp-unotify telemetry. The core visualization, character system, telemetry binding, interactive overlays, demo mode, and robustness features are in place.

This issue tracks follow-up work in three areas: completing data for existing rooms, adding richer user interaction, and tapping LKL's internal state for kernel-level observability that goes beyond seccomp events.

Completing existing rooms

1. Basement room activation: The Block I/O room exists visually but has no live data. Add block I/O counters to web-telemetry.c (read LKL /proc/diskstats or hook lkl_dev_blk_ops directly) and wire them to the Basement room ambient state and Storage Tux resident.
2. Syscall argument narration: The SSE event struct already carries args[6] but they are not serialized to JSON. Add an args_summary field to the JSON payload in web-events.c with a redaction policy (no raw pointers, truncate long paths). Enables richer speech bubbles, e.g. openat(/etc/passwd) -> VFS Room.
3. Per-PID process lifecycle: Add fork/exec/exit SSE events so each guest penguin in the Process room represents a real tracee process. Currently the Process room only has ambient glow from the coarse context_switch counter.
4. Bespoke sprite art: Replace flat-color prototype room backgrounds with detailed pixel-art. Add room-specific furniture sprites (TinyAGI assets are available as reference material but not yet integrated).

Interactive exploration

5. Room drill-down panels: Click a room to open a side panel with live metrics, recent events, and a subsystem explanation. Currently rooms only show informational overlays from strings.json; drill-down panels should display live counters and per-room event history.
6. PID pinning and filtering: Click a guest penguin to pin it. The global event stream, speech bubbles, and room highlights filter to that PID. Add controls for filtering by process name, syscall class, and room.
7. Timeline scrub and replay: Buffer the last 30-60 seconds of events client-side. Add pause/resume and a scrub bar so users can freeze the house and inspect transient spikes after they occur.
8. Event-to-room flow highlighting: When an SSE event arrives, briefly pulse the destination room and draw a transient path arrow from Syscall Gate to the target room. Makes dispatch flow legible without reading logs.
9. Zoom and pan: Support zooming into individual rooms and panning the house canvas. Matters once room contents become denser with per-process entities and props.
10. Density modes: Provide ambient, normal, and debug visualization modes. ambient shows only major pulses and counters; debug shows every event and edge. Keeps the visualization usable for both demos and active debugging.
11. Record and replay: Allow saving a short telemetry capture to JSON and replaying it through the frontend. Useful for demos, regression testing of sprite/interaction behavior, and working without a live workload.

LKL-native telemetry

web-telemetry.c already polls LKL /proc/stat, /proc/meminfo, /proc/vmstat, and /proc/loadavg. The work below extends that foundation.

12. Wire existing memory/scheduler data to room animations: Page faults, dirty/writeback pages, and context switch deltas are already collected but only exposed as raw counters in /api/snapshot. Map these to per-room ambient intensity, sprite behavior, and glow effects so the Memory and Process rooms react to real kernel activity.
13. Slab and scheduler detail: web-telemetry.c has a Phase 2 placeholder for /proc/slabinfo and /proc/sched_debug. Implement parsing for both: slab usage feeds Memory room drill-down, task run/sleep state feeds Process room entity display.
14. Block I/O counters: Parse LKL /proc/diskstats for read/write counts, sectors, merges, and time-in-IO. Feeds the Basement room (complements item 1's lkl_dev_blk_ops hook path with a polling fallback).
15. Network room throughput: Sample LKL /proc/net/dev for interface byte/packet counters and /proc/net/tcp+/proc/net/udp for socket counts. Animate the Network room with "data packet" sprites proportional to throughput.
16. FD table view for VFS room: Walk the kbox FD table (fd-table.c) to show open virtual FDs, their LKL FD numbers, shadow status, and associated paths. This uses kbox's own data structures rather than assuming LKL exposes per-PID /proc entries.
17. VFS and socket hooks: Where /proc polling is too coarse, add small instrumentation hooks at LKL VFS paths (open/create/unlink/rename) and socket paths (connect/accept/close) to emit structured events into the web event pipeline. Seccomp shows userspace intent; VFS/socket hooks confirm what the kernel actually touched.
18. Event source tagging: Tag each emitted event as seccomp, lkl_proc, or lkl_hook in the SSE protocol. Lets the frontend teach the difference between "userspace requested X" and "kernel state became Y".
19. Normalized state snapshot endpoint: Add a periodic /api/kernel-state endpoint assembling data from /proc, /sys, and hooks. The frontend can use this for initial render, recovery after reconnect, and replay support (complements item 11).