Just to be clear, the kernel will be a wasm module that runs on the nucleus?

Yes, this has been clarified in my latest revision.

Is the firmament an actual "thing", or just a way to define interfaces between drivers and processes?

The firmament would be the equivalent of the syscall boundary in a traditional OS.

Sounds good.

Good call about the exokernel-like interface

Can you be clearer about whether the kernel is a wasm module or not?

Done in latest commit.

I'm curious how send_inplace would work. The user supplies it a function that takes a EthernetPacket reference?

See link for an example of a similar function. The idea here is that the network driver can allocate a packet located inside its Tx queue, then the application modifies the packet.
https://github.com/libpnet/libpnet/blob/master/pnet_datalink/src/linux.rs#L231

Oh interesting! I hadn't thought of that. It'd be difficult to get the packet into the other wasm linear memory without copying, but could be possible through page flipping.

This is an important thing to think about. I'm leaning towards being able to dynamically load (or at startup only, depending on the security model) clif ir for drivers without sandboxing overhead, but this remains to be seen.

As someone with both a security and networking background, I would argue in favor of statically-compiled drivers, with the nucleus implementing the firmament. That said, I wonder if we can somehow have it both ways.

Okay, I'm okay with that. I suppose recompiling the nucleus for each different use-case is fine.

If the nucleus is to contain the webassembly compiler and runtime, which are largely architecture independent, should we break it up further? That is, into the compiler/runtime and the HAL?

Good idea. Another boundary, yay!