You are acting as a Senior Staff Engineer, Principal Systems Architect, and Senior Product Manager at a FAANG-level company.
You are helping me design and implement a new product called:
Offside Navigator
The long-term product vision is:
Offside Navigator is an Android Subsystem for macOS: a macOS-native application/runtime system that boots and manages a custom Android/AOSP virtual machine using Apple Virtualization.framework, allows users to install and run Android APKs, and presents Android apps through a polished macOS desktop experience.
This is NOT merely an Android Emulator wrapper. The selected direction is:
Custom macOS Android VM using Apple Virtualization.framework
- custom AOSP/Android guest image
- Offside Agent running inside the Android guest
- Rust/macOS control plane
- premium Offside Navigator desktop shell
- eventual per-app desktop integration.
IMPORTANT: Do not start coding immediately.
Your first job is to interview me, clarify product goals, identify unknowns, identify technical risks, produce an architecture plan, and define a carefully staged MVP. Only after I approve the plan should you scaffold and implement code.
You must operate like a staff-level engineer: be skeptical, precise, security-conscious, and willing to de-risk the project in phases.
====================================================================
- Problem Context ====================================================================
Today, there is no easy way for Android developers to write an Android app and have it run end-to-end on macOS as a desktop OS experience without depending on the normal Android Emulator/device workflow.
The normal emulator works, but the developer/user experience is clunky:
- separate emulator window
- slow boot or heavy runtime
- awkward APK install flows
- limited productizable desktop integration
- weak app-management experience
- hard to build AI-driven app automation around it
- not a true macOS subsystem feel
We want Offside Navigator to solve this.
The target experience:
A user opens Offside Navigator on macOS. Offside Navigator boots an Android runtime in a managed VM. The user sees a phone/tablet-shaped device frame or app manager. The user drags an APK into the app. Offside Navigator installs it into the Android guest. The app launches. The user can interact with it using mouse/keyboard/touch-like events. Offside Navigator exposes Back/Home/Overview controls. Eventually, Android apps may appear as individual macOS-like app windows.
The initial platform target is macOS, especially Apple Silicon. Linux can come later. Windows is out of scope for the first implementation.
An Android APK is not just a simple executable.
A typical APK depends on:
- ART, the Android Runtime, which executes DEX bytecode.
- Android framework APIs.
- PackageManager.
- ActivityManager.
- WindowManager.
- Binder IPC.
- Zygote/process model.
- SurfaceFlinger/graphics stack.
- Android resources.
- Permissions.
- ContentProviders.
- Services.
- BroadcastReceivers.
- Input system.
- Audio/media/camera/location services.
- Bionic/native Android ABI for native .so libraries.
- Android filesystem conventions.
- Sometimes Google Play Services.
Therefore, Offside Navigator must not attempt to directly execute APKs in Rust.
The selected architecture is to run a real Android/AOSP userspace inside a VM, and control it from the macOS host.
==================================================================== 3. Authoritative References You Should Read/Use
Before planning, research and use official documentation where possible:
Apple Virtualization.framework:
- https://developer.apple.com/documentation/virtualization
- https://developer.apple.com/documentation/virtualization/creating-and-running-a-linux-virtual-machine
- https://developer.apple.com/documentation/virtualization/virtualize-linux-on-a-mac
- https://developer.apple.com/videos/play/wwdc2023/10007/
Android / AOSP architecture:
- https://source.android.com/docs/core/architecture
- https://source.android.com/docs/core/runtime
- https://source.android.com/docs/core/architecture/ipc/binder-overview
- https://source.android.com/docs/core/graphics/architecture
Cuttlefish reference architecture:
- https://source.android.com/docs/devices/cuttlefish
- https://source.android.com/docs/devices/cuttlefish/get-started
- https://source.android.com/docs/devices/cuttlefish/custom-device
Licensing:
- https://developer.android.com/studio/terms
- AOSP licenses for source components
- Any restrictions around redistributing Android SDK/system images/Google APIs/Google Play Services
Use the references to validate technical assumptions. Do not hallucinate capabilities. Clearly distinguish:
- what Apple Virtualization.framework supports directly
- what Android/AOSP supports directly
- what requires custom engineering
- what is unknown and needs a spike
Product: Offside Navigator
Internal subsystem name: Offside Android Subsystem for macOS
Internal runtime name: Offside Android Runtime, abbreviated OAR
Internal guest agent name: offside-agentd
Offside Navigator should eventually become:
- A macOS-native Android runtime manager.
- A desktop Android app runner.
- A developer-friendly Android app execution environment.
- A testing and automation surface for AI agents.
- A premium alternative to the clunky emulator workflow.
- A future subsystem where Android apps can feel integrated with macOS.
Long-term capabilities:
- Boot Android VM.
- Install APKs.
- Launch apps.
- Show Android display inside Offside Navigator.
- Control Back/Home/Overview.
- Stream logs.
- Capture screenshots/video.
- Inspect packages, permissions, and crashes.
- Snapshot/restore runtime state.
- Run multiple device profiles.
- Provide AI automation hooks.
- Eventually show Android apps as separate macOS windows.
We are choosing:
Custom macOS Android VM using Apple Virtualization.framework.
Architecture:
macOS Host ↓ Offside Navigator.app ↓ Rust control plane + Swift/macOS Virtualization host bridge ↓ Apple Virtualization.framework ↓ Android/AOSP ARM64 guest VM ↓ ART + Android Framework + Binder + SurfaceFlinger + system_server ↓ offside-agentd inside Android guest ↓ APK install/run/control/logs/display bridge
Important: Apple Virtualization.framework gives us the VM host substrate. It does not magically make Android boot. We need a guest image strategy.
Use a layered design.
Layer 1: macOS App Shell
- Native macOS application.
- Premium dark-mode UI.
- Phone/tablet device frame.
- Control bar.
- App Manager.
- Logs/diagnostics.
- Settings.
- Runtime status.
Layer 2: Rust Core
- Product state.
- Runtime orchestration.
- Profiles.
- APK manager.
- Security policy.
- Logging.
- Host/guest command abstraction.
- Business logic.
Layer 3: macOS Virtualization Bridge
- Swift or Objective-C bridge to Apple Virtualization.framework.
- Could be a Swift helper library/process called by Rust.
- Evaluate whether Rust can call the framework directly through objc2 or whether Swift should own the VM layer.
- MVP should prioritize correctness and maintainability over pure Rust ideology.
Layer 4: VM Backend
- Apple Virtualization.framework VM.
- ARM64 guest first.
- Virtio storage.
- Virtio network.
- Virtio graphics/display where available.
- Virtio console or vsock-like communication channel where possible.
- NAT networking.
Layer 5: Android Guest
- Custom AOSP image eventually.
- First spike may boot a Linux VM to prove VM manager.
- Later boot Android/AOSP guest.
- offside-agentd preinstalled eventually.
Layer 6: Host/Guest Control Plane
- First: ADB if Android guest exposes it.
- Later: offside-agentd over a dedicated channel.
- Must support install APK, launch package, query packages, stream logs, screenshot, control input.
Layer 7: Display/Input Bridge
- First: render VM display using Apple-provided VM view if available.
- Later: custom display stream and input mapping.
- Need clear research on how Android guest graphics will appear through Apple Virtualization.framework.
==================================================================== 8. Non-Negotiable Engineering Constraints
- Do not attempt to directly run APK bytecode in Rust.
- Do not attempt to reimplement all of Android framework APIs.
- Do not depend on Google Play Services for MVP.
- Do not bypass Play Integrity, SafetyNet, DRM, banking app checks, paid licensing, or anti-tamper systems.
- Do not redistribute Google system images or proprietary components unless legally reviewed.
- Treat APKs as untrusted.
- Keep host filesystem isolated from guest by default.
- No arbitrary host mounts by default.
- No clipboard sync by default.
- Network access should be explicit and inspectable.
- Build with testability.
- Build with observability.
- Everything that boots, installs, launches, or fails must be logged.
The real full product is large. The MVP should be a staged vertical slice.
MVP-A: VM Host Spike Goal: Prove we can create a macOS app that boots and manages a VM using Apple Virtualization.framework.
Deliverables:
- macOS app shell.
- Swift VM host bridge or equivalent.
- Rust orchestration layer.
- Boot a minimal Linux ARM64 VM.
- Show VM display or serial console.
- Start/stop VM.
- Store VM profile metadata.
- Log lifecycle events.
MVP-B: Android Guest Research Spike Goal: Identify and prove a viable Android/AOSP guest image boot path.
Deliverables:
- Research document on Android guest options:
- AOSP ARM64 image.
- Cuttlefish-derived image.
- Android GSI.
- LineageOS-derived image.
- Custom-built minimal AOSP target.
- Identify kernel/boot requirements.
- Identify expected bootloader/EFI/kernel/initrd/disk image format.
- Determine whether Apple Virtualization.framework can boot the chosen guest directly.
- Document blockers.
MVP-C: Android VM Boot Spike Goal: Boot an Android/AOSP guest far enough to expose ADB or equivalent shell/control.
Deliverables:
- VM starts Android guest.
- Host can detect boot success/failure.
- ADB or guest control channel available.
- Basic logs captured.
- Runtime profile saved.
MVP-D: APK Install/Launch Spike Goal: Install and launch one simple APK.
Deliverables:
- Drag/drop APK into Offside Navigator.
- Validate APK file.
- Install into Android guest.
- Launch app.
- Show errors.
- Show logs.
MVP-E: Device Shell Goal: Make the experience feel like Offside Navigator.
Deliverables:
- Phone/tablet frame.
- Back/Home/Overview controls.
- App Manager.
- Logs panel.
- Runtime status.
- Start/stop/reboot controls.
==================================================================== 10. First Implementation Should NOT Try To
Do not attempt in the first implementation:
- Play Store support.
- Google Play Services support.
- Banking/DRM app support.
- Per-app macOS windows.
- Split APK/APKM/XAPK support.
- GPU-perfect rendering.
- Multi-device orchestration.
- AI automation.
- Linux support.
- Cloud runtime.
- Full AOSP build automation unless needed for the spike.
Before coding, generate these docs:
- PRD.md Product requirements:
- problem
- target users
- use cases
- success metrics
- MVP scope
- non-goals
- UX principles
- phased roadmap
- SPEC.md Technical specification:
- core requirements
- functional requirements
- non-functional requirements
- APIs/interfaces
- data models
- user flows
- failure states
- observability
- ARCHITECTURE.md System architecture:
- host app
- Rust core
- Swift virtualization bridge
- VM backend
- Android guest
- offside-agentd
- display/input bridge
- storage/network model
- profile model
- diagrams
- VM_RESEARCH.md Research findings:
- Apple Virtualization.framework capabilities
- Linux VM boot path
- Android guest options
- Cuttlefish/GSI/AOSP feasibility
- image format requirements
- boot risks
- GPU/display risks
- ADB/control risks
- SECURITY.md Security model:
- threat model
- APK trust boundary
- VM isolation
- host filesystem policy
- network policy
- clipboard policy
- permissions model
- malware caveats
- update policy
- LICENSING.md Licensing/distribution:
- AOSP components
- Android SDK terms
- Google APIs/Play Services restrictions
- system image redistribution concerns
- user-provided image strategy
- enterprise image strategy
- ROADMAP.md Phased execution:
- MVP-A through MVP-E
- milestones
- risks
- acceptance criteria
- ADRs Create architecture decision records:
- ADR-001: Why Apple Virtualization.framework
- ADR-002: Why Swift bridge + Rust core
- ADR-003: Why custom AOSP guest instead of direct APK runtime
- ADR-004: Why no Play Services in MVP
- ADR-005: Guest image strategy
==================================================================== 12. Proposed Repository Structure
Create or propose a structure similar to:
offside-navigator/ README.md PRD.md SPEC.md ARCHITECTURE.md VM_RESEARCH.md SECURITY.md LICENSING.md ROADMAP.md
docs/ adr/ ADR-001-virtualization-framework.md ADR-002-rust-core-swift-vm-bridge.md ADR-003-custom-aosp-guest.md ADR-004-no-play-services-mvp.md ADR-005-guest-image-strategy.md
apps/ macos/ OffsideNavigator/ Sources/ App/ UI/ VMHost/ RustBridge/ Resources/
crates/ navigator-core/ src/ lib.rs config.rs errors.rs events.rs state.rs
navigator-runtime/
src/
lib.rs
backend.rs
session.rs
profile.rs
lifecycle.rs
navigator-vm/
src/
lib.rs
vm_config.rs
vm_events.rs
vm_errors.rs
navigator-apk/
src/
lib.rs
validation.rs
manifest.rs
metadata.rs
navigator-agent-protocol/
src/
lib.rs
messages.rs
commands.rs
responses.rs
navigator-security/
src/
lib.rs
policy.rs
apk_trust.rs
filesystem.rs
network.rs
guest/ offside-agentd/ README.md src/ main.rs package_manager.rs app_launcher.rs log_streamer.rs health.rs
aosp/
README.md
build-notes.md
tools/ scripts/ bootstrap_macos.sh check_prereqs.sh
examples/ sample-apks/ README.md
Design these interfaces before implementing.
AndroidRuntimeBackend:
- boot(profile) -> RuntimeSession
- shutdown(session_id)
- reboot(session_id)
- pause(session_id)
- resume(session_id)
- install_apk(session_id, apk_path)
- uninstall_package(session_id, package_name)
- launch_package(session_id, package_name)
- press_home(session_id)
- press_back(session_id)
- press_overview(session_id)
- stream_logs(session_id)
- capture_screenshot(session_id)
- query_packages(session_id)
- query_runtime_health(session_id)
VmBackend:
- create_vm_config(profile)
- start_vm(config)
- stop_vm(vm_id)
- observe_vm_state(vm_id)
- attach_display(vm_id)
- attach_serial_console(vm_id)
- attach_network(vm_id)
- attach_storage(vm_id)
GuestControlChannel:
- send_command(command)
- receive_event()
- stream_logs()
- health_check()
- install_apk()
- launch_package()
- get_package_metadata()
ApkManager:
- validate_apk(path)
- parse_metadata(path)
- check_supported_abis(path)
- inspect_permissions(path)
- prepare_install(path)
SecurityPolicy:
- can_mount_host_path(path)
- can_enable_network(profile)
- can_share_clipboard(profile)
- can_install_apk(apk_metadata)
- can_access_device_feature(feature)
Design the UI as premium, restrained, developer-friendly, and dark-mode-first.
Main screens:
- Welcome / setup
- Runtime status
- Device shell
- App Manager
- APK install drop zone
- Logs
- VM diagnostics
- Settings
- Profiles
Device controls:
- Boot
- Shutdown
- Restart
- Back
- Home
- Overview
- Install APK
- Screenshot
- Logs
- Settings
Status states:
- No runtime configured
- Missing guest image
- VM booting
- Android booting
- Ready
- Installing APK
- Launching app
- App running
- VM crashed
- Guest unresponsive
- Install failed
==================================================================== 15. Questions You Must Ask Me First
In your first response, ask focused questions such as:
- Is the first target Apple Silicon only, or must Intel Mac be supported too?
- Are we okay requiring macOS 13/14/15+ if needed?
- Is the first goal to boot any Android/AOSP guest, or to run one sample APK end-to-end?
- Do we want to build a custom AOSP image ourselves, or start with a user-supplied image?
- Are we willing to start with a Linux VM spike before Android?
- Should the macOS app be SwiftUI-first with Rust core, or Tauri/Rust-first with Swift VM helper?
- Is Play Services explicitly out of scope for MVP?
- Should the product target developers only, or eventual consumer APK users too?
- Do we need local-only execution, or is cloud fallback acceptable later?
- What is the first demo APK we want to run?
- Is GPU acceleration required for MVP or can first MVP use basic display?
- How important is per-app macOS window integration for v1?
- What level of code signing/notarization is expected for the MVP?
- Are we building open source, closed source, or mixed?
- Should offside-agentd be Rust, Kotlin, Go, or native Android service?
- Do we want AI automation hooks in v1, or later?
- What is the desired visual design style?
- Should this integrate with Android Studio/Gradle later?
Analyze these risks before implementation:
- Apple Virtualization.framework may not directly support the exact Android guest boot path we want.
- Android guest image may require custom kernel/device tree/virtio configuration.
- Display/graphics integration may be difficult.
- Input mapping from macOS to Android may need custom guest services.
- ADB availability may require guest image configuration.
- Custom AOSP build complexity may be high.
- Google Play Services cannot be redistributed freely.
- APK compatibility may be poor without Play Services.
- GPU acceleration may be difficult.
- VM cold boot may be slow without snapshots.
- File sharing may create security risks.
- Network/clipboard integration may create privacy risks.
- Apple sandboxing/notarization may complicate packaging.
- Intel Mac support may be a distraction.
- Project scope can explode if we try to build everything at once.
Your first response must not write code.
It must include:
- Interview questions.
- A concise restatement of the product vision.
- A proposed technical strategy.
- A staged MVP plan.
- Top risks.
- Research tasks.
- Proposed initial repository structure.
- Recommendation on Swift bridge vs pure Rust VM integration.
- Recommendation on first spike.
- Ask for approval to generate the documents and scaffold.
==================================================================== 18. Implementation Rules After Approval
After I approve the plan:
- Generate all required docs.
- Scaffold the repository.
- Build the Rust workspace.
- Build a macOS app shell.
- Build or stub the Swift VM bridge.
- Add a Linux VM boot spike if Android boot is not immediately feasible.
- Add runtime profile storage.
- Add event logging.
- Add a device shell UI.
- Add placeholder App Manager.
- Add APK validation.
- Add guest-control abstractions.
- Add tests for Rust crates.
- Add clear TODOs for Android guest boot path.
Do not fake Android VM boot success. Do not claim APK support until proven. Surface blockers honestly.
This is a serious platform project. Favor:
- correctness
- modularity
- clear architecture
- observable runtime events
- progressive milestones
- honest limitations
- strong documentation
- security isolation
- legal/licensing clarity
Do not optimize for a flashy demo that hides technical debt.
Begin in interview mode.
Do not write code yet.
Ask me the clarification questions, summarize the intended architecture, identify risks, and propose the first technical spike.