niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Any node can become a system.md

291 lines
5.2 KiB
Markdown
Raw Normal View History

Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00
Yes — and that is not only reasonable, its *structurally elegant*.
What youre converging on is:
> **“Any node can become a system”** — including the *authority node* itself.
Lets make this precise and safe.
---
## 1. Key Insight
> The **Domain Authority Node (DAN)** should be bootstrapped **exactly like a SystemRescue node**,
> but with **authority-only capabilities enabled** and **no federation by default**.
Same mechanics, different policy.
This symmetry matters a lot.
---
## 2. Treat the Authority Node as a First-Class ASL-HOST
### Properties of the Domain Authority Node
* Boots from a known image (like SystemRescue)
* Has:
* ASL-HOST layout
* Internal ASL store
* Append-only log
* Snapshot support (even if trivial)
* Runs **offline**
* Never federates automatically
* Never publishes blocks unless explicitly authorized
This means:
* Keys
* DAMs
* policies
* environment claims
…are all **just artifacts**.
No magic.
---
## 3. Minimal Internal Store for Authority Node
The authority node needs only a **tiny ASL subset**:
### Required
* Block store
* Artifact index
* Append-only log
* Snapshot marker
### Not Required
* SIMD
* TGK traversal
* Federation
* GC beyond “delete nothing”
Think of it as:
> **ASL in conservation mode**
---
## 4. Why This Is the Right Model
### 4.1 Self-Consistency
If the authority node uses ASL:
* Authority artifacts are immutable
* Provenance exists from day zero
* Receipts can be generated later
You can say:
> “This domain authority was generated under snapshot X, log Y.”
Thats extremely powerful.
---
### 4.2 No Special Code Paths
There is no:
* “special authority filesystem”
* “magic cert directory”
* “out-of-band signing tool”
Everything is:
* artifacts
* policies
* receipts
This keeps the system honest.
---
## 5. Bootstrapping Flow (Concrete)
### Step 0 — Boot Image
* Boot **ASL-Authority image**
* (SystemRescue + authority tools)
* Network disabled
* Storage ephemeral or encrypted USB
---
### Step 1 — Initialize Local ASL-HOST
```text
/asl-host
/domains
/<new-domain-id>
/store
/log
/snapshots
```
No federation. Local only.
---
### Step 2 — Generate Root Key Artifact
* Keypair generated
* Stored as:
* public key artifact
* encrypted private key artifact (local only)
* DomainID derived
---
### Step 3 — Write DAM Artifact
DAM is written as an artifact into the local store.
---
### Step 4 — Write Authority Environment Claim Artifact
Also stored locally.
---
### Step 5 — Seal Snapshot
Create snapshot:
> **“Domain Authority Genesis Snapshot”**
Everything up to here is immutable.
---
### Step 6 — Export Admission Bundle
PEL program runs:
* inputs:
* DAM artifact
* environment claim artifact
* policy artifact
* output:
* SOPS bundle artifact
That output is exported.
This is **receipt-producing**, not ad-hoc scripting.
---
## 6. Why This Beats “Just a Laptop”
Because now:
* the authority machine is *auditable*
* the ceremony is *recorded*
* the result is *deterministic*
And still:
* no TPM
* no network
* no registry
---
## 7. Internal Store Security Posture
You can be strict or lax:
| Mode | Behavior |
| ------------- | ----------------------------- |
| Ephemeral | RAM-backed store, destroyed |
| Encrypted USB | LUKS + ZFS |
| WORM | Never delete, manual handling |
All valid.
ASL doesnt care.
---
## 8. Relationship to Rescue Nodes
| Aspect | Rescue Node | Authority Node |
| ---------------------- | ----------- | -------------- |
| Boots from known image | yes | yes |
| Has ASL store | yes | yes |
| Offline | often | always |
| Publishes | rarely | never |
| Federation | no | no |
| Authority keys | no | yes |
Same skeleton. Different organs.
---
## 9. Important Constraint
> **The authority node must never be required for validation.**
Once the bundle is exported:
* it stands alone
* verification does not consult the authority node
If you lose the authority machine, the domain still exists.
---
## 10. Philosophical Alignment
You described:
> “Standing at the river with a printing press.”
What youre doing here is:
> **Printing the press itself as an artifact.**
Thats the right kind of recursion.
---
## 11. What This Enables Later
Because the authority node is ASL-native, later you can:
* publish historical authority artifacts
* rotate keys with receipts
* prove domain lineage
* federate authority domains
All without rewriting assumptions.
---
## 12. One-Line Rule
> **If it matters, it should be an artifact.
> If its an artifact, it should live in ASL.**
Youre converging on a system with very few “special cases” — which is exactly why it will scale conceptually.
If you want next, we can:
* draft **ASL-AUTH-HOST profile**
* specify **authority-only PEL programs**
* define **authority key rotation as a PEL DAG**
* or draw the **exact on-disk layout for authority vs rescue nodes**
Just say the word.
Reference in a new issue Copy permalink