amduat-api/tier1/asl-dam-1.md

# ASL/DAM/1 -- Domain Authority Manifest

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [authority, trust, policy, domains]

**Document ID:** `ASL/DAM/1`
**Layer:** L2 -- Authority semantics (no encoding)

**Depends on (normative):**

* `ASL/POLICY-HASH/1`

**Informative references:**

* `ASL/OCS/1` -- offline certificate system
* `ASL/OFFLINE-ROOT-TRUST/1` -- offline root policy
* `PER/SIGNATURE/1` -- PER signature verification

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

ASL/DAM/1 defines the **logical structure and semantics** of the Domain Authority Manifest. It does not define an encoding.

---

## 1. Purpose

The Domain Authority Manifest (DAM) defines **who may assert authority** on behalf of a domain.
It binds domain identity to principals, roles, and a policy hash.

---

## 2. Core Concepts

* **Principal**: a cryptographic public key
* **Role**: capability granted to a principal
* **Policy hash**: canonical hash binding policy constraints to a domain
* **Authority scope**: explicit actions this DAM authorizes within the domain

---

## 3. Roles (Minimal Set)

| Role       | Capability |
| ---------- | ---------- |
| produce    | Create internal artifacts |
| execute    | Emit PERs |
| publish    | Publish artifacts/snapshots |
| federate   | Export published state |
| audit      | Verify only, no mutations |

Roles are **capabilities**, not identities.

---

## 4. Logical Schema

```text
DomainAuthorityManifest {
    domain_id    : DomainID
    version      : u32
    root_key     : PublicKey
    principals[] : PrincipalEntry
    policy_hash  : Hash
    scope[]      : AuthorityScope
}

PrincipalEntry {
    principal_id : Hash
    public_key   : PublicKey
    roles[]      : Role
}
```

The DAM is immutable once published. Rotation is performed by publishing a new DAM.

### 4.1 Authority Scope

The optional `scope[]` constrains what this DAM authorizes. If omitted, scope is
assumed to include all roles defined in this document.

```text
AuthorityScope = {
  "produce",
  "execute",
  "publish",
  "federate",
  "audit"
}
```

---

## 5. Admission and Pinning (Normative)

Before a DAM is trusted, a receiving domain MUST:

1. Admit the domain (see `ASL/DAP/1`).
2. Pin the DAM artifact to a snapshot.
3. Pin the DAM's `policy_hash` for that snapshot lineage.

---

## 6. Validation Rules (Normative)

A node MUST reject any action unless:

1. The DAM artifact is visible in the relevant snapshot.
2. The DAM hash matches the snapshot reference (if recorded).
3. The action is signed by a principal listed in the DAM.
4. The principal has the required role.
5. The DAM `root_key` is certified by the offline root trust chain.
6. The action is within the DAM's declared `scope[]` (if present).

---

## 7. Policy Binding

The DAM `policy_hash` binds the domain to a specific policy document. If policy changes, a new DAM MUST be published and referenced by new snapshots.

---

## 8. Idempotency and Rotation

* Replaying the same snapshot + DAM MUST yield identical authority decisions.
* Rotation is done by publishing a new DAM and referencing it in new snapshots.
* Old snapshots remain valid with the DAM they reference.

---

## 9. Non-Goals

* Encoding format
* Key rotation workflow
* Live revocation

---

## 10. Summary

ASL/DAM/1 defines the minimal authority document for a domain, binding principals and roles to a policy hash under an offline root trust chain.