amduat-api/notes/ASL-HOST v0-2.md


Good — this is the right integration point.

What follows is a **clean, minimal integration of DAP + DAM + Courtesy Leases into ASL-HOST**, without leaking authority into ASL-CORE or policy into ASL-STORE.

Think of **ASL-HOST as the membrane** where *authority, storage, and execution meet but do not mix*.

---
# ASL-HOST v0.1 (Integrated with Admission & Authority)
---
## 1. Purpose of ASL-HOST
**ASL-HOST defines the responsibilities of a node that hosts ASL domains.**
It is responsible for:
* Domain lifecycle
* Admission and recognition
* Block and log materialization
* Snapshot discipline
* Resource enforcement
* Separation of authority from storage semantics

It explicitly does **not** define:
* Artifact encoding (ASL-CORE)
* Index layout (ENC-ASL-STORE)
* PER or TGK semantics (PEL / TGK layers)
* Cryptographic algorithms (delegated to ASL-AUTH)
---
## 2. ASL-HOST Position in the Stack
```
+----------------------------+
| ASL-AUTH                   |  ← identity, keys, policy
+----------------------------+
| ASL-HOST                   |  ← THIS SPEC
+----------------------------+
| ASL-STORE / INDEX          |  ← blocks, logs, snapshots
+----------------------------+
| ASL-CORE / PEL / TGK       |  ← semantics & execution
+----------------------------+
| Filesystem / ZFS / POSIX   |
+----------------------------+
```
ASL-HOST is where **domains become real**.

---
## 3. Domain Lifecycle in ASL-HOST
### 3.1 Domain States
```text
UNRECOGNIZED
ADMITTED (COURTESY)
ADMITTED (FULL)
SUSPENDED
REVOKED
```
ASL-HOST tracks domain state explicitly.

---
### 3.2 Domain Creation (Local)
A domain MAY be created locally without admission:
```text
asl-host domain create
```
This creates:
* DomainID
* Empty storage namespace
* Empty log
* No external recognition

This domain is **self-contained only**.

---
## 4. Domain Admission Integration (DAP)
### 4.1 Admission Request Handling
ASL-HOST MUST provide:
```c
/* Parameter types are not fixed by this note; the type names here are illustrative. */
AdmissionResult asl_host_admit(const DAM *dam,
                               const Signature *signature,
                               const AdmissionRequest *request);
```
Responsibilities:
* Validate DAM schema
* Verify signature
* Check policy compatibility
* Decide admission outcome

ASL-HOST does **not** inspect artifacts.

---
### 4.2 Admission Outcome Effects
| Outcome | ASL-HOST Behavior |
| ---------------- | --------------------------------------- |
| ACCEPTED | Enable publishing, indexing, federation |
| ACCEPTED_LIMITED | Enable courtesy-only storage |
| DEFERRED | Domain exists but blocked |
| REJECTED | Domain remains isolated |
---
## 5. Courtesy Leases in ASL-HOST
### 5.1 Courtesy Lease Attachment
A courtesy lease is **attached to a domain in ASL-HOST**, not to ASL-STORE.
```text
Domain {
    domain_id
    admission_state
    courtesy_lease?      (optional)
}
```
---
### 5.2 Enforcement Responsibilities
ASL-HOST MUST enforce:
* Storage limits
* Snapshot count
* Lease expiry
* Encryption-only constraint (if specified)

ASL-STORE must **not** be aware of courtesy semantics.

---
### 5.3 Courtesy Lease Expiry
On expiry, ASL-HOST MAY:
* unpin snapshots
* block new writes
* mark domain as SUSPENDED

ASL-STORE is not required to preserve data.

---
## 6. StoreHandle Integration
### 6.1 StoreHandle Is Scoped to a Domain
ASL-HOST provides:
```c
StoreHandle *asl_host_open_domain(DomainID domain_id);
```
The StoreHandle is:
* domain-scoped
* snapshot-aware
* admission-aware
---
### 6.2 Admission-Gated Capabilities
Capabilities exposed via StoreHandle depend on admission state:

| Capability | Courtesy | Full |
| ---------------- | -------- | ---- |
| allocate_block | yes | yes |
| seal_block | yes | yes |
| append_log | yes | yes |
| publish_snapshot | no | yes |
| federate_log | no | yes |

ASL-CORE and PEL never see this distinction.

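The section 5.2/5.3 lease checks and the section 6.2 capability table, worked as one host-side gate. This is an added example, not code from the ASL-HOST note; the enum, struct and function names, the treatment of UNRECOGNIZED as locally writable (section 3.2) and the host-clock units are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Section 3.1 domain states (enum names are this example's, not the note's). */
typedef enum { DOM_UNRECOGNIZED, DOM_ADMITTED_COURTESY, DOM_ADMITTED_FULL,
               DOM_SUSPENDED, DOM_REVOKED } AdmissionState;

/* Section 6.2 StoreHandle capabilities as a bitmask. */
enum { CAP_ALLOCATE_BLOCK = 1u << 0, CAP_SEAL_BLOCK = 1u << 1, CAP_APPEND_LOG = 1u << 2,
       CAP_PUBLISH_SNAPSHOT = 1u << 3, CAP_FEDERATE_LOG = 1u << 4 };
#define CAP_LOCAL_WRITE (CAP_ALLOCATE_BLOCK | CAP_SEAL_BLOCK | CAP_APPEND_LOG)

/* Section 5 courtesy lease: limits that ASL-HOST enforces and ASL-STORE never sees.
 * expires_at is host-clock seconds (constructed units). */
typedef struct { uint64_t storage_limit_bytes; uint32_t snapshot_limit; uint64_t expires_at; } CourtesyLease;

/* Host-side domain record (section 5.1): has_lease is set only for ADMITTED (COURTESY). */
typedef struct {
    uint64_t domain_id; AdmissionState state; bool has_lease; CourtesyLease lease;
    uint64_t bytes_used; uint32_t snapshots_pinned;   /* host-side accounting */
} Domain;

/* Capabilities a StoreHandle may expose in a given admission state (6.2 table). */
unsigned asl_host_capabilities(AdmissionState s)
{
    switch (s) {
    case DOM_ADMITTED_FULL:     return CAP_LOCAL_WRITE | CAP_PUBLISH_SNAPSHOT | CAP_FEDERATE_LOG;
    case DOM_ADMITTED_COURTESY: return CAP_LOCAL_WRITE;  /* no publish, no federate */
    case DOM_UNRECOGNIZED:      return CAP_LOCAL_WRITE;  /* 3.2: self-contained only */
    default:                    return 0;                /* SUSPENDED / REVOKED: no new writes */
    }
}

/* Gate one write of `bytes` through a StoreHandle: an expired lease suspends the domain
 * first (5.3), then admission state and the lease's storage limit are applied (5.2). */
bool asl_host_gate(Domain *d, unsigned cap, uint64_t bytes, uint64_t now)
{
    if (d->has_lease && now >= d->lease.expires_at) d->state = DOM_SUSPENDED;
    if ((asl_host_capabilities(d->state) & cap) == 0) return false;
    if (d->has_lease && d->bytes_used + bytes > d->lease.storage_limit_bytes) return false;
    d->bytes_used += bytes;
    return true;
}

/* Snapshot pinning (section 7) under the lease's snapshot-count limit (5.2). */
bool asl_host_pin_snapshot(Domain *d, uint64_t now)
{
    if (!asl_host_gate(d, CAP_LOCAL_WRITE, 0, now)) return false;  /* must still accept writes */
    if (d->has_lease && d->snapshots_pinned >= d->lease.snapshot_limit) return false;
    d->snapshots_pinned++;
    return true;
}
```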
---
## 7. Snapshots and CURRENT (ASL-HOST Role)
ASL-HOST defines:
* Snapshot creation
* Snapshot pinning
* Snapshot association with log position

ASL-HOST guarantees:
```text
CURRENT = snapshot + replay(log)
```
This is **host-level truth**, not an ASL-CORE concern.

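An added example (not the note's code) of the section 7 guarantee: CURRENT is rebuilt as the snapshot plus replay of the log entries past the snapshot's position, and a snapshot is trusted only if replaying from genesis agrees with it. The log record layout, the toy key space and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ASL_KEYS 4   /* toy key space; the constructed log only uses keys 0..3 */

/* One append-only log record; `position` is the host-assigned, 1-based log index. */
typedef struct { uint64_t position; unsigned key; int64_t value; } LogEntry;

/* A snapshot is materialized state plus the log position it is associated with (7). */
typedef struct { uint64_t log_position; int64_t state[ASL_KEYS]; } Snapshot;

/* Apply entries with cur->log_position < position <= upto onto cur, in order.
 * Returns the number applied, or -1 when the log has a gap, a reordering or a bad
 * key: the host treats that as corruption and refuses to call the result CURRENT. */
int asl_host_replay(Snapshot *cur, const LogEntry *log, size_t n, uint64_t upto)
{
    int applied = 0;
    for (size_t i = 0; i < n; i++) {
        if (log[i].position <= cur->log_position || log[i].position > upto) continue;
        if (log[i].position != cur->log_position + 1 || log[i].key >= ASL_KEYS) return -1;
        cur->state[log[i].key] = log[i].value;
        cur->log_position = log[i].position;
        applied++;
    }
    return applied;
}

/* CURRENT = snapshot + replay(log): the host-level truth of section 7. */
bool asl_host_current(Snapshot *out, const Snapshot *snap, const LogEntry *log, size_t n)
{
    *out = *snap;
    return asl_host_replay(out, log, n, UINT64_MAX) >= 0;
}

/* Snapshot discipline: a snapshot is trusted only if replaying the log from genesis
 * up to its position reaches exactly the same state. */
bool asl_host_snapshot_consistent(const Snapshot *snap, const LogEntry *log, size_t n)
{
    Snapshot g = { 0, { 0 } };                       /* genesis: empty state, position 0 */
    if (asl_host_replay(&g, log, n, snap->log_position) < 0) return false;
    return g.log_position == snap->log_position &&
           memcmp(g.state, snap->state, sizeof g.state) == 0;
}
```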
---
## 8. Block Ownership and Movement
### 8.1 Block Ownership
Every block belongs to exactly one domain.
Block ownership is enforced by:
* filesystem layout
* StoreHandle scoping
* ASL-HOST policy
---
### 8.2 Block Migration Between Domains
Block migration is an **ASL-HOST operation**:
```text
asl-host migrate-block --from A --to B
```
Rules:
* Source block must be sealed
* Destination domain must accept the block
* Policy compatibility enforced
* Provenance preserved
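The four section 8.2 rules as one host-side check, written as an added example rather than the note's own code; the Block and DomainView fields, the result codes and the use of the section 5.2 encryption-only constraint as the policy-compatibility test are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Host-side view of a block (section 8.1): exactly one owner, plus the provenance the
 * host preserves across migration.  Field names are this example's, not the note's. */
typedef struct {
    uint64_t block_id;
    uint64_t owner;            /* current owning domain */
    uint64_t origin;           /* domain that sealed the block; never rewritten */
    uint64_t prev_owner;       /* 0 if the block has never moved */
    unsigned migrations;
    bool sealed;
    bool encrypted;
} Block;

/* Host-side view of a domain, as far as migration needs it. */
typedef struct {
    uint64_t domain_id;
    bool accepts_blocks;       /* false when SUSPENDED, REVOKED or not admitted */
    bool encryption_only;      /* section 5.2 encryption-only constraint */
} DomainView;

typedef enum { MIG_OK, MIG_NOT_SEALED, MIG_NOT_OWNER, MIG_DEST_REFUSES,
               MIG_POLICY_MISMATCH } MigrateResult;

/* asl-host migrate-block --from A --to B, applying the rules of section 8.2 in order. */
MigrateResult asl_host_migrate_block(Block *b, const DomainView *from, const DomainView *to)
{
    if (!b->sealed) return MIG_NOT_SEALED;                       /* source must be sealed */
    if (b->owner != from->domain_id) return MIG_NOT_OWNER;        /* 8.1: one owner, and it is A */
    if (!to->accepts_blocks) return MIG_DEST_REFUSES;            /* destination must accept */
    if (to->encryption_only && !b->encrypted) return MIG_POLICY_MISMATCH; /* policy compatibility */
    b->prev_owner = b->owner;                                    /* provenance preserved; */
    b->owner = to->domain_id;                                    /* origin is left untouched */
    b->migrations++;
    return MIG_OK;
}
```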
---
## 9. Federation Boundary
ASL-HOST is the **only layer allowed to federate**.
It decides:
* which logs may be exported
* which snapshots may be published
* which foreign roots are trusted

ASL-STORE and ASL-CORE remain oblivious.

---
## 10. Revocation and Suspension
ASL-HOST MAY:
* suspend a domain (stop new writes)
* revoke federation
* invalidate admission

Already-sealed artifacts remain immutable.

---
## 11. SystemRescue Mapping (Concrete)
Your patched SystemRescue image now hosts:
* ASL-HOST runtime
* Local domains (personal, courtesy, common)
* Admission client
* Offline authority material

On boot, SystemRescue may:
1. Create a local domain
2. Load DAM + keys
3. Submit admission request
4. Receive courtesy lease
5. Begin sealed ingestion
6. Snapshot and wait

You are *literally standing ready*.

---
## 12. Why This Integration Is Clean
✔ ASL-CORE untouched
✔ ASL-STORE unaware of authority
✔ Authority never touches block bytes
✔ Admission precedes trust
✔ Rescue and sovereign modes unified
---
## 13. Mental Model (One Sentence)
> **ASL-HOST is the constitutional layer that turns storage into a domain, and a domain into a participant.**
---
If you want next, we can:
* define **ASL-HOST on-disk layout**
* specify **revocation propagation**
* map **PEL execution to admission state**
* or walk a **full rescue → admission → federation scenario end-to-end**
Just point the direction.