niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Re-anchoring any node can become a system.md

263 lines
5.4 KiB
Markdown
Raw Normal View History

Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00
That sentence — **“any node can become a system”** — is actually the *right mental hook* for what youre building. Youre just applying it at the **PEL + TGK semantic layer**, not the SystemRescue layer. Thats an important shift, and it exposes exactly the missing piece youre feeling: **identity, authority, and certification**.
Lets align the layers cleanly and then answer your question about **users, ownership, and whether ZFS helps**.
---
## 1. Re-anchoring “any node can become a system”
In your architecture, a **system** is *not* a machine and *not* a filesystem.
A system is:
> **A domain that can produce, seal, snapshot, and attest to deterministic artifacts and executions.**
So:
* A laptop
* A rescue USB
* A build farm node
* A CI runner
* A forensics machine
…can *all* “become a system” **if** they can:
1. Produce artifacts/PERs
2. Seal them
3. Attach provenance
4. Publish them under a domain identity
SystemRescue gives you *capability*.
PEL + TGK give you *meaning*.
Whats missing is **authority**.
---
## 2. What ZFS can and cannot do here
### What ZFS *can* help with
ZFS gives you:
* Snapshot identity (strong, immutable)
* Retention pins
* Integrity guarantees
* A natural “domain-local root of persistence”
This makes ZFS an excellent **substrate for authority anchoring**.
### What ZFS cannot do
ZFS does **not** provide:
* Users
* Identities
* Ownership semantics
* Certification
* Trust relationships
ZFS can *host* trust anchors — it cannot *define* them.
---
## 3. Users are not UNIX users (important)
If you try to map this to:
* `/etc/passwd`
* UID/GID
* POSIX permissions
You will break your own model.
In your system:
> **Users are cryptographic principals, not OS accounts.**
Thats the key.
---
## 4. The missing layer: Domain Identity & Authority (DIA)
You are missing a small but crucial layer that sits **above ASL/PEL/TGK and below federation**.
Lets call it (name optional):
> **Domain Identity & Authority (DIA)**
This layer defines:
* Who may *assert* artifacts
* Who may *seal* snapshots
* Who may *publish* state
* Who may *certify* execution receipts
---
## 5. What a “user” actually is in your system
A **user** is:
> A keypair that is authorized to act *for a domain* under specific roles.
Not a login. Not a shell. Not a UID.
### Example roles
* `producer` — may generate artifacts
* `executor` — may emit PERs
* `publisher` — may publish snapshots
* `auditor` — may verify, not write
Roles are **semantic**, not filesystem permissions.
---
## 6. Where identity lives (and yes, ZFS helps here)
### Domain identity root (per domain)
```
/asl/domain/
├── domain.id
├── domain.pubkey
├── authorities/
│ ├── root.pub
│ ├── ci.pub
│ └── rescue.pub
├── policies/
│ └── publish.policy
└── attestations/
```
This lives:
* On ZFS
* Inside a snapshot
* Pinned
* Immutable once sealed
This is your **domain root of trust**.
---
## 7. Certification: what gets certified?
Not machines. Not users. Not files.
You certify **statements**.
Examples:
* “This snapshot represents `/home` as of logseq X”
* “This PER was executed from these inputs”
* “This artifact corresponds to this path”
These certifications are **artifacts themselves**.
Thats the big insight.
---
## 8. Execution receipt certification (PEL + TGK)
A PER becomes authoritative only when:
1. Inputs are snapshot-bound
2. Execution is deterministic
3. PER is signed by an authorized key
4. Signature is stored as an artifact
5. TGK edge links PER → signature → snapshot
This gives you:
* Non-repudiation
* Replayable verification
* Cross-domain trust
No mutable ACLs. No global PKI required.
---
## 9. Ownership is about *who can publish*
Ownership in your system is:
> The right to publish artifacts into a domains visible state.
Thats it.
* Anyone can *produce* internally
* Only authorized keys can *publish*
* Federation only sees *published* state
This matches your federation spec perfectly.
---
## 10. What SystemRescue becomes in this model
SystemRescue is just:
> A transient node that can temporarily act under a domain identity.
It may:
* Import a domain key (hardware token, USB)
* Produce recovery artifacts
* Emit PERs
* Publish a recovery snapshot
Then disappear.
The authority lives in the domain, not the machine.
---
## 11. Why this completes “any node can become a system”
Because now:
* A node + tools + a key = a system
* Without a key, its just a reader
* With a key, it can assert truth
* ZFS ensures what was asserted cannot be silently altered
Thats the closure you were missing.
---
## 12. The minimal thing you need to add (not a big system)
You do **not** need:
* LDAP
* OAuth
* POSIX ACLs
* Distributed consensus
You need:
* Domain keypairs
* Signed artifacts
* Snapshot-pinned authority state
* Simple role policies
Thats it.
---
## 13. One-sentence takeaway
> **ZFS gives you immutability; ASL gives you determinism; PEL gives you meaning; TGK gives you structure — but only cryptographic domain identity turns a node into a system.**
If you want, next we can:
* Specify a minimal **Domain Authority Manifest**
* Define the PER signature format
* Walk through “archived home directory” as a certified execution
* Show how federation validates authority without trusting nodes
This is the missing keystone — and you were already circling it.
Reference in a new issue Copy permalink