# ENC-ASL-AUTH-HOST/1 - Authority Host Layout

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, layout]

**Document ID:** `ENC-ASL-AUTH-HOST/1`
**Layer:** O2E - Authority host layout profile

**Depends on (normative):**

* `ASL/AUTH-HOST/1`
* `ENC-ASL-HOST/1`

**Informative references:**

* `ASL/DAM/1`
* `PEL/1-CORE`

---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.

---
## 1. Purpose and Scope
ENC-ASL-AUTH-HOST/1 extends ENC-ASL-HOST/1 with authority-specific layout
requirements for offline admission and signing workflows.

---
## 2. Authority Root Layout
```
/asl-auth-host/
├── host/
├── domains/
├── env-claims/
├── sops-bundles/
└── tools/
```
This layout may be mounted as a single root or mapped into `/asl-host` with
additional authority directories.

---
## 3. Domains
Domain layout MUST follow ENC-ASL-HOST/1 under:
```
/asl-auth-host/domains/<domain-id>/
```
---
## 4. Environment Claims
```
/asl-auth-host/env-claims/
```
Each claim MUST be stored as an immutable artifact, named by snapshot or
content hash.

---
## 5. SOPS Bundles
```
/asl-auth-host/sops-bundles/
```
Bundles contain DAMs, receipts, and policy artifacts for offline transfer.

---
## 6. Tools
```
/asl-auth-host/tools/
```
Authority binaries and scripts SHOULD be versioned and treated as immutable.

---
## 7. Naming Conventions (Informative)
The following naming conventions are recommended for interop:
### 7.1 Store Blocks
```
<block-id>.bin
<block-id>.meta
```
### 7.2 Index Segments
```
segment-<n>.idx
bloom-<n>.bf
```
### 7.3 Log Files
```
log-<seq>.aol
```
### 7.4 Snapshots
```
snapshot-<id>.meta
snapshot-<id>.blocks
```
### 7.5 Certificates
```
root.pub
root.priv.enc
dam-signer.pub
dam-signer.priv.enc
```
### 7.6 Policies
```
policy-<hash>.json
```
### 7.7 DAM Artifacts
```
dam-<seq>.json.sig
```
### 7.8 Environment Claims
```
<snapshot-id>.claim
```
Environment claims SHOULD include:
* OS image hash
* Boot environment info
* Installed tool hashes
* Store checksum at snapshot
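A conformance check for the root layout in section 2, the claim naming in sections 4 and 7.8, and the key naming in section 7.5, as an added example that is not part of this specification or its tooling. It assumes immutability can be approximated by cleared write permission bits and that private keys may exist only in the `*.priv.enc` form; `check_auth_host`, `build_sample_root`, the finding labels, and the sample tree (including keeping keys under `host/`) are constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

# Top-level directories listed in section 2 of this document.
REQUIRED_DIRS = ("host", "domains", "env-claims", "sops-bundles", "tools")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def check_auth_host(root):
    """Return a sorted list of findings for an authority root; empty means clean."""
    root = Path(root)
    findings = []
    for name in REQUIRED_DIRS:
        if not (root / name).is_dir():
            findings.append(f"missing-dir: {name}/")
    claims = root / "env-claims"
    for entry in (sorted(claims.iterdir()) if claims.is_dir() else []):
        rel = entry.relative_to(root).as_posix()
        if entry.is_symlink() or not entry.is_file():
            findings.append(f"claim-not-regular-file: {rel}")
        elif entry.suffix != ".claim":
            findings.append(f"claim-bad-name: {rel}")
        elif entry.stat().st_mode & WRITE_BITS:
            # Assumption: "immutable" is approximated by cleared write bits.
            findings.append(f"claim-writable: {rel}")
    # Assumption: section 7.5 lists private keys only as *.priv.enc, so a
    # bare *.priv file anywhere under the root is reported.
    for key in root.rglob("*.priv"):
        if key.is_file():
            findings.append(f"plaintext-private-key: {key.relative_to(root).as_posix()}")
    return sorted(findings)

def build_sample_root(base):
    """Constructed sample tree with three deliberate problems."""
    root = Path(base) / "asl-auth-host"
    for name in ("host", "domains/example-domain", "env-claims", "sops-bundles"):
        (root / name).mkdir(parents=True)  # tools/ is left out on purpose
    for name, mode in (("snap-0001.claim", 0o444), ("snap-0002.claim", 0o644)):
        claim = root / "env-claims" / name
        claim.write_text("constructed claim\n")
        claim.chmod(mode)  # the second claim stays writable on purpose
    (root / "host" / "root.priv.enc").write_text("constructed ciphertext\n")
    (root / "host" / "root.priv").write_text("constructed plaintext key\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(check_auth_host(build_sample_root(tmp))))
```

Permission bits do not stop a privileged process from rewriting a claim, so a clean result here is a layout check, not proof of immutability.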
### 7.9 SOPS Bundles
Bundles SHOULD include checksums for integrity validation.

---
## 8. Versioning
Backward-incompatible layout changes MUST bump the major version.