niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Rescue Node ASL Deployment.md

173 lines
7.5 KiB
Markdown
Raw Normal View History

Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00
Perfect. Lets map out a **Rescue Node ASL Deployment** for your scenario, integrating **personal domain, common domain (Unity/Rakeroot), foreign-domain trust, and ASL layers**. Ill keep it clear and structured.
---
# Rescue Node ASL Deployment Conceptual Diagram
## 1. Overview
Goal: A rescue node (e.g., old laptop booted with SystemRescue) can:
* Read old material and register it in a **new personal domain**
* Store **resurrected artifacts** safely
* Interact with **common/shared domains** (Unity / Rakeroot)
* Respect **foreign-domain trust** (read-only imported artifacts)
* Produce **signed PERs** for auditing and traceability
---
## 2. Layered Architecture
```
┌───────────────────────────────────────────────────────────────┐
│ Rescue Node / SystemRescue Runtime │
│ (ASL-HOST) │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ Store Handles / Filesystems (POSIX/ZFS) │ │
│ │ - personal domain store │ │
│ │ - common / Unity store │ │
│ │ - optional foreign domain caches │ │
│ └───────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ ASL-STORE(-INDEX) │ │
│ │ - Handles blocks, snapshots, sealed segments │ │
│ │ - CURRRENT reconstruction, GC │ │
│ │ - Uses store handles provided by ASL-HOST │ │
│ └───────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ ASL-AUTH │ │
│ │ - Domain authority (personal / common / foreign) │ │
│ │ - PER signing and verification │ │
│ │ - Policy hash and offline root enforcement │ │
│ └───────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ PEL / TGK Execution │ │
│ │ - Generates PERs from recovered artifacts │ │
│ │ - TGK edges record provenance │ │
│ │ - Deterministic DAG execution │ │
│ └───────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────┘
```
---
## 3. Domains
| Domain | Purpose | Storage / Backing |
| ------------------------------ | ----------------------------------------------------------- | ------------------------------------------------ |
| **Personal Domain** | Newly minted domain on rescue node; stores rescued material | ZFS dataset or POSIX store, encrypted optionally |
| **Common / Unity Domain** | Group-shared artifacts; Unity / Rakeroot | ZFS dataset shared among users, snapshot-based |
| **Foreign Domains (optional)** | Imported read-only artifacts; pinned by trust | Cache store / ASL-HOST mount |
---
## 4. Domain Initialization
1. **Personal Domain**
* Create store: `CreateStore("/mnt/rescue/personal")`
* Generate DA manifest
* Sign manifest with offline root
* Mount snapshot overlay if needed
2. **Common / Unity Domain**
* Mount read-only: `OpenStore("/mnt/common")`
* Synchronize snapshot to local host
* Pin trusted foreign domains if group members exist
3. **Foreign Domains**
* Configure trust pin: Domain ID + Policy hash
* Mount local cache for imported artifacts
* Access **read-only**, verified via ASL-AUTH
---
## 5. Storage / Filesystem Layout
```
/mnt/rescue/
personal/ <-- personal domain store (ZFS/POSIX)
blocks/
segments/
logs/
common/ <-- Unity / Rakeroot (shared read-only store)
blocks/
segments/
logs/
foreign/ <-- optional cache for foreign domains
domainX/
blocks/
segments/
```
* **Blocks**: immutable, sealed by ASL-STORE
* **Segments**: index entries + metadata
* **Logs**: append-only, monotonic ordering
---
## 6. Snapshot Strategy
* ZFS snapshots (or overlayfs copies) per domain
* Personal domain snapshots allow **deterministic recovery**
* Common domain snapshots define **group-visible CURRENT**
* Foreign domain snapshots pinned by trust
```
personal@rescue-snap-2025-12-28
common@unity-snap-2025-12-28
foreign-domainX@snap-2025-12-01
```
---
## 7. PER Signing & Provenance
1. PEL executes DAG over rescued artifacts
2. Generates PERs
3. ASL-AUTH signs PERs with:
* Personal domain authority key
* Policy hash embedded
4. PERs stored in **personal domain**, optionally referencing:
* Common / Unity artifacts
* Foreign pinned artifacts (read-only)
---
## 8. Optional Encryption / Public Domain Courtesy
* Blocks from personal domain can be encrypted when storing in **common domain**
* Ensures **privacy while allowing shared indexing**
* Encryption keys managed by **personal DA**
---
## 9. Trust & Governance
* Offline root(s) provide deterministic trust
* Policy hash enforces publishing and cross-domain rules
* Personal domain can safely publish selected artifacts to Unity / Rakeroot
* Foreign-domain pins enforce **read-only deterministic import**
---
## 10. Summary
* Rescue node can bootstrap **personal + common + foreign domains**
* Storage handled by ASL-HOST (POSIX/ZFS)
* Indexing, snapshots, sealing by ASL-STORE(-INDEX)
* PER signing and cross-domain trust by ASL-AUTH
* Execution provenance tracked via PEL/TGK
* Flexible architecture for **personal, group, and federated domains**
---
If you want, I can **draw a fully labeled diagram** showing **how artifacts flow from the rescued home directory into personal domain, common domain, and PER generation**, including snapshots, seals, and trust pins. This would be a visual reference for your rescue mission.
Do you want me to do that next?
Reference in a new issue Copy permalink