From 74efedf62cb92a44bec72ba91f1b89a19fa3ad26 Mon Sep 17 00:00:00 2001 
From: Carl Niklas Rydberg
Date: Sat, 17 Jan 2026 09:21:47 +0100
Subject: [PATCH] Rework ops specs

---
ops/README.md | 17 ++
ops/asl-auth-host-1.md | 128 +++++++++
ops/asl-auth-host-config-1.md | 161 ++++++++++++
ops/asl-auth-host-image-1.md | 129 +++++++++
ops/asl-auth-host-threat-model-1.md | 123 +++++++++
ops/asl-host-1.md | 248 ++++++++++++++++++
ops/asl-rescue-node-1.md | 107 ++++++++
ops/asl-rescue-operation-1.md | 89 +++++++
ops/asl-systemrescue-overlay-1.md | 134 ++++++++++
ops/enc-asl-auth-host-1.md | 169 ++++++++++++
ops/enc-asl-host-1.md | 239 +++++++++++++++++
...SL SystemRescue Overlay – Intake Schema.md | 0
.../ASL-AUTH-HOST Configuration.md | 0
...UTH-HOST ISO + Overlay Directory Layout.md | 0
.../ASL-AUTH-HOST v0-1 - Threat Model.md | 0
...AUTH-HOST v0.1 — Authority Node Profile.md | 0
ops/{ => legacy}/ASL-HOST v0-1.md | 0
ops/{ => legacy}/ASL-HOST v0-2.md | 0
ops/{ => legacy}/Bootable ASL-AUTH-HOST.md | 0
ops/{ => legacy}/ENC-ASL-AUTH-HOST.md | 0
ops/{ => legacy}/ENC-ASL-HOST.md | 0
.../Rescue Node ASL Deployment.md | 0
.../Rescue Node Blueprint v0-1.md | 0
.../Rescue Operation Architecture.md | 0
.../bootable authority host image.md | 0
25 files changed, 1544 insertions(+)
create mode 100644 ops/README.md
create mode 100644 ops/asl-auth-host-1.md
create mode 100644 ops/asl-auth-host-config-1.md
create mode 100644 ops/asl-auth-host-image-1.md
create mode 100644 ops/asl-auth-host-threat-model-1.md
create mode 100644 ops/asl-host-1.md
create mode 100644 ops/asl-rescue-node-1.md
create mode 100644 ops/asl-rescue-operation-1.md
create mode 100644 ops/asl-systemrescue-overlay-1.md
create mode 100644 ops/enc-asl-auth-host-1.md
create mode 100644 ops/enc-asl-host-1.md
rename ops/{ => legacy}/ASL SystemRescue Overlay – Intake Schema.md (100%)
rename ops/{ => legacy}/ASL-AUTH-HOST Configuration.md (100%)
rename ops/{ => legacy}/ASL-AUTH-HOST ISO + Overlay Directory Layout.md (100%)
rename ops/{ => legacy}/ASL-AUTH-HOST v0-1 - Threat Model.md (100%)
rename ops/{ => legacy}/ASL-AUTH-HOST v0.1 — Authority Node Profile.md (100%)
rename ops/{ => legacy}/ASL-HOST v0-1.md (100%)
rename ops/{ => legacy}/ASL-HOST v0-2.md (100%)
rename ops/{ => legacy}/Bootable ASL-AUTH-HOST.md (100%)
rename ops/{ => legacy}/ENC-ASL-AUTH-HOST.md (100%)
rename ops/{ => legacy}/ENC-ASL-HOST.md (100%)
rename ops/{ => legacy}/Rescue Node ASL Deployment.md (100%)
rename ops/{ => legacy}/Rescue Node Blueprint v0-1.md (100%)
rename ops/{ => legacy}/Rescue Operation Architecture.md (100%)
rename ops/{ => legacy}/bootable authority host image.md (100%)
diff --git a/ops/README.md b/ops/README.md
new file mode 100644
index 0000000..1deb46a
--- /dev/null
+++ b/ops/README.md
@@ -0,0 +1,17 @@
+# Ops Specifications
+
+This directory contains operational specs aligned with tier1 formatting and
+structure. Legacy drafts are preserved in `ops/legacy/`.
+
+## Ordered List
+
+1. ASL/HOST/1 - `ops/asl-host-1.md`
+2. ENC-ASL-HOST/1 - `ops/enc-asl-host-1.md`
+3. ASL/AUTH-HOST/1 - `ops/asl-auth-host-1.md`
+4. ENC-ASL-AUTH-HOST/1 - `ops/enc-asl-auth-host-1.md`
+5. ASL/AUTH-HOST-CONFIG/1 - `ops/asl-auth-host-config-1.md`
+6. ASL/AUTH-HOST-THREAT-MODEL/1 - `ops/asl-auth-host-threat-model-1.md`
+7. ASL/AUTH-HOST-IMAGE/1 - `ops/asl-auth-host-image-1.md`
+8. ASL/SYSTEMRESCUE-OVERLAY/1 - `ops/asl-systemrescue-overlay-1.md`
+9. ASL/RESCUE-NODE/1 - `ops/asl-rescue-node-1.md`
+10. ASL/RESCUE-OP/1 - `ops/asl-rescue-operation-1.md`
diff --git a/ops/asl-auth-host-1.md b/ops/asl-auth-host-1.md
new file mode 100644
index 0000000..010e4f0
--- /dev/null
+++ b/ops/asl-auth-host-1.md
@@ -0,0 +1,128 @@
+# ASL/AUTH-HOST/1 - Authority Node Profile
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, authority, offline]
+
+**Document ID:** `ASL/AUTH-HOST/1`
+**Layer:** O2 - Authority host profile
+
+**Depends on (normative):**
+
+* `ASL/HOST/1`
+* `ASL/DAM/1`
+* `ASL/POLICY-HASH/1`
+* `ASL/OFFLINE-ROOT-TRUST/1`
+
+**Informative references:**
+
+* `PEL/1-CORE`
+* `PEL/1-SURF`
+* `ENC-ASL-AUTH-HOST/1`
+* `ASL/RESCUE-NODE/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+ASL/AUTH-HOST/1 defines an operational profile. It does not define cryptography
+or artifact semantics.
+
+---
+
+## 1. Purpose and Scope
+
+ASL/AUTH-HOST/1 defines the profile for an offline authority node that mints
+and signs domain admission artifacts. The host:
+
+* Operates offline by default
+* Maintains a local ASL/HOST store
+* Produces deterministic artifacts and receipts
+* Issues DAM artifacts for new domains
+
+---
+
+## 2. Core Principles (Normative)
+
+1. Authority state is stored as artifacts.
+2. Operations are deterministic and snapshot-bound.
+3. The host remains offline during authority operations.
+4. Outputs are immutable artifacts suitable for later transfer.
+5. Authority functionality is limited to signing, sealing, and packaging
+ artifacts.
+6. Receipts (PERs) are primary outputs for auditing and later federation.
+
+---
+
+## 3. Required Components
+
+An authority host MUST provide:
+
+* ASL/HOST store for authority and domain artifacts
+* Root authority key material (offline)
+* PEL execution environment for deterministic receipts
+* Policy hash verification for admission
+
+---
+
+## 4. Operation Modes
+
+The host MAY operate in the following modes:
+
+* `GENESIS` - mint initial domain and keys
+* `RESCUE` - ingest external artifacts and produce receipts
+* `ADMISSION` - sign DAMs and policy artifacts
+* `MAINTENANCE` - rotate keys, seal snapshots, audit state
+
+---
+
+## 5. Output Artifacts
+
+The host MUST be able to produce:
+
+* Root key artifacts (public, encrypted private)
+* DAM artifacts and signatures
+* Policy hash artifacts
+* Environment claim artifacts
+* PER receipts and associated TGK edges
+
+---
+
+## 6. Snapshot Discipline
+
+Each authority operation MUST:
+
+1. Append log entries for new artifacts
+2. Seal relevant segments
+3. Create a snapshot marker capturing CURRENT state
+
+Snapshots MUST be immutable once sealed.
+
+---
+
+## 7. Offline Constraints
+
+* Network interfaces SHOULD be disabled.
+* External input and output MUST occur via explicit operator action.
+* No background services SHOULD alter authority state.
+* Garbage collection SHOULD be disabled for authority domains.
+
+---
+
+## 8. Security Considerations
+
+* Private keys MUST remain offline and encrypted at rest.
+* Only signed outputs may leave the host.
+* Operator presence is required for authority operations.
+
+---
+
+## 9. Versioning
+
+Backward-incompatible profile changes MUST bump the major version.
diff --git a/ops/asl-auth-host-config-1.md b/ops/asl-auth-host-config-1.md
new file mode 100644
index 0000000..fd1aff6
--- /dev/null
+++ b/ops/asl-auth-host-config-1.md
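Review bot: §7 "Network interfaces SHOULD be disabled" is weaker than what the rest of this profile rests on: §1 says the host "Operates offline by default", §2 item 3 says it "remains offline during authority operations", and ASL/AUTH-HOST-THREAT-MODEL/1 §1.2 lists "no network interfaces" as an assumption, so a host that keeps interfaces up while signing would conform to this profile but fall outside the threat model. Suggest `* Network interfaces MUST be disabled during authority operations.` and, for the same reason, turning the lower-case "may" in §8 into a requirement, `* Unsigned outputs MUST NOT leave the host.`, since in an RFC 2119 document "may" reads as permission rather than as the exclusion the sentence intends. §7's "No background services SHOULD alter authority state" is also a negated SHOULD, which RFC 2119 does not define; `* Background services MUST NOT alter authority state.` says what is meant.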
@@ -0,0 +1,161 @@
+# ASL/AUTH-HOST-CONFIG/1 - Configuration Schema
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, authority, config]
+
+**Document ID:** `ASL/AUTH-HOST-CONFIG/1`
+**Layer:** O2C - Authority host configuration
+
+**Depends on (normative):**
+
+* `ASL/AUTH-HOST/1`
+* `ASL/HOST/1`
+
+**Informative references:**
+
+* `ENC-ASL-AUTH-HOST/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Purpose and Scope
+
+This document defines the configuration schema for an ASL authority host.
+Configuration is expressed as a single YAML file.
+
+---
+
+## 2. File Format
+
+* UTF-8 YAML 1.2
+* Root object with the fields defined below
+* Unknown fields SHOULD be ignored with warning
+
+---
+
+## 3. Root Schema
+
+```
+host:
+ name: string
+ version: string
+ mode: "rescue" | "admission" | "normal"
+
+domains:
+ :
+ id: string
+ type: "courtesy" | "private" | "authority"
+ description: string
+ path: string
+ snapshot_retention: duration
+ allowed_operations: [read, write, append, seal, gc]
+ courtesy_lease: duration
+
+certificates:
+ root_offline_path: string
+ domain_authority_path: string
+ sops_bundle_path: string
+
+policy:
+ hash_file: string
+ description: string
+
+logging:
+ path: string
+ level: "DEBUG" | "INFO" | "WARN" | "ERROR"
+
+store:
+ type: "posix" | "zfs"
+ pools:
+ - name: string
+ mount_point: string
+ enable_snapshotting: boolean
+ snapshot_prefix: string
+
+hooks:
+ pre_start: string
+ post_start: string
+```
+
+---
+
+## 4. Semantics
+
+* `host.mode` controls startup behavior.
+* `domains` entries are keyed by stable names; `id` is the authoritative domain
+ identifier.
+* `courtesy_lease` is required for `type: courtesy` and MUST be omitted for
+ `type: authority`.
+* `store.type` selects the host backend. If `zfs`, each pool entry MUST be
+ mounted before starting the host.
+
+---
+
+## 5. Example Configuration
+
+```yaml
+host:
+ name: "asl-auth-host-01"
+ version: "0.1"
+ mode: "rescue"
+
+domains:
+ common:
+ id: "00000000-0000-0000-0000-000000000001"
+ type: "courtesy"
+ description: "Shared courtesy domain"
+ path: "/var/lib/asl/common"
+ snapshot_retention: 30d
+ allowed_operations: [read, write, append]
+ courtesy_lease: 7d
+ personal:
+ id: "00000000-0000-0000-0000-000000000002"
+ type: "private"
+ description: "Private rescue domain"
+ path: "/var/lib/asl/personal"
+ snapshot_retention: 90d
+ allowed_operations: [read, write, append, seal, gc]
+
+certificates:
+ root_offline_path: "/var/lib/asl/certs/root-offline"
+ domain_authority_path: "/var/lib/asl/certs/domain-authority"
+ sops_bundle_path: "/var/lib/asl/certs/sops"
+
+policy:
+ hash_file: "/etc/asl-auth-host/policy.hash"
+ description: "Offline policy hash"
+
+logging:
+ path: "/var/log/asl-auth-host.log"
+ level: "INFO"
+
+store:
+ type: "zfs"
+ pools:
+ - name: "common_pool"
+ mount_point: "/var/lib/asl/common"
+ - name: "personal_pool"
+ mount_point: "/var/lib/asl/personal"
+ enable_snapshotting: true
+ snapshot_prefix: "asl_snap"
+
+hooks:
+ pre_start: "/bin/init-asl-host.sh"
+ post_start: "/bin/helper-mount.sh"
+```
+
+---
+
+## 6. Versioning
+
+Backward-incompatible schema changes MUST bump the major version.
diff --git a/ops/asl-auth-host-image-1.md b/ops/asl-auth-host-image-1.md
new file mode 100644
index 0000000..ed9cb23
--- /dev/null
+++ b/ops/asl-auth-host-image-1.md
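Review bot: §2 "Unknown fields SHOULD be ignored with warning" means a misspelled key in a security-relevant section (`allowed_operations`, `courtesy_lease`, `certificates`, `policy.hash_file`) silently drops the control it was meant to set, with only a log line to show for it on a host that is offline and operator-driven; for this profile the safer default is to refuse to start, e.g. `* Unknown fields MUST be rejected at startup; the host MUST NOT start with an unrecognized key under domains, certificates, or policy.`, leaving ignore-with-warning for sections like `logging` if lenience is wanted there. Separately, `host.mode` enumerates `"rescue" | "admission" | "normal"` while ASL/AUTH-HOST/1 §4 names the modes `GENESIS`, `RESCUE`, `ADMISSION` and `MAINTENANCE`, and §4 here only says the field "controls startup behavior"; the two lists should agree, or §4 should state which profile mode each config value selects. The example's `post_start: "/bin/helper-mount.sh"` also names a script that ASL/AUTH-HOST-IMAGE/1 §3 does not place in the overlay, which looks like a leftover from an earlier draft.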
@@ -0,0 +1,129 @@
+# ASL/AUTH-HOST-IMAGE/1 - Bootable Image and Overlay Layout
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, authority, image]
+
+**Document ID:** `ASL/AUTH-HOST-IMAGE/1`
+**Layer:** O2I - Authority host image profile
+
+**Depends on (normative):**
+
+* `ASL/AUTH-HOST/1`
+* `ENC-ASL-AUTH-HOST/1`
+
+**Informative references:**
+
+* `ASL/AUTH-HOST-CONFIG/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Purpose and Scope
+
+This document defines a bootable, offline authority host image. It specifies
+base system requirements, overlay layout, and the boot workflow used to
+initialize authority operations.
+
+---
+
+## 2. Base Image Requirements
+
+The base OS MUST:
+
+* Boot in offline mode by default
+* Include minimal POSIX tooling
+* Disable network services unless explicitly enabled
+
+---
+
+## 3. Overlay Layout
+
+```
+/overlay/
+├── bin/
+│ ├── asl-auth-host
+│ ├── asl-rescue
+│ └── init-asl-host.sh
+├── etc/
+│ └── asl-auth-host/
+│ ├── config.yaml
+│ └── policy.hash
+├── var/
+│ ├── lib/
+│ │ └── asl/
+│ │ ├── common/
+│ │ ├── personal/
+│ │ └── pools/
+│ └── log/
+│ └── asl-auth-host.log
+└── usr/
+ └── local/
+ └── bin/
+ └── asl-admin
+```
+
+The overlay MUST be merged into the ISO root at build time.
+
+---
+
+## 4. ISO Root Layout (Runtime)
+
+```
+/iso_root/
+├── bin/
+├── etc/
+│ └── asl-auth-host/
+├── var/
+│ ├── lib/
+│ │ └── asl/
+│ └── log/
+└── usr/local/bin/
+```
+
+---
+
+## 5. Boot Workflow
+
+1. Boot offline image.
+2. Run `init-asl-host.sh` to mount storage pools and apply config.
+3. Initialize or open domain stores per config.
+4. Start the authority host service.
+5. Enforce witness authority (DAM) before general userspace services start.
+
+---
+
+## 6. Persistence Strategy
+
+Writable storage MUST be mounted separately from the read-only system image.
+Examples:
+
+* ZFS datasets mounted under `/var/lib/asl`
+* External disk mounted at `/mnt` and bound to `/var/lib/asl`
+
+---
+
+## 7. Build Pipeline (Informative)
+
+A typical pipeline:
+
+1. Create minimal root via debootstrap or equivalent.
+2. Merge overlay into ISO root.
+3. Optionally wrap build steps with `asl-capture` to record build provenance.
+4. Add bootloader config.
+5. Build ISO with `xorriso` or equivalent tool.
+
+---
+
+## 8. Versioning
+
+Backward-incompatible image changes MUST bump the major version.
diff --git a/ops/asl-auth-host-threat-model-1.md b/ops/asl-auth-host-threat-model-1.md
new file mode 100644
index 0000000..366e6fc
--- /dev/null
+++ b/ops/asl-auth-host-threat-model-1.md
@@ -0,0 +1,123 @@
+# ASL/AUTH-HOST-THREAT-MODEL/1 - Threat Model
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, authority, security]
+
+**Document ID:** `ASL/AUTH-HOST-THREAT-MODEL/1`
+**Layer:** O2S - Authority host security profile
+
+**Depends on (normative):**
+
+* `ASL/AUTH-HOST/1`
+
+**Informative references:**
+
+* `ASL/OFFLINE-ROOT-TRUST/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Scope and Assumptions
+
+### 1.1 In Scope
+
+* Offline authority host
+* USB-mediated intake and output
+* DAM signing and admission artifacts
+* PEL execution for receipt generation
+* Snapshot and log sealing
+
+### 1.2 Assumptions
+
+1. Physical access to hardware is controlled.
+2. The host is offline (no network interfaces).
+3. Root keys are uncompromised.
+4. Operator presence is required for authority actions.
+
+---
+
+## 2. Assets
+
+* Root authority keys
+* Domain signing keys
+* DAM and policy artifacts
+* PER receipts and environment claims
+* Domain identity bindings
+
+---
+
+## 3. Adversary Model
+
+The adversary MAY:
+
+* Supply malicious USB content
+* Replay old requests
+* Provide malformed PEL programs
+* Attempt to confuse domain identity
+
+The adversary MUST NOT:
+
+* Access signing keys without operator approval
+* Modify host binaries without physical compromise
+
+---
+
+## 4. Trust Boundaries
+
+```
+[ USB INPUT ] -> [ AUTH HOST ] -> [ USB OUTPUT ]
+```
+
+Data flows are unidirectional per phase. The host MUST treat input as untrusted
+until verification succeeds.
+
+---
+
+## 5. Threats and Mitigations
+
+### 5.1 Spoofing
+
+* Mitigation: DAM signature verification and policy hash checks.
+
+### 5.2 Tampering
+
+* Mitigation: hash all inputs, sign outputs, mount USB read-only.
+
+### 5.3 Repudiation
+
+* Mitigation: PER receipts include program hash, input hashes, and snapshot ID.
+
+### 5.4 Information Disclosure
+
+* Mitigation: no network, explicit publish rules, encrypted private artifacts.
+
+### 5.5 Denial of Service
+
+* Mitigation: operator-mediated execution, size limits, deterministic PEL subset.
+
+### 5.6 Elevation of Privilege
+
+* Mitigation: PEL is declarative, no syscalls or I/O primitives.
+
+---
+
+## 6. Residual Risk
+
+* Physical compromise of hardware is out of scope.
+* Operator error remains a risk and SHOULD be mitigated with checklists.
+
+---
+
+## 7. Versioning
+
+Backward-incompatible changes MUST bump the major version.
diff --git a/ops/asl-host-1.md b/ops/asl-host-1.md
new file mode 100644
index 0000000..4b708e8
--- /dev/null
+++ b/ops/asl-host-1.md
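Review bot: §3 "The adversary MUST NOT" applies RFC 2119 requirement language to the attacker, whom the document cannot bind; the two bullets under it are assumptions of the same kind as §1.2 and should be stated as such, e.g. `The adversary is assumed unable to:`, and listed in §1.2, so a reader sees that key access and binary integrity rest on the physical-control assumption rather than on any mitigation in §5. Separately, §5.2's "mount USB read-only" keeps the host from writing to the medium but does not reduce how much attacker-supplied filesystem metadata the host kernel parses when the stick is mounted, which is the input §4 says must be treated as untrusted until verified; a mitigation that matches §4 would pin the intake mount to a single expected filesystem type with `nodev,nosuid,noexec`, and hash the input before any of its content is interpreted. §5.5's "size limits" would also benefit from saying what is limited (input file size, PEL program size, or both), since the receipt path in §5.3 depends on reading all of it.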
@@ -0,0 +1,248 @@
+# ASL/HOST/1 - Host Runtime Interface
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, host, admission, storage]
+
+**Document ID:** `ASL/HOST/1`
+**Layer:** O1 - Host runtime profile (node boundary)
+
+**Depends on (normative):**
+
+* `ASL/1-STORE`
+* `ASL/LOG/1`
+* `ASL/DAP/1`
+* `ASL/DAM/1`
+* `ASL/POLICY-HASH/1`
+
+**Informative references:**
+
+* `ASL/SYSTEM/1`
+* `ASL/OFFLINE-ROOT-TRUST/1`
+* `ENC-ASL-HOST/1`
+* `ENC-ASL-LOG`
+* `ASL/AUTH-HOST/1`
+* `ASL/RESCUE-NODE/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+ASL/HOST/1 defines host responsibilities and boundaries. It does not define
+artifact semantics, encoding formats, or cryptographic algorithms.
+
+---
+
+## 1. Purpose and Scope
+
+ASL/HOST/1 specifies the runtime contract between an ASL node and its host
+environment. It covers:
+
+* Domain lifecycle and admission state tracking
+* Store handle provisioning for ASL/1-STORE and ASL/LOG/1
+* Snapshot coordination and log append guarantees
+* Resource and lease enforcement at the host boundary
+
+Out of scope:
+
+* Artifact semantics (ASL/1-CORE)
+* On-disk encoding and byte layouts (ENC specs)
+* Policy definition and authority semantics (ASL/AUTH layers)
+
+---
+
+## 2. Position in the Stack
+
+ASL/HOST is the membrane between host services and ASL semantics.
+
+```
++--------------------------+
+| ASL/AUTH (policy, keys) |
++--------------------------+
+| ASL/HOST (this spec) |
++--------------------------+
+| ASL/1-STORE + ASL/LOG |
++--------------------------+
+| Host FS / ZFS / POSIX |
++--------------------------+
+```
+
+---
+
+## 3. Core Responsibilities (Normative)
+
+An ASL host implementation MUST:
+
+1. Provide stable store handles for ASL/1-STORE and ASL/LOG/1 operations.
+2. Maintain domain lifecycle state and admission status.
+3. Enforce admission outcomes and courtesy leases without leaking those
+ semantics into ASL/1-STORE.
+4. Provide atomic append guarantees for log operations.
+5. Coordinate snapshot creation and mounting.
+6. Enforce local resource limits and error handling.
+
+---
+
+## 4. Core Concepts
+
+| Concept | Definition |
+| ----------------- | ------------------------------------------------------------------------- |
+| **StoreHandle** | Opaque reference to a host-provided store instance |
+| **StoreLocation** | Host-defined location where a store exists (path, URI, mount point, etc.) |
+| **AppendUnit** | Minimum atomic write unit for the append-only log |
+| **SnapshotID** | Opaque identifier of a host-provided snapshot |
+| **HostClock** | Monotonic counter or timestamp source |
+| **HostIdentity** | Unique machine or user identity for signing or domain minting |
+
+---
+
+## 5. Domain Model
+
+### 5.1 Domain States
+
+A host MUST track the following domain states:
+
+* `UNRECOGNIZED`
+* `COURTESY`
+* `FULL`
+* `SUSPENDED`
+* `REVOKED`
+
+### 5.2 Domain Descriptor
+
+Host-owned metadata MUST include:
+
+```
+domain_id
+state
+created_at
+admitted_at
+root_key_fingerprint
+policy_hash
+current_snapshot
+current_logseq
+```
+
+The descriptor is derived state and MUST NOT be treated as authoritative
+artifact content.
+
+---
+
+## 6. Domain Lifecycle Operations
+
+### 6.1 Create
+
+`CreateDomain(location) -> domain_id`
+
+* MUST allocate an isolated domain root.
+* MUST initialize empty store, log, and snapshot markers.
+
+### 6.2 Admit
+
+`AdmitDomain(dam, signature) -> AdmissionResult`
+
+* MUST validate DAM schema and signature per `ASL/DAM/1`.
+* MUST enforce policy hash compatibility per `ASL/POLICY-HASH/1`.
+
+Admission outcomes MUST have the following effects:
+
+| Outcome | Host Behavior |
+| ---------------- | --------------------------------------- |
+| ACCEPTED | Enable publishing, indexing, federation |
+| ACCEPTED_LIMITED | Enable courtesy-only storage |
+| DEFERRED | Domain exists but blocked |
+| REJECTED | Domain remains isolated |
+
+### 6.3 Suspend and Revoke
+
+* `SUSPENDED` MUST block new writes.
+* `REVOKED` MUST block all access except local inspection.
+
+---
+
+## 7. Store Handle Interface
+
+A host MUST expose at least the following operations:
+
+* `CreateStore(location) -> StoreHandle`
+* `OpenStore(location) -> StoreHandle`
+* `CloseStore(handle)`
+
+The StoreHandle is opaque and scoped to a domain. Admission state MUST gate
+capabilities exposed by the StoreHandle (see Section 7).
+
+---
+
+## 8. Admission-Gated Capabilities
+
+Capabilities MUST be gated as follows:
+
+| Capability | Courtesy | Full |
+| ---------------- | -------- | ---- |
+| allocate_block | yes | yes |
+| seal_block | yes | yes |
+| append_log | yes | yes |
+| publish_snapshot | no | yes |
+| federate_log | no | yes |
+
+ASL/1-STORE and ASL/LOG MUST remain unaware of admission semantics.
+
+---
+
+## 9. Courtesy Leases
+
+Courtesy leases are host-owned metadata attached to a domain. The host MUST
+enforce lease limits without exposing courtesy state to ASL/1-STORE.
+
+Enforcement MAY include:
+
+* Storage caps
+* Snapshot count limits
+* Write blocking after expiry
+
+---
+
+## 10. Snapshot and Log Coordination
+
+The host MUST ensure:
+
+* Append-only log semantics with strict ordering
+* Snapshot creation captures a consistent view of sealed segments
+* Snapshot mounts are read-only and bounded by a log sequence
+
+---
+
+## 11. Error Model
+
+Host operations MUST report deterministic error codes. Minimum set:
+
+* `HOST_OK`
+* `HOST_EXISTS`
+* `HOST_NOT_FOUND`
+* `HOST_IO_ERROR`
+* `HOST_CONCURRENT_MODIFICATION`
+* `HOST_ADMISSION_REJECTED`
+* `HOST_LEASE_EXPIRED`
+
+---
+
+## 12. Security Considerations
+
+* Admission verification MUST be performed before enabling federation or
+ publication.
+* Private key material SHOULD NOT be required on the host except for explicit
+ authority operations.
+* The host MUST treat all imported artifacts as untrusted until admission and
+ policy validation succeed.
+
+---
+
+## 13. Versioning
+
+Backward-incompatible changes MUST bump the major version of ASL/HOST.
diff --git a/ops/asl-rescue-node-1.md b/ops/asl-rescue-node-1.md
new file mode 100644
index 0000000..da563b9
--- /dev/null
+++ b/ops/asl-rescue-node-1.md
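Review bot: §7's closing sentence "Admission state MUST gate capabilities exposed by the StoreHandle (see Section 7)" points at itself; the gating table is §8, so this should read `(see Section 8)`. The §8 table also only has Courtesy and Full columns, while §5.1 makes the host track `UNRECOGNIZED`, `SUSPENDED` and `REVOKED` as well and §6.3 says SUSPENDED blocks new writes and REVOKED blocks all access except local inspection; an implementer reading §8 alone could leave `allocate_block` or `append_log` enabled for a suspended domain, so the table should either add those states as columns or carry a sentence such as `In every other state all capabilities are denied, subject to the local-inspection exception of §6.3.` §5.2's descriptor holds `state` and `policy_hash` and is declared non-authoritative, but nothing here says what the host checks it against at open time; a line in §12 that the descriptor's admission state MUST be reconciled with the retained admission records before any gated capability is enabled would close that gap.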
@@ -0,0 +1,107 @@
+# ASL/RESCUE-NODE/1 - Deployment Profile
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, rescue, deployment]
+
+**Document ID:** `ASL/RESCUE-NODE/1`
+**Layer:** O3 - Rescue node deployment
+
+**Depends on (normative):**
+
+* `ASL/HOST/1`
+* `ASL/1-STORE`
+* `ASL/LOG/1`
+
+**Informative references:**
+
+* `ASL/AUTH-HOST/1`
+* `ASL/SYSTEMRESCUE-OVERLAY/1`
+* `ASL/RESCUE-OP/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Purpose and Scope
+
+ASL/RESCUE-NODE/1 defines the deployment profile for a rescue node that boots
+from a minimal OS and provides local intake into ASL stores.
+
+---
+
+## 2. Node Roles
+
+A rescue node MAY host:
+
+* A personal domain (new or existing)
+* A courtesy or common domain (shared, e.g. Common/Unity/Rakeroot)
+* Optional read-only caches for foreign domains
+
+---
+
+## 3. Domain Types
+
+* **Personal domain** - private, authoritative store
+* **Courtesy domain** - temporary storage with lease enforcement, may store
+ encrypted blocks during bootstrap
+* **Foreign domain** - read-only imported artifacts
+
+---
+
+## 4. Storage Layout (Informative)
+
+```
+/mnt/rescue/
+ personal/
+ blocks/
+ segments/
+ logs/
+ common/
+ blocks/
+ segments/
+ logs/
+ foreign/
+ /
+ blocks/
+ segments/
+```
+
+---
+
+## 5. Snapshot Strategy
+
+* Personal domain snapshots SHOULD be created at intake boundaries.
+* Courtesy domain snapshots SHOULD be pinned until admission is complete.
+* Foreign domain snapshots MUST be read-only and pinned by trust.
+
+---
+
+## 6. Trust and Admission
+
+* Admission decisions MUST be verified before publishing to shared domains.
+* Foreign artifacts MUST be pinned by policy hash and offline roots.
+
+---
+
+## 7. PER and TGK Integration
+
+Rescue nodes SHOULD generate PER receipts for intake operations. TGK edges
+MAY be produced to capture provenance across personal and common domains.
+
+Sedelpress (or equivalent deterministic tooling) MAY be used to normalize
+legacy inputs into artifacts before storage.
+
+---
+
+## 8. Versioning
+
+Backward-incompatible changes MUST bump the major version.
diff --git a/ops/asl-rescue-operation-1.md b/ops/asl-rescue-operation-1.md
new file mode 100644
index 0000000..905c77d
--- /dev/null
+++ b/ops/asl-rescue-operation-1.md
@@ -0,0 +1,89 @@
+# ASL/RESCUE-OP/1 - Rescue Operation Flow
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, rescue, operations]
+
+**Document ID:** `ASL/RESCUE-OP/1`
+**Layer:** O3 - Rescue operation profile
+
+**Depends on (normative):**
+
+* `ASL/RESCUE-NODE/1`
+* `ASL/HOST/1`
+
+**Informative references:**
+
+* `PEL/1-CORE`
+* `TGK/1-CORE`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Purpose and Scope
+
+ASL/RESCUE-OP/1 defines the operational flow for personal rescue and bootstrap
+into a personal domain with optional courtesy storage.
+
+---
+
+## 2. Phases
+
+### 2.1 Intake
+
+* Collect legacy material and intent artifacts.
+* Normalize inputs into artifacts for deterministic processing (e.g. Sedelpress).
+
+### 2.2 Deterministic Processing
+
+* Execute PEL programs over the intake snapshot.
+* Generate PER receipts and optional TGK edges.
+
+### 2.3 Courtesy Bootstrap (Optional)
+
+* Store encrypted blocks in a courtesy domain (Common/Unity/Rakeroot).
+* Seal segments and pin snapshots for determinism.
+
+### 2.4 Personal Domain Minting
+
+* Create a personal domain and copy sealed artifacts.
+* Generate DAM and policy artifacts.
+* Produce receipts that bind provenance to the new domain.
+
+### 2.5 Publication (Optional)
+
+* Publish selected artifacts to a common domain.
+* Enforce policy hash and visibility rules.
+
+---
+
+## 3. Constraints
+
+* Intake artifacts MUST be treated as untrusted until verified.
+* Courtesy storage MUST enforce lease limits.
+* Publication MUST be gated by admission and policy compatibility.
+
+---
+
+## 4. Outputs
+
+A rescue operation SHOULD produce:
+
+* PER receipts for each processing phase
+* Sealed snapshots for replay
+* DAM and policy artifacts for domain admission
+
+---
+
+## 5. Versioning
+
+Backward-incompatible changes MUST bump the major version.
diff --git a/ops/asl-systemrescue-overlay-1.md b/ops/asl-systemrescue-overlay-1.md
new file mode 100644
index 0000000..c467100
--- /dev/null
+++ b/ops/asl-systemrescue-overlay-1.md
@@ -0,0 +1,134 @@
+# ASL/SYSTEMRESCUE-OVERLAY/1 - Intake Overlay Layout
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, rescue, overlay]
+
+**Document ID:** `ASL/SYSTEMRESCUE-OVERLAY/1`
+**Layer:** O3 - Rescue overlay profile
+
+**Depends on (normative):**
+
+* `ASL/HOST/1`
+
+**Informative references:**
+
+* `ASL/RESCUE-NODE/1`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Purpose and Scope
+
+This overlay defines what exists at boot for a rescue intake environment. It
+separates immutable tools from mutable runtime state and defines mount points
+for local or remote ASL stores.
+
+---
+
+## 2. Overlay Layout
+
+```
+overlay/
+├── usr/
+│ └── local/
+│ ├── bin/
+│ │ ├── asl-intake
+│ │ ├── asl-admin
+│ │ └── asl-debug
+│ └── lib/
+│ └── libasl.so
+├── etc/
+│ └── asl/
+│ ├── asl.conf
+│ ├── federation.conf
+│ └── logging.conf
+├── etc/systemd/system/
+│ ├── asl-intake.service
+│ └── asl-preflight.service
+├── var/
+│ └── lib/
+│ └── asl/
+│ ├── runtime/
+│ ├── cache/
+│ └── locks/
+├── run/
+│ └── asl/
+│ └── sockets/
+└── mnt/
+ └── asl/
+ ├── local/
+ └── remote/
+```
+
+---
+
+## 3. Directory Semantics
+
+* `/usr/local/bin` is immutable and MUST NOT be written at runtime.
+* `/etc/asl` contains declarative configuration only.
+* `/var/lib/asl` contains all mutable state for the rescue session.
+* `/mnt/asl/local` is the mount target for a local ASL store.
+* `/mnt/asl/remote` is an optional remote mount.
+
+---
+
+## 4. Local Store Layout (Informative)
+
+When mounted, a local store typically exposes:
+
+```
+/mnt/asl/local/
+├── blocks/
+├── segments/
+├── snapshots/
+└── logs/
+```
+
+This internal layout is backend-defined and not mandated by this overlay.
+
+---
+
+## 5. Services
+
+### 5.1 asl-preflight.service
+
+Responsibilities:
+
+* Detect storage backends
+* Detect importable pools
+* Write mode decisions to `/run/asl/mode`
+
+### 5.2 asl-intake.service
+
+Responsibilities:
+
+* Read `/run/asl/mode`
+* Start `asl-intake` with the selected backend
+
+---
+
+## 6. Configuration Defaults
+
+`/etc/asl/asl.conf` SHOULD include at minimum:
+
+```
+mode = auto
+local.mount = /mnt/asl/local
+remote.endpoint = none
+```
+
+---
+
+## 7. Versioning
+
+Backward-incompatible overlay changes MUST bump the major version.
diff --git a/ops/enc-asl-auth-host-1.md b/ops/enc-asl-auth-host-1.md
new file mode 100644
index 0000000..513adcb
--- /dev/null
+++ b/ops/enc-asl-auth-host-1.md
@@ -0,0 +1,169 @@
+# ENC-ASL-AUTH-HOST/1 - Authority Host Layout
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, authority, layout]
+
+**Document ID:** `ENC-ASL-AUTH-HOST/1`
+**Layer:** O2E - Authority host layout profile
+
+**Depends on (normative):**
+
+* `ASL/AUTH-HOST/1`
+* `ENC-ASL-HOST/1`
+
+**Informative references:**
+
+* `ASL/DAM/1`
+* `PEL/1-CORE`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+---
+
+## 1. Purpose and Scope
+
+ENC-ASL-AUTH-HOST/1 extends ENC-ASL-HOST/1 with authority-specific layout
+requirements for offline admission and signing workflows.
+
+---
+
+## 2. Authority Root Layout
+
+```
+/asl-auth-host/
+├── host/
+├── domains/
+├── env-claims/
+├── sops-bundles/
+└── tools/
+```
+
+This layout may be mounted as a single root or mapped into `/asl-host` with
+additional authority directories.
+
+---
+
+## 3. Domains
+
+Domain layout MUST follow ENC-ASL-HOST/1 under:
+
+```
+/asl-auth-host/domains//
+```
+
+---
+
+## 4. Environment Claims
+
+```
+/asl-auth-host/env-claims/
+```
+
+Each claim MUST be stored as an immutable artifact, named by snapshot or
+content hash.
+
+---
+
+## 5. SOPS Bundles
+
+```
+/asl-auth-host/sops-bundles/
+```
+
+Bundles contain DAMs, receipts, and policy artifacts for offline transfer.
+
+---
+
+## 6. Tools
+
+```
+/asl-auth-host/tools/
+```
+
+Authority binaries and scripts SHOULD be versioned and treated as immutable.
+
+---
+
+## 7. Naming Conventions (Informative)
+
+The following naming conventions are recommended for interop:
+
+### 7.1 Store Blocks
+
+```
+.bin
+.meta
+```
+
+### 7.2 Index Segments
+
+```
+segment-.idx
+bloom-.bf
+```
+
+### 7.3 Log Files
+
+```
+log-.aol
+```
+
+### 7.4 Snapshots
+
+```
+snapshot-.meta
+snapshot-.blocks
+```
+
+### 7.5 Certificates
+
+```
+root.pub
+root.priv.enc
+dam-signer.pub
+dam-signer.priv.enc
+```
+
+### 7.6 Policies
+
+```
+policy-.json
+```
+
+### 7.7 DAM Artifacts
+
+```
+dam-.json.sig
+```
+
+### 7.8 Environment Claims
+
+```
+.claim
+```
+
+Environment claims SHOULD include:
+
+* OS image hash
+* Boot environment info
+* Installed tool hashes
+* Store checksum at snapshot
+
+### 7.9 SOPS Bundles
+
+Bundles SHOULD include checksums for integrity validation.
+
+---
+
+## 8. Versioning
+
+Backward-incompatible layout changes MUST bump the major version.
diff --git a/ops/enc-asl-host-1.md b/ops/enc-asl-host-1.md
new file mode 100644
index 0000000..58e1da0
--- /dev/null
+++ b/ops/enc-asl-host-1.md
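Review bot: §7.9 "Bundles SHOULD include checksums for integrity validation" is the only integrity statement for SOPS bundles, yet §5 says these bundles carry the DAMs, receipts and policy artifacts that leave the offline host, and a plain checksum travelling inside the bundle only detects accidental corruption, not substitution of the whole bundle in transit. Since §7.5 already places a `dam-signer` key pair on the host, the bundle-level manifest is the natural thing to sign with it; suggest `Bundles SHOULD carry a manifest listing each member with its content hash, and the manifest SHOULD be signed by the DAM signer so the receiving node can verify the bundle as a unit before unpacking it.` Also, §7.5 lists `root.priv.enc` under the same directory as the public material, while ASL/AUTH-HOST/1 §8 requires private keys to remain offline and encrypted at rest; a sentence on whether the encrypted private files are expected to exist only on removable media, or may live in this tree, would remove the ambiguity. Note that §7 is informative, so the naming text itself carries no requirement.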
@@ -0,0 +1,239 @@
+# ENC-ASL-HOST/1 - On-Disk Layout for ASL/HOST
+
+Status: Draft
+Owner: Architecture
+Version: 0.1.0
+SoT: No
+Last Updated: 2026-01-17
+Tags: [ops, host, layout]
+
+**Document ID:** `ENC-ASL-HOST/1`
+**Layer:** O1E - Host layout profile (storage-agnostic)
+
+**Depends on (normative):**
+
+* `ASL/HOST/1`
+* `ASL/1-STORE`
+* `ASL/LOG/1`
+
+**Informative references:**
+
+* `ASL/DAM/1`
+* `ASL/DAP/1`
+* `ENC-ASL-LOG`
+* `ENC-ASL-CORE-INDEX`
+
+---
+
+## 0. Conventions
+
+The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
+interpreted as in RFC 2119.
+
+This document defines directory and file placement only. It does not define
+byte-level encodings or storage engine internals.
+
+---
+
+## 1. Purpose and Scope
+
+ENC-ASL-HOST/1 specifies a minimal, storage-agnostic on-disk layout for
+ASL/HOST implementations. It standardizes where host metadata, domain data,
+logs, and snapshots live.
+
+---
+
+## 2. Root Layout
+
+```
+/asl-host/
+├── host/
+├── domains/
+├── federation/
+└── quarantine/
+```
+
+All host-managed state MUST live under `/asl-host`.
+
+---
+
+## 3. Host-Level Metadata
+
+```
+/asl-host/host/
+├── host-id
+├── host-policy
+└── trusted-roots/
+```
+
+* `host-id` is a stable identifier for the host.
+* `host-policy` contains local policy constraints.
+* `trusted-roots/` contains offline trust anchors.
+
+---
+
+## 4. Domain Root
+
+Each domain has a single root directory:
+
+```
+/asl-host/domains//
+```
+
+Nothing outside this directory MAY be interpreted as part of the domain state.
+
+---
+
+## 5. Domain Descriptor
+
+```
+/asl-host/domains//domain.json
+```
+
+The descriptor contains host-derived metadata (not signed):
+
+```
+{
+ "domain_id": "...",
+ "state": "COURTESY|FULL|SUSPENDED|REVOKED",
+ "created_at": "...",
+ "admitted_at": "...",
+ "root_key_fingerprint": "...",
+ "policy_hash": "...",
+ "current_snapshot": "...",
+ "current_logseq": 0
+}
+```
+
+---
+
+## 6. Admission Records
+
+```
+/asl-host/domains//admission/
+├── dam.cbor
+├── dam.sig
+├── admission-request.cbor
+├── admission-decision.cbor
+└── admission-decision.sig
+```
+
+Admission records are immutable and MUST be retained.
+
+---
+
+## 7. Authority Material
+
+```
+/asl-host/domains//auth/
+├── root.pub
+├── operators/
+├── device.pub
+└── revocations/
+```
+
+Private keys MAY exist only temporarily and SHOULD NOT be required for
+steady-state operation.
+
+---
+
+## 8. Store Area
+
+```
+/asl-host/domains//store/
+├── blocks/
+│ ├── open/
+│ ├── sealed/
+│ └── gc/
+├── objects/
+└── encryption/
+```
+
+* `open/` blocks are writable and may be lost on crash.
+* `sealed/` blocks are immutable.
+* `gc/` is host-managed reclaim staging.
+
+---
+
+## 9. Index Area
+
+```
+/asl-host/domains//index/
+├── segments/
+├── bloom/
+└── tmp/
+```
+
+Segment encodings are defined by `ENC-ASL-CORE-INDEX`.
+
+---
+
+## 10. Log Area
+
+```
+/asl-host/domains//log/
+```
+
+Log records and envelopes are defined by `ENC-ASL-LOG`.
+
+---
+
+## 11. Snapshot Area
+
+```
+/asl-host/domains//snapshots/
+```
+
+Snapshot metadata MUST include the log sequence boundary and segment set used
+for deterministic replay.
+
+---
+
+## 12. Leases
+
+```
+/asl-host/domains//leases/
+```
+
+Courtesy lease metadata is stored here and MUST NOT be interpreted by
+ASL/1-STORE.
+
+---
+
+## 13. Temporary Workspace
+
+```
+/asl-host/domains//tmp/
+```
+
+The host MAY use this directory for temporary, non-authoritative files.
+It MUST NOT be required for deterministic replay.
+
+---
+
+## 14. Federation (Optional)
+
+```
+/asl-host/federation/
+├── peers/
+├── exports/
+└── imports/
+```
+
+Federation caches are optional and MUST NOT change local domain state.
+
+---
+
+## 15. Quarantine
+
+```
+/asl-host/quarantine/
+```
+
+Untrusted or failed admissions MAY be staged here for inspection.
+
+---
+
+## 16. Versioning
+
+Backward-incompatible layout changes MUST bump the major version.
diff --git a/ops/ASL SystemRescue Overlay – Intake Schema.md b/ops/legacy/ASL SystemRescue Overlay – Intake Schema.md
similarity index 100%
rename from ops/ASL SystemRescue Overlay – Intake Schema.md
rename to ops/legacy/ASL SystemRescue Overlay – Intake Schema.md
diff --git a/ops/ASL-AUTH-HOST Configuration.md b/ops/legacy/ASL-AUTH-HOST Configuration.md
similarity index 100%
rename from ops/ASL-AUTH-HOST Configuration.md
rename to ops/legacy/ASL-AUTH-HOST Configuration.md
diff --git a/ops/ASL-AUTH-HOST ISO + Overlay Directory Layout.md b/ops/legacy/ASL-AUTH-HOST ISO + Overlay Directory Layout.md
similarity index 100%
rename from ops/ASL-AUTH-HOST ISO + Overlay Directory Layout.md
rename to ops/legacy/ASL-AUTH-HOST ISO + Overlay Directory Layout.md
diff --git a/ops/ASL-AUTH-HOST v0-1 - Threat Model.md b/ops/legacy/ASL-AUTH-HOST v0-1 - Threat Model.md
similarity index 100%
rename from ops/ASL-AUTH-HOST v0-1 - Threat Model.md
rename to ops/legacy/ASL-AUTH-HOST v0-1 - Threat Model.md
diff --git a/ops/ASL-AUTH-HOST v0.1 — Authority Node Profile.md b/ops/legacy/ASL-AUTH-HOST v0.1 — Authority Node Profile.md
similarity index 100%
rename from ops/ASL-AUTH-HOST v0.1 — Authority Node Profile.md
rename to ops/legacy/ASL-AUTH-HOST v0.1 — Authority Node Profile.md
diff --git a/ops/ASL-HOST v0-1.md b/ops/legacy/ASL-HOST v0-1.md
similarity index 100%
rename from ops/ASL-HOST v0-1.md
rename to ops/legacy/ASL-HOST v0-1.md
diff --git a/ops/ASL-HOST v0-2.md b/ops/legacy/ASL-HOST v0-2.md
similarity index 100%
rename from ops/ASL-HOST v0-2.md
rename to ops/legacy/ASL-HOST v0-2.md
diff --git a/ops/Bootable ASL-AUTH-HOST.md b/ops/legacy/Bootable ASL-AUTH-HOST.md
similarity index 100%
rename from ops/Bootable ASL-AUTH-HOST.md
rename to ops/legacy/Bootable ASL-AUTH-HOST.md
diff --git a/ops/ENC-ASL-AUTH-HOST.md b/ops/legacy/ENC-ASL-AUTH-HOST.md
similarity index 100%
rename from ops/ENC-ASL-AUTH-HOST.md
rename to ops/legacy/ENC-ASL-AUTH-HOST.md
diff --git a/ops/ENC-ASL-HOST.md b/ops/legacy/ENC-ASL-HOST.md
similarity index 100%
rename from ops/ENC-ASL-HOST.md
rename to ops/legacy/ENC-ASL-HOST.md
diff --git a/ops/Rescue Node ASL Deployment.md b/ops/legacy/Rescue Node ASL Deployment.md
similarity index 100%
rename from ops/Rescue Node ASL Deployment.md
rename to ops/legacy/Rescue Node ASL Deployment.md
diff --git a/ops/Rescue Node Blueprint v0-1.md b/ops/legacy/Rescue Node Blueprint v0-1.md
similarity index 100%
rename from ops/Rescue Node Blueprint v0-1.md
rename to ops/legacy/Rescue Node Blueprint v0-1.md
diff --git a/ops/Rescue Operation Architecture.md b/ops/legacy/Rescue Operation Architecture.md
similarity index 100%
rename from ops/Rescue Operation Architecture.md
rename to ops/legacy/Rescue Operation Architecture.md
diff --git a/ops/bootable authority host image.md b/ops/legacy/bootable authority host image.md
similarity index 100%
rename from ops/bootable authority host image.md
rename to ops/legacy/bootable authority host image.md