Rework ops specs

Carl Niklas Rydberg 2026-01-17 09:21:47 +01:00
parent 4cba1f45eb
commit 74efedf62c
25 changed files with 1544 additions and 0 deletions

17
ops/README.md Normal file

@ -0,0 +1,17 @@
# Ops Specifications
This directory contains operational specs aligned with tier1 formatting and
structure. Legacy drafts are preserved in `ops/legacy/`.
## Ordered List
1. ASL/HOST/1 - `ops/asl-host-1.md`
2. ENC-ASL-HOST/1 - `ops/enc-asl-host-1.md`
3. ASL/AUTH-HOST/1 - `ops/asl-auth-host-1.md`
4. ENC-ASL-AUTH-HOST/1 - `ops/enc-asl-auth-host-1.md`
5. ASL/AUTH-HOST-CONFIG/1 - `ops/asl-auth-host-config-1.md`
6. ASL/AUTH-HOST-THREAT-MODEL/1 - `ops/asl-auth-host-threat-model-1.md`
7. ASL/AUTH-HOST-IMAGE/1 - `ops/asl-auth-host-image-1.md`
8. ASL/SYSTEMRESCUE-OVERLAY/1 - `ops/asl-systemrescue-overlay-1.md`
9. ASL/RESCUE-NODE/1 - `ops/asl-rescue-node-1.md`
10. ASL/RESCUE-OP/1 - `ops/asl-rescue-operation-1.md`
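Review bot: the ordered list never says what the order means (reading order, layer order, or dependency order), and the normative dependencies named inside the listed documents (`ASL/DAM/1`, `ASL/POLICY-HASH/1`, `ASL/OFFLINE-ROOT-TRUST/1`, `ASL/1-STORE`, `ASL/LOG/1`) are neither indexed here nor pointed at. Suggest one line such as "Documents are listed in dependency order; each depends only on entries above it" plus a pointer to where the external specs live. Minor: `ops/asl-rescue-operation-1.md` does not follow the lowercased-document-id pattern used by the other nine entries (`asl-rescue-op-1.md` would).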

128
ops/asl-auth-host-1.md Normal file

@ -0,0 +1,128 @@
# ASL/AUTH-HOST/1 - Authority Node Profile
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, offline]
**Document ID:** `ASL/AUTH-HOST/1`
**Layer:** O2 - Authority host profile
**Depends on (normative):**
* `ASL/HOST/1`
* `ASL/DAM/1`
* `ASL/POLICY-HASH/1`
* `ASL/OFFLINE-ROOT-TRUST/1`
**Informative references:**
* `PEL/1-CORE`
* `PEL/1-SURF`
* `ENC-ASL-AUTH-HOST/1`
* `ASL/RESCUE-NODE/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
ASL/AUTH-HOST/1 defines an operational profile. It does not define cryptography
or artifact semantics.
---
## 1. Purpose and Scope
ASL/AUTH-HOST/1 defines the profile for an offline authority node that mints
and signs domain admission artifacts. The host:
* Operates offline by default
* Maintains a local ASL/HOST store
* Produces deterministic artifacts and receipts
* Issues DAM artifacts for new domains
---
## 2. Core Principles (Normative)
1. Authority state is stored as artifacts.
2. Operations are deterministic and snapshot-bound.
3. The host remains offline during authority operations.
4. Outputs are immutable artifacts suitable for later transfer.
5. Authority functionality is limited to signing, sealing, and packaging
artifacts.
6. Receipts (PERs) are primary outputs for auditing and later federation.
---
## 3. Required Components
An authority host MUST provide:
* ASL/HOST store for authority and domain artifacts
* Root authority key material (offline)
* PEL execution environment for deterministic receipts
* Policy hash verification for admission
---
## 4. Operation Modes
The host MAY operate in the following modes:
* `GENESIS` - mint initial domain and keys
* `RESCUE` - ingest external artifacts and produce receipts
* `ADMISSION` - sign DAMs and policy artifacts
* `MAINTENANCE` - rotate keys, seal snapshots, audit state
---
## 5. Output Artifacts
The host MUST be able to produce:
* Root key artifacts (public, encrypted private)
* DAM artifacts and signatures
* Policy hash artifacts
* Environment claim artifacts
* PER receipts and associated TGK edges
---
## 6. Snapshot Discipline
Each authority operation MUST:
1. Append log entries for new artifacts
2. Seal relevant segments
3. Create a snapshot marker capturing CURRENT state
Snapshots MUST be immutable once sealed.
---
## 7. Offline Constraints
* Network interfaces SHOULD be disabled.
* External input and output MUST occur via explicit operator action.
* No background services SHOULD alter authority state.
* Garbage collection SHOULD be disabled for authority domains.
---
## 8. Security Considerations
* Private keys MUST remain offline and encrypted at rest.
* Only signed outputs may leave the host.
* Operator presence is required for authority operations.
---
## 9. Versioning
Backward-incompatible profile changes MUST bump the major version.
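Review bot: Sections 7 and 8 mix lowercase and RFC 2119 wording in normative bullets. `No background services SHOULD alter authority state` is a negated SHOULD, which RFC 2119 does not define; write it as `Background services MUST NOT alter authority state` (or SHOULD NOT if that is the intent). In Section 8, `Only signed outputs may leave the host` and `Operator presence is required for authority operations` carry the strongest requirements in the profile yet use lowercase `may`/`required`; given Section 0, make them `Unsigned artifacts MUST NOT leave the host` and `Operator presence is REQUIRED for authority operations`. Section 6 should also say which snapshot marker a PER receipt binds to (the one created in step 3, presumably), since Section 2 item 2 makes operations snapshot-bound but the ordering of receipt emission relative to the marker is not stated.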


@ -0,0 +1,161 @@
# ASL/AUTH-HOST-CONFIG/1 - Configuration Schema
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, config]
**Document ID:** `ASL/AUTH-HOST-CONFIG/1`
**Layer:** O2C - Authority host configuration
**Depends on (normative):**
* `ASL/AUTH-HOST/1`
* `ASL/HOST/1`
**Informative references:**
* `ENC-ASL-AUTH-HOST/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Purpose and Scope
This document defines the configuration schema for an ASL authority host.
Configuration is expressed as a single YAML file.
---
## 2. File Format
* UTF-8 YAML 1.2
* Root object with the fields defined below
* Unknown fields SHOULD be ignored with warning
---
## 3. Root Schema
```
host:
name: string
version: string
mode: "rescue" | "admission" | "normal"
domains:
<name>:
id: string
type: "courtesy" | "private" | "authority"
description: string
path: string
snapshot_retention: duration
allowed_operations: [read, write, append, seal, gc]
courtesy_lease: duration
certificates:
root_offline_path: string
domain_authority_path: string
sops_bundle_path: string
policy:
hash_file: string
description: string
logging:
path: string
level: "DEBUG" | "INFO" | "WARN" | "ERROR"
store:
type: "posix" | "zfs"
pools:
- name: string
mount_point: string
enable_snapshotting: boolean
snapshot_prefix: string
hooks:
pre_start: string
post_start: string
```
---
## 4. Semantics
* `host.mode` controls startup behavior.
* `domains` entries are keyed by stable names; `id` is the authoritative domain
identifier.
* `courtesy_lease` is required for `type: courtesy` and MUST be omitted for
`type: authority`.
* `store.type` selects the host backend. If `zfs`, each pool entry MUST be
mounted before starting the host.
---
## 5. Example Configuration
```yaml
host:
name: "asl-auth-host-01"
version: "0.1"
mode: "rescue"
domains:
common:
id: "00000000-0000-0000-0000-000000000001"
type: "courtesy"
description: "Shared courtesy domain"
path: "/var/lib/asl/common"
snapshot_retention: 30d
allowed_operations: [read, write, append]
courtesy_lease: 7d
personal:
id: "00000000-0000-0000-0000-000000000002"
type: "private"
description: "Private rescue domain"
path: "/var/lib/asl/personal"
snapshot_retention: 90d
allowed_operations: [read, write, append, seal, gc]
certificates:
root_offline_path: "/var/lib/asl/certs/root-offline"
domain_authority_path: "/var/lib/asl/certs/domain-authority"
sops_bundle_path: "/var/lib/asl/certs/sops"
policy:
hash_file: "/etc/asl-auth-host/policy.hash"
description: "Offline policy hash"
logging:
path: "/var/log/asl-auth-host.log"
level: "INFO"
store:
type: "zfs"
pools:
- name: "common_pool"
mount_point: "/var/lib/asl/common"
- name: "personal_pool"
mount_point: "/var/lib/asl/personal"
enable_snapshotting: true
snapshot_prefix: "asl_snap"
hooks:
pre_start: "/bin/init-asl-host.sh"
post_start: "/bin/helper-mount.sh"
```
---
## 6. Versioning
Backward-incompatible schema changes MUST bump the major version.
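Review bot: `host.mode: "rescue" | "admission" | "normal"` in Section 3 does not match the operation modes ASL/AUTH-HOST/1 Section 4 defines (`GENESIS`, `RESCUE`, `ADMISSION`, `MAINTENANCE`); `normal` has no definition in the profile and `GENESIS`/`MAINTENANCE` cannot be configured at all. Align the enum with the profile or state the mapping. On Section 2, `Unknown fields SHOULD be ignored with warning` fails open for a security-critical file: a misspelled `allowed_operations` or `courtesy_lease` key would be dropped with only a log line and the domain would start without the restriction; recommend `Unknown fields MUST be rejected` for the authority host, or at minimum MUST warn. Section 3 also does not mark which fields are REQUIRED versus optional, while Section 4 says `courtesy_lease` is required for `type: courtesy` and forbidden for `type: authority`; a required-field marker or table would make the loader's validation unambiguous. Minor: the `allowed_operations` vocabulary (`read, write, append, seal, gc`) differs from the ASL/HOST/1 capability table (`allocate_block`, `seal_block`, `append_log`, `publish_snapshot`, `federate_log`); state how the two map.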


@ -0,0 +1,129 @@
# ASL/AUTH-HOST-IMAGE/1 - Bootable Image and Overlay Layout
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, image]
**Document ID:** `ASL/AUTH-HOST-IMAGE/1`
**Layer:** O2I - Authority host image profile
**Depends on (normative):**
* `ASL/AUTH-HOST/1`
* `ENC-ASL-AUTH-HOST/1`
**Informative references:**
* `ASL/AUTH-HOST-CONFIG/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Purpose and Scope
This document defines a bootable, offline authority host image. It specifies
base system requirements, overlay layout, and the boot workflow used to
initialize authority operations.
---
## 2. Base Image Requirements
The base OS MUST:
* Boot in offline mode by default
* Include minimal POSIX tooling
* Disable network services unless explicitly enabled
---
## 3. Overlay Layout
```
/overlay/
├── bin/
│ ├── asl-auth-host
│ ├── asl-rescue
│ └── init-asl-host.sh
├── etc/
│ └── asl-auth-host/
│ ├── config.yaml
│ └── policy.hash
├── var/
│ ├── lib/
│ │ └── asl/
│ │ ├── common/
│ │ ├── personal/
│ │ └── pools/
│ └── log/
│ └── asl-auth-host.log
└── usr/
└── local/
└── bin/
└── asl-admin
```
The overlay MUST be merged into the ISO root at build time.
---
## 4. ISO Root Layout (Runtime)
```
/iso_root/
├── bin/
├── etc/
│ └── asl-auth-host/
├── var/
│ ├── lib/
│ │ └── asl/
│ └── log/
└── usr/local/bin/
```
---
## 5. Boot Workflow
1. Boot offline image.
2. Run `init-asl-host.sh` to mount storage pools and apply config.
3. Initialize or open domain stores per config.
4. Start the authority host service.
5. Enforce witness authority (DAM) before general userspace services start.
---
## 6. Persistence Strategy
Writable storage MUST be mounted separately from the read-only system image.
Examples:
* ZFS datasets mounted under `/var/lib/asl`
* External disk mounted at `/mnt` and bound to `/var/lib/asl`
---
## 7. Build Pipeline (Informative)
A typical pipeline:
1. Create minimal root via debootstrap or equivalent.
2. Merge overlay into ISO root.
3. Optionally wrap build steps with `asl-capture` to record build provenance.
4. Add bootloader config.
5. Build ISO with `xorriso` or equivalent tool.
---
## 8. Versioning
Backward-incompatible image changes MUST bump the major version.
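Review bot: the boot workflow in Section 5 has no integrity step. Step 4 starts the authority host service before step 5 enforces DAM authority, and nothing in steps 1 to 5 checks the overlay binaries or `/etc/asl-auth-host/policy.hash` against a known value, even though ENC-ASL-AUTH-HOST/1 Section 7.8 expects environment claims to carry the OS image hash and installed tool hashes. Suggest a step between 2 and 3 that measures the image, overlay tools and config, records the measurements into the environment claim, and aborts the boot on mismatch, and moving DAM enforcement ahead of starting the service. Also, Section 3 puts `asl-admin` under `/usr/local/bin` but `asl-auth-host`, `asl-rescue` and `init-asl-host.sh` under `/bin`; the config example in ASL/AUTH-HOST-CONFIG/1 calls `/bin/init-asl-host.sh`, so it is consistent, but the reason for two tool directories should be stated or the layout unified with the `/usr/local/bin` convention in ASL/SYSTEMRESCUE-OVERLAY/1.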


@ -0,0 +1,123 @@
# ASL/AUTH-HOST-THREAT-MODEL/1 - Threat Model
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, security]
**Document ID:** `ASL/AUTH-HOST-THREAT-MODEL/1`
**Layer:** O2S - Authority host security profile
**Depends on (normative):**
* `ASL/AUTH-HOST/1`
**Informative references:**
* `ASL/OFFLINE-ROOT-TRUST/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Scope and Assumptions
### 1.1 In Scope
* Offline authority host
* USB-mediated intake and output
* DAM signing and admission artifacts
* PEL execution for receipt generation
* Snapshot and log sealing
### 1.2 Assumptions
1. Physical access to hardware is controlled.
2. The host is offline (no network interfaces).
3. Root keys are uncompromised.
4. Operator presence is required for authority actions.
---
## 2. Assets
* Root authority keys
* Domain signing keys
* DAM and policy artifacts
* PER receipts and environment claims
* Domain identity bindings
---
## 3. Adversary Model
The adversary MAY:
* Supply malicious USB content
* Replay old requests
* Provide malformed PEL programs
* Attempt to confuse domain identity
The adversary MUST NOT:
* Access signing keys without operator approval
* Modify host binaries without physical compromise
---
## 4. Trust Boundaries
```
[ USB INPUT ] -> [ AUTH HOST ] -> [ USB OUTPUT ]
```
Data flows are unidirectional per phase. The host MUST treat input as untrusted
until verification succeeds.
---
## 5. Threats and Mitigations
### 5.1 Spoofing
* Mitigation: DAM signature verification and policy hash checks.
### 5.2 Tampering
* Mitigation: hash all inputs, sign outputs, mount USB read-only.
### 5.3 Repudiation
* Mitigation: PER receipts include program hash, input hashes, and snapshot ID.
### 5.4 Information Disclosure
* Mitigation: no network, explicit publish rules, encrypted private artifacts.
### 5.5 Denial of Service
* Mitigation: operator-mediated execution, size limits, deterministic PEL subset.
### 5.6 Elevation of Privilege
* Mitigation: PEL is declarative, no syscalls or I/O primitives.
---
## 6. Residual Risk
* Physical compromise of hardware is out of scope.
* Operator error remains a risk and SHOULD be mitigated with checklists.
---
## 7. Versioning
Backward-incompatible changes MUST bump the major version.
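Review bot: Section 3 applies RFC 2119 keywords to the adversary (`The adversary MUST NOT: Access signing keys...`), which a spec cannot require of an attacker; these are assumptions that bound the model and belong in Section 1.2 as "Out of scope: an adversary with access to signing keys; an adversary who can modify host binaries without physical compromise". Section 5.2 lists `mount USB read-only` as the tampering mitigation, but Section 1.1 puts USB-mediated intake in scope and Section 3 allows malicious USB content; a read-only mount still hands attacker-supplied filesystem metadata to the host's filesystem driver, so the diagram in Section 4 should name the USB stack and filesystem parser as the first untrusted-to-trusted crossing, and the mitigation should say what limits that surface (a single permitted filesystem type, a fixed intake container format, or hashing the raw image before mounting). Section 5.5 says `size limits` without any values or a reference to where they are defined.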

248
ops/asl-host-1.md Normal file

@ -0,0 +1,248 @@
# ASL/HOST/1 - Host Runtime Interface
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, host, admission, storage]
**Document ID:** `ASL/HOST/1`
**Layer:** O1 - Host runtime profile (node boundary)
**Depends on (normative):**
* `ASL/1-STORE`
* `ASL/LOG/1`
* `ASL/DAP/1`
* `ASL/DAM/1`
* `ASL/POLICY-HASH/1`
**Informative references:**
* `ASL/SYSTEM/1`
* `ASL/OFFLINE-ROOT-TRUST/1`
* `ENC-ASL-HOST/1`
* `ENC-ASL-LOG`
* `ASL/AUTH-HOST/1`
* `ASL/RESCUE-NODE/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
ASL/HOST/1 defines host responsibilities and boundaries. It does not define
artifact semantics, encoding formats, or cryptographic algorithms.
---
## 1. Purpose and Scope
ASL/HOST/1 specifies the runtime contract between an ASL node and its host
environment. It covers:
* Domain lifecycle and admission state tracking
* Store handle provisioning for ASL/1-STORE and ASL/LOG/1
* Snapshot coordination and log append guarantees
* Resource and lease enforcement at the host boundary
Out of scope:
* Artifact semantics (ASL/1-CORE)
* On-disk encoding and byte layouts (ENC specs)
* Policy definition and authority semantics (ASL/AUTH layers)
---
## 2. Position in the Stack
ASL/HOST is the membrane between host services and ASL semantics.
```
+--------------------------+
| ASL/AUTH (policy, keys) |
+--------------------------+
| ASL/HOST (this spec) |
+--------------------------+
| ASL/1-STORE + ASL/LOG |
+--------------------------+
| Host FS / ZFS / POSIX |
+--------------------------+
```
---
## 3. Core Responsibilities (Normative)
An ASL host implementation MUST:
1. Provide stable store handles for ASL/1-STORE and ASL/LOG/1 operations.
2. Maintain domain lifecycle state and admission status.
3. Enforce admission outcomes and courtesy leases without leaking those
semantics into ASL/1-STORE.
4. Provide atomic append guarantees for log operations.
5. Coordinate snapshot creation and mounting.
6. Enforce local resource limits and error handling.
---
## 4. Core Concepts
| Concept | Definition |
| ----------------- | ------------------------------------------------------------------------- |
| **StoreHandle** | Opaque reference to a host-provided store instance |
| **StoreLocation** | Host-defined location where a store exists (path, URI, mount point, etc.) |
| **AppendUnit** | Minimum atomic write unit for the append-only log |
| **SnapshotID** | Opaque identifier of a host-provided snapshot |
| **HostClock** | Monotonic counter or timestamp source |
| **HostIdentity** | Unique machine or user identity for signing or domain minting |
---
## 5. Domain Model
### 5.1 Domain States
A host MUST track the following domain states:
* `UNRECOGNIZED`
* `COURTESY`
* `FULL`
* `SUSPENDED`
* `REVOKED`
### 5.2 Domain Descriptor
Host-owned metadata MUST include:
```
domain_id
state
created_at
admitted_at
root_key_fingerprint
policy_hash
current_snapshot
current_logseq
```
The descriptor is derived state and MUST NOT be treated as authoritative
artifact content.
---
## 6. Domain Lifecycle Operations
### 6.1 Create
`CreateDomain(location) -> domain_id`
* MUST allocate an isolated domain root.
* MUST initialize empty store, log, and snapshot markers.
### 6.2 Admit
`AdmitDomain(dam, signature) -> AdmissionResult`
* MUST validate DAM schema and signature per `ASL/DAM/1`.
* MUST enforce policy hash compatibility per `ASL/POLICY-HASH/1`.
Admission outcomes MUST have the following effects:
| Outcome | Host Behavior |
| ---------------- | --------------------------------------- |
| ACCEPTED | Enable publishing, indexing, federation |
| ACCEPTED_LIMITED | Enable courtesy-only storage |
| DEFERRED | Domain exists but blocked |
| REJECTED | Domain remains isolated |
### 6.3 Suspend and Revoke
* `SUSPENDED` MUST block new writes.
* `REVOKED` MUST block all access except local inspection.
---
## 7. Store Handle Interface
A host MUST expose at least the following operations:
* `CreateStore(location) -> StoreHandle`
* `OpenStore(location) -> StoreHandle`
* `CloseStore(handle)`
The StoreHandle is opaque and scoped to a domain. Admission state MUST gate
capabilities exposed by the StoreHandle (see Section 7).
---
## 8. Admission-Gated Capabilities
Capabilities MUST be gated as follows:
| Capability | Courtesy | Full |
| ---------------- | -------- | ---- |
| allocate_block | yes | yes |
| seal_block | yes | yes |
| append_log | yes | yes |
| publish_snapshot | no | yes |
| federate_log | no | yes |
ASL/1-STORE and ASL/LOG MUST remain unaware of admission semantics.
---
## 9. Courtesy Leases
Courtesy leases are host-owned metadata attached to a domain. The host MUST
enforce lease limits without exposing courtesy state to ASL/1-STORE.
Enforcement MAY include:
* Storage caps
* Snapshot count limits
* Write blocking after expiry
---
## 10. Snapshot and Log Coordination
The host MUST ensure:
* Append-only log semantics with strict ordering
* Snapshot creation captures a consistent view of sealed segments
* Snapshot mounts are read-only and bounded by a log sequence
---
## 11. Error Model
Host operations MUST report deterministic error codes. Minimum set:
* `HOST_OK`
* `HOST_EXISTS`
* `HOST_NOT_FOUND`
* `HOST_IO_ERROR`
* `HOST_CONCURRENT_MODIFICATION`
* `HOST_ADMISSION_REJECTED`
* `HOST_LEASE_EXPIRED`
---
## 12. Security Considerations
* Admission verification MUST be performed before enabling federation or
publication.
* Private key material SHOULD NOT be required on the host except for explicit
authority operations.
* The host MUST treat all imported artifacts as untrusted until admission and
policy validation succeed.
---
## 13. Versioning
Backward-incompatible changes MUST bump the major version of ASL/HOST.
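Review bot: Section 7 ends with `(see Section 7)`, a self-reference; the admission-gated capability table is Section 8. The admission outcomes in Section 6.2 (`ACCEPTED`, `ACCEPTED_LIMITED`, `DEFERRED`, `REJECTED`) are never mapped onto the domain states in Section 5.1 (`UNRECOGNIZED`, `COURTESY`, `FULL`, `SUSPENDED`, `REVOKED`); add a resulting-state column to the outcome table (presumably `ACCEPTED -> FULL`, `ACCEPTED_LIMITED -> COURTESY`) so implementations agree. The capability table in Section 8 has only `Courtesy` and `Full` columns; `UNRECOGNIZED`, `SUSPENDED` and `REVOKED` need rows or a sentence saying they expose nothing beyond local inspection (Section 6.3 says that only for `REVOKED`). The error model in Section 11 has `HOST_ADMISSION_REJECTED` and `HOST_LEASE_EXPIRED` but no code for writes blocked by `SUSPENDED` or `REVOKED`; add a distinct code rather than reusing `HOST_ADMISSION_REJECTED`, since callers will want to tell the two apart.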

107
ops/asl-rescue-node-1.md Normal file

@ -0,0 +1,107 @@
# ASL/RESCUE-NODE/1 - Deployment Profile
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, rescue, deployment]
**Document ID:** `ASL/RESCUE-NODE/1`
**Layer:** O3 - Rescue node deployment
**Depends on (normative):**
* `ASL/HOST/1`
* `ASL/1-STORE`
* `ASL/LOG/1`
**Informative references:**
* `ASL/AUTH-HOST/1`
* `ASL/SYSTEMRESCUE-OVERLAY/1`
* `ASL/RESCUE-OP/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Purpose and Scope
ASL/RESCUE-NODE/1 defines the deployment profile for a rescue node that boots
from a minimal OS and provides local intake into ASL stores.
---
## 2. Node Roles
A rescue node MAY host:
* A personal domain (new or existing)
* A courtesy or common domain (shared, e.g. Common/Unity/Rakeroot)
* Optional read-only caches for foreign domains
---
## 3. Domain Types
* **Personal domain** - private, authoritative store
* **Courtesy domain** - temporary storage with lease enforcement, may store
encrypted blocks during bootstrap
* **Foreign domain** - read-only imported artifacts
---
## 4. Storage Layout (Informative)
```
/mnt/rescue/
personal/
blocks/
segments/
logs/
common/
blocks/
segments/
logs/
foreign/
<domain-id>/
blocks/
segments/
```
---
## 5. Snapshot Strategy
* Personal domain snapshots SHOULD be created at intake boundaries.
* Courtesy domain snapshots SHOULD be pinned until admission is complete.
* Foreign domain snapshots MUST be read-only and pinned by trust.
---
## 6. Trust and Admission
* Admission decisions MUST be verified before publishing to shared domains.
* Foreign artifacts MUST be pinned by policy hash and offline roots.
---
## 7. PER and TGK Integration
Rescue nodes SHOULD generate PER receipts for intake operations. TGK edges
MAY be produced to capture provenance across personal and common domains.
Sedelpress (or equivalent deterministic tooling) MAY be used to normalize
legacy inputs into artifacts before storage.
---
## 8. Versioning
Backward-incompatible changes MUST bump the major version.
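Review bot: Section 4 mounts the rescue store under `/mnt/rescue/` with `personal/`, `common/` and `foreign/` subtrees, while ASL/SYSTEMRESCUE-OVERLAY/1 (an informative reference here) defines `/mnt/asl/local` and `/mnt/asl/remote` as the mount targets with a `blocks/segments/snapshots/logs` layout; one of the two should change, or this section should say how `/mnt/rescue/<domain>` maps onto `/mnt/asl/local`. Section 5 says foreign snapshots are `pinned by trust` and Section 6 says `pinned by policy hash and offline roots`; use the Section 6 wording in both places, since `by trust` does not say what the pin is checked against. Section 7 introduces `Sedelpress (or equivalent deterministic tooling)` with no reference; add a pointer or a one-line description so the determinism claim can be checked.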


@ -0,0 +1,89 @@
# ASL/RESCUE-OP/1 - Rescue Operation Flow
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, rescue, operations]
**Document ID:** `ASL/RESCUE-OP/1`
**Layer:** O3 - Rescue operation profile
**Depends on (normative):**
* `ASL/RESCUE-NODE/1`
* `ASL/HOST/1`
**Informative references:**
* `PEL/1-CORE`
* `TGK/1-CORE`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Purpose and Scope
ASL/RESCUE-OP/1 defines the operational flow for personal rescue and bootstrap
into a personal domain with optional courtesy storage.
---
## 2. Phases
### 2.1 Intake
* Collect legacy material and intent artifacts.
* Normalize inputs into artifacts for deterministic processing (e.g. Sedelpress).
### 2.2 Deterministic Processing
* Execute PEL programs over the intake snapshot.
* Generate PER receipts and optional TGK edges.
### 2.3 Courtesy Bootstrap (Optional)
* Store encrypted blocks in a courtesy domain (Common/Unity/Rakeroot).
* Seal segments and pin snapshots for determinism.
### 2.4 Personal Domain Minting
* Create a personal domain and copy sealed artifacts.
* Generate DAM and policy artifacts.
* Produce receipts that bind provenance to the new domain.
### 2.5 Publication (Optional)
* Publish selected artifacts to a common domain.
* Enforce policy hash and visibility rules.
---
## 3. Constraints
* Intake artifacts MUST be treated as untrusted until verified.
* Courtesy storage MUST enforce lease limits.
* Publication MUST be gated by admission and policy compatibility.
---
## 4. Outputs
A rescue operation SHOULD produce:
* PER receipts for each processing phase
* Sealed snapshots for replay
* DAM and policy artifacts for domain admission
---
## 5. Versioning
Backward-incompatible changes MUST bump the major version.
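Review bot: Section 2.3 stores `encrypted blocks in a courtesy domain` but never says who holds the key, that the courtesy host MUST NOT be able to decrypt them, or that key material stays with the operator or the personal domain; without that, the lease limits in Section 3 are the only protection on the shared domain. Section 2.4 `copy sealed artifacts` should require verifying the copy against the hashes in the receipts from 2.2 before the DAM is generated, otherwise the provenance binding in the third bullet can refer to content altered in transit. Section 4 says a rescue operation `SHOULD produce` PER receipts, while ASL/AUTH-HOST/1 Section 2 calls receipts primary outputs and Section 3 here treats intake as untrusted until verified; consider MUST for the receipts that later admission depends on.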


@ -0,0 +1,134 @@
# ASL/SYSTEMRESCUE-OVERLAY/1 - Intake Overlay Layout
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, rescue, overlay]
**Document ID:** `ASL/SYSTEMRESCUE-OVERLAY/1`
**Layer:** O3 - Rescue overlay profile
**Depends on (normative):**
* `ASL/HOST/1`
**Informative references:**
* `ASL/RESCUE-NODE/1`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Purpose and Scope
This overlay defines what exists at boot for a rescue intake environment. It
separates immutable tools from mutable runtime state and defines mount points
for local or remote ASL stores.
---
## 2. Overlay Layout
```
overlay/
├── usr/
│ └── local/
│ ├── bin/
│ │ ├── asl-intake
│ │ ├── asl-admin
│ │ └── asl-debug
│ └── lib/
│ └── libasl.so
├── etc/
│ └── asl/
│ ├── asl.conf
│ ├── federation.conf
│ └── logging.conf
├── etc/systemd/system/
│ ├── asl-intake.service
│ └── asl-preflight.service
├── var/
│ └── lib/
│ └── asl/
│ ├── runtime/
│ ├── cache/
│ └── locks/
├── run/
│ └── asl/
│ └── sockets/
└── mnt/
└── asl/
├── local/
└── remote/
```
---
## 3. Directory Semantics
* `/usr/local/bin` is immutable and MUST NOT be written at runtime.
* `/etc/asl` contains declarative configuration only.
* `/var/lib/asl` contains all mutable state for the rescue session.
* `/mnt/asl/local` is the mount target for a local ASL store.
* `/mnt/asl/remote` is an optional remote mount.
---
## 4. Local Store Layout (Informative)
When mounted, a local store typically exposes:
```
/mnt/asl/local/
├── blocks/
├── segments/
├── snapshots/
└── logs/
```
This internal layout is backend-defined and not mandated by this overlay.
---
## 5. Services
### 5.1 asl-preflight.service
Responsibilities:
* Detect storage backends
* Detect importable pools
* Write mode decisions to `/run/asl/mode`
### 5.2 asl-intake.service
Responsibilities:
* Read `/run/asl/mode`
* Start `asl-intake` with the selected backend
---
## 6. Configuration Defaults
`/etc/asl/asl.conf` SHOULD include at minimum:
```
mode = auto
local.mount = /mnt/asl/local
remote.endpoint = none
```
---
## 7. Versioning
Backward-incompatible overlay changes MUST bump the major version.
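Review bot: Section 5 has `asl-preflight.service` write `/run/asl/mode` and `asl-intake.service` read it, but neither the unit ordering (`After=` and `Requires=asl-preflight.service` in the intake unit) nor the file's format is specified; `/etc/asl/asl.conf` in Section 6 uses `mode = auto` while `/run/asl/mode` holds the resolved decision, so state the allowed resolved values and what intake does when the file is missing (fail closed is the safe default for an intake service). Section 3 makes `/usr/local/bin` immutable but says nothing about `/usr/local/lib/libasl.so` from Section 2, which those binaries load; extend the MUST NOT to all of `/usr/local`. Section 6: say that `remote.endpoint = none` disables the `/mnt/asl/remote` mount that Section 3 calls optional.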

169
ops/enc-asl-auth-host-1.md Normal file

@ -0,0 +1,169 @@
# ENC-ASL-AUTH-HOST/1 - Authority Host Layout
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, layout]
**Document ID:** `ENC-ASL-AUTH-HOST/1`
**Layer:** O2E - Authority host layout profile
**Depends on (normative):**
* `ASL/AUTH-HOST/1`
* `ENC-ASL-HOST/1`
**Informative references:**
* `ASL/DAM/1`
* `PEL/1-CORE`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
---
## 1. Purpose and Scope
ENC-ASL-AUTH-HOST/1 extends ENC-ASL-HOST/1 with authority-specific layout
requirements for offline admission and signing workflows.
---
## 2. Authority Root Layout
```
/asl-auth-host/
├── host/
├── domains/
├── env-claims/
├── sops-bundles/
└── tools/
```
This layout may be mounted as a single root or mapped into `/asl-host` with
additional authority directories.
---
## 3. Domains
Domain layout MUST follow ENC-ASL-HOST/1 under:
```
/asl-auth-host/domains/<domain-id>/
```
---
## 4. Environment Claims
```
/asl-auth-host/env-claims/
```
Each claim MUST be stored as an immutable artifact, named by snapshot or
content hash.
---
## 5. SOPS Bundles
```
/asl-auth-host/sops-bundles/
```
Bundles contain DAMs, receipts, and policy artifacts for offline transfer.
---
## 6. Tools
```
/asl-auth-host/tools/
```
Authority binaries and scripts SHOULD be versioned and treated as immutable.
---
## 7. Naming Conventions (Informative)
The following naming conventions are recommended for interop:
### 7.1 Store Blocks
```
<block-id>.bin
<block-id>.meta
```
### 7.2 Index Segments
```
segment-<n>.idx
bloom-<n>.bf
```
### 7.3 Log Files
```
log-<seq>.aol
```
### 7.4 Snapshots
```
snapshot-<id>.meta
snapshot-<id>.blocks
```
### 7.5 Certificates
```
root.pub
root.priv.enc
dam-signer.pub
dam-signer.priv.enc
```
### 7.6 Policies
```
policy-<hash>.json
```
### 7.7 DAM Artifacts
```
dam-<seq>.json.sig
```
### 7.8 Environment Claims
```
<snapshot-id>.claim
```
Environment claims SHOULD include:
* OS image hash
* Boot environment info
* Installed tool hashes
* Store checksum at snapshot
### 7.9 SOPS Bundles
Bundles SHOULD include checksums for integrity validation.
---
## 8. Versioning
Backward-incompatible layout changes MUST bump the major version.
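Review bot: Section 7.7 names DAM artifacts `dam-<seq>.json.sig`, a JSON file with an attached signature, while ENC-ASL-HOST/1 Section 6 (a normative dependency of this document) stores `dam.cbor` with a detached `dam.sig`; two encodings and two signature layouts for the same artifact will not round-trip through the domain layout that Section 3 says MUST follow ENC-ASL-HOST/1. Pick one (the CBOR plus detached signature form is already normative) or state that 7.7 is the bundle-transfer name only. Section 7.5 places `root.priv.enc` and `dam-signer.priv.enc` beside the public keys; ASL/AUTH-HOST/1 Section 8 requires private keys encrypted at rest, so reference the encryption format (or say it is the SOPS bundle format) and require stricter permissions than the public files. Section 7.9 should name the checksum algorithm and require that the bundle manifest itself be signed; unsigned checksums only detect accidental corruption.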

239
ops/enc-asl-host-1.md Normal file

@ -0,0 +1,239 @@
# ENC-ASL-HOST/1 - On-Disk Layout for ASL/HOST
Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, host, layout]
**Document ID:** `ENC-ASL-HOST/1`
**Layer:** O1E - Host layout profile (storage-agnostic)
**Depends on (normative):**
* `ASL/HOST/1`
* `ASL/1-STORE`
* `ASL/LOG/1`
**Informative references:**
* `ASL/DAM/1`
* `ASL/DAP/1`
* `ENC-ASL-LOG`
* `ENC-ASL-CORE-INDEX`
---
## 0. Conventions
The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.
This document defines directory and file placement only. It does not define
byte-level encodings or storage engine internals.
---
## 1. Purpose and Scope
ENC-ASL-HOST/1 specifies a minimal, storage-agnostic on-disk layout for
ASL/HOST implementations. It standardizes where host metadata, domain data,
logs, and snapshots live.
---
## 2. Root Layout
```
/asl-host/
├── host/
├── domains/
├── federation/
└── quarantine/
```
All host-managed state MUST live under `/asl-host`.
---
## 3. Host-Level Metadata
```
/asl-host/host/
├── host-id
├── host-policy
└── trusted-roots/
```
* `host-id` is a stable identifier for the host.
* `host-policy` contains local policy constraints.
* `trusted-roots/` contains offline trust anchors.
---
## 4. Domain Root
Each domain has a single root directory:
```
/asl-host/domains/<domain-id>/
```
Nothing outside this directory MAY be interpreted as part of the domain state.
---
## 5. Domain Descriptor
```
/asl-host/domains/<domain-id>/domain.json
```
The descriptor contains host-derived metadata (not signed):
```
{
"domain_id": "...",
"state": "COURTESY|FULL|SUSPENDED|REVOKED",
"created_at": "...",
"admitted_at": "...",
"root_key_fingerprint": "...",
"policy_hash": "...",
"current_snapshot": "...",
"current_logseq": 0
}
```
---
## 6. Admission Records
```
/asl-host/domains/<domain-id>/admission/
├── dam.cbor
├── dam.sig
├── admission-request.cbor
├── admission-decision.cbor
└── admission-decision.sig
```
Admission records are immutable and MUST be retained.
---
## 7. Authority Material
```
/asl-host/domains/<domain-id>/auth/
├── root.pub
├── operators/
├── device.pub
└── revocations/
```
Private keys MAY exist only temporarily and SHOULD NOT be required for
steady-state operation.
---
## 8. Store Area
```
/asl-host/domains/<domain-id>/store/
├── blocks/
│ ├── open/
│ ├── sealed/
│ └── gc/
├── objects/
└── encryption/
```
* `open/` blocks are writable and may be lost on crash.
* `sealed/` blocks are immutable.
* `gc/` is host-managed reclaim staging.
---
## 9. Index Area
```
/asl-host/domains/<domain-id>/index/
├── segments/
├── bloom/
└── tmp/
```
Segment encodings are defined by `ENC-ASL-CORE-INDEX`.
---
## 10. Log Area
```
/asl-host/domains/<domain-id>/log/
```
Log records and envelopes are defined by `ENC-ASL-LOG`.
---
## 11. Snapshot Area
```
/asl-host/domains/<domain-id>/snapshots/
```
Snapshot metadata MUST include the log sequence boundary and segment set used
for deterministic replay.
---
## 12. Leases
```
/asl-host/domains/<domain-id>/leases/
```
Courtesy lease metadata is stored here and MUST NOT be interpreted by
ASL/1-STORE.
---
## 13. Temporary Workspace
```
/asl-host/domains/<domain-id>/tmp/
```
The host MAY use this directory for temporary, non-authoritative files.
It MUST NOT be required for deterministic replay.
---
## 14. Federation (Optional)
```
/asl-host/federation/
├── peers/
├── exports/
└── imports/
```
Federation caches are optional and MUST NOT change local domain state.
---
## 15. Quarantine
```
/asl-host/quarantine/
```
Untrusted or failed admissions MAY be staged here for inspection.
---
## 16. Versioning
Backward-incompatible layout changes MUST bump the major version.
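Review bot: the `state` enum in the Section 5 descriptor (`COURTESY|FULL|SUSPENDED|REVOKED`) omits `UNRECOGNIZED`, which ASL/HOST/1 Section 5.1 says the host MUST track, so a freshly created domain before `AdmitDomain` has no representable state here. Section 4 `Nothing outside this directory MAY be interpreted as part of the domain state` uses MAY under negation, which RFC 2119 does not define; write `Files outside this directory MUST NOT be interpreted as part of the domain state`. Section 5 calls the descriptor `not signed`; since ASL/HOST/1 Section 5.2 already makes it derived state, say what it is derived from (the admission records in Section 6 and the log head) so a corrupted descriptor is rebuilt rather than trusted. Section 15 stages failed admissions `for inspection`; add that quarantined content MUST NOT be indexed, admitted or referenced from any domain directory until it is re-submitted through the admission path.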