# ENC-ASL-AUTH-HOST/1 - Authority Host Layout

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, layout]

**Document ID:** `ENC-ASL-AUTH-HOST/1`
**Layer:** O2E - Authority host layout profile

**Depends on (normative):**

* `ASL/AUTH-HOST/1`
* `ENC-ASL-HOST/1`

**Informative references:**

* `ASL/DAM/1`
* `PEL/1-CORE`

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be interpreted as in RFC 2119.

---

## 1. Purpose and Scope

ENC-ASL-AUTH-HOST/1 extends ENC-ASL-HOST/1 with authority-specific layout requirements for offline admission and signing workflows.

---

## 2. Authority Root Layout

```
/asl-auth-host/
├── host/
├── domains/
├── env-claims/
├── sops-bundles/
└── tools/
```

This layout may be mounted as a single root or mapped into `/asl-host` with additional authority directories.

---

## 3. Domains

Domain layout MUST follow ENC-ASL-HOST/1 under:

```
/asl-auth-host/domains//
```

---

## 4. Environment Claims

```
/asl-auth-host/env-claims/
```

Each claim MUST be stored as an immutable artifact, named by snapshot or content hash.

---

## 5. SOPS Bundles

```
/asl-auth-host/sops-bundles/
```

Bundles contain DAMs, receipts, and policy artifacts for offline transfer.

---

## 6. Tools

```
/asl-auth-host/tools/
```

Authority binaries and scripts SHOULD be versioned and treated as immutable.

---

## 7. Naming Conventions (Informative)

The following naming conventions are recommended for interop:

### 7.1 Store Blocks

```
.bin
.meta
```

### 7.2 Index Segments

```
segment-.idx
bloom-.bf
```

### 7.3 Log Files

```
log-.aol
```

### 7.4 Snapshots

```
snapshot-.meta
snapshot-.blocks
```

### 7.5 Certificates

```
root.pub
root.priv.enc
dam-signer.pub
dam-signer.priv.enc
```

### 7.6 Policies

```
policy-.json
```

### 7.7 DAM Artifacts

```
dam-.json.sig
```

### 7.8 Environment Claims

```
.claim
```

Environment claims SHOULD include:

* OS image hash
* Boot environment info
* Installed tool hashes
* Store checksum at snapshot

### 7.9 SOPS Bundles

Bundles SHOULD include checksums for integrity validation.

---

## 8. Versioning

Backward-incompatible layout changes MUST bump the major version.
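
An added example (not part of this specification or the project's tooling): a Python audit of the section 2 root layout and the section 4 claim rule. It assumes a content-hash name is the lowercase SHA-256 hex digest of the file and that immutability can be approximated by the absence of write bits; the profile specifies neither, and the function and finding names are hypothetical.

```python
import hashlib
import re
import stat
from pathlib import Path

# Top-level directories from section 2 of this profile.
REQUIRED_DIRS = ("host", "domains", "env-claims", "sops-bundles", "tools")
# Assumption: a content-hash name is the lowercase SHA-256 hex digest of the file.
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def audit_authority_root(root):
    """Return a sorted list of findings for the authority root at `root`."""
    root = Path(root)
    findings = []
    for name in REQUIRED_DIRS:
        path = root / name
        # A symlinked directory could redirect reads outside the authority root.
        if path.is_symlink() or not path.is_dir():
            findings.append(f"missing-or-symlinked-dir: {name}")
    claims_dir = root / "env-claims"
    if claims_dir.is_dir() and not claims_dir.is_symlink():
        for claim in sorted(claims_dir.iterdir()):
            findings.extend(_audit_claim(claim))
    return sorted(findings)


def _audit_claim(claim):
    """Check one entry in env-claims/ for naming, integrity and write bits."""
    if claim.is_symlink() or not claim.is_file():
        return [f"not-a-regular-file: {claim.name}"]
    if claim.suffix != ".claim":
        return [f"unexpected-name: {claim.name}"]
    issues = []
    # Assumption: immutability is approximated by the absence of write bits.
    if claim.stat().st_mode & WRITE_BITS:
        issues.append(f"writable-claim: {claim.name}")
    if SHA256_HEX.match(claim.stem):
        digest = hashlib.sha256(claim.read_bytes()).hexdigest()
        if digest != claim.stem:
            issues.append(f"hash-mismatch: {claim.name}")
    else:
        # Snapshot-named claims cannot be checked against their own name.
        issues.append(f"unverified-snapshot-name: {claim.name}")
    return issues
```

A snapshot-named claim is reported as unverified rather than failed, because its name carries no digest to compare against.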