Good — this is the right thing to pin down next. Below is a **precise, minimal, authority-aware but storage-agnostic ASL-HOST on-disk layout**, designed to work on **ZFS, btrfs, or plain POSIX**, and to survive before ASL-STORE / ASL-CORE are fully implemented. This layout defines **where things live**, not **how bytes are encoded**. --- # ASL-HOST On-Disk Layout — v0.1 --- ## 1. Design Goals (Normative) The on-disk layout MUST: 1. Enforce **domain isolation** 2. Separate **authority, storage, and execution** 3. Support **append-only logs** 4. Support **snapshots as first-class** 5. Allow **courtesy leases and revocation** 6. Remain **forward-compatible** with ASL-STORE and ENC specs The layout MUST NOT: * Encode artifact semantics * Encode index formats * Encode cryptographic algorithms --- ## 2. Root Layout ```text /asl-host/ ├── host/ │ ├── host-id │ ├── host-policy │ └── trusted-roots/ │ ├── domains/ │ ├── / │ │ ├── domain.json │ │ ├── admission/ │ │ ├── auth/ │ │ ├── store/ │ │ ├── index/ │ │ ├── log/ │ │ ├── snapshots/ │ │ ├── leases/ │ │ └── tmp/ │ ├── federation/ │ ├── peers/ │ ├── exports/ │ └── imports/ │ └── quarantine/ ``` Everything below this root is owned by ASL-HOST. --- ## 3. Host-Level Metadata ### `/asl-host/host/` ```text host/ ├── host-id # stable ID for this machine ├── host-policy # local admission & resource policy └── trusted-roots/ ├── root-A.pub ├── root-B.pub └── ... ``` **Notes:** * Trusted roots are **offline-established** * Used for **admission verification** * Not domain-specific --- ## 4. Domain Directory (Authoritative Boundary) Each domain has **one directory**, nothing crosses this boundary implicitly. ```text /domains// ``` This directory MUST be the **sole owner** of: * blocks * logs * snapshots * indexes * domain-local authority state --- ## 5. Domain Descriptor ### `/domains//domain.json` This is **host-owned metadata**, not part of ASL-CORE. ```json { "domain_id": "...", "state": "COURTESY | FULL | SUSPENDED | REVOKED", "created_at": "...", "admitted_at": "...", "root_key_fingerprint": "...", "policy_hash": "...", "current_snapshot": "...", "current_logseq": 12345 } ``` This file is **not signed** — it is derived state. --- ## 6. Admission Records ### `/domains//admission/` ```text admission/ ├── dam.cbor ├── dam.sig ├── admission-request.cbor ├── admission-decision.cbor └── admission-decision.sig ``` This directory contains **immutable records** of how the domain was admitted. --- ## 7. Authority Material (Domain-Local) ### `/domains//auth/` ```text auth/ ├── root.pub ├── operators/ │ ├── op1.pub │ └── ... ├── device.pub └── revocations/ ``` **Rules:** * Private keys MAY exist only temporarily (e.g. SystemRescue) * ASL-HOST MUST NOT rely on private keys being present --- ## 8. Store Root (Blocks) ### `/domains//store/` ```text store/ ├── blocks/ │ ├── open/ │ ├── sealed/ │ └── gc/ ├── objects/ # optional future packing └── encryption/ ``` **Notes:** * `open/` blocks may be lost * `sealed/` blocks are immutable * `gc/` is host-managed * Encryption metadata is **opaque to ASL-STORE** --- ## 9. Index Area (Semantic-Free) ### `/domains//index/` ```text index/ ├── segments/ │ ├── seg-000001/ │ └── ... ├── bloom/ # optional └── tmp/ ``` ASL-HOST only guarantees: * sealed segments are immutable * segments become visible only after seal record --- ## 10. Append-Only Log ### `/domains//log/` ```text log/ ├── append.log ├── checkpoints/ │ ├── chk-000001/ │ └── ... └── seal.log ``` **Rules:** * append-only * monotonic * replayable * seal.log records segment seals --- ## 11. Snapshots ### `/domains//snapshots/` ```text snapshots/ ├── snap-000001/ ├── snap-000002/ └── pinned/ ├── snap-000001 ``` **Host responsibility:** * mapping snapshots to log positions * enforcing pinning * enforcing courtesy limits --- ## 12. Courtesy Leases ### `/domains//leases/` ```text leases/ ├── lease-001.json ├── lease-002.json └── active ``` Each lease file: ```json { "lease_id": "...", "granted_by": "...", "storage_bytes": 1073741824, "expires_at": "..." } ``` ASL-HOST enforces these. --- ## 13. Temporary / Execution Space ### `/domains//tmp/` Used for: * Sedelpress staging * PEL execution scratch * unsealed buffers **Never snapshot-pinned.** --- ## 14. Federation Area ### `/asl-host/federation/` ```text federation/ ├── peers/ │ ├── / │ │ ├── pinned-roots/ │ │ ├── imported-snapshots/ │ │ └── replay-state.json ├── exports/ └── imports/ ``` Federation is **explicit and opt-in**. --- ## 15. Quarantine ### `/asl-host/quarantine/` Used for: * rejected domains * policy violations * forensic inspection No domain in quarantine may execute or publish. --- ## 16. ZFS / Snapshot Mapping (Recommended) If using ZFS: | Path | ZFS Dataset | | ------------------------- | ------------------- | | `/domains/` | dataset | | `/domains//store` | child dataset | | `/domains//snapshots` | ZFS snapshots | | `/domains//tmp` | no-snapshot dataset | This gives **real snapshot semantics** aligned with ASL rules. --- ## 17. Invariants (Non-Negotiable) 1. No block crosses domain boundaries implicitly 2. No snapshot without log position 3. No sealed block mutation 4. No admission without DAM 5. No federation without ASL-HOST approval --- ## 18. Why This Works ✔ Clean separation of concerns ✔ Domain sovereignty enforced by path ✔ Admission-first architecture ✔ Rescue and sovereign flows unified ✔ ASL-STORE can drop in later --- ## 19. One-Sentence Summary > **ASL-HOST’s on-disk layout is a constitutional map: it tells every byte who it belongs to, why it exists, and when it may be trusted.** If you want, next we can: * write a **reference filesystem implementation** * simulate a **full rescue → admission → publish flow on disk** * define **revocation propagation on disk** * or map this directly to **ZFS commands** Just say where to push next.