Yes — that’s exactly right, and what you just articulated is an **important missing conceptual layer**. You’ve essentially identified the need for a **PEL-visible “foreign domain binding” state machine**, and the notion of a **virgin authority**. I’ll formalize this cleanly and minimally, without over-specifying.

---

# Virgin Authority, Foreign Domains, and USB as a PEL Domain

## 1. The Missing Abstraction: “Presented Domain”

From the PEL / ASL perspective, **USB content is not just files**. It is one of:

1. A **presented domain**
2. A **domain admission request**
3. A **known foreign domain**
4. A **virgin domain**

This must be explicit, not inferred.

---

## 2. Domain States (Normative)

### 2.1 Authority Domain States

| State           | Description                   |
| --------------- | ----------------------------- |
| **Virgin**      | No master authority exists    |
| **Rooted**      | Root authority keys exist     |
| **Federating**  | Can sign foreign domains      |
| **Operational** | Normal steady-state authority |

> The auth host **starts in Virgin**.

---

### 2.2 Presented Domain States (USB)

When a USB is inserted, its contents are classified as one of:

| State              | Meaning                  |
| ------------------ | ------------------------ |
| **Virgin**         | No certificates present  |
| **Self-asserting** | Contains unsigned claims |
| **Admitted**       | Has valid DAM            |
| **Known foreign**  | Previously pinned domain |

This classification is done **by PEL**, not by shell logic.

---

## 3. USB as a Temporary ASL Domain

**Key principle:**

> USB content is treated as a *temporary ASL domain* with read-only semantics.

Let’s call it:

```
domain_id = PRESENTED::
```

Properties:

* Read-only
* No sealing allowed
* No GC
* No snapshots persisted
* Exists only for duration of execution

PEL can refer to:

```yaml
inputs:
  - domain: presented
    path: /REQUEST/input-artifacts
```

---

## 4. Virgin Authority Bootstrapping (First Ever Operation)

### 4.1 Virgin State Invariants

When the auth host is virgin:

* No root keys exist
* No trusted domains exist
* No policy is mutable
* Only one PEL program is allowed: **Authority Genesis**

---

### 4.2 Authority Genesis PEL Program

Allowed exactly once.

```yaml
pel_program_type: authority-genesis
inputs:
  - entropy_source
  - operator_assertion
outputs:
  - root_authority_key
  - policy_hash
  - genesis_snapshot
```

Effects:

* Root keys generated
* Policy hash sealed
* Authority transitions:

```
Virgin → Rooted
```

Receipt produced is **the birth certificate of the authority**.

---

## 5. Admission PEL Program (Foreign Domain Birth)

### 5.1 Admission Program Semantics

```yaml
pel_program_type: domain-admission
inputs:
  - presented_domain
  - identity_claims
outputs:
  - domain_id
  - domain_dam
  - courtesy_lease
```

Rules:

* Presented domain may be virgin
* Domain ID assigned by authority
* DAM signed and returned
* Domain becomes **Admitted**

---

## 6. Rescue PEL Program (Foreign Domain Capture)

```yaml
pel_program_type: rescue
inputs:
  - presented_domain
  - raw_artifacts
outputs:
  - encrypted_blocks
  - receipt
```

Rules:

* No identity required
* Outputs always encrypted
* Bound to a domain chosen by operator or authority policy
* Can be admitted later

---

## 7. Known Foreign Domains (Trust Pinning)

Once a domain is admitted:

* Its DAM hash is pinned locally
* Future USBs presenting that domain are recognized
* PEL may allow richer operations

```yaml
foreign_domains:
  - domain_id
  - dam_hash
  - trust_level: read-only | federated
```

---

## 8. Why This is Correct

### Philosophically

* Nothing is “known” until a receipt says so
* Virgin is a real state
* Authority is created, not assumed
* USB is a *domain*, not a filesystem

### Technically

* Keeps PEL central
* Avoids shell heuristics
* Enables deterministic replay
* Aligns with ASL semantics

---

## 9. Practical Implications for Implementation

You can implement **today**:

1. Domain state machine (virgin/rooted/operational)
2. USB classification via PEL pre-pass
3. Authority genesis as first program
4. Admission as normal PEL execution
5. Rescue as encrypted-only PEL execution

No need for:

* Networking
* Long-term federation
* Complex identity systems

---

## 10. One-sentence summary

> **The auth host is born virgin, USBs are temporary domains, and only PEL programs are allowed to change reality.**

If you want next, I can:

* Formalize the **Authority Genesis PEL program**
* Define **Presented Domain fingerprinting**
* Draft **domain state transition diagrams**
* Show **how this plugs into ASL-HOST cleanly**

Just say where to go.
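The following is an added example, not part of the reply above and not code from the PEL/ASL project: a small Python model of the state machine in sections 2 to 7 (authority states, PEL classification of a presented USB domain, authority genesis allowed exactly once, admission that assigns the domain id and pins the DAM hash, and rescue with encrypted-only output). Everything concrete in it is an assumption made for illustration: the on-USB layout (`DAM/<domain_id>` and `CLAIMS/...` entries in a dict of path to bytes), the DAM stood in by an HMAC under the root key, the `D-0001` id scheme, the `AuthHost`, `classify`, `_dam_for` and `_seal` names, and the HMAC-keystream stand-in for a real AEAD in `_seal`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class AuthorityState(Enum):
    VIRGIN = "virgin"
    ROOTED = "rooted"
    FEDERATING = "federating"
    OPERATIONAL = "operational"


class PresentedState(Enum):
    VIRGIN = "virgin"                   # no certificates present
    SELF_ASSERTING = "self-asserting"   # claims this authority cannot verify
    ADMITTED = "admitted"               # DAM verifies, but no local pin for it
    KNOWN_FOREIGN = "known-foreign"     # DAM hash matches a local pin


class PolicyViolation(Exception):
    """A PEL program was requested in a state that forbids it."""


def _dam_for(root_key: bytes, domain_id: str) -> bytes:
    # Assumed stand-in for a signed DAM: an HMAC over the domain id under the root key.
    return hmac.new(root_key, domain_id.encode(), hashlib.sha256).digest()


def _seal(key: bytes, data: bytes) -> bytes:
    # Assumed stand-in for a real AEAD: HMAC-SHA256 keystream XOR plus an HMAC tag.
    nonce = os.urandom(16)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


@dataclass
class AuthHost:
    state: AuthorityState = AuthorityState.VIRGIN
    root_key: bytes = b""                          # empty while virgin
    policy_hash: bytes = b""
    pinned: dict = field(default_factory=dict)     # domain_id -> sha256(DAM)
    receipts: list = field(default_factory=list)
    issued: int = 0                                # domain ids handed out so far

    def classify(self, presented: dict) -> PresentedState:
        """PEL pre-pass over read-only USB contents (assumed layout: 'DAM/<id>', 'CLAIMS/...')."""
        for path, dam in presented.items():
            if not path.startswith("DAM/"):
                continue
            domain_id = path[len("DAM/"):]
            # A virgin host has no root key, so it can verify no DAM at all.
            if not self.root_key or not hmac.compare_digest(dam, _dam_for(self.root_key, domain_id)):
                continue
            if self.pinned.get(domain_id) == hashlib.sha256(dam).digest():
                return PresentedState.KNOWN_FOREIGN
            return PresentedState.ADMITTED
        if any(p.startswith(("DAM/", "CLAIMS/")) for p in presented):
            return PresentedState.SELF_ASSERTING
        return PresentedState.VIRGIN

    def authority_genesis(self, entropy: bytes, operator_assertion: str) -> dict:
        """Authority Genesis: allowed exactly once, Virgin -> Rooted."""
        if self.state is not AuthorityState.VIRGIN:
            raise PolicyViolation("authority-genesis is permitted only while virgin")
        self.root_key = hashlib.sha256(b"root|" + entropy).digest()  # assumed derivation
        self.policy_hash = hashlib.sha256(operator_assertion.encode()).digest()
        self.state = AuthorityState.ROOTED
        return self._receipt("authority-genesis", policy_hash=self.policy_hash.hex())

    def domain_admission(self, presented: dict, identity_claims: str) -> dict:
        """Admit a presented (possibly virgin) domain; the authority assigns the id."""
        self._require_rooted()
        if self.classify(presented) is PresentedState.KNOWN_FOREIGN:
            raise PolicyViolation("domain is already admitted and pinned")
        self.issued += 1
        domain_id = f"D-{self.issued:04d}"             # assumed id scheme
        dam = _dam_for(self.root_key, domain_id)
        self.pinned[domain_id] = hashlib.sha256(dam).digest()
        return self._receipt("domain-admission", domain_id=domain_id, dam=dam.hex(),
                             claims=identity_claims, courtesy_lease="read-only")

    def rescue(self, raw_artifacts: dict, domain_id: str) -> dict:
        """Rescue: no identity required; output is always encrypted for domain_id."""
        self._require_rooted()
        key = hmac.new(self.root_key, b"rescue|" + domain_id.encode(), hashlib.sha256).digest()
        blocks = {name: _seal(key, data) for name, data in raw_artifacts.items()}
        return self._receipt("rescue", domain_id=domain_id, encrypted_blocks=blocks)

    def _require_rooted(self) -> None:
        if self.state is AuthorityState.VIRGIN:
            raise PolicyViolation("only authority-genesis may run while virgin")

    def _receipt(self, program: str, **fields) -> dict:
        receipt = {"program": program, "seq": len(self.receipts), **fields}
        self.receipts.append(receipt)
        return receipt
```

Two edge cases worth noticing when running it: a virgin host classifies every USB that carries a DAM as self-asserting, because it has no key to verify anything with, and a DAM that verifies but whose hash is no longer pinned locally is reported as admitted rather than known foreign, so the pin, not the signature alone, is what upgrades a domain to recognized.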