niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Clarify the differences between Common, Group, and Personal domains.md
Carl Niklas Rydberg 1d552bd46a Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00

292 lines
6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Excellent question. This is exactly the right place to tighten the model.
Ill do three things, in order:
1. **Specify how ASL-HOST enforces witness authority at boot (normative)**
2. **Explain how this generalizes to non-Common domains**
3. **Clarify the differences between Common, Group, and Personal domains (and why they are *not* fundamentally different)**
Ill keep it crisp and spec-like, but readable.
---
# ASL-HOST Witness Enforcement at Boot (v0.1)
## 1. Purpose
This section defines how an **ASL-HOST** determines whether it is allowed to:
* accept snapshots
* advance CURRENT
* emit new snapshots
for any domain, with **Common as the canonical example**.
The same mechanism applies to **personal and group domains**, with different policies.
---
## 2. Core rule (universal)
> **An ASL-HOST MUST NOT advance a domain unless it can prove authority to do so from domain-local artifacts.**
There is **no implicit authority**, no “trusted runtime”, and no network trust.
Authority is always:
* explicit
* artifact-backed
* snapshot-bound
---
## 3. Boot-time domain authority resolution
At boot, for each configured domain, ASL-HOST performs the following steps.
### 3.1 Load domain state
For each domain `D`:
1. Mount domain store (filesystem, ZFS dataset, etc.)
2. Load:
* last sealed snapshot `D@N`
* append-only log (if present)
3. Reconstruct `CURRENT(D)` deterministically
If this fails → domain is **read-only**.
---
## 4. Authority discovery
### 4.1 Authority source artifacts
ASL-HOST MUST locate, for domain `D`:
1. **Domain Authority Manifest (DAM)**
2. **Current Policy Artifact**
3. **Witness-related artifacts** (if any)
These MUST be:
* sealed
* visible at or below `D@N`
* valid under ASL-STORE rules
---
## 5. Witness model (generalized)
Every domain operates under **exactly one authority mode** at any snapshot:
| Mode | Meaning |
| ---------------- | --------------------------------------------- |
| `single-witness` | One domain/key may emit snapshots |
| `quorum-witness` | A threshold of domains may authorize emission |
| `self-authority` | This hosts domain is the witness |
This is **policy-defined**, not hard-coded.
---
## 6. Common domain (special only in policy)
### 6.1 Common authority rules
For `common`:
* Authority mode: `quorum-witness`
* Emission rights:
* granted only to the active witness domain
* Witness rotation:
* only via `asl.common.witness-rotation` artifacts
### 6.2 Boot enforcement
At boot, ASL-HOST MUST:
1. Identify current witness from last snapshot
2. Verify:
* witness domain ID
* witness public key
3. Lock Common domain into one of:
| State | Meaning |
| ----------- | ---------------------------- |
| **Passive** | May consume Common snapshots |
| **Active** | May emit Common snapshots |
| **Invalid** | Must refuse Common entirely |
An ASL-HOST **MUST NOT** emit Common unless explicitly Active.
---
## 7. Personal domains (important clarification)
Personal domains are **not special**.
They differ only in **policy defaults**.
### 7.1 Typical personal domain policy
```yaml
authority_mode: self-authority
authorized_keys:
- owner-key
```
This means:
* Any host holding the private key may emit snapshots
* Multiple machines can advance the domain
* Conflicts are resolved via:
* snapshot ordering
* logseq
* or explicit merge PELs
### 7.2 Boot behavior
At boot, ASL-HOST:
* checks whether it holds a valid private key
* if yes → Active
* if no → Passive (read-only replica)
This allows:
* laptops
* desktops
* VMs
* rescue environments
to all participate safely.
---
## 8. Group domains
Group domains sit *between* Common and Personal.
### 8.1 Group authority models
Common patterns:
| Model | Use case |
| ---------------- | ------------------------ |
| single-witness | One maintainer |
| quorum-witness | Shared governance |
| rotating-witness | Time-based or role-based |
### 8.2 Enforcement is identical
ASL-HOST does **not care** whether a domain is:
* Common
* Group
* Personal
It only evaluates:
* current snapshot
* policy artifact
* authority proofs
---
## 9. Snapshot emission decision (normative)
Before emitting a snapshot for domain `D`, ASL-HOST MUST verify:
1. It holds a private key authorized by policy
2. No conflicting authority artifact exists above `D@N`
3. For quorum:
* required endorsements are present and valid
4. The snapshot references:
* authority context
* policy version
* (if applicable) witness rotation artifact
If any check fails → emission is forbidden.
---
## 10. Read vs write separation (important)
An ASL-HOST may always:
* store artifacts
* verify snapshots
* mirror domains
But may only:
* **emit snapshots**
* **advance CURRENT**
when authority is proven.
This allows:
* mirrors
* caches
* rescue systems
* offline nodes
to coexist safely.
---
## 11. Why this scales to “personal everywhere”
Your intuition is correct:
> personal domains may live on many machines and need the same sync guarantees.
This model gives you:
* snapshot identity
* deterministic replay
* conflict-free history **by construction**
* explicit governance when needed
There is **no need** for a different mechanism.
---
## 12. One mental model to keep
> **Every domain is Common to someone.**
> The difference is only *who is allowed to speak for it*.
---
## 13. What this enables next
With this in place, you can cleanly specify:
* personal multi-device sync
* offline-first workflows
* rescue-domain bootstrap
* federation without global servers
* gradual transition from single-owner → group → common
---
If you want, next good steps would be:
* formalize **Domain Authority Manifest (DAM) enforcement at boot**
* specify **multi-writer personal domain merge semantics**
* walk through **one personal domain on 3 machines**
* or describe **Common startup from zero (genesis)**
Youre no longer mixing projects here — this is now one coherent system.
Reference in a new issue View git blame Copy permalink