niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/ENC-ASL-HOST.md
Carl Niklas Rydberg 4cba1f45eb Move host/rescue docs to ops tier
2026-01-17 09:04:19 +01:00

6.7 KiB
Raw Blame History

Good — this is the right thing to pin down next. Below is a precise, minimal, authority-aware but storage-agnostic ASL-HOST on-disk layout, designed to work on ZFS, btrfs, or plain POSIX, and to survive before ASL-STORE / ASL-CORE are fully implemented.

This layout defines where things live, not how bytes are encoded.

ASL-HOST On-Disk Layout — v0.1

1. Design Goals (Normative)

The on-disk layout MUST:

  1. Enforce domain isolation
  2. Separate authority, storage, and execution
  3. Support append-only logs
  4. Support snapshots as first-class
  5. Allow courtesy leases and revocation
  6. Remain forward-compatible with ASL-STORE and ENC specs

The layout MUST NOT:

  • Encode artifact semantics
  • Encode index formats
  • Encode cryptographic algorithms

2. Root Layout

/asl-host/
├── host/
│   ├── host-id
│   ├── host-policy
│   └── trusted-roots/
│
├── domains/
│   ├── <domain-id>/
│   │   ├── domain.json
│   │   ├── admission/
│   │   ├── auth/
│   │   ├── store/
│   │   ├── index/
│   │   ├── log/
│   │   ├── snapshots/
│   │   ├── leases/
│   │   └── tmp/
│
├── federation/
│   ├── peers/
│   ├── exports/
│   └── imports/
│
└── quarantine/

Everything below this root is owned by ASL-HOST.

3. Host-Level Metadata

/asl-host/host/

host/
├── host-id              # stable ID for this machine
├── host-policy          # local admission & resource policy
└── trusted-roots/
    ├── root-A.pub
    ├── root-B.pub
    └── ...

Notes:

  • Trusted roots are offline-established
  • Used for admission verification
  • Not domain-specific

4. Domain Directory (Authoritative Boundary)

Each domain has one directory, nothing crosses this boundary implicitly.

/domains/<domain-id>/

This directory MUST be the sole owner of:

  • blocks
  • logs
  • snapshots
  • indexes
  • domain-local authority state

5. Domain Descriptor

/domains/<domain-id>/domain.json

This is host-owned metadata, not part of ASL-CORE.

{
  "domain_id": "...",
  "state": "COURTESY | FULL | SUSPENDED | REVOKED",
  "created_at": "...",
  "admitted_at": "...",
  "root_key_fingerprint": "...",
  "policy_hash": "...",
  "current_snapshot": "...",
  "current_logseq": 12345
}

This file is not signed — it is derived state.

6. Admission Records

/domains/<domain-id>/admission/

admission/
├── dam.cbor
├── dam.sig
├── admission-request.cbor
├── admission-decision.cbor
└── admission-decision.sig

This directory contains immutable records of how the domain was admitted.

7. Authority Material (Domain-Local)

/domains/<domain-id>/auth/

auth/
├── root.pub
├── operators/
│   ├── op1.pub
│   └── ...
├── device.pub
└── revocations/

Rules:

  • Private keys MAY exist only temporarily (e.g. SystemRescue)
  • ASL-HOST MUST NOT rely on private keys being present

8. Store Root (Blocks)

/domains/<domain-id>/store/

store/
├── blocks/
│   ├── open/
│   ├── sealed/
│   └── gc/
├── objects/          # optional future packing
└── encryption/

Notes:

  • open/ blocks may be lost
  • sealed/ blocks are immutable
  • gc/ is host-managed
  • Encryption metadata is opaque to ASL-STORE

9. Index Area (Semantic-Free)

/domains/<domain-id>/index/

index/
├── segments/
│   ├── seg-000001/
│   └── ...
├── bloom/            # optional
└── tmp/

ASL-HOST only guarantees:

  • sealed segments are immutable
  • segments become visible only after seal record

10. Append-Only Log

/domains/<domain-id>/log/

log/
├── append.log
├── checkpoints/
│   ├── chk-000001/
│   └── ...
└── seal.log

Rules:

  • append-only
  • monotonic
  • replayable
  • seal.log records segment seals

11. Snapshots

/domains/<domain-id>/snapshots/

snapshots/
├── snap-000001/
├── snap-000002/
└── pinned/
    ├── snap-000001

Host responsibility:

  • mapping snapshots to log positions
  • enforcing pinning
  • enforcing courtesy limits

12. Courtesy Leases

/domains/<domain-id>/leases/

leases/
├── lease-001.json
├── lease-002.json
└── active

Each lease file:

{
  "lease_id": "...",
  "granted_by": "...",
  "storage_bytes": 1073741824,
  "expires_at": "..."
}

ASL-HOST enforces these.

13. Temporary / Execution Space

/domains/<domain-id>/tmp/

Used for:

  • Sedelpress staging
  • PEL execution scratch
  • unsealed buffers

Never snapshot-pinned.

14. Federation Area

/asl-host/federation/

federation/
├── peers/
│   ├── <peer-domain-id>/
│   │   ├── pinned-roots/
│   │   ├── imported-snapshots/
│   │   └── replay-state.json
├── exports/
└── imports/

Federation is explicit and opt-in.

15. Quarantine

/asl-host/quarantine/

Used for:

  • rejected domains
  • policy violations
  • forensic inspection

No domain in quarantine may execute or publish.

16. ZFS / Snapshot Mapping (Recommended)

If using ZFS:

Path ZFS Dataset
/domains/<id> dataset
/domains/<id>/store child dataset
/domains/<id>/snapshots ZFS snapshots
/domains/<id>/tmp no-snapshot dataset

This gives real snapshot semantics aligned with ASL rules.

17. Invariants (Non-Negotiable)

  1. No block crosses domain boundaries implicitly
  2. No snapshot without log position
  3. No sealed block mutation
  4. No admission without DAM
  5. No federation without ASL-HOST approval

18. Why This Works

✔ Clean separation of concerns ✔ Domain sovereignty enforced by path ✔ Admission-first architecture ✔ Rescue and sovereign flows unified ✔ ASL-STORE can drop in later

19. One-Sentence Summary

ASL-HOSTs on-disk layout is a constitutional map: it tells every byte who it belongs to, why it exists, and when it may be trusted.

If you want, next we can:

  • write a reference filesystem implementation
  • simulate a full rescue → admission → publish flow on disk
  • define revocation propagation on disk
  • or map this directly to ZFS commands

Just say where to push next.