niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/legacy/ASL-HOST v0-2.md
Carl Niklas Rydberg 74efedf62c Rework ops specs
2026-01-17 09:21:47 +01:00

5.9 KiB
Raw Blame History

Good — this is the right integration point. What follows is a clean, minimal integration of DAP + DAM + Courtesy Leases into ASL-HOST, without leaking authority into ASL-CORE or policy into ASL-STORE.

Think of ASL-HOST as the membrane where authority, storage, and execution meet but do not mix.

ASL-HOST v0.1 (Integrated with Admission & Authority)

1. Purpose of ASL-HOST

ASL-HOST defines the responsibilities of a node that hosts ASL domains.

It is responsible for:

  • Domain lifecycle
  • Admission and recognition
  • Block and log materialization
  • Snapshot discipline
  • Resource enforcement
  • Separation of authority from storage semantics

It explicitly does not define:

  • Artifact encoding (ASL-CORE)
  • Index layout (ENC-ASL-STORE)
  • PER or TGK semantics (PEL / TGK layers)
  • Cryptographic algorithms (delegated to ASL-AUTH)

2. ASL-HOST Position in the Stack

+-------------------------+
| ASL-AUTH                |  ← identity, keys, policy
+-------------------------+
| ASL-HOST                |  ← THIS SPEC
+-------------------------+
| ASL-STORE / INDEX       |  ← blocks, logs, snapshots
+-------------------------+
| ASL-CORE / PEL / TGK    |  ← semantics & execution
+-------------------------+
| Filesystem / ZFS / POSIX|
+-------------------------+

ASL-HOST is where domains become real.

3. Domain Lifecycle in ASL-HOST

3.1 Domain States

UNRECOGNIZED
ADMITTED (COURTESY)
ADMITTED (FULL)
SUSPENDED
REVOKED

ASL-HOST tracks domain state explicitly.

3.2 Domain Creation (Local)

A domain MAY be created locally without admission:

asl-host domain create

This creates:

  • DomainID
  • Empty storage namespace
  • Empty log
  • No external recognition

This domain is self-contained only.

4. Domain Admission Integration (DAP)

4.1 Admission Request Handling

ASL-HOST MUST provide:

AdmissionResult asl_host_admit(DAM, signature, request);

Responsibilities:

  • Validate DAM schema
  • Verify signature
  • Check policy compatibility
  • Decide admission outcome

ASL-HOST does not inspect artifacts.

4.2 Admission Outcome Effects

Outcome ASL-HOST Behavior
ACCEPTED Enable publishing, indexing, federation
ACCEPTED_LIMITED Enable courtesy-only storage
DEFERRED Domain exists but blocked
REJECTED Domain remains isolated

5. Courtesy Leases in ASL-HOST

5.1 Courtesy Lease Attachment

A courtesy lease is attached to a domain in ASL-HOST, not to ASL-STORE.

Domain {
  domain_id
  admission_state
  courtesy_lease?
}

5.2 Enforcement Responsibilities

ASL-HOST MUST enforce:

  • Storage limits
  • Snapshot count
  • Lease expiry
  • Encryption-only constraint (if specified)

ASL-STORE must not be aware of courtesy semantics.

5.3 Courtesy Lease Expiry

On expiry, ASL-HOST MAY:

  • unpin snapshots
  • block new writes
  • mark domain as SUSPENDED

ASL-STORE is not required to preserve data.

6. StoreHandle Integration

6.1 StoreHandle Is Scoped to a Domain

ASL-HOST provides:

StoreHandle *asl_host_open_domain(domain_id);

The StoreHandle is:

  • domain-scoped
  • snapshot-aware
  • admission-aware

6.2 Admission-Gated Capabilities

Capabilities exposed via StoreHandle depend on admission state:

Capability Courtesy Full
allocate_block yes yes
seal_block yes yes
append_log yes yes
publish_snapshot no yes
federate_log no yes

ASL-CORE and PEL never see this distinction.

7. Snapshots and CURRENT (ASL-HOST Role)

ASL-HOST defines:

  • Snapshot creation
  • Snapshot pinning
  • Snapshot association with log position

ASL-HOST guarantees:

CURRENT = snapshot + replay(log)

This is host-level truth, not an ASL-CORE concern.

8. Block Ownership and Movement

8.1 Block Ownership

Every block belongs to exactly one domain.

Block ownership is enforced by:

  • filesystem layout
  • StoreHandle scoping
  • ASL-HOST policy

8.2 Block Migration Between Domains

Block migration is an ASL-HOST operation:

asl-host migrate-block --from A --to B

Rules:

  • Source block must be sealed
  • Destination domain must accept the block
  • Policy compatibility enforced
  • Provenance preserved

9. Federation Boundary

ASL-HOST is the only layer allowed to federate.

It decides:

  • which logs may be exported
  • which snapshots may be published
  • which foreign roots are trusted

ASL-STORE and ASL-CORE remain oblivious.

10. Revocation and Suspension

ASL-HOST MAY:

  • suspend a domain (stop new writes)
  • revoke federation
  • invalidate admission

Already-sealed artifacts remain immutable.

11. SystemRescue Mapping (Concrete)

Your patched SystemRescue image now hosts:

  • ASL-HOST runtime
  • Local domains (personal, courtesy, common)
  • Admission client
  • Offline authority material

On boot, SystemRescue may:

  1. Create a local domain
  2. Load DAM + keys
  3. Submit admission request
  4. Receive courtesy lease
  5. Begin sealed ingestion
  6. Snapshot and wait

You are literally standing ready.

12. Why This Integration Is Clean

✔ ASL-CORE untouched ✔ ASL-STORE unaware of authority ✔ Authority never touches block bytes ✔ Admission precedes trust ✔ Rescue and sovereign modes unified

13. Mental Model (One Sentence)

ASL-HOST is the constitutional layer that turns storage into a domain, and a domain into a participant.

If you want next, we can:

  • define ASL-HOST on-disk layout
  • specify revocation propagation
  • map PEL execution to admission state
  • or walk a full rescue → admission → federation scenario end-to-end

Just point the direction.