niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/legacy/ENC-ASL-HOST.md
Carl Niklas Rydberg 74efedf62c Rework ops specs
2026-01-17 09:21:47 +01:00

371 lines
6.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Good — this is the right thing to pin down next.
Below is a **precise, minimal, authority-aware but storage-agnostic ASL-HOST on-disk layout**, designed to work on **ZFS, btrfs, or plain POSIX**, and to survive before ASL-STORE / ASL-CORE are fully implemented.
This layout defines **where things live**, not **how bytes are encoded**.
---
# ASL-HOST On-Disk Layout — v0.1
---
## 1. Design Goals (Normative)
The on-disk layout MUST:
1. Enforce **domain isolation**
2. Separate **authority, storage, and execution**
3. Support **append-only logs**
4. Support **snapshots as first-class**
5. Allow **courtesy leases and revocation**
6. Remain **forward-compatible** with ASL-STORE and ENC specs
The layout MUST NOT:
* Encode artifact semantics
* Encode index formats
* Encode cryptographic algorithms
---
## 2. Root Layout
```text
/asl-host/
├── host/
│ ├── host-id
│ ├── host-policy
│ └── trusted-roots/
├── domains/
│ ├── <domain-id>/
│ │ ├── domain.json
│ │ ├── admission/
│ │ ├── auth/
│ │ ├── store/
│ │ ├── index/
│ │ ├── log/
│ │ ├── snapshots/
│ │ ├── leases/
│ │ └── tmp/
├── federation/
│ ├── peers/
│ ├── exports/
│ └── imports/
└── quarantine/
```
Everything below this root is owned by ASL-HOST.
---
## 3. Host-Level Metadata
### `/asl-host/host/`
```text
host/
├── host-id # stable ID for this machine
├── host-policy # local admission & resource policy
└── trusted-roots/
├── root-A.pub
├── root-B.pub
└── ...
```
**Notes:**
* Trusted roots are **offline-established**
* Used for **admission verification**
* Not domain-specific
---
## 4. Domain Directory (Authoritative Boundary)
Each domain has **one directory**, nothing crosses this boundary implicitly.
```text
/domains/<domain-id>/
```
This directory MUST be the **sole owner** of:
* blocks
* logs
* snapshots
* indexes
* domain-local authority state
---
## 5. Domain Descriptor
### `/domains/<domain-id>/domain.json`
This is **host-owned metadata**, not part of ASL-CORE.
```json
{
"domain_id": "...",
"state": "COURTESY | FULL | SUSPENDED | REVOKED",
"created_at": "...",
"admitted_at": "...",
"root_key_fingerprint": "...",
"policy_hash": "...",
"current_snapshot": "...",
"current_logseq": 12345
}
```
This file is **not signed** — it is derived state.
---
## 6. Admission Records
### `/domains/<domain-id>/admission/`
```text
admission/
├── dam.cbor
├── dam.sig
├── admission-request.cbor
├── admission-decision.cbor
└── admission-decision.sig
```
This directory contains **immutable records** of how the domain was admitted.
---
## 7. Authority Material (Domain-Local)
### `/domains/<domain-id>/auth/`
```text
auth/
├── root.pub
├── operators/
│ ├── op1.pub
│ └── ...
├── device.pub
└── revocations/
```
**Rules:**
* Private keys MAY exist only temporarily (e.g. SystemRescue)
* ASL-HOST MUST NOT rely on private keys being present
---
## 8. Store Root (Blocks)
### `/domains/<domain-id>/store/`
```text
store/
├── blocks/
│ ├── open/
│ ├── sealed/
│ └── gc/
├── objects/ # optional future packing
└── encryption/
```
**Notes:**
* `open/` blocks may be lost
* `sealed/` blocks are immutable
* `gc/` is host-managed
* Encryption metadata is **opaque to ASL-STORE**
---
## 9. Index Area (Semantic-Free)
### `/domains/<domain-id>/index/`
```text
index/
├── segments/
│ ├── seg-000001/
│ └── ...
├── bloom/ # optional
└── tmp/
```
ASL-HOST only guarantees:
* sealed segments are immutable
* segments become visible only after seal record
---
## 10. Append-Only Log
### `/domains/<domain-id>/log/`
```text
log/
├── append.log
├── checkpoints/
│ ├── chk-000001/
│ └── ...
└── seal.log
```
**Rules:**
* append-only
* monotonic
* replayable
* seal.log records segment seals
---
## 11. Snapshots
### `/domains/<domain-id>/snapshots/`
```text
snapshots/
├── snap-000001/
├── snap-000002/
└── pinned/
├── snap-000001
```
**Host responsibility:**
* mapping snapshots to log positions
* enforcing pinning
* enforcing courtesy limits
---
## 12. Courtesy Leases
### `/domains/<domain-id>/leases/`
```text
leases/
├── lease-001.json
├── lease-002.json
└── active
```
Each lease file:
```json
{
"lease_id": "...",
"granted_by": "...",
"storage_bytes": 1073741824,
"expires_at": "..."
}
```
ASL-HOST enforces these.
---
## 13. Temporary / Execution Space
### `/domains/<domain-id>/tmp/`
Used for:
* Sedelpress staging
* PEL execution scratch
* unsealed buffers
**Never snapshot-pinned.**
---
## 14. Federation Area
### `/asl-host/federation/`
```text
federation/
├── peers/
│ ├── <peer-domain-id>/
│ │ ├── pinned-roots/
│ │ ├── imported-snapshots/
│ │ └── replay-state.json
├── exports/
└── imports/
```
Federation is **explicit and opt-in**.
---
## 15. Quarantine
### `/asl-host/quarantine/`
Used for:
* rejected domains
* policy violations
* forensic inspection
No domain in quarantine may execute or publish.
---
## 16. ZFS / Snapshot Mapping (Recommended)
If using ZFS:
| Path | ZFS Dataset |
| ------------------------- | ------------------- |
| `/domains/<id>` | dataset |
| `/domains/<id>/store` | child dataset |
| `/domains/<id>/snapshots` | ZFS snapshots |
| `/domains/<id>/tmp` | no-snapshot dataset |
This gives **real snapshot semantics** aligned with ASL rules.
---
## 17. Invariants (Non-Negotiable)
1. No block crosses domain boundaries implicitly
2. No snapshot without log position
3. No sealed block mutation
4. No admission without DAM
5. No federation without ASL-HOST approval
---
## 18. Why This Works
✔ Clean separation of concerns
✔ Domain sovereignty enforced by path
✔ Admission-first architecture
✔ Rescue and sovereign flows unified
✔ ASL-STORE can drop in later
---
## 19. One-Sentence Summary
> **ASL-HOSTs on-disk layout is a constitutional map: it tells every byte who it belongs to, why it exists, and when it may be trusted.**
If you want, next we can:
* write a **reference filesystem implementation**
* simulate a **full rescue → admission → publish flow on disk**
* define **revocation propagation on disk**
* or map this directly to **ZFS commands**
Just say where to push next.
Reference in a new issue View git blame Copy permalink