niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/legacy/Rescue Node ASL Deployment.md
Carl Niklas Rydberg 74efedf62c Rework ops specs
2026-01-17 09:21:47 +01:00

173 lines
7.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Perfect. Lets map out a **Rescue Node ASL Deployment** for your scenario, integrating **personal domain, common domain (Unity/Rakeroot), foreign-domain trust, and ASL layers**. Ill keep it clear and structured.
---
# Rescue Node ASL Deployment Conceptual Diagram
## 1. Overview
Goal: A rescue node (e.g., old laptop booted with SystemRescue) can:
* Read old material and register it in a **new personal domain**
* Store **resurrected artifacts** safely
* Interact with **common/shared domains** (Unity / Rakeroot)
* Respect **foreign-domain trust** (read-only imported artifacts)
* Produce **signed PERs** for auditing and traceability
---
## 2. Layered Architecture
```
┌───────────────────────────────────────────────────────────────┐
│ Rescue Node / SystemRescue Runtime │
│ (ASL-HOST) │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ Store Handles / Filesystems (POSIX/ZFS) │ │
│ │ - personal domain store │ │
│ │ - common / Unity store │ │
│ │ - optional foreign domain caches │ │
│ └───────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ ASL-STORE(-INDEX) │ │
│ │ - Handles blocks, snapshots, sealed segments │ │
│ │ - CURRRENT reconstruction, GC │ │
│ │ - Uses store handles provided by ASL-HOST │ │
│ └───────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ ASL-AUTH │ │
│ │ - Domain authority (personal / common / foreign) │ │
│ │ - PER signing and verification │ │
│ │ - Policy hash and offline root enforcement │ │
│ └───────────────────────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ PEL / TGK Execution │ │
│ │ - Generates PERs from recovered artifacts │ │
│ │ - TGK edges record provenance │ │
│ │ - Deterministic DAG execution │ │
│ └───────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────┘
```
---
## 3. Domains
| Domain | Purpose | Storage / Backing |
| ------------------------------ | ----------------------------------------------------------- | ------------------------------------------------ |
| **Personal Domain** | Newly minted domain on rescue node; stores rescued material | ZFS dataset or POSIX store, encrypted optionally |
| **Common / Unity Domain** | Group-shared artifacts; Unity / Rakeroot | ZFS dataset shared among users, snapshot-based |
| **Foreign Domains (optional)** | Imported read-only artifacts; pinned by trust | Cache store / ASL-HOST mount |
---
## 4. Domain Initialization
1. **Personal Domain**
* Create store: `CreateStore("/mnt/rescue/personal")`
* Generate DA manifest
* Sign manifest with offline root
* Mount snapshot overlay if needed
2. **Common / Unity Domain**
* Mount read-only: `OpenStore("/mnt/common")`
* Synchronize snapshot to local host
* Pin trusted foreign domains if group members exist
3. **Foreign Domains**
* Configure trust pin: Domain ID + Policy hash
* Mount local cache for imported artifacts
* Access **read-only**, verified via ASL-AUTH
---
## 5. Storage / Filesystem Layout
```
/mnt/rescue/
personal/ <-- personal domain store (ZFS/POSIX)
blocks/
segments/
logs/
common/ <-- Unity / Rakeroot (shared read-only store)
blocks/
segments/
logs/
foreign/ <-- optional cache for foreign domains
domainX/
blocks/
segments/
```
* **Blocks**: immutable, sealed by ASL-STORE
* **Segments**: index entries + metadata
* **Logs**: append-only, monotonic ordering
---
## 6. Snapshot Strategy
* ZFS snapshots (or overlayfs copies) per domain
* Personal domain snapshots allow **deterministic recovery**
* Common domain snapshots define **group-visible CURRENT**
* Foreign domain snapshots pinned by trust
```
personal@rescue-snap-2025-12-28
common@unity-snap-2025-12-28
foreign-domainX@snap-2025-12-01
```
---
## 7. PER Signing & Provenance
1. PEL executes DAG over rescued artifacts
2. Generates PERs
3. ASL-AUTH signs PERs with:
* Personal domain authority key
* Policy hash embedded
4. PERs stored in **personal domain**, optionally referencing:
* Common / Unity artifacts
* Foreign pinned artifacts (read-only)
---
## 8. Optional Encryption / Public Domain Courtesy
* Blocks from personal domain can be encrypted when storing in **common domain**
* Ensures **privacy while allowing shared indexing**
* Encryption keys managed by **personal DA**
---
## 9. Trust & Governance
* Offline root(s) provide deterministic trust
* Policy hash enforces publishing and cross-domain rules
* Personal domain can safely publish selected artifacts to Unity / Rakeroot
* Foreign-domain pins enforce **read-only deterministic import**
---
## 10. Summary
* Rescue node can bootstrap **personal + common + foreign domains**
* Storage handled by ASL-HOST (POSIX/ZFS)
* Indexing, snapshots, sealing by ASL-STORE(-INDEX)
* PER signing and cross-domain trust by ASL-AUTH
* Execution provenance tracked via PEL/TGK
* Flexible architecture for **personal, group, and federated domains**
---
If you want, I can **draw a fully labeled diagram** showing **how artifacts flow from the rescued home directory into personal domain, common domain, and PER generation**, including snapshots, seals, and trust pins. This would be a visual reference for your rescue mission.
Do you want me to do that next?
Reference in a new issue View git blame Copy permalink