niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/Any node can become a system.md
Carl Niklas Rydberg 1d552bd46a Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00

291 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Yes — and that is not only reasonable, its *structurally elegant*.
What youre converging on is:
> **“Any node can become a system”** — including the *authority node* itself.
Lets make this precise and safe.
---
## 1. Key Insight
> The **Domain Authority Node (DAN)** should be bootstrapped **exactly like a SystemRescue node**,
> but with **authority-only capabilities enabled** and **no federation by default**.
Same mechanics, different policy.
This symmetry matters a lot.
---
## 2. Treat the Authority Node as a First-Class ASL-HOST
### Properties of the Domain Authority Node
* Boots from a known image (like SystemRescue)
* Has:
* ASL-HOST layout
* Internal ASL store
* Append-only log
* Snapshot support (even if trivial)
* Runs **offline**
* Never federates automatically
* Never publishes blocks unless explicitly authorized
This means:
* Keys
* DAMs
* policies
* environment claims
…are all **just artifacts**.
No magic.
---
## 3. Minimal Internal Store for Authority Node
The authority node needs only a **tiny ASL subset**:
### Required
* Block store
* Artifact index
* Append-only log
* Snapshot marker
### Not Required
* SIMD
* TGK traversal
* Federation
* GC beyond “delete nothing”
Think of it as:
> **ASL in conservation mode**
---
## 4. Why This Is the Right Model
### 4.1 Self-Consistency
If the authority node uses ASL:
* Authority artifacts are immutable
* Provenance exists from day zero
* Receipts can be generated later
You can say:
> “This domain authority was generated under snapshot X, log Y.”
Thats extremely powerful.
---
### 4.2 No Special Code Paths
There is no:
* “special authority filesystem”
* “magic cert directory”
* “out-of-band signing tool”
Everything is:
* artifacts
* policies
* receipts
This keeps the system honest.
---
## 5. Bootstrapping Flow (Concrete)
### Step 0 — Boot Image
* Boot **ASL-Authority image**
* (SystemRescue + authority tools)
* Network disabled
* Storage ephemeral or encrypted USB
---
### Step 1 — Initialize Local ASL-HOST
```text
/asl-host
/domains
/<new-domain-id>
/store
/log
/snapshots
```
No federation. Local only.
---
### Step 2 — Generate Root Key Artifact
* Keypair generated
* Stored as:
* public key artifact
* encrypted private key artifact (local only)
* DomainID derived
---
### Step 3 — Write DAM Artifact
DAM is written as an artifact into the local store.
---
### Step 4 — Write Authority Environment Claim Artifact
Also stored locally.
---
### Step 5 — Seal Snapshot
Create snapshot:
> **“Domain Authority Genesis Snapshot”**
Everything up to here is immutable.
---
### Step 6 — Export Admission Bundle
PEL program runs:
* inputs:
* DAM artifact
* environment claim artifact
* policy artifact
* output:
* SOPS bundle artifact
That output is exported.
This is **receipt-producing**, not ad-hoc scripting.
---
## 6. Why This Beats “Just a Laptop”
Because now:
* the authority machine is *auditable*
* the ceremony is *recorded*
* the result is *deterministic*
And still:
* no TPM
* no network
* no registry
---
## 7. Internal Store Security Posture
You can be strict or lax:
| Mode | Behavior |
| ------------- | ----------------------------- |
| Ephemeral | RAM-backed store, destroyed |
| Encrypted USB | LUKS + ZFS |
| WORM | Never delete, manual handling |
All valid.
ASL doesnt care.
---
## 8. Relationship to Rescue Nodes
| Aspect | Rescue Node | Authority Node |
| ---------------------- | ----------- | -------------- |
| Boots from known image | yes | yes |
| Has ASL store | yes | yes |
| Offline | often | always |
| Publishes | rarely | never |
| Federation | no | no |
| Authority keys | no | yes |
Same skeleton. Different organs.
---
## 9. Important Constraint
> **The authority node must never be required for validation.**
Once the bundle is exported:
* it stands alone
* verification does not consult the authority node
If you lose the authority machine, the domain still exists.
---
## 10. Philosophical Alignment
You described:
> “Standing at the river with a printing press.”
What youre doing here is:
> **Printing the press itself as an artifact.**
Thats the right kind of recursion.
---
## 11. What This Enables Later
Because the authority node is ASL-native, later you can:
* publish historical authority artifacts
* rotate keys with receipts
* prove domain lineage
* federate authority domains
All without rewriting assumptions.
---
## 12. One-Line Rule
> **If it matters, it should be an artifact.
> If its an artifact, it should live in ASL.**
Youre converging on a system with very few “special cases” — which is exactly why it will scale conceptually.
If you want next, we can:
* draft **ASL-AUTH-HOST profile**
* specify **authority-only PEL programs**
* define **authority key rotation as a PEL DAG**
* or draw the **exact on-disk layout for authority vs rescue nodes**
Just say the word.
Reference in a new issue View git blame Copy permalink