niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/walk a single artifact all the way.md
Carl Niklas Rydberg 1d552bd46a Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00

390 lines
6.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Great, lets do this **concretely and end-to-end**, but still faithful to the specs youve been shaping. Ill walk a **single artifact** all the way through its lifecycle:
* creation
* witnessing (certificate case)
* indexing
* snapshotting
* eviction from local storage
* later rehydration
* reuse in a new program
Ill label **what is normative** vs **implementation choice**, and Ill keep the mental model consistent: **blocks are physical, artifacts are semantic**.
---
# End-to-End Artifact Lifecycle Walkthrough
Well use a **certificate artifact** because it exercises *authority*, *witnessing*, and *reuse*.
Assume we are on a **personal domain** `alice.personal`, on an ASL-HOST.
---
## Phase 0 Initial state (before anything happens)
On disk:
```
/asl/domains/alice.personal/
├── blocks/
│ ├── open/
│ └── sealed/
├── index/
├── log/
├── snapshots/
└── meta/
└── dam/
```
Current snapshot:
```
alice.personal@42
```
Authority:
* DAM says `self-authority`
* Host holds Alices private key
* Host is **Active**
---
## Phase 1 Artifact creation (certificate is generated)
### What happens conceptually
A **PEL program** is run that generates a certificate:
* Input: key material, policy parameters
* Output: certificate bytes
This is *just data* at this stage.
---
### On disk: block writing (physical layer)
1. ASL allocates an **open block**:
```
blocks/open/blk_tmp_7f3a.tmp
```
2. Certificate bytes are appended to the open block.
3. The artifact bytes occupy:
```
offset = 8192
length = 1432
```
At this moment:
* No artifact exists yet (semantically)
* Bytes are **not visible**
* Crash here is allowed
---
### Block sealing (normative)
4. Block is sealed:
```
block_id = H(block_bytes)
```
File moved to:
```
blocks/sealed/7f/7f3a9c...blk
```
**Invariant satisfied:** sealed blocks are immutable.
---
## Phase 2 Artifact becomes real (indexing)
### Artifact identity
Artifact key is computed from:
```
H(certificate_bytes + type_tag + metadata)
```
Example:
```
artifact_key = a9c4…
```
---
### Index entry written
An index entry is appended to an **open index segment**:
```
index/shard-012/segment-0042.idx (open)
```
Entry:
```
ArtifactKey → (BlockID, offset, length)
type_tag = cert.x509
```
Still **not visible**.
---
### Log append (normative visibility point)
A log record is appended:
```
log-0000000000001200.asl
```
Record:
```
ADD_INDEX_ENTRY artifact_key=a9c4… segment=0042
```
Then:
```
SEAL_SEGMENT segment=0042
```
**Now the artifact exists.**
---
## Phase 3 Snapshot & witnessing
### Snapshot creation
A snapshot is emitted:
```
alice.personal@43
```
Snapshot pins:
* index segment 0042
* block 7f3a…
Snapshot manifest includes:
```
authority:
domain: alice.personal
key: alice-root-key
```
---
### Witnessing from elsewhere (certificate use case)
Now the **certificate is taken aboard** by another domain, say:
```
common
```
How?
1. The certificate artifact is **published** (policy allows this)
2. `common` imports the artifact:
* artifact bytes are fetched (or referenced)
* artifact key is preserved
3. A **cross-domain reference** is indexed in `common`
No copying is required if blocks are addressable, but often they are copied.
Witnessing here means:
> The certificate is now **provably present in two domains**, each with their own snapshot history.
---
## Phase 4 Time passes (artifact becomes cold)
A week passes.
A **local retention policy** runs (implementation choice, but policy-guided).
### GC decision (normative constraints)
The artifact:
* is sealed
* is referenced by snapshot `@43`
* is not referenced by CURRENT workflows
Policy allows **cold eviction** if:
* snapshot still exists
* artifact can be re-fetched from trusted domains
So…
---
### Block eviction (implementation choice)
Local block file is removed:
```
blocks/sealed/7f/7f3a9c...blk ← deleted
```
But:
* index entry remains
* snapshot remains
* artifact is still **logically present**
This is allowed because:
> **ASL defines availability separately from existence.**
---
## Phase 5 Artifact is needed again
Later, a new PEL program runs:
* Input: certificate artifact `a9c4…`
* Purpose: sign something new
### Artifact lookup
1. Index lookup finds:
```
ArtifactKey → (BlockID, offset, length)
```
2. Block is missing locally.
---
### Rehydration (normative + policy)
ASL-HOST:
1. Consults **domain policy**
2. Finds trusted source:
* `common`
* or a personal mirror
3. Fetches block by `BlockID`
Block is restored to:
```
blocks/sealed/7f/7f3a9c...blk
```
**Block hash verified.**
---
## Phase 6 Artifact reused in a new program
The certificate bytes are read from the block.
A new PEL program runs:
* Inputs:
* certificate artifact `a9c4…`
* new data
* Outputs:
* new artifact(s)
* new PER
These outputs repeat the **same lifecycle**.
---
## Phase 7 Index & snapshot continuity
Now:
* Snapshot `@44` references:
* old certificate
* new artifacts
* Old artifact remains immutable
* Provenance is intact
At no point did we:
* rewrite bytes
* change meaning
* trust runtime state
---
## What was witnessed, exactly?
Three things were witnessed, independently:
1. **Bytes** (block hash)
2. **Meaning** (artifact key → index)
3. **Authority** (snapshot + DAM + signatures)
This is why the system holds together.
---
## Why this works for *everything*
This same flow works for:
* certificates
* home directory tarballs
* shell command outputs
* TGK edges
* PERs
* witness rotation artifacts
Nothing special happens for “important” artifacts.
---
## The key invariants you just saw
1. **Artifacts never move**
2. **Blocks may come and go**
3. **Snapshots pin meaning, not bytes**
4. **Witnessing is just another artifact**
5. **Time does not weaken correctness**
---
## One sentence to take away
> An artifact can disappear from disk, reappear a year later, and still mean exactly the same thing.
If you want next, we can:
* walk the **same artifact across two personal machines**
* show **what breaks if someone cheats**
* map this onto **ZFS send/receive**
* or show **how PEL receipts stitch all this together**
Youre now fully “above the filesystem” — exactly where you wanted to be.
Reference in a new issue View git blame Copy permalink