niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/ASL-COMMON-WITNESS-ROTATION.md
Carl Niklas Rydberg 1d552bd46a Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00

5.2 KiB
Raw Blame History

Great — lets formalize it cleanly and minimally, in the same style as your other specs.

Below is a normative artifact specification. Ill keep it tight, auditable, and compatible with ASL / PEL thinking.

ASL-COMMON-WITNESS-ROTATION v0.1

1. Purpose

The Witness Rotation Artifact (WRA) authorizes a change of the active Common Witness Emitter while preserving:

  • single linear Common history
  • offline operation
  • auditability
  • fork prevention

The WRA is the only mechanism by which witness authority may change.

2. Scope and guarantees

This artifact:

  • does not modify artifacts, blocks, or snapshots directly
  • authorizes who may emit the next Common snapshot
  • is snapshot-bound and immutable
  • is evaluated only by ASL-HOST instances handling the Common domain

3. Definitions

Term Meaning
Witness Emitter The domain authorized to emit the next common@N+1
Witness Authority A domain whose key may endorse witness changes
Quorum A threshold of valid endorsements
Rotation Snapshot The first snapshot emitted under new witness authority

4. Artifact identity

Artifact type: asl.common.witness-rotation Artifact key: content-addressed (CAS) Visibility: published (Common domain only)

5. Canonical structure (logical)

artifact_type: asl.common.witness-rotation
version: 0.1

common_domain_id: <domain-id>

previous_snapshot:
  snapshot_id: common@N
  snapshot_hash: <hash>

rotation:
  old_witness:
    domain_id: <domain-id>
    pubkey_id: <key-id>

  new_witness:
    domain_id: <domain-id>
    pubkey_id: <key-id>

policy_ref:
  artifact_key: <common-policy-artifact>

reason: <utf8-string, optional>

endorsements:
  threshold: <uint>
  endorsements:
    - domain_id: <domain-id>
      pubkey_id: <key-id>
      signature: <bytes>
    - ...

created_at_logseq: <uint64>

6. Cryptographic requirements

6.1 Endorsement signature

Each endorsement signs exactly:

H(
  artifact_type
  || version
  || common_domain_id
  || previous_snapshot.snapshot_id
  || previous_snapshot.snapshot_hash
  || new_witness.domain_id
  || new_witness.pubkey_id
  || policy_ref.artifact_key
)
  • Hash function: same as ASL block hash
  • Signature scheme: per ASL-AUTH (e.g. Ed25519)

7. Validation rules (normative)

An ASL-HOST MUST accept a witness rotation artifact if and only if:

  1. previous_snapshot matches the current trusted Common snapshot
  2. All endorsement signatures are valid
  3. Endorsing keys are authorized by the referenced policy
  4. Endorsement count ≥ policy quorum threshold
  5. new_witness is not revoked in policy
  6. Artifact hash matches CAS key

Otherwise the artifact MUST be rejected.

8. Application semantics

8.1 When applied

The WRA does not immediately advance Common.

It becomes effective only when a snapshot is emitted by new_witness.

8.2 Rotation snapshot

The first snapshot emitted by the new witness:

common@N+1

MUST include:

witness:
  domain_id: <new_witness.domain_id>
  pubkey_id: <new_witness.pubkey_id>
  rotation_artifact: <artifact_key>

This snapshot:

  • seals the rotation
  • permanently records authority transfer
  • invalidates emissions by the old witness

9. Failure and recovery semantics

9.1 Old witness emits after rotation

Such snapshots:

  • MUST be rejected
  • MUST NOT be indexed
  • MAY be retained as foreign artifacts for audit

9.2 New witness fails before emitting

Rotation remains pending.

Quorum may:

  • re-endorse another WRA
  • or extend grace period (policy-defined)

No fork occurs.

10. Interaction with snapshots and CURRENT

  • CURRENT resolution MUST consider only the active witness
  • Snapshot ordering remains strictly monotonic
  • Rotation artifacts do not affect artifact visibility

11. Minimal policy requirements

The referenced Common policy artifact MUST define:

witness_policy:
  authorities:
    - domain_id
    - pubkey_id
  quorum_threshold: uint
  rotation_allowed: true

12. Security properties

This design guarantees:

  • No split-brain: only one valid witness at a time
  • Offline survivability: endorsements are asynchronous
  • Auditability: every rotation is permanently recorded
  • Revocability: compromised witnesses can be replaced

13. Why this fits ASL cleanly

  • Rotation is an artifact
  • Authority is data, not code
  • History is explicit, not inferred
  • No special network protocol required

14. One-sentence invariant (the one to remember)

A Common snapshot is valid if and only if its witness authority is provable from the previous snapshot.

If you want next, we can:

  • formalize the Common Policy Artifact
  • define the recovery-from-silence artifact
  • specify how ASL-HOST enforces witness authority at boot
  • or walk through a concrete rotation with real keys and USB transfers

This piece is now solid.