niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/notes/only place where coordination is actually required.md
Carl Niklas Rydberg 1d552bd46a Added some notes that needs to be analyzed.
2026-01-17 00:19:49 +01:00

5 KiB
Raw Blame History

Yes — this is exactly the right pressure point, and youve named it correctly.

Youre seeing the only place where coordination is actually required, and its much narrower than it first appears.

Let me be very precise and a bit formal here, because this is subtle and important.

1. First: your observation is correct

If Alice and James are both on:

common@1

and both independently “add something”, then naïvely you get:

Alice → common@2a
James → common@2b

Those are two different histories.

That would be a fork if both were considered “Common”.

So yes: 👉 something must serialize Common.

2. The crucial clarification: who is allowed to advance Common?

Common is not advanced by participants. It is advanced by a witness.

This is the architectural line that resolves the paradox.

3. Common is a witnessed log, not a shared workspace

Think of Common as:

  • an append-only log
  • with a single logical writer
  • that accepts signed submissions

Participants submit, they do not commit.

4. The minimal roles (exactly three)

1. Proposers (Alice, James, anyone)

They can:

  • create artifacts
  • create snapshots in their own domains
  • create proposals for Common

They cannot:

  • advance Commons snapshot number

2. Witness (one domain, possibly replicated)

The witness:

  • verifies signatures
  • checks policy
  • assigns the next snapshot number
  • emits common@N+1

This can be:

  • a single offline authority
  • a small quorum-backed authority
  • a rotating authority (later)

But logically it is one voice.

3. Consumers (everyone, including Alice and James)

They:

  • pin to specific common@N
  • choose when to advance
  • may ignore updates forever

5. Why this is still “distributed enough”

The witness does not need to be:

  • online all the time
  • fast
  • highly available

Because:

  • Common updates are rare
  • nothing blocks local work
  • proposals queue safely

This matches your rescue / offline-first worldview.

6. What actually happens in your scenario

Lets replay it correctly.

Initial state

common@1

Alice and James are both pinned to it.

Alice acts

Alice creates:

alice@42

She then creates:

proposal_A
  references: alice@42
  signed by: Alice

She submits this proposal to the Common witness (USB, sync later, whatever).

James acts

James independently creates:

james@17

He creates:

proposal_B
  references: james@17
  signed by: James

He submits it too.

The witness (later, offline is fine)

The witness receives both proposals.

It chooses an order (any deterministic rule):

apply proposal_A
emit common@2

apply proposal_B
emit common@3

No fork. No conflict. No simultaneity problem.

7. What if the witness is offline for a month?

Nothing breaks.

  • Alice and James continue working
  • They exchange artifacts directly if they want
  • Common just doesnt advance

When the witness comes back:

  • proposals are processed
  • snapshots advance

Time is explicit, not implicit.

8. What about multiple witnesses?

You anticipated this correctly.

There are two safe models, and one unsafe one.

Unsafe: multiple independent writers

This causes forks. We dont do this.

Safe model A: single designated witness

  • Simplest
  • Best for now
  • Matches your offline authority laptop perfectly

This is what you should start with.

Safe model B: quorum → single emitter

Multiple authorities may:

  • co-sign approval
  • vote on proposals

But only one entity actually emits common@N+1.

Quorum decides what is accepted. Emitter decides when it is numbered.

Still no fork.

9. Why we do NOT use consensus protocols here

This is important philosophically.

Consensus (Raft, Paxos, blockchain):

  • assumes frequent updates
  • assumes always-on participants
  • assumes global liveness

Your system:

  • assumes offline
  • assumes slow social processes
  • assumes human-scale trust

So:

Serialization is intentional, not a limitation.

10. How this fits your “SystemRescue + offline authority” story

Perfectly.

Your offline auth host is a natural Common witness.

  • It boots rarely
  • It accepts USB proposals
  • It emits signed Common snapshots
  • It goes dark again

Thats not a hack.

Thats the ideal operating mode.

11. Final mental model (keep this one)

Common is not a shared folder. It is a notarized ledger.

People bring papers. The notary timestamps them. The archive grows. No pages are torn out. No two page numbers collide.

12. One-line answer to your concern

Yes — without a witness you get forks. With a witness, simultaneity collapses into sequence, even offline.

If you want next, we can:

  • formalize the Common Witness role in ASL-AUTH
  • specify proposal artifact schemas
  • define exact snapshot numbering rules
  • design how a witness rotates or retires safely

Youre asking the right questions.