amduat/tier1/asl-federation-1.md
2026-01-18 11:52:39 +01:00

ASL/FEDERATION/1 -- Core Federation Semantics

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [federation, domains, visibility, determinism]

Document ID: ASL/FEDERATION/1
Layer: L2 -- Federation semantics (no transport, no encodings)

Depends on (normative):

  • ASL/1-CORE
  • ASL/1-CORE-INDEX
  • ASL/LOG/1
  • ASL-STORE-INDEX

Informative references:

  • ENC-ASL-CORE-INDEX -- domain/visibility fields (tier1/enc-asl-core-index.md)
  • ASL/SYSTEM/1 -- unified system view
  • ASL/FEDERATION-REPLAY/1 -- cross-node deterministic replay
  • ASL/DAM/1 -- Domain Authority Manifest
  • ASL/POLICY-HASH/1 -- policy hash

0. Conventions

The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.

ASL/FEDERATION/1 defines semantic rules for multi-domain visibility and cross-domain references. It does not define transport, replication, or encodings.


1. Purpose

ASL/FEDERATION/1 defines the multi-domain model for ASL-based systems:

  • Domain isolation and visibility rules
  • Published vs internal state
  • Cross-domain reference constraints
  • Snapshot identity and deterministic reconstruction

2. Core Concepts

| Term | Definition |
|---|---|
| Domain | Logical namespace with its own ASL store, log, and snapshot lineage. |
| Internal state | Artifacts/snapshots visible only within the domain. |
| Published state | Artifacts/snapshots visible to other domains. |
| Federated snapshot | Snapshot with visibility state that may be imported by other domains. |
| Cross-domain reference | Reference to a published artifact from another domain. |
| Federation view | A deterministic view constructed by combining local internal state with admitted published state from other domains. |

3. Domain Semantics

  1. Domain isolation

    • Each domain has its own store, index, and log.
    • Internal state is invisible outside the domain.
  2. Published state

    • Published artifacts and snapshots are visible to other domains.
    • Published artifacts MUST satisfy ASL immutability and snapshot safety rules.
  3. Cross-domain references

    • Only published artifacts MAY be referenced by other domains.
    • Cross-domain references are read-only and immutable.
    • The consuming domain indexes imported artifacts using normal ASL index semantics.
    • Imported entries MUST preserve origin metadata (domain identity and visibility) for deterministic replay.

4. Snapshot Identity

  • Snapshot IDs are unique per domain.
  • Federated snapshot identity is (DomainID, SnapshotID).
  • A federated snapshot MAY include cross-domain references only to published artifacts.
  • Replay of federated state MUST be bounded by the source domain's {SnapshotID, LogPrefix}.

5. Visibility Rules

| Object | Internal Domain | Other Domains |
|---|---|---|
| Internal artifact | visible | hidden |
| Published artifact | visible | visible (read-only) |
| Internal snapshot | visible | hidden |
| Published snapshot | visible | visible |
| Block supporting published artifact | visible | visible |
| Block supporting internal artifact | visible | hidden |

  • Index entries follow the same visibility rules.
  • Determinism is defined per-domain and per-snapshot view.

6. Federation View Construction

To construct a federation view for a domain:

  1. Start with the local domain's internal + published state at {SnapshotID, LogPrefix}.

  2. For each admitted foreign domain, include only published state that is:

    • Visible under that domain's {SnapshotID, LogPrefix}, and
    • Allowed by the receiving domain's admission and policy rules.
  3. Apply normal ASL index shadowing and tombstone rules within each domain's log order.

Federation MUST NOT bypass ASL/LOG/1 ordering or ASL/1-CORE-INDEX semantics.
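
The three construction steps above, together with the visibility rules in section 5, can be modelled in a few lines of C. This is an added illustration, not code from include/amduat/fed/. The rec_t and bound_t layouts, the inclusive log-prefix bound, "highest sequence number wins" shadowing, and the sample records are assumptions, and the SnapshotID half of the bound is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model; not the types in include/amduat/fed/. */
typedef enum { VIS_INTERNAL, VIS_PUBLISHED } vis_t;
typedef struct {
    uint32_t domain;     /* origin domain, preserved on every entry */
    uint64_t seq;        /* position in the origin domain's log */
    const char *key;     /* artifact key */
    vis_t vis; bool tombstone;
} rec_t;
typedef struct {
    uint32_t domain;
    uint64_t log_prefix; /* assumed inclusive bound on seq */
    bool admitted;       /* outcome of the receiver's admission/policy check */
} bound_t;
/* Steps 1 and 2: may this record enter the view built for `local`? */
static bool admissible(const rec_t *r, uint32_t local,
                       const bound_t *b, size_t nb) {
    for (size_t i = 0; i < nb; i++) {
        if (b[i].domain != r->domain) continue;
        if (r->seq > b[i].log_prefix) return false;  /* outside replay bound */
        if (r->domain == local) return true;         /* internal + published */
        return b[i].admitted && r->vis == VIS_PUBLISHED;
    }
    return false;  /* no bound known for this domain: include nothing */
}
/* Step 3: in the origin domain's log order the latest admissible record
 * for a key shadows earlier ones; a tombstone hides the key. */
const rec_t *fed_view_lookup(const rec_t *recs, size_t n, uint32_t local,
        const bound_t *b, size_t nb, uint32_t origin, const char *key) {
    const rec_t *best = NULL;
    for (size_t i = 0; i < n; i++) {
        const rec_t *r = &recs[i];
        if (r->domain != origin || strcmp(r->key, key) != 0) continue;
        if (!admissible(r, local, b, nb)) continue;
        if (!best || r->seq > best->seq) best = r;
    }
    return (best && !best->tombstone) ? best : NULL;
}

/* Constructed sample: domain 1 is local; 2 is admitted, 3 is not. */
static const rec_t SAMPLE[] = {
    {1, 1, "a", VIS_INTERNAL, false}, {2, 1, "b", VIS_PUBLISHED, false},
    {2, 2, "c", VIS_INTERNAL, false}, {2, 3, "b", VIS_PUBLISHED, true},
    {3, 1, "d", VIS_PUBLISHED, false},
};
static const bound_t BOUNDS[] = { {1, 1, true}, {2, 2, true}, {3, 5, false} };
```

With domain 2 bounded at log prefix 2, key "b" resolves to the record at sequence 1. Widening that bound to 3 brings the tombstone into the view and the key disappears, which is why the bound has to be recorded for replay to be deterministic.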


7. Cross-Domain Operations

  1. Import published artifacts

    • A domain MAY import a published artifact from another domain.
    • Imported artifacts MUST be treated as immutable.
    • Import MUST be gated by admission and policy compatibility (see ASL/DAP/1 and ASL/POLICY-HASH/1).
  2. Export published artifacts

    • Internal artifacts MAY be promoted to published state.
    • Promotion MUST be snapshot-bound and log-ordered.
    • Publication MUST respect the domain's policy hash and DAM roles.
  3. Federation log propagation

    • Each domain maintains its own append-only log.
    • Federation MAY replicate published log-visible state.

8. Provenance and Traceability

  • Execution receipts MAY include cross-domain inputs.
  • Provenance MUST preserve origin domain and snapshot identity.
  • Deterministic replay MUST be possible given {Snapshot, LogPrefix} for each domain.

9. Normative Invariants

  1. Determinism: Reconstructing CURRENT in a domain yields the same visible state given the same snapshot and log prefix.
  2. Immutability: Published artifacts and snapshots are immutable.
  3. Domain isolation: Internal artifacts and snapshots are never visible to other domains.
  4. Federation safety: Cross-domain references are read-only.
  5. Snapshot integrity: Federated snapshots reference only published artifacts.

10. Integration with Other Layers

| Layer | Role in Federation |
|---|---|
| ASL/1-CORE | Artifact immutability and identity |
| ASL/1-CORE-INDEX | Semantic mapping and shadowing |
| ASL-STORE-INDEX | Sealing, retention, snapshot pinning |
| ASL/LOG/1 | Log-ordered visibility |
| ENC-ASL-CORE-INDEX | Domain/visibility metadata in records |

11. Non-Goals

  • Transport protocols
  • Network replication
  • Witness signatures
  • Domain admission and trust policy

Middle layer (informative): the daemon/service boundary around core logic that owns network transport, admission workflows, and operational policy.

Implementation note (informative): core federation primitives live in include/amduat/fed/{registry,ingest,replay,view}.h.


12. Summary

ASL/FEDERATION/1 defines the semantic rules for multi-domain visibility and cross-domain reference. It keeps federation deterministic, snapshot-safe, and read-only across domain boundaries.