HPPR Ring1 Repository Authentication

Tags: repo, auth

Ring1 is the repository-auth scheme. Ring1 requests are Seals signed by a Ring1 member verifier and carried in the Ring1 session envelope defined in 042.

The signing secret can be derived from a password or set up explicitly.

Request Envelope

Ring1 uses:

Group: repo
API: 🖧<COMMAND>
Key: <repo-name>/<ring1-name>/<session-id>
Seal-By: <member-verifier>

Rules:

Group is repo.
API names the protocol command.
Key carries repo name, Ring1 name, and HELLO session.
Seal-By must be a configured member verifier or derived member verifier.

Built-in Ring1 Names

Two names are repository-service built-ins:

ring0: full repository access, ACL bypass
anyone: unauthenticated fallback ACL identity

Built-in existence is repository-service behavior. Policy for both built-ins lives in policy packets. Other Ring1 names are configured through the packet families below.

Ring1-Name constraints for any name:

max 128 bytes
must match one Key segment
must not contain / { } |
must not equal . or ..

Packet Families

Ring1 auth, membership, and policy are in separate packet families. All three are signed by the repo verifier.

All Ring1 packet families use:

Group: repo
API: admin/ring1
Key prefix: <name>/...

Auth Config

Coordinate: //repo/admin/ring1//<name>/auth/|

Required:

Ring1-Name — must match coordinate <name>, appears exactly once

Optional:

Ring1-Secret-Token — appears at most once
Ring1-Expire — appears at most once

Validation:

Member headers are invalid here
ACL-Rule headers are invalid here

Members

Coordinate: //repo/admin/ring1//<name>/members/|/seal/<repo-verifier>

Required:

Member (repeatable) — at least one required

Validation:

ACL-Rule headers are invalid here
Auth-config headers (Ring1-Name, Ring1-Secret-Token, Ring1-Expire) are invalid here

Member carries a verifier. Password-derived membership uses Ring1-Secret-Token from the auth config packet for derivation parameters.

Policy

Coordinate: //repo/admin/ring1//<name>/policy/|

Required:

ACL-Rule (repeatable) — at least one required

Validation:

Member headers are invalid here
Auth-config headers are invalid here

ACL-Rule format and evaluation are defined in 050.

Operational Signing Material

The repo-owned signing secret lives in local operational storage, not in a canonical auth packet family.

The public repo verifier is derived from that local signing secret and maintained in //repo/admin/identity//root/|.

Auth, member, and policy packets are signed by the repo verifier. They do not carry secret material and are not the canonical source of repo signing-secret state.

Secret Token Derivation

Ring1-Secret-Token format:

<derived-token> <original-secret>

Split on first ASCII space.

left side: V.<b64a>.H3
right side: original secret, may contain spaces

Client derives <derived-token> using Argon2id with HELLO PHC. Repo does not recompute Argon2id. Repo uses <derived-token> directly.

Argon2id:

password: UTF-8 original secret
salt: first 16 bytes of BLAKE3.derive_key("hppr-🖧/phc-salt", "<ring1>/<repo-verifier>")
output length: 32 bytes

Then HSB3 signing secret derivation input is:

<derived-token>/<ring1-name>/<repo-verifier>

Pre-ACL Defaults

These apply before policy-packet evaluation and are final. They are repository-service runtime code, not packets.

ddd //repo/admin/ring1//ring0/
dwd //repo/admin/request//join/
rd. //repo/admin/ring1//
rd. //repo/admin/identity//root
r.. //<group>/admin/members//root/|

Request/reply provisional access for join workflows is also runtime code, not packetized auth state.

Watch/Reload Trigger Map

Packet coordinate	Effect
`//repo/admin/identity//root/\|`	refresh repo identity; refresh repo verifier view
`//repo/admin/ring1//<name>/auth/\|`	reload Ring1 auth-config cache for `<name>`
`//repo/admin/ring1//<name>/members/\|/seal/<repo-verifier>`	reload Ring1 membership/auth cache for `<name>`
`//repo/admin/ring1//<name>/policy/\|`	reload ACL snapshot; apply ACL changes to active WATCH streams

Load and Evaluation Order

parse the repository request envelope
read auth config from //repo/admin/ring1//<name>/auth/|
resolve membership from //repo/admin/ring1//<name>/members/|/seal/<repo-verifier>
derive or verify member verifier; produce authenticated principal or reject
load policy from //repo/admin/ring1//<name>/policy/|
evaluate read / write / list per 050
workflow packets under //repo/admin/request//... are ordinary stored packets subject to policy, not auth-config state

Ring1-only Commands

These commands require Ring1 ring0 authentication:

🖧DETACH
🖧AUDIT

🖧ADD may use Seal-By: ring0 packet creation mode only with Ring1 ring0 authentication. Command details are defined in 041.

Errors

Common Ring1 failures:

HELLO_REQUIRED
UNAUTHORIZED invalid signature
UNAUTHORIZED not a member
NOT_FOUND ring1
NOT_FOUND inner packet
INVALID config
INVALID session
UNAUTHORIZED ring1

Security

Ring1 expects encrypted transport for confidentiality. Replay resistance uses HELLO-bound session IDs in request Key.