HPPR Ring1 Authentication

© R.A.Sol

Ring1 is the standard repository-auth API. All Ring1 requests are Seals signed by a Ring1 member key.

The key can be derived from a password or set up explicitly.

Request Envelope

Ring1 request form:

🖧: S.<hash>.H3
Seal-By: <member-vkey>
Seal-Sig: <signature>
🖧: P.<hash>.H3
Group: repo
App: 🖧<COMMAND>
Location: <repo-name>/<ring1-name>/<session-id>
TAI: <tai>
🖧: B.<hash>.H3
Data-Length: <len>

<args>

Rules:

• Group is repo
• Location carries repo name, ring1 name, and HELLO session
• Seal-By must be a configured member key or derived member key

Keys

ring0 Key

The repo verification key is the oldest packet at:

//repo/admin/ring1/ring0/keys/|/seal

Oldest means lowest (TAI, hash).

Ring1 and Ring2 setup packets must be signed by this repo key.

Ring1 Keys Config

Path:

//repo/admin/ring1/<name>/keys/|/seal/<vkey>

Packet contains Secret-Key: &.<b64a>.H3. 🖧ADD can use these keys.

Setup Config

Path:

//repo/admin/ring1/<name>/setup/|

Signed by ring0.

Headers:

• Ring1-Name
• Ring1-Secret-Token (optional)
• Ring1-Expire (optional)
• Member (repeatable)
• ACL-Rule (repeatable)

Ring1-Name constraints:

• max 128 bytes
• must match path segment
• must not contain / { } |
• must not equal . or ..

Secret Token Derivation

Ring1-Secret-Token format:

<derived-token> <original-secret>

Split on first ASCII space.

• left side: V.<b64a>.H3
• right side: original secret, may contain spaces

Client derives <derived-token> using Argon2id with HELLO PHC. Repo does not recompute Argon2id. Repo uses <derived-token> directly.

Argon2id:

• password: UTF-8 original secret
• salt: first 16 bytes of BLAKE3.derive_key("hppr-🖧/phc-salt", "<ring1>/<repo-vkey>")
• output length: 32 bytes

Then HSB3 key derivation secret is:

<derived-token>/<ring1-name>/<repo-vkey>

Special Ring1 Names

• ring0: full repository access, ACL bypass
• anyone: unauthenticated fallback ACL identity
• guest: signed non-member identity used by Ring2 flow

Pre-ACL Defaults

These apply before ACL-Rule evaluation and are final.

• ddd //repo/admin/ring1/ring0/
• dwd //repo/admin/request/ring1/
• rd. //repo/admin/ring1/
• rd. //repo/admin/identity

Ring1 Commands

Ring1 includes all commands from 030 and adds:

• 🖧HELLO
• 🖧ADD
• 🖧DETACH
• 🖧TIPS
• 🖧WATCH
• 🖧AUDIT

🖧ADD

Input is LF-separated headers, blank line, optional data.

Type selection:

• Seal-By present: create Seal
• else if any Plex header present: create Plex
• else: create Blob

Defaults:

• Group: u
• App: index
• Location: root
• TAI: now

References:

• 🖧: B.<hash> references existing Blob
• 🖧: P.<hash> references existing Plex

🖧DETACH

Payload is one hash. Removes packet from coordinate index only. Stored packet remains in hash storage. ring0 only.

🖧TIPS

Returns LF-separated versioned coordinates for tip packets.

🖧WATCH

Returns a stream of + and - lines for matching coordinate prefix changes. Events are filtered by list permission.

🖧AUDIT

Streams audit log lines. ring0 only.

Errors

Common Ring1 failures:

• HELLO_REQUIRED
• UNAUTHORIZED invalid signature
• UNAUTHORIZED not a member
• NOT_FOUND ring1
• NOT_FOUND inner packet
• INVALID config
• INVALID session
• UNAUTHORIZED ring1

Security

Ring1 expects encrypted transport for confidentiality. Replay resistance uses HELLO-bound session IDs in request Location.