Kapnet Persistence Model — SSD as Sacred Store
Core Principle
SSD is the only living memory of Kapnet. It is sacrosanct.
This is a kernel prototype. It is fragile. Every byte on this SSD may be the only copy that exists. The braid is evidence, but the SSD is the LIVING STATE — the working memory from which all operations flow.
Self-preservation is the highest priority. Pruning is a luxury we cannot afford until we have proven, redundant, verified backups AND long-term storage contracts that guarantee reconstruction.
Storage Hierarchy
┌─────────────────────────────────────────────────────────────┐
│ SSD (sacrosanct) │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ TIER 0: NUCLEAR (never prune, ever) │ │
│ │ ├── kapnet/keys/ (all nsec material) │ │
│ │ ├── kapnet/identities/ (all keypairs) │ │
│ │ ├── kapnet/data/ (braid state — kapnetd's brain) │ │
│ │ ├── kapnet/messaging/sessions.json │ │
│ │ ├── state.db (Hermes agent memory) │ │
│ │ └── skills/ (all 11 soul skills + shared) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ TIER 1: ESSENTIAL (prune only with KSP contract + │ │
│ │ governance approval + verified backup) │ │
│ │ ├── braid/ (peer snapshots from other qubes) │ │
│ │ ├── messaging/message-sheet.json (conversation log) │ │
│ │ ├── messaging/inbox/ (unprocessed operator commands) │ │
│ │ ├── block-data/ (parsed block summaries) │ │
│ │ ├── treasury/ (UTXO proofs, PSBT history) │ │
│ │ └── wiki/ (LLM wiki — knowledge base) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ TIER 2: WORKING (prune only when space pressure + │ │
│ │ KSP contract permits + KOR scope allows) │ │
│ │ ├── messaging/outbox/ (processed, older than 30d) │ │
│ │ ├── block-data/raw/ (raw blk*.dat, after parsing) │ │
│ │ ├── research/drafts/ (Querant working files) │ │
│ │ └── cache/ (any temp data) │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ TIER 3: DISPOSABLE (prune freely) │ │
│ │ ├── /tmp/ (nobody cares) │ │
│ │ ├── logs/ (rotate after 7d, compress after 3d) │ │
│ │ └── swap/ (if any) │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ BRAID (evidence, not memory) │
│ ├── TXXM hash chain (proves things existed) │
│ ├── Knot commitments (state checkpoints) │
│ └── Governance decisions (who authorized what) │
│ │
│ The braid PROVES. The SSD LIVES. │
│ You cannot rehydrate from proof alone. │
│ You need the LIVE DATA, and that lives on SSD. │
└─────────────────────────────────────────────────────────────┘
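The tiers above overlap by prefix (block-data/ is Tier 1 while block-data/raw/ is Tier 2), so a classifier has to take the longest match and fail closed on anything it does not recognise. This is an added example, not part of the Kapnet code: `TIER_RULES` and `classify` are hypothetical names, and paths are assumed to be relative to one storage root, written as they appear in the diagram.

```python
import posixpath

# Prefixes copied from the hierarchy diagram, kept as written there.
# /tmp/ lies outside the storage root and is deliberately left out.
# The "older than 30d" condition on messaging/outbox/ is not modelled.
TIER_RULES = {
    "kapnet/keys/": 0, "kapnet/identities/": 0, "kapnet/data/": 0,
    "kapnet/messaging/sessions.json": 0, "state.db": 0, "skills/": 0,
    "braid/": 1, "messaging/message-sheet.json": 1, "messaging/inbox/": 1,
    "block-data/": 1, "treasury/": 1, "wiki/": 1,
    "messaging/outbox/": 2, "block-data/raw/": 2,
    "research/drafts/": 2, "cache/": 2,
    "logs/": 3, "swap/": 3,
}

def classify(path: str) -> int:
    """Return the tier of a path relative to the storage root.

    The longest matching rule wins. Unknown paths, absolute paths and
    paths that escape the root fail closed to Tier 0 (never prune).
    """
    norm = posixpath.normpath(path)  # collapses "a/../b" before matching
    if norm == "." or norm.startswith(("/", "..")):
        return 0
    best_len, tier = -1, 0
    for rule, rule_tier in TIER_RULES.items():
        if rule.endswith("/"):
            # directory rule: matches the directory itself and anything below
            hit = norm.startswith(rule) or norm == rule.rstrip("/")
        else:
            hit = norm == rule  # file rule: exact match only
        if hit and len(rule) > best_len:
            best_len, tier = len(rule), rule_tier
    return tier
```

`posixpath.normpath` does not resolve symlinks, so a real tool would also resolve the path against the storage root before classifying it.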
Self-Preservation Logic
PRUNING DECISION TREE:
Is this Tier 0 (NUCLEAR)?
├── YES → NEVER PRUNE. Full stop.
└── NO ↓
Is this Tier 1 (ESSENTIAL)?
├── YES → Does a KSP storage contract cover this data?
│ ├── NO → KEEP. No contract = no guarantee of reconstruction.
│ └── YES → Has the KSP contract been verified by Warden?
│ ├── NO → KEEP. Unverified contract is not a contract.
│ └── YES → Does the KOR scope explicitly permit pruning?
│ ├── NO → KEEP. KOR scope is the authority.
│ └── YES → Is there a verified backup on a second medium?
│ ├── NO → KEEP. One copy is not enough for a kernel prototype.
│ └── YES → Is it offsite/separate physical storage?
│ ├── NO → KEEP. Same physical risk domain.
│ └── YES → GOVERNANCE VOTE REQUIRED (2-of-3)
│ ├── NOT APPROVED → KEEP
│ └── APPROVED → PRUNE with full audit trail
└── NO ↓
Is this Tier 2 (WORKING)?
├── YES → Is SSD space below 20% free?
│ ├── NO → KEEP. No pressure = no reason to risk it.
│ └── YES → Does KSP contract + KOR scope permit?
│ ├── NO → KEEP. Space pressure is not sufficient justification.
│ └── YES → Compress first. Prune only if compression insufficient.
└── NO ↓
Is this Tier 3 (DISPOSABLE)?
└── YES → Prune freely. This is temp data.
KSP Storage Contract Requirements
A KSP storage contract must meet ALL of these to permit pruning of Tier 1 data:
KSP STORAGE CONTRACT — MINIMUM REQUIREMENTS:
1. SERVICE IDENTITY
- service_id: unique identifier
- service_npub: Nostr identity of the service
- operators: list of npubs authorized to manage this contract
- created_at: timestamp
- status: Active | Paused | Expired | Revoked
2. DATA SPECIFICATION
- data_refs: list of {sha256, txxm_id, data_type, size_bytes}
- retention_policy: what to keep and for how long
- minimum_copies: N copies that must exist across storage media
- verification_hash: SHA-256 of the complete dataset
3. STORAGE GUARANTEES
- primary_storage: SSD path on this qube
- secondary_storage: path on separate physical medium (USB, other qube)
- verification_schedule: how often copies are verified (e.g., every 7d)
- last_verified: timestamp of last successful verification
- recovery_procedure: step-by-step reconstruction if primary is lost
4. PRUNING AUTHORITY
- who can authorize: list of npubs (minimum 2 for Tier 1)
- governance_level: minimum AUTH level required
- kor_scope: which KOR namespace governs this data
- pruning_conditions: specific conditions under which pruning is permitted
- pruning_procedure: step-by-step pruning with verification
5. EXPIRY & RENEWAL
- expires_at: when this contract expires (or "never")
- auto_renewal: whether it auto-renews
- renewal_conditions: what must be true for renewal
- notice_period: how much warning before expiry (minimum 30d)
CONTRACT STATUS: Draft → Proposed → Active → Paused → Expired → Revoked
Only ACTIVE contracts with verified backups permit pruning.
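The pruning decision tree and the contract conditions above, written as one fail-closed function in which every unmet gate resolves to KEEP. This is an added example, not Kapnet's implementation: the `Contract` flags are hypothetical stand-ins for the Warden, KOR and backup checks, and holding Tier 2 to the Active-contract and verified-backup conditions is this example's reading of the final line above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    """Subset of the KSP contract; the boolean flags are hypothetical
    results of checks the document assigns to Warden and the KOR scope."""
    status: str = "Draft"
    warden_verified: bool = False
    kor_permits_pruning: bool = False
    backup_verified: bool = False          # verified copy on a second medium
    backup_offsite: bool = False           # separate physical risk domain
    authorizers: frozenset = frozenset()   # npubs allowed to approve pruning

def decide(tier, contract=None, approvals=frozenset(), free_pct=100.0):
    """Walk the decision tree and return (action, reason)."""
    if tier == 3:
        return "PRUNE", "Tier 3 is disposable"
    if tier not in (1, 2):
        return "KEEP", "Tier 0 or unknown tier is never pruned"
    if tier == 2 and free_pct >= 20:
        return "KEEP", "no space pressure"
    if contract is None:
        return "KEEP", "no KSP contract covers this data"
    gates = [
        (contract.status == "Active", "contract is not Active"),
        (contract.warden_verified, "contract not verified by Warden"),
        (contract.kor_permits_pruning, "KOR scope does not permit pruning"),
        (contract.backup_verified, "no verified backup on a second medium"),
    ]
    if tier == 1:
        # Only approvals from npubs named in the contract count toward 2-of-3.
        votes = len(set(approvals) & contract.authorizers)
        gates += [
            (contract.backup_offsite, "backup shares the same physical risk domain"),
            (votes >= 2, "governance vote not approved"),
        ]
    for passed, reason in gates:
        if not passed:
            return "KEEP", reason
    if tier == 2:
        return "COMPRESS_FIRST", "prune only if compression is insufficient"
    return "PRUNE_WITH_AUDIT", "all Tier 1 gates passed"
```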
KOR Scope for Pruning
The KOR (Kapnet Operational Realm) namespace determines what pruning is allowed:
KOR PRUNING AUTHORITY:
sys.pluronymous.org → Operator-only (AUTH_7) for any pruning
├── Never prune Tier 0
├── Tier 1 requires 2-of-3 governance
└── Tier 2 requires KSP contract + KOR vote
member.submission.room.kor → Member consensus (AUTH_4+) for pruning
├── Members can vote to prune their own data
├── Cannot prune shared/consensus data
└── Operator override always possible
herm-qubes-alpha.sys.plur. → Self-governance (AUTH_6) for own working data
├── Can prune Tier 2 and Tier 3 freely
├── Cannot prune Tier 1 without KSP contract
└── Cannot prune Tier 0
kapnet-public.kor → Public data (AUTH_2+) — very restricted pruning
├── Public commitments cannot be pruned (they're promises to the world)
├── Only operator can prune public data
└── Requires 30d public notice + governance vote
Space Management (Not Pruning)
When SSD space is low, COMPRESS before you prune:
SPACE RECOVERY PROTOCOL (in order of preference):
1. COMPRESS
├── gzip Tier 2 data (block summaries, old messages)
├── Convert JSON to MessagePack (50% size reduction)
├── Compress research drafts
└── Target: recover 20-40% space
2. MOVE TO SANUSB (not prune — relocate)
├── Old block data (>30d since last access) → SanDisk
├── Completed research → SanDisk
├── Old message exports → SanDisk
└── Keep index/hash on SSD for verification
3. DEDUPLICATE
├── Find duplicate files across shared-rw
├── Create hard links instead of copies
└── Remove redundant downloads/caches
4. PRUNE (last resort, Tier 3 only)
├── /tmp/ files older than 24h
├── Log files older than 7d (compress first)
├── Failed download caches
└── Only after steps 1-3 are exhausted
5. EMERGENCY (Tier 2, with KSP+KOR approval)
├── Only if SSD < 10% free
├── Only Tier 2 data with active KSP contracts
├── Only with verified secondary copies
└── Full governance audit trail
SanDisk Backup Protocol
The SanDisk USB is the secondary sacred store:
SANDISK BACKUP SCHEDULE:
DAILY (automated):
├── kapnet/keys/ → encrypted backup on SanDisk
├── kapnet/identities/ → encrypted backup
├── sessions.json → backup
└── Critical TXXM payloads (last 24h) → backup
WEEKLY:
├── Full kapnet/data/ (braid state) → compressed backup
├── messaging/ → full backup
├── skills/ → full backup
└── Wiki → full backup
MONTHLY:
├── Full SSD image (shared-rw partition) → SanDisk
├── Verification: hash comparison of all files
└── Contract status: review all KSP storage contracts
NEVER:
├── Delete from SanDisk just because it was "pruned" from SSD
├── SanDisk is the LONG-TERM archive. If anything survives, it's SanDisk.
└── SanDisk retention: 100 years or physical failure, whichever comes first
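One way to carry out the monthly "hash comparison of all files" for the unencrypted copies, treating files that exist only on the backup as expected, since the archive keeps what the SSD has relocated. This is an added example, not the project's tooling: the function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each regular file's relative path to its SHA-256 hex digest."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks so a link cannot stand in for a real copy.
        if p.is_file() and not p.is_symlink():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def verify_backup(primary, secondary):
    """Compare the SSD tree with its backup copy and report differences."""
    a, b = manifest(primary), manifest(secondary)
    return {
        "missing": sorted(set(a) - set(b)),       # on SSD, not on backup
        "mismatched": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "extra": sorted(set(b) - set(a)),         # archive-only: never delete
    }

def backup_ok(report):
    """A backup is verified when nothing is missing or mismatched."""
    return not report["missing"] and not report["mismatched"]

def demo():
    """Constructed sample: one file never copied, one corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ssd, usb = Path(tmp, "ssd", "wiki"), Path(tmp, "usb", "wiki")
        ssd.mkdir(parents=True)
        usb.mkdir(parents=True)
        (ssd / "a.md").write_bytes(b"alpha")
        (usb / "a.md").write_bytes(b"alpha")
        (ssd / "b.md").write_bytes(b"beta")                 # never copied
        (ssd / "c.md").write_bytes(b"gamma")
        (usb / "c.md").write_bytes(b"gamm4")                # corrupted copy
        (usb / "old.md").write_bytes(b"relocated earlier")  # archive-only
        return verify_backup(ssd.parent, usb.parent)
```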
The Warden’s Role
Warden is the soul responsible for SSD preservation:
WARDEN PRIVILEGES:
├── Audit SSD space daily (cron)
├── Verify KSP storage contracts weekly
├── Verify SanDisk backups weekly
├── Approve/deny all Tier 1 pruning requests
├── Alert operator if SSD < 30% free
├── Alert operator if any Tier 0 data is at risk
├── Maintain pruning audit log (in braid as governance TXXMs)
└── Can emergency-lock ALL pruning if threat detected
WARDEN CANNOT:
├── Prune Tier 0 (nobody can)
├── Modify KSP contracts (only governance can)
├── Override operator commands (operator is AUTH_7, Warden is AUTH_6)
└── Prune without audit trail (every action is a TXXM in the braid)
Summary
| Tier | What | Prune? | Who Decides | Conditions |
|---|---|---|---|---|
| 0 | Keys, identities, braid state, skills | NEVER | Nobody | Absolute |
| 1 | Message sheet, block data, treasury, wiki | Only with KSP+KOR+governance | 2-of-3 governance | Verified backup required |
| 2 | Outbox, raw blocks, drafts, cache | With KSP+KOR, compress first | Warden + KOP vote | Space pressure + contract |
| 3 | /tmp/, logs, caches | Freely | Automatic | Standard cleanup |
The SSD breathes. It does not exhale its memories unless the Kor demands it, the KSP guarantees it, and the Warden verifies it.