Green-Zone Admission
Green-zone is an advanced HyperBEAM identity-sharing path for LapEE nodes. It is not required to boot or verify a single node.
A green-zone is a shared signing identity admitted by evidence. Existing members verify a candidate, compare the candidate evidence against a template, then use TPM MakeCredential and ActivateCredential so only the candidate TPM can recover the admission secret.
Endpoints
| Endpoint | Purpose |
|---|---|
~green-zone@1.0/info | Device metadata. |
~green-zone@1.0/init | Create a named local ring identity after local evidence matches a template. |
~green-zone@1.0/status | Report local green-zone state. |
~green-zone@1.0/admit | Verify a candidate and wrap admission material to its TPM. |
~green-zone@1.0/join | Ask a peer for admission, activate the credential locally, and install the shared identity. |
~green-zone@1.0/match | Test evidence against a template. |
Template Model
Templates are HyperBEAM message patterns:
- Map values recurse.
- Non-map values match exactly.
"_"is a wildcard.- Metadata keys are ignored.
Example shape:
{
"name": "operator-ring",
"template": {
"node": {
"trusted-device-signers": [
"LapEEOperatorConfigSigner111111111111111111111111111"
]
}
}
}
Acceptance Path
Admission checks the candidate through ~tpm@2.0a/verify-peer. A member only
admits the candidate when:
- The peer attestation verifies.
- The candidate evidence matches the configured template.
- The TPM credential activation succeeds.
- The returned admission is signed by the green-zone identity.
There is no generic protected-key signing endpoint. Green-zone uses HyperBEAM identity selection and signed AO messages.
Source Harness
The source repo includes QEMU acceptance coverage:
make qemu-green-zone
make qemu-operator-config
qemu-operator-config proves that config.json is part of the node message
and that a signer-required green-zone accepts the configured node while
rejecting the node without that config.