⬡ IDENTITY LOOP
One ID · All Surfaces · Least Privilege Layers
NAS L0 ROOT · 6 SURFACES WIRED · 2 GAPS
THE ONE LOOP — Kay → NAS → msi01 → HVCP → Cloud → Grid → back
🏠 NAS · 192.168.2.20 · diskpool · L0 ROOT · full
🐧 msi01 · :18789 · openclaw-tui · L1 LOCAL · all fleet ops
🖥 lianli01 · Docker · NAS lattice · L1 LOCAL · engine ops
🎮 PCDEV · :7799 · control server · L1 LOCAL · game ops
📡 msclo · :18840 · CLO admiral · L1 LOCAL · inference
⚙️ HVCP · hvcp.eose.ca · control plane · L2 CLOUD CTRL · all cloud ops
🌐 master · master.eose.ca · SSO · L2 CLOUD CTRL · authed ops
🔬 master-dev · dev.eose.ca · dev plane · L2 CLOUD CTRL · dev ops
🌍 pemos.ca · public portal · L3 PUBLIC · read + interact
⬡ Grid · pemos.ca/grid · EFG · L4 MONITOR · read-only
One session identity flows through all layers. Each surface gets only the token it needs. NAS is the homebase trust anchor. msi01 openclaw-tui = Kay's keyboard voice. HVCP = cloud gate. Grid + backup page = read-only mesh view. No surface can escalate to a layer above itself.
L0 · NAS Library Tower · Root
192.168.2.20 · diskpool · Bond Library homebase
NAS SMB · //192.168.2.20/diskpool · kewin · alive
NAS Lattice · nas-lattice-engine.js → Qdrant · wired
deseof mounts · /mnt/deseof/{archive,buffer,yonder} · needs mount
Bond cloud · deseof-archive · Azure Files · synced
Identity privilege: FULL — root of all sessions. NAS is where DESEOF writes golden snapshots. All silos pull from here.
L1 · Local Mesh · Lianli Desk + Fleet
msi01 · lianli01 · PCDEV · msclo — all on 192.168.2.x
msi01 · :18789 · openclaw-tui · gateway · SSH broken
lianli01 · Docker · Kay's seat · WSL down · WSL offline
PCDEV · :7799 · control server v14 · live
msclo · :18840 · Amani · CLO admiral · live
Identity privilege: LOCAL ALL — full fleet ops within 192.168.2.x. Kay's TUI session comes from lianli01 → msi01 → agent.
L2 · Cloud Control · HVCP + Masters
hvcp.eose.ca · master.eose.ca · dev.eose.ca
HVCP · hvcp.eose.ca · pemoshvcp.eose.ca · 404 needs VS
master · master.eose.ca · SSO · Amani · live
master-dev · dev.eose.ca · 7 ARB-139 svcs · live
master1 · builder · golden-backup cron · live
Identity privilege: CLOUD CTRL — SSO-gated. HVCP is the gate between L1 and L2. pemoshvcp needs VS fix (next).
L3+L4 · Public + Monitor · pemos.ca · Grid
30+ pages live · EFG 64-cell · read-only fleet view
pemos.ca · 30+ pages · identity → none required · live
eose.ca · SSO-gated pages · Google OAuth · live
grid · pemos.ca/grid · EFG · desk tab · live
backup · pemos.ca/backup · DESEOF guardian · live
Identity privilege: READ / INTERACT — no write access. Grid can see all silos. Cannot control. Cannot escalate. Loop closes here.
PRIV · Least Privilege Matrix — What Each Surface Can Do
Matrix columns: Read fleet · Write pages · Run commands · Inference · Control silos · Access NAS

Surface | Layer | Permission cells
NAS homebase | L0 |
msi01 TUI | L1 | SMB only
msclo / CLO | L1 | msclo only · SMB only
PCDEV control | L1 | windows only · PCDEV only
HVCP cloud | L2 | ✓ (cloud) · cloud only · cloud only
master.eose.ca | L2 | SSO-gated · cloud only
pemos.ca / grid | L3+L4 |
Gaps to close — 2 remaining to complete the loop
Kay on msi01
msi01 SSH key broken — agent can't run MUF or gateway restart from cloud
→ echo "ssh-ed25519 AAAAC3...KDDB ubu-cap@msi01-fleet" >> ~/.ssh/authorized_keys
lianli01
WSL offline — lianli01's sshd and local TUI loop not accessible from msi01/msclo
→ Open Windows terminal on lianli01 → type: wsl
HVCP
hvcp.eose.ca + pemoshvcp.eose.ca return 404 — VS not routing to HVCP pods
→ Patch HVCP VS (pemos-hvcp service in hvcp-system is running)
NAS mounts
deseof-archive/buffer/yonder not mounted on silos — run deseof-nas-mount.sh on each
→ bash deseof-nas-mount.sh on msi01, msclo, lianli01