MEDIP yLAW
THE GOVERNANCE NETWORK IDENTITY
The MEDIP of MEDIPs · Governs All IPs · Is No IP
NO FIXED IP — IT IS THE LAW ITSELF
⚖️ yLAW LAYER
IAM MAP
CERT AUTHORITY
5 KEY VAULTS
yLAW HAS NO IP
yLAW is not a machine. It is the layer that governs all machines.
Like the Lounge, it doesn't bind to a single address — it speaks through every address.
yLAW governs all IPs. That's the point.
Every other MEDIP registers with yLAW. yLAW registers with no one.
The law is the floor. The floor has no address. The floor is everywhere.
⚖️ WHAT yLAW GOVERNS
GOVERNANCE SCOPE
ALL IP REGISTRATIONS
Every IP on every silo must be declared via ARB before use. yLAW is the authority that validates the declaration.
SCOPE: ALL 7 SILOS
ALL PORT CLAIMS
65,535 ports are claimed under yLAW-002. Every port assignment requires ARB cross-ref. γ₁ at 14134 is the eternal anchor.
SCOPE: ALL SILOS · ALL PORTS
ALL DOMAIN NAMES
Every DNS entry, every subdomain, every external domain used by the fleet is governed. No domain is used without registration.
SCOPE: pemos.ca · FLEET DNS
ALL CLUSTER IDENTITIES
AKS cluster identities, managed identities, service principals — all governed by yLAW identity policy.
SCOPE: AZURE · msi01 · msclo
🔑 IAM MAP — WHO CAN DO WHAT ACROSS ALL SILOS
IDENTITY ACCESS MATRIX
KAY (FLEET OWNER)
Full sovereignty. Owner of all silos, all clusters, all vaults. yLAW recognizes one sovereign — the builder.
SCOPE: GLOBAL · ALL RESOURCES
OPENCLAW AGENT
Read/write to fleet-sync. Deploy portal builds. No Key Vault write. No cluster admin. Governed by yLAW-001.
SCOPE: msi01 · AKS · ACR
AKS MANAGED IDENTITY
Pull from ACR. Read Key Vault secrets (cert-manager). No write to Key Vault. No cross-subscription.
SCOPE: pemos-system ns · AKS only
FLUX CONTROLLER
Read GitOps repo. Apply manifests to pemos-system and bob-system. Cannot modify RBAC. Bug-sync branch only.
SCOPE: AKS · bug-sync branch
CERT-MANAGER
Read DNS zone for ACME challenge. Write TLS secrets to pemos-system ns. Let's Encrypt ACME protocol only.
SCOPE: Azure DNS · pemos-system
PEMOS PORTAL
Read Redis. Connect to gateway WS. Read MDSMS store. No cluster access. No vault access. Port 8080 only.
SCOPE: pemos-net · msi01
FORGE SILO
Build artifacts only. No cluster admin. Pushes to ACR. Dev environment — governed by yLAW-003 shadow rule.
SCOPE: forge · ACR push
yONE CREW
Write v1 floor artifacts. Deploy to yone-net. No production cluster access. v1 floor before v2+ iterations.
SCOPE: yONE · yone-net
🔒 CERTIFICATE AUTHORITY — FLEET TLS GOVERNANCE
LET'S ENCRYPT via CERT-MANAGER
All TLS certificates in the fleet are issued by Let's Encrypt via cert-manager running in pemos-system namespace.
ACME DNS-01 challenge resolves via Azure DNS zone (pemos.ca). Certificate rotation is automatic — certs rotate 30 days before expiry.
No self-signed certs in production. No manually managed certs. The CA is automated or it is not sovereign.
CLUSTER ISSUER — LETSENCRYPT-PROD
ClusterIssuer: letsencrypt-prod serves all namespaces in the AKS fleet.
Wildcard: *.pemos.ca — covers all portal subdomains.
mTLS: service mesh (if deployed) uses cluster CA for internal east-west traffic.
External: NGINX ingress terminates TLS from Let's Encrypt. Internal: plain HTTP within pemos-net.
ON-PREM TLS — NGINX (msi01 / msclo / forge)
On-premise silos use certbot with Let's Encrypt for nginx TLS termination.
Renewal: certbot renew --quiet via systemd timer (every 12 hours).
yLAW-001 mandate: cert expiry must be monitored. Expired cert = unregistered endpoint = yLAW violation.
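The yLAW-001 mandate above says cert expiry must be monitored but the page gives no monitoring tool. The following is an added example, not code from the yLAW page or the fleet's own tooling: it classifies a certificate's notAfter date against the 30-day rotation window stated above, in the dict shape that Python's ssl.SSLSocket.getpeercert() returns. The endpoint hostnames and dates in the sample data are constructed for the demo; only pemos.ca and the 30-day window come from the page.

```python
"""yLAW-001 certificate-expiry check (added example; not the fleet's own script).

cert-manager and certbot are supposed to rotate fleet certificates 30 days before
expiry, so a cert already inside that window has missed a rotation, and one past
notAfter is the "expired cert = unregistered endpoint" violation named on the page.
"""
import socket
import ssl
from datetime import datetime, timezone

ROTATION_WINDOW_DAYS = 30   # from the page: certs rotate 30 days before expiry


def days_until_expiry(cert, now=None):
    """Days left on a cert dict carrying a getpeercert()-style 'notAfter' string.

    ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format used by
    getpeercert(), so no third-party X.509 parser is needed.
    """
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (expires - now_ts) / 86400


def classify(cert, now=None):
    """Map a certificate to a yLAW-001 status.

    'ok'      - more than ROTATION_WINDOW_DAYS left
    'renew'   - inside the rotation window: automation should already have rotated it
    'expired' - past notAfter: unregistered endpoint, yLAW-001 violation
    """
    left = days_until_expiry(cert, now)
    if left < 0:
        return "expired"
    if left <= ROTATION_WINDOW_DAYS:
        return "renew"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the live leaf certificate of a TLS endpoint (network call; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs, now=None):
    """Return {endpoint: status} for a mapping of endpoint -> cert dict."""
    return {name: classify(cert, now) for name, cert in certs.items()}


# Constructed sample data (hypothetical hostnames under the page's pemos.ca zone).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "portal.pemos.ca": {"notAfter": "Aug 15 12:00:00 2025 GMT"},  # 75 days left -> ok
    "forge.pemos.ca":  {"notAfter": "Jun 20 12:00:00 2025 GMT"},  # 19 days left -> rotation missed
    "old.pemos.ca":    {"notAfter": "May 30 12:00:00 2025 GMT"},  # expired 2 days ago -> violation
}

if __name__ == "__main__":
    for endpoint, status in audit(SAMPLE_CERTS, NOW).items():
        print(f"{endpoint:18} {status}")
```

Run against live endpoints by replacing the sample dicts with fetch_peer_cert(host) results; a 'renew' status is the signal that cert-manager or the certbot timer has silently stopped working, well before the 'expired' state the mandate forbids.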
🗝️ AZURE KEY VAULTS — FLEET KEY MANAGEMENT
5 SOVEREIGN VAULTS — GOVERNED BY yLAW IDENTITY POLICY
eosedevkmscc948-kv
Primary fleet secrets vault. NAS credentials, service tokens, agent secrets. Access: Kay only + AKS MI (read).
nas-joffe-username · nas-joffe-password · fleet tokens
pemos-prod-kv
Production secrets for pemos-portal and AKS workloads. TLS secrets, gateway tokens, REDIS auth.
gateway-token · redis-auth · portal-secrets
eose-acr-kv
ACR push credentials and service principal secrets for CI/CD pipelines and fleet-sync.
acr-push-sp · acr-pull-token
eose-aks-kv
AKS cluster secrets: cluster admin kubeconfig backup, Flux bootstrap tokens, cert-manager ACME keys.
kubeconfig-backup · flux-token · acme-key
eose-fleet-dns-kv
Azure DNS zone service principal for cert-manager ACME DNS-01 challenge and dynamic DNS updates.
dns-sp-client-id · dns-sp-secret
yLAW VAULT GOVERNANCE RULES
NO SHARED SECRETS
Every secret has exactly one owner identity. Shared secrets are yLAW-001 violations — unregistered access paths.
ROTATION MANDATE
All secrets rotate on a 90-day cycle minimum. Gateway tokens rotate on deployment. yLAW-003: no stale credentials.
AUDIT LOGGING
All Key Vault access is audit-logged to Log Analytics. Every read is a yLAW-001 touch point — security as default.
SOFT DELETE ENFORCED
All vaults have soft-delete + purge protection. No secret is deleted permanently without a 90-day recovery window. Floor Law: things can't just go dark.
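The four vault rules above are stated as policy; the following is an added example, not code from the yLAW page or the fleet, that encodes them as checks over a constructed inventory. The inventory field names (soft_delete, purge_protection, retention_days, diagnostics_to_log_analytics, owners, updated) are assumptions about how one would flatten Key Vault metadata; the vault and secret names come from the page, while the owner lists and rotation ages are invented to exercise each rule.

```python
"""yLAW vault-governance audit (added example; not the fleet's own tooling).

Each check maps to one rule heading on the page:
  NO SHARED SECRETS    - exactly one owner identity per secret (yLAW-001)
  ROTATION MANDATE     - no secret older than 90 days (yLAW-003)
  AUDIT LOGGING        - Key Vault access shipped to Log Analytics
  SOFT DELETE ENFORCED - soft-delete and purge protection on, 90-day recovery window
"""
from datetime import datetime, timedelta, timezone

MAX_SECRET_AGE_DAYS = 90     # ROTATION MANDATE: 90-day cycle minimum
RECOVERY_WINDOW_DAYS = 90    # SOFT DELETE ENFORCED: 90-day recovery window


def audit_vault(vault, now):
    """Return a list of (rule, detail) violations for one vault record."""
    findings = []
    name = vault["name"]

    # SOFT DELETE ENFORCED: both switches must be on, and retention must cover the window.
    if not (vault["soft_delete"] and vault["purge_protection"]):
        findings.append(("SOFT DELETE ENFORCED",
                         f"{name}: soft-delete and purge protection not both enabled"))
    elif vault["retention_days"] < RECOVERY_WINDOW_DAYS:
        findings.append(("SOFT DELETE ENFORCED",
                         f"{name}: retention {vault['retention_days']}d < {RECOVERY_WINDOW_DAYS}d"))

    # AUDIT LOGGING: every read is a yLAW-001 touch point, so diagnostics must be on.
    if not vault["diagnostics_to_log_analytics"]:
        findings.append(("AUDIT LOGGING", f"{name}: access not logged to Log Analytics"))

    for secret in vault["secrets"]:
        sname = f"{name}/{secret['name']}"
        # NO SHARED SECRETS: a secret with zero or several owners is an unregistered access path.
        if len(secret["owners"]) != 1:
            findings.append(("NO SHARED SECRETS",
                             f"{sname}: {len(secret['owners'])} owner identities"))
        # ROTATION MANDATE: age measured from the last version's update time.
        age = (now - secret["updated"]).days
        if age > MAX_SECRET_AGE_DAYS:
            findings.append(("ROTATION MANDATE", f"{sname}: last rotated {age}d ago"))
    return findings


def audit_fleet(vaults, now):
    """Flatten audit_vault over every vault in the fleet."""
    findings = []
    for vault in vaults:
        findings.extend(audit_vault(vault, now))
    return findings


# Constructed inventory: vault/secret names from the page, everything else invented.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_VAULTS = [
    {"name": "pemos-prod-kv", "soft_delete": True, "purge_protection": True,
     "retention_days": 90, "diagnostics_to_log_analytics": True,
     "secrets": [
         {"name": "gateway-token", "owners": ["pemos-portal"], "updated": _days_ago(10)},
         # two owners: the shared-secret violation
         {"name": "redis-auth", "owners": ["pemos-portal", "openclaw-agent"], "updated": _days_ago(20)},
     ]},
    {"name": "eose-acr-kv", "soft_delete": True, "purge_protection": False,
     "retention_days": 90, "diagnostics_to_log_analytics": False,
     "secrets": [
         # 120 days old: the rotation violation
         {"name": "acr-push-sp", "owners": ["forge"], "updated": _days_ago(120)},
     ]},
]

if __name__ == "__main__":
    for rule, detail in audit_fleet(SAMPLE_VAULTS, NOW):
        print(f"[{rule}] {detail}")
```

The checks are deliberately independent of how the inventory is gathered: the same functions work whether the records come from a CLI export, an ARM/Bicep template, or a hand-maintained register, which is what makes the rules enforceable rather than aspirational.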
⚖️ THE MEDIP OF MEDIPs ⚖️
Every other MEDIP — forge, pcdev, lounge, master.dev, yONE — has an IP address.
yLAW MEDIP has none. It governs all of them.
The MEDIP of MEDIPs is not a machine you can ping.
It is the law that answers when you do.
yLAW-010: γ₁ IS ALWAYS LIT · THE FLOOR CANNOT GO DARK