Svalinn

Post-Cloud Security Architecture: A ReScript-powered edge shield (Deno) guarding container operations via Vörðr.

Svalinn is the edge-facing gateway that receives container operation requests and delegates verification to Vörðr. It provides HTTP/3 API access, request validation, and AI-assisted orchestration via MCP.

Important

Architecture Change (2025-01-15): The Vörðr container engine has been extracted to its own repository. Container engine code → hyperpolymath/vordr Protocol specification → hyperpolymath/verified-container-spec See REFERENCE.adoc for integration guidelines.

Project Status

Component	Status	Description
Edge Shield	In Development	ReScript/Deno HTTP/3 gateway
Request Validation	In Development	Validates requests against verified-container-spec
Vörðr Integration	Architecture Complete	Delegates to external Vörðr service
MCP Server	Complete	AI-assisted container management tool definitions
Authentication	Pending	OAuth2/OIDC integration

Architecture

                    ┌─────────────────────────────────────────────┐
                    │         VERIFIED CONTAINER ECOSYSTEM        │
                    └─────────────────────────────────────────────┘
                                          │
          ┌───────────────────────────────┼───────────────────────────────┐
          │                               │                               │
          ▼                               ▼                               ▼
  ┌───────────────┐            ┌─────────────────┐            ┌─────────────────┐
  │   SVALINN     │            │     VÖRÐR       │            │  CERRO TORRE    │
  │  Edge Shield  │───────────▶│   Container     │◀───────────│    Builder      │
  │ (ReScript/    │  delegates │    Engine       │  produces  │   (Ada/SPARK)   │
  │    Deno)      │            │  (Rust/Ada)     │            │                 │
  └───────┬───────┘            └────────┬────────┘            └─────────────────┘
          │                             │                               │
          │         ┌───────────────────┴───────────────────┐           │
          │         │                                       │           │
          ▼         ▼                                       ▼           ▼
  ┌───────────────────────────────────────────────────────────────────────────┐
  │                      VERIFIED-CONTAINER-SPEC                              │
  │                   (Protocol Specification)                                │
  │         Attestation Format │ Trust Model │ Verification Semantics         │
  └───────────────────────────────────────────────────────────────────────────┘

What Svalinn Does

• Edge Gateway — HTTP/3 API for container operations

• Request Validation — Validates against verified-container-spec

• Delegation — Forwards verified requests to Vörðr

• MCP Integration — AI-assisted orchestration

• Policy Enforcement — Applies edge-specific security policies

What Svalinn Does NOT Do

• Container Runtime — That’s Vörðr

• Image Building — That’s Cerro Torre

• Protocol Definition — That’s verified-container-spec

Technology Stack

Layer	Technology	Purpose
Edge API	Deno + OpenLiteSpeed	HTTP/3 serving, edge compute
Business Logic	ReScript	Type-safe request handling
Validation	verified-container-spec	Protocol conformance
Container Ops	Vörðr (external)	Delegated container management
AI Integration	MCP	AI-assisted management

Getting Started

Prerequisites

# Deno runtime
curl -fsSL https://deno.land/install.sh | sh

# ReScript compiler
npm install -g rescript

# Vörðr service (external dependency)
# See https://github.com/hyperpolymath/vordr

Configuration

# Set Vörðr endpoint
export VORDR_ENDPOINT="http://localhost:8080"

# Set verification spec
export SPEC_VERSION="v0.1.0"

Run

# Development
just dev

# Production
just build
just serve

Project Structure

svalinn/
├── src/                    # ReScript source (pending)
│   ├── gateway/            # HTTP/3 gateway
│   ├── validation/         # Request validation
│   ├── vordr/              # Vörðr client
│   └── mcp/                # MCP server
├── spec/                   # Local spec reference
├── docs/                   # Documentation
├── evidence/               # Security evidence
├── .meta/                  # Project metadata
├── ECOSYSTEM.scm           # Ecosystem positioning
├── REFERENCE.adoc          # External dependencies
├── Justfile                # Build orchestration
└── README.adoc             # This file

External Dependencies

See REFERENCE.adoc for complete dependency documentation.

Dependency	Purpose	Repository
Vörðr	Container engine (runtime, verification, proofs)	hyperpolymath/vordr
verified-container-spec	Protocol specification	hyperpolymath/verified-container-spec
Cerro Torre	Provenance-verified builds	hyperpolymath/cerro-torre

MCP Integration

Svalinn exposes MCP tools that delegate to Vörðr:

{
  "tools": [
    "svalinn_run",        // Validate and delegate to vordr_run
    "svalinn_ps",         // List via Vörðr
    "svalinn_stop",       // Validate and delegate
    "svalinn_verify",     // Check attestation via Vörðr
    "svalinn_policy"      // Edge policy management
  ]
}

Security Model

Edge Validation

All requests pass through Svalinn’s validation layer before reaching Vörðr:

1. Schema Validation — Request matches verified-container-spec

2. Policy Check — Edge-specific policies applied

3. Attestation Verification — Delegated to Vörðr

4. Audit Logging — All operations logged

Trust Boundaries

Boundary	Owner	Requirements
Public Edge	Svalinn	Request validation, rate limiting
Verification	Vörðr	Formal proofs, attestation checks
Build	Cerro Torre	Provenance, signing

Development

Justfile Commands

just                    # List all commands
just dev                # Development server
just build              # Production build
just test               # Run tests
just lint               # Lint code
just fmt                # Format code

Contributing

See CONTRIBUTING.md for guidelines.

• Language Policy: ReScript, Deno only. No TypeScript, Go, or Python.

• Security: HTTPS only, no hardcoded secrets.

• Licensing: MIT OR AGPL-3.0-or-later, SPDX headers required.

License

This project is dual-licensed under:

• MIT License

• AGPL-3.0-or-later

See LICENSE.txt for details.

References

• Vörðr Container Engine

• Verified Container Specification

• Cerro Torre Builder

• ReScript

• Deno

• Model Context Protocol