Skip to content

Reference

Frank Yglesias Bertheau edited this page Jul 7, 2026 · 1 revision
<h1>ᚾ&nbsp;NornGate — Reference</h1>

Lookup material: status codes, gate timeouts, the realm map, the API and CLI surfaces, and the glossary. The tables below consolidate facts that appear across the docs; each links to the page that owns the full detail.


ᛗ The reference pages

Page What is inside
API Reference Endpoints, request/response shapes, auth, pagination.
Configuration YAML schemas for gates, realms, policy, and the Spine.
Glossary Terms of art, Norse → system mappings.
Error Codes Every status and failure code, with cause and remedy.
CLI Tools norngate-cli commands and flags.

Standards referenced across the docs. SPIFFE/SPIRE; Ed25519 / RFC 8032; Certificate Transparency / RFC 6962; NIST SP 800-162 (ABAC); GDPR Art. 17. Naming doctrine: Prose Edda / Poetic Edda, per Norse Cosmology & Platform Design.

ᚾ NornGate — Reference

Lookup material: status codes, gate timeouts, the realm map, the API and CLI surfaces, and the glossary. The tables below consolidate facts that appear across the docs; each links to the page that owns the full detail.


ᛗ The reference pages

Page What is inside
[API Reference](API-Reference) Endpoints, request/response shapes, auth, pagination.
[Configuration](Configuration) YAML schemas for gates, realms, policy, and the Spine.
[Glossary](Glossary) Terms of art, Norse → system mappings.
[Error Codes](Error-Codes) Every status and failure code, with cause and remedy.
[CLI Tools](CLI-Tools) norngate-cli commands and flags.

ᚺ HTTP status codes

Two failure modes, both fail-closed: a rule denial returns a semantic code; a timeout / dependency failure trips the circuit breaker.

Code Meaning Gate Mode
400 Malformed request G0 denial
401 Unauthenticated (no valid SVID / key) G0 denial
403 Policy or approval denial G1 / G2 denial
408 Approval timed out (pending expired) G2 timeout
409 Write conflict / stale fencing token G4 denial + timeout
429 Rate limited G0 denial
500 Sandbox failure or disallowed effect G3 denial + timeout
503 Gate could not decide in budget G0 / G1 timeout

Full list with causes and remedies: [Error Codes](Error-Codes).


ᛁ Gate timeouts

Deny ceilings, not expected latencies — a gate that exceeds its budget denies. Separate from per-realm route timeouts (e.g. Muspelheim 300s for GPU jobs — see [The Spine](The-Spine)).

Gate Timeout On timeout
G0 Ingress 5s 503
G1 Policy 10s 503
G2 Approval 30s 408
G3 Sandbox 60s 500
G4 Arbitration 10s 409

Behavior and rationale: [The Five Gates](The-Five-Gates).


ᛟ Realms and subdomains

Subdomain = trust zone. Ten realms (nine Eddic worlds + Valhalla, the archive).

Realm Subdomain Role
Asgard asgard.* Control plane, policy, Urd signing
Vanaheim vanir.* External integrations (federated trust)
Alfheim alfheim.* Edge tier, cached reads
Midgard app.* User-facing runtime
Jotunheim jotun.* Untrusted execution (G3 sandbox)
Muspelheim muspel.* GPU compute
Niflheim nifl.* Cold storage, Urd backup
Svartalfheim forge.* Builds and artifacts
Hel hel.* Dead-letter / failed work
Valhalla valhalla.* Completed-job archive

Full model: [The Nine Worlds (Trust Zones)](The-Nine-Worlds).


ᚲ API and CLI

API — the audit surface (the complete API is on [API Reference](API-Reference)):

GET /v1/audit?gate=policy&decision=deny&from=2026-07-06T00:00:00Z&to=2026-07-06T23:59:59Z

Filters: gate, decision, requestId, tenant, from, to. Reads are authenticated, authorized, and themselves audited. Record shape: [Urd Ledger](Urd-Ledger).

CLI — norngate-cli (full command set on [CLI Tools](CLI-Tools)):

Command Purpose
norngate-cli audit replay <requestId> Re-derive a historical verdict from pinned snapshots
norngate-cli drill ragnarok --target=<env> --duration=<dur> Run a disaster-recovery drill

ᚨ Glossary (preview)

Term Meaning
Gate (G0–G4) One of the five ordered checks before commit
Realm A trust zone bound to a subdomain
Spine (Yggdrasil) The single control path all traffic crosses
Urd The centralized, signed, append-only audit ledger
Norns Urd (past/ledger), Verdandi (present/metrics), Skuld (future/forecast)
SVID A short-lived SPIFFE workload identity
Approval budget The allowance that keeps G2 human transits under ~5%
Fail-closed Any non-ALLOW — deny, timeout, error — stops the request
Crypto-shredding Erasing PII by deleting its key while the hash chain stays intact

Full list and Norse → system mappings: [Glossary](Glossary).


Iconography

Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — semantic, not emoji. Full set on [Home](Home#iconography):

Rune Name Gloss Marks
Nauðiz need, constraint the platform mark
Mannaz the record, knowledge the reference pages
Hagalaz hail, failure states HTTP status codes
Isa ice, fixed ceilings gate timeouts
Othala enclosed estate, boundary realms and subdomains
Kenaz the torch, access API and CLI
Ansuz the word, definitions glossary

Standards referenced across the docs. [SPIFFE](https://spiffe.io/)/SPIRE; [Ed25519 / RFC 8032](https://www.rfc-editor.org/rfc/rfc8032); [Certificate Transparency / RFC 6962](https://www.rfc-editor.org/rfc/rfc6962); [NIST SP 800-162](https://csrc.nist.gov/pubs/sp/800/162/final) (ABAC); [GDPR Art. 17](https://gdpr-info.eu/art-17-gdpr/). Naming doctrine: Prose Edda / Poetic Edda, per [Norse Cosmology & Platform Design](Norse-Cosmology-and-Platform-Design).

Clone this wiki locally