-
Notifications
You must be signed in to change notification settings - Fork 0
The Nine Worlds
Each realm is a trust zone bound to a subdomain. Routing is not a networking detail — it is the security boundary: your topology is your threat model. A request's subdomain fixes which realm serves it, and the realm fixes its trust posture, network policy, quota, and retention.
Realms connect only through the single spine (The Spine); there is no lateral path between them that skips the gates.
The mapping is deterministic and one-directional: app.* always reaches Midgard, jotun.* always reaches Jotunheim, asgard.* always reaches the control plane. Because the boundary is the subdomain, a reader can infer the trust model from the URL alone — and an operator can reason about blast radius by realm.
Three properties follow:
- Containment, not deletion — untrusted work runs in Jotunheim (sandboxed), not blocked outright.
- Federation, not absorption — partner systems live in Vanaheim under negotiated trust, never assumed.
- Use, not trust — expensive/dangerous compute (Muspelheim) is quota-fenced, not implicitly trusted.
Ten realms across three tiers. The banner keeps the mythic "Nine Worlds"; the tenth is Valhalla — Óðinn's hall within Asgard in the Eddic sources, promoted here to an operational archive realm.
| Tier | Realm | Subdomain | Role | Trust posture |
|---|---|---|---|---|
| Heavens | Asgard | asgard.* | Control plane, policy, gate config, Urd signing | Highest trust; no agent code |
| Heavens | Vanaheim | vanir.* | External integrations, OAuth2/OIDC, partner APIs | Federated; trust negotiated per integration |
| Heavens | Alfheim | alfheim.* | Edge tier, cached reads | Low-latency, stateless, aggressively autoscaled |
| Middle | Midgard | app.* | User-facing runtime; the only human-facing realm | PII encrypted; G2 human approvals surface here |
| Middle | Jotunheim | jotun.* | Untrusted code execution (G3 sandbox) | Firecracker microVMs; zero standing credentials |
| Middle | Muspelheim | muspel.* | GPU compute, training, batch inference | Quota- and billing-fenced; job-scoped credentials |
| Middle | Niflheim | nifl.* | Cold storage, Urd backups, checkpoints | Immutable after write; writes in, no general egress |
| Below | Svartalfheim | forge.* | CI/CD, builds, artifacts, images | Secrets vaulted (never standing); checksummed artifacts |
| Below | Hel | hel.* | Dead-letter, failed jobs, reprocessing | Triage and retry; records the failure reason |
| Below | Valhalla | valhalla.* | Completed-job archive, golden datasets, baselines | Mostly read-only; feeds training/eval |
References. Kubernetes NetworkPolicy / ResourceQuota; Istio AuthorizationPolicy (per The Spine); SPIFFE/SPIRE workload identity; Firecracker microVM isolation. Naming doctrine: Prose Edda / Poetic Edda, per Norse Cosmology & Platform Design.
Each realm is a trust zone bound to a subdomain. Routing is not a networking detail — it is the security boundary: your topology is your threat model. A request's subdomain fixes which realm serves it, and the realm fixes its trust posture, network policy, quota, and retention.
Realms connect only through the single spine ([The Spine](The-Spine)); there is no lateral path between them that skips the gates.
The mapping is deterministic and one-directional: app.* always reaches Midgard, jotun.* always reaches Jotunheim, asgard.* always reaches the control plane. Because the boundary is the subdomain, a reader can infer the trust model from the URL alone — and an operator can reason about blast radius by realm.
Three properties follow:
- Containment, not deletion — untrusted work runs in Jotunheim (sandboxed), not blocked outright.
- Federation, not absorption — partner systems live in Vanaheim under negotiated trust, never assumed.
- Use, not trust — expensive/dangerous compute (Muspelheim) is quota-fenced, not implicitly trusted.
Ten realms across three tiers. The banner keeps the mythic "Nine Worlds"; the tenth is Valhalla — Óðinn's hall within Asgard in the Eddic sources, promoted here to an operational archive realm.
| Tier | Realm | Subdomain | Role | Trust posture |
|---|---|---|---|---|
| Heavens | Asgard | asgard.* |
Control plane, policy, gate config, Urd signing | Highest trust; no agent code |
| Heavens | Vanaheim | vanir.* |
External integrations, OAuth2/OIDC, partner APIs | Federated; trust negotiated per integration |
| Heavens | Alfheim | alfheim.* |
Edge tier, cached reads | Low-latency, stateless, aggressively autoscaled |
| Middle | Midgard | app.* |
User-facing runtime; the only human-facing realm | PII encrypted; G2 human approvals surface here |
| Middle | Jotunheim | jotun.* |
Untrusted code execution (G3 sandbox) | Firecracker microVMs; zero standing credentials |
| Middle | Muspelheim | muspel.* |
GPU compute, training, batch inference | Quota- and billing-fenced; job-scoped credentials |
| Middle | Niflheim | nifl.* |
Cold storage, Urd backups, checkpoints | Immutable after write; writes in, no general egress |
| Below | Svartalfheim | forge.* |
CI/CD, builds, artifacts, images | Secrets vaulted (never standing); checksummed artifacts |
| Below | Hel | hel.* |
Dead-letter, failed jobs, reprocessing | Triage and retry; records the failure reason |
| Below | Valhalla | valhalla.* |
Completed-job archive, golden datasets, baselines | Mostly read-only; feeds training/eval |
Per-realm route timeouts (e.g. Muspelheim 300s for long GPU jobs) are on [The Spine](The-Spine).
-
Asgard (
asgard.*) — the only realm that can issue policy and gate configuration. Hostsistiod, the policy engine, and the Urd signing HSM. No agent workloads run here; every access is audited. Accepts traffic only from approved internal realms. -
Vanaheim (
vanir.*) — the negotiated boundary with the outside world. Inbound is validated at G0/G1; outbound to third parties goes through a brokered egress proxy. Credentials are scoped per integration and never shared across partners. -
Alfheim (
alfheim.*) — stateless, low-latency read paths with response caching (50–100ms saved on cached reads) and sampled logging. No durable state, so replicas scale up and down freely.
-
Midgard (
app.*) — the only realm humans interact with directly: sessions, agent front-ends, and the surfaces where G2 human-in-the-loop approvals appear. PII is encrypted in transit and at rest. -
Jotunheim (
jotun.*) — untrusted execution, and the realm that runs the G3 sandbox. Firecracker microVMs, zero standing credentials, no privileged containers, read-only root filesystem, no public ingress, egress only to storage and audit. Workloads are ephemeral and destroyed after each job. -
Muspelheim (
muspel.*) — GPU-heavy training and batch inference. Its own quota and billing, long route timeouts, and job-scoped credentials — fire is used, not trusted. -
Niflheim (
nifl.*) — cold storage: archival logs, Urd's S3 backup, and checkpoints used by the Ragnarök recovery drill. Immutable after write; it accepts writes but serves no general egress (data goes in and does not casually come back out).
-
Svartalfheim (
forge.*) — the forge: builds, artifacts, and container images. Secrets stay vaulted rather than standing; artifacts are checksummed (Hvergelmir). -
Hel (
hel.*) — the dead-letter realm. Failed messages and jobs land here for triage and reprocessing (Hermóðr's ride), and the ledger records why each failed. -
Valhalla (
valhalla.*) — the archive that gives back: completed jobs become golden datasets, eval baselines, and rewarded trajectories that flow into training and testing. Mostly read-only.
Isolation is enforced in four independent layers — a bypass would have to defeat all four.
-
Network — per-realm Kubernetes
NetworkPolicy, default-deny ingress and egress. -
Resource — CPU/memory/GPU/storage
ResourceQuotaper realm. -
Service — Istio
AuthorizationPolicynarrows service-to-service access by SPIFFE identity (see [The Spine](The-Spine)). - Secrets — per-realm scoped credentials; none standing in untrusted realms.
# Layer 1 — default-deny for a realm namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny, namespace: jotunheim }
spec:
podSelector: {}
policyTypes: [Ingress, Egress] # no rules => deny all in and out
---
# Jotunheim may reach only storage (Niflheim) and audit (Asgard)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: jotunheim-egress, namespace: jotunheim }
spec:
podSelector: {}
policyTypes: [Egress]
egress:
- to:
- namespaceSelector: { matchLabels: { realm: niflheim } }
- namespaceSelector: { matchLabels: { realm: asgard } }# Layer 2 — GPU quota fences Muspelheim
apiVersion: v1
kind: ResourceQuota
metadata: { name: muspel-gpu, namespace: muspelheim }
spec:
hard:
requests.nvidia.com/gpu: "16"
limits.nvidia.com/gpu: "16"Network-policy posture, stated plainly: Asgard accepts traffic only from approved internal realms; Jotunheim has no open ingress from public workloads; Niflheim accepts writes but serves no general egress. Every realm defaults to deny at the network layer — the same posture the gates enforce at the request layer.
Realms never talk laterally. Every cross-realm request rides Yggdrasil and passes the five gates: a Midgard agent that needs a build does not call Svartalfheim directly — it issues a request that traverses G0–G4 on the spine, is authorized by policy, and is mediated by egress control. A direct realm-to-realm socket would be a second tree, and the model permits no second tree ([The Spine](The-Spine), [Security & Fail-closed](Security-and-Fail-Closed) → total mediation).
Mapping trust to topology bounds failure:
- Blast radius is one realm. A compromised Jotunheim workload has zero standing credentials, no public ingress, and egress only to storage/audit — it cannot pivot into Asgard or reach the internet.
- Cross-realm movement requires passing every layer — gates (request), Istio authz (service), NetworkPolicy (network), scoped secrets. Defeating one is not enough.
- The control plane is set apart. Asgard runs no agent code and issues all policy; the Urd signing key lives in its HSM, off every worker path — so no untrusted realm can forge policy or history.
This is the realm-level expression of the platform threat model in [Security & Fail-closed](Security-and-Fail-Closed).
- [The Spine](The-Spine) — routing, mesh identity, and egress control.
- [Security & Fail-closed](Security-and-Fail-Closed) — the full threat model and credential starvation.
- [Norse Cosmology & Platform Design](Norse-Cosmology-and-Platform-Design) — the cosmology behind the realm names.
- [Configuration](Configuration) · [Setting Up Subdomains (Realms)](Setting-Up-Subdomains-Realms) — provisioning a realm.
Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — semantic, not emoji. Full set on [Home](Home#iconography):
| Rune | Name | Gloss | Marks |
|---|---|---|---|
| ᚾ | Nauðiz | need, constraint | the platform mark |
| ᛟ | Othala | enclosed estate, boundary | subdomain = trust zone |
| ᛜ | Ingwaz | enclosure, the whole framework | the realm map |
| ᛋ | Sowilō | the sun, the heights | the Heavens tier |
| ᛗ | Mannaz | humankind (Midgard, the world of men) | the Middle tier |
| ᛚ | Laguz | water, the deep, the below | the lower tier |
| ᛉ | Algiz | protection, warding | realm isolation |
| ᛖ | Ehwaz | conveyance, movement between | how realms connect |
| ᛏ | Tiwaz | order, the guardian | threat model |
| ᚱ | Raidō | the ride, the road | next steps |
References. Kubernetes NetworkPolicy / ResourceQuota; Istio AuthorizationPolicy (per [The Spine](The-Spine)); [SPIFFE](https://spiffe.io/)/SPIRE workload identity; Firecracker microVM isolation. Naming doctrine: Prose Edda / Poetic Edda, per [Norse Cosmology & Platform Design](Norse-Cosmology-and-Platform-Design).
Welcome
Getting Started
Core Concepts
Guides
- Guides
- Configuring Gates
- Setting Up Subdomains (Realms)
- Integrating AI Agents
- Monitoring & Observability
- Disaster Recovery (Ragnarök Drill)
- Custom Domains & TLS
Reference
Silence means no.