Skip to content

The Nine Worlds

Frank Yglesias Bertheau edited this page Jul 7, 2026 · 1 revision
<h1>ᚾ&nbsp;NornGate — The Nine Worlds (Trust Zones)</h1>

Each realm is a trust zone bound to a subdomain. Routing is not a networking detail — it is the security boundary: your topology is your threat model. A request's subdomain fixes which realm serves it, and the realm fixes its trust posture, network policy, quota, and retention.

Realms connect only through the single spine (The Spine); there is no lateral path between them that skips the gates.


ᛟ Overview — subdomain is trust zone

The mapping is deterministic and one-directional: app.* always reaches Midgard, jotun.* always reaches Jotunheim, asgard.* always reaches the control plane. Because the boundary is the subdomain, a reader can infer the trust model from the URL alone — and an operator can reason about blast radius by realm.

Three properties follow:

  • Containment, not deletion — untrusted work runs in Jotunheim (sandboxed), not blocked outright.
  • Federation, not absorption — partner systems live in Vanaheim under negotiated trust, never assumed.
  • Use, not trust — expensive/dangerous compute (Muspelheim) is quota-fenced, not implicitly trusted.

ᛜ The realm map

Ten realms across three tiers. The banner keeps the mythic "Nine Worlds"; the tenth is Valhalla — Óðinn's hall within Asgard in the Eddic sources, promoted here to an operational archive realm.

Tier Realm Subdomain Role Trust posture
Heavens Asgard asgard.* Control plane, policy, gate config, Urd signing Highest trust; no agent code
Heavens Vanaheim vanir.* External integrations, OAuth2/OIDC, partner APIs Federated; trust negotiated per integration
Heavens Alfheim alfheim.* Edge tier, cached reads Low-latency, stateless, aggressively autoscaled
Middle Midgard app.* User-facing runtime; the only human-facing realm PII encrypted; G2 human approvals surface here
Middle Jotunheim jotun.* Untrusted code execution (G3 sandbox) Firecracker microVMs; zero standing credentials
Middle Muspelheim muspel.* GPU compute, training, batch inference Quota- and billing-fenced; job-scoped credentials
Middle Niflheim nifl.* Cold storage, Urd backups, checkpoints Immutable after write; writes in, no general egress
Below Svartalfheim forge.* CI/CD, builds, artifacts, images Secrets vaulted (never standing); checksummed artifacts
Below Hel hel.* Dead-letter, failed jobs, reprocessing Triage and retry; records the failure reason
Below Valhalla valhalla.* Completed-job archive, golden datasets, baselines Mostly read-only; feeds training/eval

References. Kubernetes NetworkPolicy / ResourceQuota; Istio AuthorizationPolicy (per The Spine); SPIFFE/SPIRE workload identity; Firecracker microVM isolation. Naming doctrine: Prose Edda / Poetic Edda, per Norse Cosmology & Platform Design.

ᚾ NornGate — The Nine Worlds (Trust Zones)

Each realm is a trust zone bound to a subdomain. Routing is not a networking detail — it is the security boundary: your topology is your threat model. A request's subdomain fixes which realm serves it, and the realm fixes its trust posture, network policy, quota, and retention.

Realms connect only through the single spine ([The Spine](The-Spine)); there is no lateral path between them that skips the gates.


ᛟ Overview — subdomain is trust zone

The mapping is deterministic and one-directional: app.* always reaches Midgard, jotun.* always reaches Jotunheim, asgard.* always reaches the control plane. Because the boundary is the subdomain, a reader can infer the trust model from the URL alone — and an operator can reason about blast radius by realm.

Three properties follow:

  • Containment, not deletion — untrusted work runs in Jotunheim (sandboxed), not blocked outright.
  • Federation, not absorption — partner systems live in Vanaheim under negotiated trust, never assumed.
  • Use, not trust — expensive/dangerous compute (Muspelheim) is quota-fenced, not implicitly trusted.

ᛜ The realm map

Ten realms across three tiers. The banner keeps the mythic "Nine Worlds"; the tenth is Valhalla — Óðinn's hall within Asgard in the Eddic sources, promoted here to an operational archive realm.

Tier Realm Subdomain Role Trust posture
Heavens Asgard asgard.* Control plane, policy, gate config, Urd signing Highest trust; no agent code
Heavens Vanaheim vanir.* External integrations, OAuth2/OIDC, partner APIs Federated; trust negotiated per integration
Heavens Alfheim alfheim.* Edge tier, cached reads Low-latency, stateless, aggressively autoscaled
Middle Midgard app.* User-facing runtime; the only human-facing realm PII encrypted; G2 human approvals surface here
Middle Jotunheim jotun.* Untrusted code execution (G3 sandbox) Firecracker microVMs; zero standing credentials
Middle Muspelheim muspel.* GPU compute, training, batch inference Quota- and billing-fenced; job-scoped credentials
Middle Niflheim nifl.* Cold storage, Urd backups, checkpoints Immutable after write; writes in, no general egress
Below Svartalfheim forge.* CI/CD, builds, artifacts, images Secrets vaulted (never standing); checksummed artifacts
Below Hel hel.* Dead-letter, failed jobs, reprocessing Triage and retry; records the failure reason
Below Valhalla valhalla.* Completed-job archive, golden datasets, baselines Mostly read-only; feeds training/eval

Per-realm route timeouts (e.g. Muspelheim 300s for long GPU jobs) are on [The Spine](The-Spine).


ᛋ The Heavens — control, integration, edge

  • Asgard (asgard.*) — the only realm that can issue policy and gate configuration. Hosts istiod, the policy engine, and the Urd signing HSM. No agent workloads run here; every access is audited. Accepts traffic only from approved internal realms.
  • Vanaheim (vanir.*) — the negotiated boundary with the outside world. Inbound is validated at G0/G1; outbound to third parties goes through a brokered egress proxy. Credentials are scoped per integration and never shared across partners.
  • Alfheim (alfheim.*) — stateless, low-latency read paths with response caching (50–100ms saved on cached reads) and sampled logging. No durable state, so replicas scale up and down freely.

ᛗ The Middle — where work and users meet

  • Midgard (app.*) — the only realm humans interact with directly: sessions, agent front-ends, and the surfaces where G2 human-in-the-loop approvals appear. PII is encrypted in transit and at rest.
  • Jotunheim (jotun.*) — untrusted execution, and the realm that runs the G3 sandbox. Firecracker microVMs, zero standing credentials, no privileged containers, read-only root filesystem, no public ingress, egress only to storage and audit. Workloads are ephemeral and destroyed after each job.
  • Muspelheim (muspel.*) — GPU-heavy training and batch inference. Its own quota and billing, long route timeouts, and job-scoped credentials — fire is used, not trusted.
  • Niflheim (nifl.*) — cold storage: archival logs, Urd's S3 backup, and checkpoints used by the Ragnarök recovery drill. Immutable after write; it accepts writes but serves no general egress (data goes in and does not casually come back out).

ᛚ Below — build, failure, archive

  • Svartalfheim (forge.*) — the forge: builds, artifacts, and container images. Secrets stay vaulted rather than standing; artifacts are checksummed (Hvergelmir).
  • Hel (hel.*) — the dead-letter realm. Failed messages and jobs land here for triage and reprocessing (Hermóðr's ride), and the ledger records why each failed.
  • Valhalla (valhalla.*) — the archive that gives back: completed jobs become golden datasets, eval baselines, and rewarded trajectories that flow into training and testing. Mostly read-only.

ᛉ Realm isolation

Isolation is enforced in four independent layers — a bypass would have to defeat all four.

  1. Network — per-realm Kubernetes NetworkPolicy, default-deny ingress and egress.
  2. Resource — CPU/memory/GPU/storage ResourceQuota per realm.
  3. Service — Istio AuthorizationPolicy narrows service-to-service access by SPIFFE identity (see [The Spine](The-Spine)).
  4. Secrets — per-realm scoped credentials; none standing in untrusted realms.
# Layer 1 — default-deny for a realm namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny, namespace: jotunheim }
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]   # no rules => deny all in and out
---
# Jotunheim may reach only storage (Niflheim) and audit (Asgard)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: jotunheim-egress, namespace: jotunheim }
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector: { matchLabels: { realm: niflheim } }
        - namespaceSelector: { matchLabels: { realm: asgard } }
# Layer 2 — GPU quota fences Muspelheim
apiVersion: v1
kind: ResourceQuota
metadata: { name: muspel-gpu, namespace: muspelheim }
spec:
  hard:
    requests.nvidia.com/gpu: "16"
    limits.nvidia.com/gpu: "16"

Network-policy posture, stated plainly: Asgard accepts traffic only from approved internal realms; Jotunheim has no open ingress from public workloads; Niflheim accepts writes but serves no general egress. Every realm defaults to deny at the network layer — the same posture the gates enforce at the request layer.


ᛖ How realms connect

Realms never talk laterally. Every cross-realm request rides Yggdrasil and passes the five gates: a Midgard agent that needs a build does not call Svartalfheim directly — it issues a request that traverses G0–G4 on the spine, is authorized by policy, and is mediated by egress control. A direct realm-to-realm socket would be a second tree, and the model permits no second tree ([The Spine](The-Spine), [Security & Fail-closed](Security-and-Fail-Closed) → total mediation).


ᛏ Threat model — topology as boundary

Mapping trust to topology bounds failure:

  • Blast radius is one realm. A compromised Jotunheim workload has zero standing credentials, no public ingress, and egress only to storage/audit — it cannot pivot into Asgard or reach the internet.
  • Cross-realm movement requires passing every layer — gates (request), Istio authz (service), NetworkPolicy (network), scoped secrets. Defeating one is not enough.
  • The control plane is set apart. Asgard runs no agent code and issues all policy; the Urd signing key lives in its HSM, off every worker path — so no untrusted realm can forge policy or history.

This is the realm-level expression of the platform threat model in [Security & Fail-closed](Security-and-Fail-Closed).


ᚱ Next steps


Iconography

Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — semantic, not emoji. Full set on [Home](Home#iconography):

Rune Name Gloss Marks
Nauðiz need, constraint the platform mark
Othala enclosed estate, boundary subdomain = trust zone
Ingwaz enclosure, the whole framework the realm map
Sowilō the sun, the heights the Heavens tier
Mannaz humankind (Midgard, the world of men) the Middle tier
Laguz water, the deep, the below the lower tier
Algiz protection, warding realm isolation
Ehwaz conveyance, movement between how realms connect
Tiwaz order, the guardian threat model
Raidō the ride, the road next steps

References. Kubernetes NetworkPolicy / ResourceQuota; Istio AuthorizationPolicy (per [The Spine](The-Spine)); [SPIFFE](https://spiffe.io/)/SPIRE workload identity; Firecracker microVM isolation. Naming doctrine: Prose Edda / Poetic Edda, per [Norse Cosmology & Platform Design](Norse-Cosmology-and-Platform-Design).

Clone this wiki locally