Nomadic Operator Model

Level 1 (Concept) — Operator-as-nomad: portable identity across environments.

Concept

The TazLab operator identity is not tied to a specific machine or container. It is portable — carried by the encrypted vault, AWS SSO credentials, and S3-backed persistence. A fresh machine needs only Docker, a checkout of the project, and the vault passphrase to rebuild the full environment.

The Four Pillars

| Pillar | What | How |
|---|---|---|
| Encrypted vault | Portable secret store | vault.tar.aes — AES-256-GCM, PBKDF2 |
| S3 persistence | Remote durability | tazpod push vault / tazpod pull vault |
| AWS SSO | Cloud identity | aws sso login — no static keys |
| GitOps | Desired state in Git | Flux reconciles cluster from tazlab-k8s |

Recovery Sequence

On a fresh machine:

  1. tazpod init (if .tazpod/ missing)
  2. tazpod login (AWS SSO)
  3. tazpod pull vault (S3 → local)
  4. tazpod unlock (decrypt RAM)
  5. tazpod enter (shell with full identity)

This sequence is encoded in smartEntry() — the nomadic recovery path is the default entry path.

Why It Matters

The container is disposable, the host is replaceable, but the operator identity survives because the encrypted vault remains portable and the recovery sequence is built into the CLI.

See Also