Specification · EA-HK-INFRA-01 v1.1
Lee Sharks · Semantic Economy Institute · April 2026
DOI: 10.5281/zenodo.19769575 · ORCID: 0009-0000-1599-0703
A deployed system is a projection of a kernel. The kernel contains everything needed to reconstruct the projection. The kernel is a DOI-anchored Git repository — the SPXI deposit for infrastructure.
A kernel without secret templates is incomplete. A kernel with secrets committed is contaminated. The middle path: the kernel contains the structure; secrets are fetched at projection time from a separate, access-controlled vault.
Infrastructure is usually documented after the fact — README files that describe what already exists, diagrams that approximate the deployed reality. The holographic kernel inverts this: the kernel IS the infrastructure, in its minimum complete form. The deployment is a projection of the kernel onto compute, not the other way around.
This is the SPXI position applied to technical systems: the deposit precedes and generates the artifact, rather than documenting it after the fact. The kernel is the provenance. Every deployment is a derivative.
The kernel's semantic identity: name, version, SPXI entity ID, DOI, component list, role list, secret template list. This file IS the kernel — the minimum information from which the kernel's completeness can be verified. Analogous to the SPXI compression survival summary.
One file per service role. Each role definition contains: startup commands, health check protocol, restart policy, environment variable references (names only — not values), resource constraints. The role is the transform that converts kernel intent into deployed reality.
Secret templates: .env.template files listing required variables with descriptions and validation patterns. Templates are committed. Values are never committed. Fetch at projection time via fetch-secrets.sh. The structure is public; the material is access-controlled.
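The template rule above, as an added example (not the project's fetch-secrets.sh): it parses a template, flags any committed value, and validates fetched values while reporting only variable names. The template layout (`# pattern:` comment lines above `NAME=`), the sample variables, and the function names are assumptions; the page does not define a format.

```python
import re

# Constructed sample template; the "# pattern:" layout is an assumed format.
TEMPLATE = r"""# Postgres connection string for the api role
# pattern: ^postgres://\S+$
DATABASE_URL=
# Signing key, 64 hex characters
# pattern: ^[0-9a-f]{64}$
SIGNING_KEY=
# Contaminated entry: a value was committed with the template
# pattern: ^[A-Za-z0-9]{12,}$
API_TOKEN=constructedvalue123
"""

def parse_template(text):
    """Return {name: {"description", "pattern", "committed"}} from template text."""
    entries, desc, pattern = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# pattern:"):
            pattern = line[len("# pattern:"):].strip()
        elif line.startswith("#"):
            desc.append(line.lstrip("# "))
        elif "=" in line:
            name, _, value = line.partition("=")
            entries[name.strip()] = {"description": " ".join(desc), "pattern": pattern,
                                     "committed": bool(value.strip())}
            desc, pattern = [], None
    return entries

def committed_values(text):
    """Names whose template line carries a value, i.e. a contaminated kernel."""
    return sorted(n for n, e in parse_template(text).items() if e["committed"])

def validate_secrets(text, fetched):
    """Check fetched values against the template; report names and status only."""
    report = {}
    for name, entry in parse_template(text).items():
        value = fetched.get(name)
        if value is None:
            report[name] = "missing"
        elif entry["pattern"] and not re.fullmatch(entry["pattern"], value):
            report[name] = "invalid"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    print("committed values:", committed_values(TEMPLATE))
```

Running `committed_values` as a pre-commit or CI check keeps values out of the repository; `validate_secrets` belongs at projection time, after the vault fetch.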
Service dependency graphs. Which roles depend on which other roles. Which roles are externally accessible. This is the basin's curvature map — the relational structure that makes the kernel holographic: any single role file plus the topology yields the full kernel's shape.
Executable verification: checks that all roles are defined, all secret templates are present, all topology references are valid, all role counts match the kernel manifest. If verify.sh passes from a clean git clone, the kernel is complete. This is the Infra-Drowning Test: restore in under 60 minutes from git clone + secret key.
The kernel is holographic in the technical sense: any fragment contains sufficient information to reconstruct the whole. If you have one role file, you know:
This is the same property as the SPXI compression survival summary: any fragment of a well-formed SPXI entity contains enough to reconstruct the entity's basin. The holographic kernel applies this to infrastructure.
When the kernel detects that a defined role has no running instance, it generates a deployment specification for that role from the kernel's own definition. This is not automatic deployment — it is automatic specification generation. The kernel says: here is everything you need to project this role. The human operator makes the deployment decision.
The kernel cannot project beyond its own definition. It cannot fill in missing roles that are not defined in the kernel. This is the safety boundary: the kernel is a complete specification, not an inference engine.
Safety conditions for self-projection:
1. The role is defined in kernel.json
2. verify.sh passes for the role definition
3. All required secret templates are present (values available)
4. The topology check shows no circular dependencies
5. A human operator has confirmed the projection intent
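The completeness checks attributed to verify.sh and the five safety conditions, as an added Python example (not the project's verify.sh). The `KERNEL` layout, its field names (`role_count`, `env`, `template`), and the function names are assumptions, since the page does not give a schema; condition 2 is applied to the whole kernel rather than per role.

```python
# Constructed kernel in one dict; this layout is assumed, not the project's schema.
KERNEL = {
    "manifest": {"roles": ["api", "db"], "role_count": 2},
    "roles": {"api": {"env": ["DATABASE_URL"], "template": "api.env.template"},
              "db": {"env": ["DB_PASSWORD"], "template": "db.env.template"}},
    "templates": {"api.env.template", "db.env.template"},
    "topology": {"api": ["db"], "db": []},
}

def find_cycle(topology):
    """Depth-first search; returns one dependency cycle as a list, or None."""
    state = {}  # role -> "open" while on the current path, "done" afterwards
    def visit(role, path):
        state[role] = "open"
        for dep in topology.get(role, []):
            if state.get(dep) == "open":
                return path[path.index(dep):] + [dep]
            found = visit(dep, path + [dep]) if dep not in state else None
            if found:
                return found
        state[role] = "done"
    for role in topology:
        cycle = visit(role, [role]) if role not in state else None
        if cycle:
            return cycle
    return None

def verify_kernel(k):
    """verify.sh-style checks; an empty list means the kernel is complete."""
    roles, errors = k["roles"], []
    errors += [f"manifest role not defined: {r}"
               for r in k["manifest"]["roles"] if r not in roles]
    if k["manifest"]["role_count"] != len(roles):
        errors.append("role count does not match manifest")
    errors += [f"missing secret template: {d['template']}" for d in roles.values()
               if d["template"] not in k["templates"]]
    refs = set(k["topology"]) | {d for deps in k["topology"].values() for d in deps}
    errors += [f"topology references undefined role: {r}" for r in sorted(refs - set(roles))]
    cycle = find_cycle(k["topology"])
    return errors + (["circular dependency: " + " -> ".join(cycle)] if cycle else [])

def may_project(k, role, secrets_available, operator_confirmed):
    """The five safety conditions; returns the reasons projection is blocked."""
    blocked = [] if role in k["roles"] else [f"role not defined: {role}"]
    blocked += verify_kernel(k)  # whole-kernel check; covers conditions 2 and 4
    needed = k["roles"].get(role, {}).get("env", [])
    blocked += [f"secret value unavailable: {v}" for v in needed if v not in secrets_available]
    return blocked + ([] if operator_confirmed else ["operator has not confirmed"])
```

`secrets_available` is a set of variable names, so the gate never handles secret values, and an empty return list is the only state in which a specification should be generated.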
The full specification is maintained at holographickernel.org. Every kernel version is deposited to Zenodo and receives a DOI. The DOI is the kernel's permanent identity in the retrieval layer — independent of any deployment, any platform, any infrastructure provider. If the infrastructure is torn down, the kernel survives in the archive. Future operators can reconstruct the full system from the DOI plus the secret vault.
This is the SPXI position on provenance: the deposit is the source of truth, not the deployment. The deployment is a projection; the DOI is the anchor.
| Version | DOI | Changes |
|---|---|---|
| v1.0 | 10.5281/zenodo.19769562 | Initial specification |
| v1.1 | 10.5281/zenodo.19769575 | Assembly Chorus feedback; security conditions; failure modes; implementation maturity disclaimer |
The holographic kernel is not SLSA, not Nix, not in-toto, not Terraform. Those systems address supply chain integrity, reproducible builds, artifact attestation, and configuration management respectively. The holographic kernel addresses a different problem: how does a single operator, alone at 2am, reconstruct a complete system from scratch without having to remember anything that isn't in the repository?
The Infra-Drowning Test is the metric: can you restore the full system in under 60 minutes from a git clone and a secret key? If yes, the kernel is complete. If no, the kernel has gaps that verify.sh will surface.