Oleksandr Bezdieniezhnykh 8f7deb3fca Add E2E tests, fix bugs
Made-with: Cursor
2026-04-13 05:17:48 +03:00

# Problem Statement
## What is this system?
Azaion.Loader is a secure resource distribution service for Azaion's edge computing platform. It runs on edge devices (ARM64) to manage the lifecycle of encrypted AI model resources and Docker service images.
## What problem does it solve?
Azaion distributes proprietary AI models and Docker-based services to edge devices deployed in the field. These assets must be:
1. **Protected in transit and at rest** — models and service images are intellectual property that must not be extractable if a device is compromised
2. **Bound to authorized hardware** — decryption keys are derived from the device's hardware fingerprint, preventing resource extraction to unauthorized machines
3. **Efficiently distributed** — large model files are split between an authenticated API (small encrypted part) and a CDN (large part), reducing API bandwidth costs while maintaining security
4. **Self-service deployable** — edge devices need to authenticate, download, decrypt, and load Docker images autonomously via a single unlock workflow
## Who are the users?
- **Edge devices** — autonomous ARM64 systems running Azaion services (drones, companion PCs, ground stations)
- **Operators/Admins** — human users who trigger authentication and unlock via HTTP API
- **Other Azaion services** — co-located containers that call the loader API to fetch model resources
## How does it work (high level)?
1. A client authenticates via `/login` with email/password → the loader obtains a JWT from the Azaion Resource API
2. For resource access: the loader downloads an encrypted "small" part from the API (using a per-user, per-machine key) and a "big" part from the CDN, reassembles them, and decrypts with a shared resource key
3. For initial deployment: the `/unlock` endpoint triggers a background workflow that downloads a key fragment, decrypts a pre-deployed encrypted Docker image archive, and loads all service images into the local Docker daemon
4. All security-sensitive logic is compiled as Cython native extensions for IP protection
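
The split download in step 2 and the hardware binding described earlier, as an added sketch that is not Azaion.Loader's own code. Assumptions: PBKDF2 salted with the hardware fingerprint as the key derivation, a 64-byte split point, the small part being wrapped under the device key, and an HMAC-SHA256 encrypt-then-MAC construction standing in for a real AEAD such as AES-GCM; all function names are hypothetical.

```python
import hashlib, hmac, os

def machine_key(email, password, hw_fingerprint):
    # Assumed KDF: PBKDF2 over the credentials, salted with the hardware fingerprint.
    secret = f"{email}\0{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret, hw_fingerprint.encode(), 100_000)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode. Use AES-GCM or similar in practice.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), body[:16], body[16:])

def publish(resource, resource_key, device_key, small_len=64):
    # Assumed layout: encrypt once with the shared key, then wrap only the head per device.
    blob = seal(resource_key, resource)
    return seal(device_key, blob[:small_len]), blob[small_len:]  # (API part, CDN part)

def load(api_part, cdn_part, resource_key, device_key):
    small = unseal(device_key, api_part)           # fails on an unauthorized machine
    return unseal(resource_key, small + cdn_part)  # fails if either part was altered

if __name__ == "__main__":
    rk = os.urandom(32)                            # constructed shared resource key
    dk = machine_key("op@example.test", "constructed-pw", "constructed-hw-id-A")
    api, cdn = publish(b"constructed model bytes " * 20, rk, dk)
    print(len(api), len(cdn), load(api, cdn, rk, dk)[:23])
```

The CDN part carries neither the nonce nor a usable header, so on its own it fails authentication even with the shared resource key; only the small, authenticated API response needs per-device handling.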