azaion/loader
1
0
Fork 0
mirror of https://github.com/azaion/loader.git synced 2026-04-22 22:06:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8a4f4f910d68a2272af2cbd0ba0a838c08c781f4
loader/_docs/00_problem/problem.md
T
Oleksandr Bezdieniezhnykh 8f7deb3fca Add E2E tests, fix bugs 
Made-with: Cursor
2026-04-13 05:17:48 +03:00

2.0 KiB
Raw Blame History

Problem Statement

What is this system?

Azaion.Loader is a secure resource distribution service for Azaion's edge computing platform. It runs on edge devices (ARM64) to manage the lifecycle of encrypted AI model resources and Docker service images.

What problem does it solve?

Azaion distributes proprietary AI models and Docker-based services to edge devices deployed in the field. These assets must be:

  1. Protected in transit and at rest — models and service images are intellectual property that must not be extractable if a device is compromised
  2. Bound to authorized hardware — decryption keys are derived from the device's hardware fingerprint, preventing resource extraction to unauthorized machines
  3. Efficiently distributed — large model files are split between an authenticated API (small encrypted part) and a CDN (large part), reducing API bandwidth costs while maintaining security
  4. Self-service deployable — edge devices need to authenticate, download, decrypt, and load Docker images autonomously via a single unlock workflow

Who are the users?

  • Edge devices — autonomous ARM64 systems running Azaion services (drones, companion PCs, ground stations)
  • Operators/Admins — human users who trigger authentication and unlock via HTTP API
  • Other Azaion services — co-located containers that call the loader API to fetch model resources

How does it work (high level)?

  1. A client authenticates via /login with email/password → the loader obtains a JWT from the Azaion Resource API
  2. For resource access: the loader downloads an encrypted "small" part from the API (using a per-user, per-machine key) and a "big" part from CDN, reassembles them, and decrypts with a shared resource key
  3. For initial deployment: the /unlock endpoint triggers a background workflow that downloads a key fragment, decrypts a pre-deployed encrypted Docker image archive, and loads all service images into the local Docker daemon
  4. All security-sensitive logic is compiled as Cython native extensions for IP protection
Reference in New Issue View Git Blame Copy Permalink