DeReticular Academy

DeReticular Academy

Certified RIOS Administrator (CRA) Briefing Document

by

Sovereign Mesh Security Architecture The Watchtower Protocol and Physical-First Defense

Executive Summary

The Certified RIOS Administrator (CRA) program, specifically the Level 1 Version 2.4 (Sovereign Release), establishes a rigorous framework for managing the RIOS-CC-1000 Compute Cluster. Unlike traditional “Old World” IT infrastructure—which relies on climate-controlled datacenters and stable grids—the RIOS system is a field-deployable “survival tool” designed for “Kinetic Environments.”

The core philosophy of the RIOS system is the Sovereign Stack: a self-contained ecosystem that prioritizes local-first applications, self-healing mesh networking, and resilient hardware. Key pillars of the system include:

  • Ruggedized Hardware: An IP67-rated Exo-Shell providing protection against dust, vibration, and EMPs.
  • Autonomous Connectivity: Primary satellite (Starlink) integration with automated 5G/LTE failover and a local self-healing mesh.
  • Project Phoenix: A local-first application suite (Comm, Storage, Finance) that functions without internet dependency.
  • Watchtower Security: A physical-layer defense system utilizing RF Fingerprinting to identify and ban hostile devices based on radio signatures.
  • The 15-Minute Promise: A Service Level Agreement (SLA) guaranteeing full system restoration from total darkness in under 15 minutes.
The RIOS Sovereign Stack Survival Guide

——————————————————————————–

I. Hardware Anatomy and Maintenance

The RIOS-CC-1000 is engineered as a ruggedized compute cluster rather than a standard server. It is built to withstand environments lacking reliable infrastructure.

Physical Architecture

  • The Exo-Shell: An IP67-rated aluminum casing that serves as a Faraday cage, shielding internal components from light EMPs and RF interference.
  • Compute Blades: The unit contains 4x hot-swappable NVMe-native blades. These operate as independent nodes, allowing the cluster to re-balance workloads instantly if a single blade fails.
  • Thermal Management: The system utilizes a Positive Pressure Cycle for cooling rather than traditional fans or liquid cooling. This requires a physical maintenance check of the intake filters every 30 days.

Safety and Field Protocols (SOP-HW-01)

A critical safety feature is the Seal Integrity system.

  • Warning: The chassis must never be opened while the Seal Integrity light is Green. Opening the unit without engaging “Maintenance Mode” triggers an intrusion detection system that may lock the encryption keys.
  • Hot-Swap Procedure: When a drive failure occurs (e.g., Blade 2 Drive Failure), the administrator must wait for the physical LED to turn SOLID BLUE before removal. This ensures the data write cache is flushed to the parity drive, preventing corruption.

——————————————————————————–

II. Connectivity and the Sovereign Mesh

The RIOS Sovereign Stack Survival Guide

The RIOS network architecture establishes a “Zero-Trust Bubble” that balances high-speed external uplinks with a resilient local local area network (LAN).

WAN: The Starlink Bridge

The CC-1000 prioritizes Starlink for its low latency and grid independence.

  1. Bypass Mode: The Starlink router must be disabled, allowing the RIOS unit to act as the primary router.
  2. Failover: WAN Port 2 is reserved for LTE/5G modems.
  3. Command: rios-cli net configure --primary wan1 --secondary wan2 --mode failover

LAN: The Sovereign Mesh

The local network is built on a self-healing, isolated architecture:

  • Self-Healing: If a node (e.g., North Node) fails, traffic is automatically rerouted through available nodes (South or East) to maintain connectivity.
  • Client Isolation: Enabled by default to prevent lateral movement of malware; clients cannot see each other’s devices on the network.
  • Relay Mode: Admins can re-establish links in “dead zones” by deploying mobile RIOS-repeaters (drones or mobile units) and using the command: rios-mesh link --target [Repeater_ID] --bridge.

——————————————————————————–

III. Sovereign Operations: Project Phoenix

Project Phoenix represents the application layer of the Sovereign Stack, utilizing a “Local-First” paradigm. This ensures that essential services remain available even if the global internet is severed.

The Core Application Suite

ApplicationService ProviderFunction
CommMatrix/ElementEncrypted Chat
StorageNextcloudFiles & Documents
FinanceBTC/Lightning NodeLocal Ledger / Trade Credits

Synchronization and Deployment

  • Sync Concept: When internet access is available, Project Phoenix syncs encrypted backups to off-site storage. When offline, it functions with zero interruption locally.
  • Rapid Deployment: Administrators can deploy services like the “Village Ledger” via the CLI: rios-app deploy btcpay --network mainnet --prune.
  • Local DNS: Services are mapped to local URLs (e.g., https://finance.local) for easy community access.

——————————————————————————–

IV. Security and the Watchtower Protocol

RIOS security transcends traditional firewalls by focusing on the physical domain of Radio Frequency (RF).

RF Fingerprinting

Traditional firewalls block IP addresses, which can be spoofed. RIOS scans the RF spectrum to identify the unique physical signature of every device (phone, laptop, drone).

  • Green List: Known community devices.
  • Grey List: Unknown guests (restricted to internet access only).
  • Red List: Hostile devices, spoofers, or jamming equipment.

Intrusion Response

When an intruder is detected (e.g., high-volume login attempts with a spoofed MAC address), administrators use “Spectrum View” to triangulate the signal source. The device is then banned by its RF signature:

  • Command: rios-sec ban --rf-sig [Signature_ID] --duration permanent
  • Result: The device is disassociated from all access points even if it changes its MAC address.

——————————————————————————–

V. Disaster Recovery: The Black Start

In the event of total system collapse, the “Black Start” procedure allows for the restoration of civilization-critical services within 15 minutes.

The Red Card Protocol

A physical “Red Card” is attached to every RIOS unit with a 7-step emergency checklist:

  1. Isolate: Disconnect all WAN cables.
  2. Power: Verify the Agra Dot Energy Generator is stable at 60Hz.
  3. Boot: Insert the “Master Key” USB into Port 0.
  4. Engage: Hold the physical Reset Button for 10 seconds.
  5. Wait: Listen for the “Heartbeat” beep code (3 short, 1 long).
  6. Broadcast: The system broadcasts the SSID “SOS_BEACON.”
  7. Restore: Connect the terminal and run rios-phoenix restore --latest.

The 15-Minute Promise (SLA)

  • 0-5 Minutes: Power Stabilization (Agra SPS).
  • 5-10 Minutes: Compute Boot and File System Check.
  • 10-15 Minutes: Mesh Network Broadcast and Application Availability.

——————————————————————————–

VI. Administrative Resources: The CRA Field Kit

The CRA certification provides a 1.2 GB Digital Resource Bundle designed for offline use by technicians in the field.

Field Kit Contents

  • Quick Reference Cards: Port maps, CLI cheat sheets, and LED blink/beep code guides.
  • Operational Forms: Site surveys, maintenance logs (tracking thermal paste and filter changes), and Incident Reports.
  • Simulation Assets: Data files for practicing bulk user imports and identifying SQL injection attempts in logs.
  • Starter Pack Scripts: Pre-configured docker-compose and Nginx files for rapid deployment.
  • Agra Integration: Schematics for connecting the RIOS UPS to Agra Micro-GTL inverters and auto-shutdown scripts for low-fuel scenarios.

Critical Security Requirement: All deployment scripts in the Field Kit contain default passwords (“change_me”). Failure to update these credentials in a live environment results in immediate certification revocation.