# AIPhone No・where Logicnoid — Blue Book v0.1

## 1. Product

AIPhone No・where Logicnoid Project

## 2. Technical Definition

AIPhone is a phone-number non-exposure display/session interlock engine.

The engine converts original MSISDN input into a non-reversible token fingerprint, maps text identifiers to tokenized identity anchors, requires Display Ready Proof, issues one-time Tunnel Tickets, authorizes sessions through one-time opaque handles, blocks reuse, and records security-relevant decisions as audit receipts.

## 3. Runtime Architecture

Current production-near deployment:

| Component | Value |
|---|---|
| Host OS | Ubuntu |
| Public domain | logicnoid.kr |
| Engine service | gnx-aiphone |
| Engine bind | 127.0.0.1:3400 |
| Reverse proxy | Nginx |
| TLS | Let's Encrypt / Certbot |
| Product root | /opt/gnx/aiphone-nowhere |
| Engine source | /opt/gnx/aiphone-nowhere/engine/src/server.mjs |
| Runtime state | /opt/gnx/aiphone-nowhere/runtime |
| Public surface | /opt/gnx/aiphone-nowhere/surface/public |
| OpenAPI | /opt/gnx/aiphone-nowhere/engine/openapi/openapi.yaml |

## 4. Core Security Properties

### 4.1 No Raw MSISDN Storage

The engine must not store raw MSISDN values in runtime state or audit logs.

The verified engine returns tokenFingerprint and rawMsisdnStored: false.

### 4.2 Text Identifier Mapping

Text identifiers are normalized and mapped to non-reversible token fingerprints.

Text identifiers provide a communication identity surface that does not expose the underlying MSISDN.
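A sketch of the tokenization and identifier mapping in 4.1 and 4.2, added here as an example and not taken from the engine source. HMAC-SHA-256, the normalization rules, the `IdentityAnchors` class and the demo key and number are assumptions; only `tokenFingerprint` and `rawMsisdnStored` come from this document.

```javascript
const { createHmac } = require("node:crypto");

// Assumed rule: strip separators, accept "00" or "+" prefix, require E.164 shape.
// National formats (leading 0) are rejected rather than guessed.
function normalizeMsisdn(input) {
  let s = String(input).replace(/[\s().-]/g, "");
  if (s.startsWith("00")) s = s.slice(2);
  else if (s.startsWith("+")) s = s.slice(1);
  if (!/^[1-9]\d{6,14}$/.test(s)) throw new Error("invalid MSISDN");
  return "+" + s;
}

// Assumed rule: NFKC fold, trim, lower-case, then a conservative character set.
function normalizeIdentifier(text) {
  const s = String(text).normalize("NFKC").trim().toLowerCase();
  if (!/^[\p{L}\p{N}._-]{3,32}$/u.test(s)) throw new Error("invalid identifier");
  return s;
}

// Keyed fingerprint. MSISDNs are a small, enumerable space, so an unkeyed hash
// could be reversed by brute force; secrecy of `key` is what prevents that.
function tokenize(key, rawMsisdn) {
  const tokenFingerprint = createHmac("sha256", key)
    .update(normalizeMsisdn(rawMsisdn)).digest("hex");
  return { tokenFingerprint, rawMsisdnStored: false };
}

class IdentityAnchors {
  constructor(key) { this.key = key; this.anchors = new Map(); }
  claim(identifier, rawMsisdn) {
    const id = normalizeIdentifier(identifier);
    if (this.anchors.has(id)) return { ok: false, reason: "identifier_taken" };
    const token = tokenize(this.key, rawMsisdn); // raw value is not retained past this call
    this.anchors.set(id, token.tokenFingerprint);
    return { ok: true, identifier: id, ...token };
  }
  resolve(identifier) {
    const fp = this.anchors.get(normalizeIdentifier(identifier));
    return fp ? { ok: true, tokenFingerprint: fp } : { ok: false, reason: "not_found" };
  }
  snapshot() { return JSON.stringify([...this.anchors]); } // what would be persisted
}

// Constructed demo values, not real keys or subscriber numbers.
const demo = new IdentityAnchors(Buffer.from("constructed-demo-key"));
console.log(demo.claim(" Alice.Kim ", "+82 10-5550-0100"), demo.snapshot());
```

Because the fingerprint is only as non-reversible as the HMAC key is secret, any backup or snapshot that contains the key has to be protected like the raw numbers themselves.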

### 4.3 Display Ready Interlock

The engine requires Display Ready Proof before Tunnel Ticket issuance.

Without Display Ready Proof, the session cannot progress to authorization.

### 4.4 One-time Tunnel Ticket

Tunnel Tickets are opaque and short-lived.

A Tunnel Ticket must not be reusable.

### 4.5 One-time Session Authorization

Session authorization handles are opaque and short-lived.

A consumed authorization cannot be used again.

### 4.6 Audit Receipt

Security-relevant decisions generate audit receipts.

Receipts are retrievable through the audit receipt endpoint.

### 4.7 Admin Signed Challenge

Protected admin readiness requires challenge-response verification.

The engine does not expose a simple public admin fallback token.
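One way a signed admin challenge can work, added here as an example and not taken from the engine source. Ed25519, the 60-second lifetime, the `admin-readiness:` prefix and all class and function names are assumptions; the document does not state the signature scheme.

```javascript
const { randomBytes, generateKeyPairSync, sign, verify: verifySig } = require("node:crypto");

const CONTEXT = "admin-readiness:"; // assumed domain-separation prefix

class AdminChallenge {
  constructor(adminPublicKey, now = () => Date.now(), ttlMs = 60_000) {
    this.publicKey = adminPublicKey; // only the public half lives on the server
    this.now = now;
    this.ttlMs = ttlMs;
    this.pending = new Map();        // challenge -> expiry time
  }
  issue() {
    const challenge = randomBytes(32).toString("base64url");
    this.pending.set(challenge, this.now() + this.ttlMs);
    return challenge;
  }
  // One verification attempt per challenge: it is removed before the signature
  // is checked, so neither a captured response nor a failed guess can be retried.
  verify(challenge, signature) {
    const expires = this.pending.get(challenge);
    this.pending.delete(challenge);
    if (expires === undefined || this.now() > expires) return false;
    try {
      return verifySig(null, Buffer.from(CONTEXT + challenge), this.publicKey,
        Buffer.from(String(signature), "base64url"));
    } catch { return false; } // malformed signature input fails closed
  }
}

// Admin side (constructed): sign the challenge with a private key kept off the server.
function signChallenge(privateKey, challenge) {
  return sign(null, Buffer.from(CONTEXT + challenge), privateKey).toString("base64url");
}

function demoAdmin() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519"); // throwaway demo keys
  const server = new AdminChallenge(publicKey);
  const c = server.issue();
  const sig = signChallenge(privateKey, c);
  return { first: server.verify(c, sig), replay: server.verify(c, sig) };
}
console.log(demoAdmin());
```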

## 5. API Surface

Primary endpoints:

| Endpoint | Purpose |
|---|---|
| GET /health/ready | Runtime readiness |
| POST /v1/msisdn/tokenize | No-raw-MSISDN tokenization |
| POST /v1/identity/claim | Claim text identifier |
| POST /v1/identity/resolve | Resolve text identifier |
| POST /v1/session/intent | Create session intent |
| POST /v1/display/ready | Submit Display Ready Proof |
| POST /v1/tunnel/ticket | Issue one-time Tunnel Ticket |
| POST /v1/session/authorize | Authorize session |
| POST /v1/session/consume | Consume session authorization once |
| GET /v1/audit/{receipt} | Retrieve audit receipt |
| POST /v1/admin/challenge | Issue admin challenge |
| POST /v1/admin/session/verify | Verify admin signature |
| GET /v1/admin/readiness | Protected admin readiness |

## 6. State Machine

AIPhone session state follows this sequence:

1. Identity claimed
2. Session intent created
3. Display Ready Proof created
4. Tunnel Ticket issued
5. Session authorization issued
6. Session authorization consumed
7. Reuse attempt blocked
8. Audit receipt generated

Any missing prerequisite must block the next stage.
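The sequence above as a minimal interlock, added here as an example and not taken from the engine source. The `Interlock` class, the 30-second TTL, the stage names and the choice to make the intent handle single-use as well are assumptions; each `advance` call stands in for the endpoint that accepts that stage's handle.

```javascript
const { randomBytes } = require("node:crypto");

const TTL_MS = 30_000; // assumed lifetime for every transient handle
// Stage order from the sequence above; each handle only unlocks the next stage.
const NEXT = { intent: "proof", proof: "ticket", ticket: "authorization", authorization: null };

class Interlock {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.live = new Map();  // "kind:handle" -> { session, expires }
    this.receipts = [];     // audit trail; never holds a handle value
  }
  issue(kind, session) {
    const handle = randomBytes(16).toString("base64url"); // opaque, unguessable
    this.live.set(kind + ":" + handle, { session, expires: this.now() + TTL_MS });
    return handle;
  }
  start() { return this.issue("intent", randomBytes(8).toString("hex")); }
  receipt(stage, ok, reason) {
    const r = Object.freeze({ receipt: this.receipts.length + 1, stage, ok, reason });
    this.receipts.push(r);
    return r;
  }
  // Present the handle for `kind`. It is deleted before any other check, so a
  // replayed or expired handle can never succeed on a second attempt.
  advance(kind, handle) {
    const key = kind + ":" + handle;
    const rec = this.live.get(key);
    this.live.delete(key);
    if (!rec) return this.receipt(kind, false, "missing_or_reused");
    if (this.now() > rec.expires) return this.receipt(kind, false, "expired");
    const next = NEXT[kind];
    const r = this.receipt(kind, true, next ? "advanced" : "consumed");
    return next ? { ...r, handle: this.issue(next, rec.session) } : r;
  }
}

// Constructed walk-through: intent -> proof -> ticket -> authorization -> consumed.
function demoFlow() {
  const il = new Interlock();
  let h = il.start();
  for (const kind of ["intent", "proof", "ticket"]) h = il.advance(kind, h).handle;
  const first = il.advance("authorization", h);
  const replay = il.advance("authorization", h);
  return { first: first.reason, replay: replay.reason, receipts: il.receipts.length };
}
console.log(demoFlow());
```

Keying the store by stage and handle together means a handle presented at the wrong stage is simply not found, which is how a skipped prerequisite gets blocked and receipted.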

## 7. Threat Model Summary

Threat classes:

- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Implemented controls:

- No raw MSISDN storage
- HMAC-based tokenization
- Opaque handles
- One-time proof/ticket/authorization flow
- TTL-based transient state
- Admin challenge-response
- Audit receipt retrieval
- HTTPS
- SSH hardening
- Public non-claims

Pending controls:

- External security audit
- Carrier-core integration review
- Native dialer integration review
- Advanced WAF/rate-limit hardening
- Enterprise persistence layer
- Partner acceptance trial

## 8. Deployment Model

The current deployment is production-near and suitable for enterprise review, technical validation, security review, and acceptance-trial preparation.

Deployment models may include:

- GNX-hosted review environment
- Customer VPC deployment
- On-prem/private cloud deployment
- OEM/device/dialer integration package
- Telecom or financial institution pilot environment

## 9. Operational Controls

Current operational controls:

- systemd service
- Nginx reverse proxy
- HTTPS certificate
- SSH hardening
- Backup/restore script
- Restore dry-run script
- Incident snapshot tool
- Deployment guide
- Threat model
- OpenAPI
- Production readiness gate

## 10. Backup and Recovery

The product has:

- Backup script
- SHA256 manifest
- Restore dry-run script
- Backup/restore runbook
- Recovery acceptance criteria

Backups must not be published.

Backups contain production secrets and runtime state.

## 11. Incident Response

The product has:

- Incident snapshot tool
- Incident response runbook
- Triage commands
- Containment procedures
- Recovery verification
- Non-claims and escalation rules

Incident snapshots must not be published.

## 12. Verification Package

Public verification package includes:

- Runtime health
- OpenAPI
- Threat Model
- Deployment Guide
- Backup/Restore Runbook
- Incident Response Runbook
- SSH Hardening
- Commercial Review Surface
- License Package v0.1
- Executive Brief
- White Book
- Blue Book

## 13. Current PASS Gates

- Runtime Health API
- HTTPS Runtime Health API
- No-raw-MSISDN Tokenization Path
- Text Identifier Claim
- Session Intent
- Display Ready Interlock
- One-time Tunnel Ticket
- One-time Session Consume
- Reuse Block
- Audit Receipt Creation/Retrieval
- HTTPS Full Evidence Chain
- TLS/HTTPS Certificate
- SSH Hardening
- Admin Signed Challenge
- Protected Admin Readiness
- OpenAPI
- Threat Model
- Deployment Guide
- Backup/Restore Runbook
- Incident Response Runbook
- Enterprise UX/UI Surface v1
- License Package v0.1
- Public Verification Surface v1.1
- Public License Package v0.1
- Enterprise Review Package v0.1 Repack
- Executive Brief v0.1

## 14. Current PENDING Items

The following are intentionally pending:

- Native Dialer Integration
- Apple CallKit Production Approval
- Android Telecom Framework Production Approval
- Carrier Core Integration
- Telecom Partner Acceptance Trial
- Financial Institution Acceptance Trial
- External Security Audit

## 15. Technical Non-claims

This Blue Book does not claim that carrier production integration is complete.

This Blue Book does not claim that native dialer integration is complete.

This Blue Book does not claim that external security audit is complete.

This Blue Book documents the production-near technical and security architecture currently deployed for enterprise review.

