Components

What runs where. A map of the IronIP system as deployed.

Core libraries

Module	Role
`src/lib/bca-core.js`	Paper-correct BCA implementation: Hash1 computation, interface ID derivation, 32 modifiers and Merkle tree, 8-step verification. No AWS dependencies.
`src/lib/bca-wallet.js`	BSV mainnet wallet: UTXO fetch, OP_RETURN transaction creation, ARC broadcast, block header + TSC Merkle proof retrieval.
`src/lib/block-fetcher.js`	WhatsOnChain integration for block headers and Merkle proofs after anchor confirmation.
`src/lib/bca-verifier.js` (planned)	Strict-mode shared verifier used by all adapters. Consolidates lookup/matching.
`src/lib/bca-extractor.js` (planned)	Transport-agnostic BCA-address extraction from HTTP headers, MQTT usernames, IKE ID payloads, X.509 certs.

Lambda functions

Endpoint	Handler	Purpose
POST /register	register.handler	Anchor device identity to Bitcoin mainnet. Generates modifiers + Merkle tree, builds OP_RETURN, broadcasts, stores BCA Parameters.
POST /bulk-register	bulk-register.handler	Anchor up to 32 devices in a single Bitcoin transaction. Cost-efficient batch operation.
POST /generate	generate.handler	Generate a BCA IPv6 address from registered parameters for a given subnet prefix and modifier index.
POST /verify	verify.handler	Run 8-step BCA verification against an IPv6 address.
POST /confirm	confirm.handler	Fetch block header + Merkle proof from WhatsOnChain after anchor tx is mined. Promotes pending → confirmed.
POST /provision	provision.handler	Assign BCA IPv6 address to a real EC2 ENI via AssignIpv6Addresses + SSM reapply.
POST /ping	ping.handler	Issue `ping6` between Devices via SSM command.
POST /demo-verify	demo-verify.handler	End-to-end: find BCA addresses on ENIs, ping Device A → Device B, verify source address.
POST /wallet	wallet.handler	Wallet status, balance, funding address.
POST /export	export.handler	Export BCA Parameters as JSON for standalone verification.
POST /iot-test	iot-test.handler	Invoke IoT Custom Authorizer directly for demo purposes.
POST /iot-connect	iot-connect.handler	Device A publishes to IoT Core via HTTPS using BCA Custom Authorizer.
(internal) iotAuthorizer	iot-authorizer.handler	IoT Core Custom Authorizer. Extracts BCA address, runs 8-step verification, returns IoT policy.
POST /pool/claim (planned)	pool-refresher.handler	Atomically claim a pre-confirmed anchor from the pool for a demo session.

Storage

Resource	Purpose
DynamoDB `bca-anchors-dev`	BCA Parameters for every registration. Keyed by device token ID. Contains modifiers, Merkle proofs, raw tx, block header, confirmation status.
DynamoDB `ironip-anchor-pool` (planned)	Pool of pre-confirmed anchors available for demo sessions. Refilled by scheduled `pool-refresher`.
DynamoDB `ironip-proof-log` (planned)	Per-adapter verification attempt log with TTL. Backs the proof pages' live activity feeds.
SSM Parameter `/bca-demo/wallet-wif`	Encrypted BSV wallet WIF. Used by register + bulk-register to sign anchor transactions.

Network infrastructure

Resource	Purpose
VPC1 (existing, us-east-1)	Hosts Device A, Device B on real ENIs. IPv6 /64 subnet. Egress-only IGW.
VPC2 (planned, us-east-1)	Isolated second trust domain. Device C. No peering to VPC1.
VPC3 (planned, eu-west-1)	Cross-region trust domain. Device D. Demonstrates region-independent verification.
IoT Core endpoint	Configured via `window.IRONIP_CONFIG.iotEndpoint`. Custom authorizer `bca-authorizer` (signing disabled).

Frontend

Path	Purpose
`public/index.html`	Main UI — live demo flow.
`public/js/app.js`	Demo flow logic, wired to API Gateway endpoints. Config-driven via `window.IRONIP_CONFIG`.
`public/js/config.example.js`	Template for local deployment configuration. Real `config.js` is gitignored.
`public/docs/`	Knowledge base (this site).
`public/proofs/` (planned)	Per-adapter proof pages with live verification feeds.

See also

Topology — multi-VPC / multi-region layout
Adapters — shared-verifier pattern
Anchor Pool — how the demo maintains instant UX with strict verification