tasks: mark vault/review-vault-sync and core/auth completed

2026-06-23 14:10:54 +00:00
parent a4b4d89d8f
commit b93a85a280
2 changed files with 20 additions and 4 deletions

@@ -1,7 +1,7 @@
---
id: core/auth
name: Implement AuthContext, Identity, AuthToken, IdentityProvider trait, and ConfigIdentityProvider
status: pending
status: completed
depends_on: [core/core-types]
scope: moderate
risk: medium
@@ -159,4 +159,12 @@ per-request identity takes precedence for ACL.
## Summary
> To be filled on completion
Implemented `AuthContext`, `Identity`, `AuthToken`, `IdentityProvider` trait,
and `ConfigIdentityProvider` in `auth.rs`. ConfigIdentityProvider reads from
`ArcSwap<DynamicConfig>` on every call (hot-reloadable): fingerprint resolution
via `authorized_fingerprints` HashSet, token resolution via `alk_` prefix +
SHA-256 hash + expiry check. Also implemented minimal `config.rs` types
(`DynamicConfig`, `AuthPolicy`, `ApiKeyEntry`, `RateLimitConfig`,
`ConfigReloadHandle`) needed by auth — aligned with architecture docs for the
parallel `core/config` task to extend. 27 unit tests pass; clippy clean.
Merged to develop.
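Review bot: The summary sentence "token resolution via `alk_` prefix + SHA-256 hash + expiry check" does not record how the computed hash is matched against the stored value. Please state whether that match is a constant-time comparison or a lookup keyed by the hash, and whether one request takes a single snapshot of `ArcSwap<DynamicConfig>`, so the fingerprint and token checks cannot observe different configs across a hot reload. It would also help to say which of the 27 unit tests cover rejection of an expired token and of a token without the `alk_` prefix.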

@@ -1,7 +1,7 @@
---
id: vault/review-vault-sync
name: Review vault implementation against specs after all drift fixes
status: pending
status: completed
depends_on: [vault/irpc-removal, vault/osrng-iv-generation, vault/poisoned-lock-recovery, vault/remove-password-derivation, vault/unlock-new-zeroizing-return, vault/key-versioning-rotation, vault/derivedkey-serialization, vault/cache-zeroization-test]
scope: moderate
risk: low
@@ -109,4 +109,12 @@ items were missed or incompletely fixed.
## Summary
> To be filled on completion
Reviewed vault crate against all architecture specs. Fixed 5 spec-conformance
deviations: (1) EncryptionKey removed Clone (now move-only), added redacting
Debug; (2) EncryptionKey::new made private (cfg(test)), added pub(crate)
key_bytes(); (3) encrypt/decrypt made pub(crate) per encryption.md, crypto tests
moved to unit tests; (4) CachedKey refactored to wrap DerivedKey with
cached_at/last_accessed fields per service.md; (5) Mnemonic::to_seed() unwrap()
eliminated by storing validated Bip39Mnemonic (enabled bip39 zeroize feature).
All 10 drift items verified resolved. 79 lib + 12 integration tests pass; clippy
clean with all features. Merged to develop.
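Review bot: In item (2) of the summary, "EncryptionKey::new made private (cfg(test))" reads two ways: a private constructor and a test-only constructor are different guarantees, so say which one applies and name the path non-test code uses to obtain an `EncryptionKey`. The same item adds `pub(crate) key_bytes()`; please record whether it returns a borrow or an owned copy, because an owned copy would reintroduce the duplication that removing `Clone` in item (1) was meant to prevent. "All 10 drift items verified resolved" is also hard to audit against the 8 tasks in `depends_on` and the 5 fixes listed here, so list the ten items or link the checklist they come from.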