alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: sync architecture docs with Phase 2 implementation state

Browse Source
This commit is contained in:
glm-5.1
2026-06-09 11:37:14 +00:00
parent dc3c8208df
commit bcbe2f1761
4 changed files with 40 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/architecture/auth.md
View File

@@ -1,6 +1,6 @@
---
status: draft
last_updated: 2026-06-07
last_updated: 2026-06-09
---
# Authentication
@@ -318,6 +318,13 @@ security consideration:
| [035](decisions/035-streaminterface-messageinterface-split.md) | StreamInterface/MessageInterface | Credential presentation differs per (Transport, Interface) pair |
| [037](decisions/037-api-keys-dynamic-config.md) | API keys in DynamicConfig | Hash-verified bearer tokens for service accounts |
## Phase 2 Implementation Notes
- `ConfigIdentityProvider::resolve_from_token()` now handles API keys (`alk_` prefix) via SHA-256 hash verification with expiry checking
- `ApiKeyEntry` struct added to `AuthPolicy` with prefix, hash, scopes, description, expires_at fields
- API keys produce `Identity { id: prefix, scopes: from_entry, resources: {} }`
- Both AuthTokens (Ed25519 signed) and API keys (hash-verified bearer) go through `resolve_from_token()`, discriminated by format/prefix
## References
- [identity.md](identity.md) — Canonical Identity and IdentityProvider definitions