docs: complete Phase 0 architecture — spec updates, review fixes, and link portability

Update four existing specs (overview, server, napi-and-pubsub, call-protocol) to
reflect Phase 0 decisions: three-layer model, IdentityProvider, ForwardingPolicy,
OperationEnv, static/dynamic config split. Review all 9 Phase 0a ADRs (026-034)
for consistency. Fix 4 critical issues from architecture review: missing OQ-SVC-05
in open-questions.md, deprecated hub terminology, undefined AuthService and noq
terms. Replace inline OQ text with cross-references per format rules. Add
ConfigServiceImpl definition to configuration.md. Port absolute workspace paths
to project-relative links by copying referenced docs (feasibility, certbot,
fail2ban, event_source_types) into docs/research/.

docs/architecture/decisions/001-pluggable-transport.md

@@ -23,4 +23,4 @@ This makes adding a new transport (e.g., WebSocket, QUIC directly) a matter of i
 
 ## References
 - [transport.md](../transport.md)
-- [Feasibility assessment §3](../../../../conversations/research/ssh-tunnel-vpn-alternative-feasibility.md)
+- [Feasibility assessment §3](../../research/feasibility/ssh-tunnel-vpn-alternative-feasibility.md)

docs/architecture/decisions/003-iroh-stream-join.md

@@ -28,4 +28,4 @@ Option 3 was rejected because it would require modifying russh to understand iro
 
 ## References
 - [transport.md](../transport.md)
-- [Feasibility assessment §11](../../../../conversations/research/ssh-tunnel-vpn-alternative-feasibility.md)
+- [Feasibility assessment §11](../../research/feasibility/ssh-tunnel-vpn-alternative-feasibility.md)

docs/architecture/decisions/004-ssh-over-transport.md

@@ -25,4 +25,4 @@ This is directly enabled by russh's `connect_stream()` and `run_stream()` APIs,
 
 ## References
 - [transport.md](../transport.md)
-- [Feasibility assessment §3.4](../../../../conversations/research/ssh-tunnel-vpn-alternative-feasibility.md)
+- [Feasibility assessment §3.4](../../research/feasibility/ssh-tunnel-vpn-alternative-feasibility.md)

docs/architecture/decisions/008-acme-lets-encrypt.md

@@ -4,7 +4,7 @@
 Accepted
 
 ## Context
-TLS transport mode requires certificates. Manual certificate management is error-prone — users need to obtain, install, and renew certificates. Our production setup uses certbot with Let's Encrypt (documented in `/workspace/system/dev1/certbot.md`), which automates this via the ACME protocol.
+TLS transport mode requires certificates. Manual certificate management is error-prone — users need to obtain, install, and renew certificates. Our production setup uses certbot with Let's Encrypt (documented in [certbot.md](../../research/ops/certbot.md)), which automates this via the ACME protocol.
 
 There are two ACME flows:
 1. **Domain-based**: Standard flow with DNS-01 or HTTP-01 challenge. Certificate is tied to a domain name, auto-renews via certbot/systemd timer. Requires port 80 or DNS access for challenges.
@@ -35,4 +35,4 @@ The implementation should use the `rustls-acme` crate (or similar pure-Rust ACME
 - [server.md](../server.md)
 - [OQ-01](../open-questions.md) — resolved by this ADR
 - [OQ-07](../open-questions.md) — resolved by this ADR
-- Production certbot setup: `/workspace/system/dev1/certbot.md`
+- Production certbot setup: [certbot.md](../../research/ops/certbot.md)

docs/architecture/decisions/013-fail2ban-friendly-logging.md

@@ -4,7 +4,7 @@
 Accepted
 
 ## Context
-The server needs to handle abuse on public-facing deployments. Our production infrastructure uses fail2ban on Linux (documented in `/workspace/system/dev1/fail2ban.md`) with nftables and systemd journal backend. fail2ban needs structured, parseable logs to identify abusive IP addresses.
+The server needs to handle abuse on public-facing deployments. Our production infrastructure uses fail2ban on Linux (documented in [fail2ban.md](../../research/ops/fail2ban.md)) with nftables and systemd journal backend. fail2ban needs structured, parseable logs to identify abusive IP addresses.
 
 However, fail2ban is Linux-specific. On other platforms (macOS, Windows, BSD), users need a different approach to reject abusive connections. The server should provide enough logging for fail2ban on Linux and enough built-in protection for other platforms.
 
@@ -36,4 +36,4 @@ This ensures that even without fail2ban, the server rejects obviously abusive co
 ## References
 - [server.md](../server.md)
 - [OQ-08](../open-questions.md) — resolved by this ADR
-- Production fail2ban setup: `/workspace/system/dev1/fail2ban.md`
+- Production fail2ban setup: [fail2ban.md](../../research/ops/fail2ban.md)

docs/architecture/decisions/027-crate-decomposition.md

@@ -64,17 +64,30 @@ format, but not as a crate dependency.
 ### Dependency Graph
 
 ```
-                  alknet-secret
-                 /             \
-                /               \
-alknet-core ←────                ←── alknet-storage
-     ↑               \           /
-     │                alknet-flowgraph
-     │
-alknet-napi
-alknet (CLI binary — assembles everything)
+alknet-secret       alknet-storage      alknet-flowgraph
+   (standalone)        (standalone)        (standalone)
+        │                   │                  │
+        │  (feature flags   │   (trait impl    │  (type compat
+        │   in CLI binary)  │    via CLI wire)  │   via JSON)
+        ▼                   ▼                  ▼
+                 ┌─────────────────────┐
+                 │    alknet-core       │
+                 │  (transport, SSH,     │
+                 │   call protocol,     │
+                 │   Identity, Config)  │
+                 └─────────┬───────────┘
+                           │
+              ┌────────────┼────────────┐
+              ▼            ▼            ▼
+        alknet-napi    alknet (CLI binary — assembles everything)
 ```
 
+All four library crates (core, secret, storage, flowgraph) are independent of
+each other. Dependencies flow **upward** only. The CLI binary sits at the top
+and wires concrete implementations together. alknet-storage implements
+alknet-core's `IdentityProvider` trait without a crate dependency — the CLI
+binary provides the bridge.
+
 ### Narrow Interface Points
 
 Three types serve as the narrow interface points between crates:
@@ -147,4 +160,5 @@ alknet-storage does NOT depend on alknet-secret as a crate. Instead:
 - [research/services.md](../../research/services.md) — Service protocols
 - [research/storage.md](../../research/storage.md) — alknet-storage contents
 - [research/flow.md](../../research/flow.md) — alknet-flowgraph contents
+- [ADR-028](028-auth-irpc-service.md) — Auth as irpc service (service protocol enabled by decomposition)
 - [ADR-029](029-identity-core-type.md) — Identity as core type (narrow interface point)

docs/architecture/decisions/032-event-boundary-discipline.md

@@ -93,4 +93,4 @@ propagate beyond the service boundary without projection.
 - [research/services.md](../../research/services.md) — Event boundary discipline section
 - [research/storage.md](../../research/storage.md) — Honker integration, event boundaries
 - [research/integration-plan.md](../../research/integration-plan.md) — ADR 032 entry
-- [event_source_types.md](/workspace/research/event_sourcing/event_source_types.md) — Event-driven architecture patterns
+- [event_source_types.md](../../research/event-sourcing/event_source_types.md) — Event-driven architecture patterns

docs/architecture/decisions/033-operationenv-irpc-call-protocol.md

@@ -125,6 +125,8 @@ operations universally composable across all interfaces.
 
 - [research/services.md](../../research/services.md) — OperationContext, OperationEnv
 - [research/integration-plan.md](../../research/integration-plan.md) — Phase 1.5, OperationEnv wiring
+- [ADR-026](026-transport-interface-separation.md) — Three-layer model (OperationEnv is Layer 3)
+- [ADR-028](028-auth-irpc-service.md) — Auth as irpc service (one dispatch backend)
 - [ADR-032](032-event-boundary-discipline.md) — Event boundary discipline
 - [ADR-024](024-bidirectional-call-protocol.md) — Bidirectional call protocol
 - [ADR-025](025-handler-spec-separation.md) — Handler/spec separation