docs(arch): ADR-030..033 — repo/adapter pattern, PeerEntry, CredentialStore, forwarded-for
Land the storage and auth strategy research (findings.md) as four accepted ADRs and amend the core and call specs to match:

- ADR-030: PeerEntry and Identity.id decoupling. Replaces authorized_fingerprints with peers: Vec<PeerEntry>; Identity.id becomes the stable peer_id, decoupled from the rotating fingerprint. Supersedes ADR-029 Assumption 1's UUID source (one-way door preserved, source changes). Resolves OQ-33 and the storage-boundary half of OQ-34. Records the API-key asymmetry as deliberate (OQ-35).
- ADR-031: CredentialStore repo trait + InMemoryCredentialStore default adapter in core. Second repo trait alongside IdentityProvider. Vault encrypts; the store persists the EncryptedData blob; assembly layer loads into Capabilities. EncryptedData core mirror includes salt for wire-format compat.
- ADR-032: Forwarded-for identity. forwarded_for field on call.requested and OperationContext — metadata only, never read by AccessControl::check (enforced structurally via the check signature). The from_call handler populates it. Wire-format one-way door, folded into the ADR-029 migration window.
- ADR-033: Storage boundary and repo/adapter pattern. Core defines repo traits + in-memory defaults; persistence adapters are separate crates; assembly layer wires. Resolves OQ-34. Concrete adapter shapes deferred for exploration (OQ-36).

Amends auth.md, config.md, operation-registry.md, client-and-adapters.md, open-questions.md, README.md, crates/core/README.md. Marks ADR-029 Accepted (Assumption 1 carries the ADR-030 superseded note). Marks the research findings doc reviewed.
@@ -2,7 +2,8 @@
|
||||
|
||||
## Status
|
||||
|
||||
Proposed (supersedes ADR-028)
|
||||
Accepted (supersedes ADR-028; Assumption 1's `PeerId` source is superseded
|
||||
by ADR-030 on the source dimension — the one-way door is preserved)
|
||||
|
||||
## Context
|
||||
|
||||
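Review bot: The new Status text folds the partial supersession into the parenthetical, where "`PeerId` source is superseded by ADR-030 on the source dimension" repeats "source" and puts the ADR-030 relationship (this ADR being superseded) next to the ADR-028 one (this ADR superseding) with nothing to separate the two directions. Consider keeping the status line as "Accepted (supersedes ADR-028)" and adding a separate line such as "Partially superseded by ADR-030 (Assumption 1, `PeerId` source only)", so a reader scanning statuses sees both relationships and which way each one points.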
@@ -243,6 +244,14 @@ with attribution, filtered by the calling peer's authorization).
|
||||
The one-way door: `PeerId` is logical, not crypto — this determines the
|
||||
`PeerCompositeEnv` key type and `PeerRef::Specific` payload. See OQ-33.
|
||||
|
||||
> **Superseded by ADR-030 on the `PeerId` source dimension.** The
|
||||
> one-way door (`PeerId` is logical, not crypto) is preserved. The v1
|
||||
> UUID source is replaced by `Identity.id` from `PeerEntry.peer_id`
|
||||
> (stable across key rotation). The "no-storage workaround" framing is
|
||||
> no longer accurate — the storage boundary is now `config + in-memory
|
||||
> adapter` (ADR-030 + ADR-033), with persistence adapters additive. See
|
||||
> ADR-030 and OQ-33 (resolved).
|
||||
|
||||
2. **`PeerRef::Any` = insertion-order first-match.** Deterministic but
|
||||
order-dependent (worker A connects before worker B → `Any` routes to A
|
||||
until A disconnects). This is the simplest routing policy and is correct for
|
||||
|
||||
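Review bot: The superseded note added under Assumption 1 names the new `PeerId` source (`Identity.id` from `PeerEntry.peer_id`) but does not say whether `peer_id` values must be unique, even though the context lines just above it state that `PeerId` determines the `PeerCompositeEnv` key type and the `PeerRef::Specific` payload. Since the source moves from a v1 UUID to a value taken from a `PeerEntry`, add one sentence saying where uniqueness is enforced, or point at the part of ADR-030 that covers it. The unchanged "See OQ-33." directly above the note could also be brought in line with the note's "OQ-33 (resolved)".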