8.3 KiB
id, name, status, depends_on, scope, risk, impact, level
| id | name | status | depends_on | scope | risk | impact | level | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| call/review-call-sync | Review alknet-call ADR-029/030/032/034 sync for spec conformance | completed |
|
broad | low | phase | review |
Description
Review the alknet-call implementation after the ADR-029/030/032/034 sync for spec conformance, pattern consistency, and correctness. This is the quality checkpoint at the end of the call phase — the most complex sync in this batch.
Review Checklist
-
remote_safe/trusted_peer retirement (ADR-029 §3):
- No
remote_safefield onHandlerRegistration - No
trusted_peeronCallClient - No
RemoteFilterin dispatch - No
list_operations_peer_scoped/services_list_handler_peer_scoped - No ADR-028 test remnants
- Peer authorization via
AccessControl::check(peer_identity)only
- No
-
PeerCompositeEnv conformance (ADR-029 §1, ADR-030 §4-5):
PeerCompositeEnvwith peer-keyedconnections: HashMap<PeerId, ...>connection_order: Vec<PeerId>(insertion order forPeerRef::Any)PeerId = Identity.id(stablepeer_id, not UUID)compose_root_envbuildsPeerCompositeEnvper call- Connection with no resolved identity → not attached (no PeerId)
CompositeOperationEnvremoved (all call sites migrated)- Singular-connection case works (degenerate single-entry map)
-
invoke_peer / PeerRef conformance (ADR-029 §2):
PeerRef::Specific(PeerId)/PeerRef::AnyenumOperationEnv::invoke_peerwith default-impl (back-compat)OperationEnv::peer_containswith default-implPeerCompositeEnvoverrides with real peer-keyed routingPeerRef::Specific→ no fallthrough (NOT_FOUND if peer doesn't serve op)PeerRef::Any→ insertion-order first-match- Reachability check (
scoped_env.allows) gates before routing
-
forwarded_for conformance (ADR-032):
OperationContext.forwarded_for: Option<Identity>fieldbuild_root_contextpopulates fromcall.requested.forwarded_forOperationEnv::invokesetsNonefor composed children (wire-ingress only)AccessControl::checknever readsforwarded_for(structural invariant)from_callhandler populatesforwarded_forfromcontext.identity
-
services/list AccessControl-filtered (ADR-029 §6):
services/listfilters byAccessControl::check(calling_peer_identity)- Op with
AccessControl::default()listed to any peer - Op with
required_scopeshidden from unauthorized peers services/list-peersopt-in (peer-attributed, AccessControl-filtered)services/schemaunchanged
-
CallClient verifier selection (OQ-29, ADR-034):
- Client presents Ed25519 key as RFC 7250 raw public key client cert
AcceptAnyServerCertVerifierremoved (security hole)- Verifier by
PeerEntrypresence:Some→ fingerprint pin,None+ X.509 → CA,None+ Ed25519 → fail closed CallCredentials.remote_identity: Noneis load-bearing (not placeholder)- No-env-vars invariant preserved (credentials from Capabilities)
-
from_call peer-keyed registration (ADR-029 §5):
from_callregisters into peer's sub-overlay- Same-peer collision = error (
SamePeerCollision) - Cross-peer collision dissolves (separate sub-overlays)
namespace_prefixdefaults toNone(optional local-naming sugar)forwarded_forpopulated from hub'scontext.identity
-
dispatch_peer_identity (ADR-029 §3, ADR-030 §5):
dispatch_requestedresolves peerIdentityAccessControl::check(peer_identity)is the sole authorization gatePeerIdfromconnection.identity().id(not UUID)- Connection with no identity → no PeerId, not in PeerCompositeEnv
-
ADR conformance:
- ADR-029: peer-keyed overlays, PeerRef routing, AccessControl-based peer auth, retire remote_safe
- ADR-030: PeerId = Identity.id = PeerEntry.peer_id (stable)
- ADR-032: forwarded_for (metadata only, wire-ingress only, never in ACL)
- ADR-034: three remote roles, verifier selection by PeerEntry presence
-
Security constraints:
- Capabilities non-serializable, zeroized, immutable (unchanged)
- No secret material on wire (unchanged)
forwarded_foris metadata, not authority (AccessControl::check never reads it)- Internal ops → NOT_FOUND from wire (unchanged)
- Reachability check bounds composition (unchanged)
- No-env-vars invariant (credentials from Capabilities, not env vars)
AcceptAnyServerCertVerifierremoved (no security hole for X.509)
-
Pattern consistency:
OperationEnvis a trait (not concrete) — preservedPeerCompositeEnvusescontains()probe before dispatch — preserved- Authority switch on
internal: true— preserved - Deadline inheritance — preserved
- Metadata fresh on composition (
HashMap::new()) — preserved
-
Test coverage:
- PeerCompositeEnv routing (session, peers in order, base fallthrough)
- PeerRef::Specific (routes, NOT_FOUND on missing peer)
- PeerRef::Any (insertion-order first-match)
- forwarded_for (populated, None for composed children, never in ACL)
- services/list AccessControl-filtered
- AccessControl::check peer authorization (allowed, FORBIDDEN, Internal NOT_FOUND)
- CallClient verifier selection (fingerprint pin, CA, fail closed)
- from_call forwarded_for + peer-keyed registration + collision rules
Acceptance Criteria
- No
remote_safe/trusted_peer/RemoteFilterreferences remain PeerCompositeEnvmatches ADR-029 §1 (peer-keyed, insertion order)PeerId = Identity.id(stable, not UUID)invoke_peer/peer_contains/PeerRefmatch ADR-029 §2forwarded_formatches ADR-032 (metadata only, wire-ingress only, never in ACL)services/listAccessControl-filtered;services/list-peersopt-in- CallClient verifier selection matches ADR-034 §3
from_callpeer-keyed registration + forwarded_for + collision rulesAccessControl::check(peer_identity)is the sole authorization gateAcceptAnyServerCertVerifierremoved- No-env-vars invariant preserved
OperationEnvis a trait (not concrete)- Test coverage adequate for all new functionality
cargo fmt --check -p alknet-callpassescargo clippy -p alknet-callpasses with no warnings- All tests pass
References
- docs/architecture/crates/call/README.md
- docs/architecture/crates/call/call-protocol.md
- docs/architecture/crates/call/operation-registry.md
- docs/architecture/crates/call/client-and-adapters.md
- docs/architecture/decisions/029-peer-graph-routing-model.md
- docs/architecture/decisions/030-peerentry-and-identity-id-decoupling.md
- docs/architecture/decisions/032-forwarded-for-identity.md
- docs/architecture/decisions/034-outgoing-only-x509-and-three-peer-roles.md
Notes
This is the most complex sync in this batch. The review should verify that the peer-keyed routing model (ADR-029), the stable PeerId (ADR-030), the forwarded_for metadata field (ADR-032), and the verifier selection (ADR-034) all work correctly together. The
OperationEnvtrait-object design is load-bearing — verify it's still a trait, not concrete. TheAccessControl::check-based peer authorization is the security property — verify no parallel gate remains. If deviations are found, document and fix before considering the call sync complete.
Summary
All 12 checklist sections PASS. Negative criteria verified: no remote_safe/trusted_peer/RemoteFilter/list_operations_peer_scoped/AcceptAnyServerCertVerifier/CompositeOperationEnv in code. PeerCompositeEnv matches ADR-029 §1. PeerId = Identity.id (stable). invoke_peer/PeerRef match ADR-029 §2. forwarded_for matches ADR-032. services/list filters by AccessControl::check. CallClient verifier selection matches ADR-034 §3. from_call peer-keyed registration with SamePeerCollision. dispatch_peer_identity: AccessControl::check is sole gate. FIXES APPLIED: ran cargo fmt to fix 3 drifts in adapter.rs (2 spots) and env.rs (1 spot) — pure formatting, no semantic change. No large deviations — implementation is conformant with ADR-029/030/032/034. 389 tests pass, clippy clean.