2.7 KiB
id, name, status, depends_on, scope, risk, impact, level
| id | name | status | depends_on | scope | risk | impact | level | |
|---|---|---|---|---|---|---|---|---|
| vault/remove-password-derivation | Remove derive_password and site_password_path methods (password-manager pattern not relevant) | completed |
|
single | trivial | isolated | implementation |
Description
Fix drift item #7: the vault currently has derive_password,
derive_password_string, and site_password_path methods. These implement a
password-manager pattern (deriving site-specific passwords from the seed) that
is not relevant to an RPC system's vault. Remove them entirely per ADR-025
(resolves review #002 C9).
What to remove
derive_passwordmethod fromVaultServiceHandle(inservice.rs)derive_password_stringmethod fromVaultServiceHandle(inservice.rs)site_password_pathfunction (inmnemonic-derivation.rsorderivation.rs, wherever it's defined)- Any associated path constants for password derivation
- Any tests for these methods
- Any references in
lib.rsre-exports
Why
The vault's purpose in alknet is to derive cryptographic keys (Ed25519 for identity, AES-256-GCM for encryption) and encrypt/decrypt external credentials. Site-specific password derivation is a password-manager feature that doesn't belong in a networking toolkit's vault. Keeping it expands the attack surface and API surface for no benefit.
Scope
This task touches service.rs and possibly derivation.rs /
mnemonic-derivation.rs. It depends on the irpc removal task (drift #4) because
both modify service.rs.
Acceptance Criteria
derive_passwordmethod removed fromVaultServiceHandlederive_password_stringmethod removed fromVaultServiceHandlesite_password_pathfunction removed- Any password-derivation path constants removed
- Tests for password derivation removed
- No references to password derivation remain in
lib.rsre-exports cargo checksucceeds (no dangling references)cargo testsucceedscargo clippysucceeds with no warnings
References
- docs/architecture/crates/vault/README.md — Known Source Drift table item #7
- docs/architecture/decisions/025-vault-local-only-dispatch.md — ADR-025 (resolves C9)
Notes
Straightforward removal. The password-manager pattern was inherited from the POC and is not relevant to alknet's vault use case. Depends on irpc removal because both modify
service.rs.
Summary
Removed derive_password, derive_password_string from VaultServiceHandle
(service.rs), site_password_path from derivation.rs, the doc-table row, all 5
password-derivation tests, and the now-unused base64 URL_SAFE_NO_PAD import.
109 lines deleted. All tests pass; clippy clean. Merged to develop.