alknet/tasks/architecture/spec-update-auth.md
glm-5.1 19b3d3a078 docs: write Phase 0 architecture foundation — ADRs 026-034, spec docs, and task updates
Phase 0a — ADRs (9 new):
- ADR-026: Transport/interface separation (three-layer model)
- ADR-027: Crate decomposition (core, secret, storage, flowgraph, napi, CLI)
- ADR-028: Auth as irpc service (AuthProtocol behind feature flag)
- ADR-029: Identity as core type (Identity + IdentityProvider in alknet-core)
- ADR-030: Static/dynamic config split (ArcSwap, ConfigReloadHandle)
- ADR-031: Forwarding policy (rule-based allow/deny, TransportKind-aware)
- ADR-032: Event boundary discipline (domain, irpc, call protocol boundaries)
- ADR-033: OperationEnv universal composition (three dispatch paths)
- ADR-034: Head/worker terminology (replace hub/spoke)

Phase 0b — New spec documents (7):
- identity.md, services.md, interface.md, configuration.md,
  storage.md, flowgraph.md, secret-service.md

Updated existing docs:
- auth.md: reference identity.md for canonical definitions, add AuthProtocol
- open-questions.md: resolve OQ-12, OQ-16, OQ-18, OQ-22, OQ-23-25
- README.md: add all new docs, ADRs 026-034

Marked 19 architecture tasks as completed.
2026-06-07 09:32:58 +00:00


  • id: architecture/spec-update-auth
  • name: Update auth.md — add IdentityProvider vs AuthService relationship
  • status: completed
  • depends_on: architecture/spec-identity, architecture/adr-028-auth-irpc-service
  • scope: narrow
  • risk: low
  • impact: component
  • level: implementation

Description

Update docs/architecture/auth.md to add the IdentityProvider vs AuthService relationship and update for the AuthProtocol irpc service per ADR-028.

The current auth.md already defines the IdentityProvider trait and the Identity struct, which is good. Once identity.md exists as the canonical home for those definitions, auth.md should reference identity.md instead of defining them inline.

Changes needed:

  1. Replace inline Identity and IdentityProvider definitions with references to identity.md
  2. Add section on AuthProtocol irpc service (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) behind irpc feature flag
  3. Add section on ConfigIdentityProvider as the default impl (ArcSwap-backed)
  4. Clarify the relationship: IdentityProvider is the contract, irpc AuthProtocol is one way to implement it, ConfigIdentityProvider is another
  5. Remove inline decision rationale about IdentityProvider placement — reference ADR-029
  6. Reference ADR-028 for the irpc service decision

What stays the same: Token authentication design, AuthPolicy structure, browser-side token construction, WebTransport session request inspection, security considerations, all existing constraints.

Acceptance Criteria

  • Identity and IdentityProvider definitions reference identity.md (canonical) rather than defining inline
  • AuthProtocol irpc service documented with variants (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) per ADR-028
  • ConfigIdentityProvider documented as default implementation (ArcSwap path)
  • Relationship between trait-based path and irpc path clearly stated
  • irpc feature flag mentioned for AuthProtocol
  • Inline decision rationale replaced with ADR references (028, 029)
  • last_updated in YAML frontmatter updated
  • No hub/spoke terminology
  • References section updated to include identity.md, ADR-028, ADR-029

References

  • docs/architecture/auth.md — current content to update
  • docs/research/integration-plan.md — auth.md update entry
  • docs/architecture/decisions/028-auth-irpc-service.md
  • docs/architecture/decisions/029-identity-core-type.md

Notes

To be filled by implementation agent

Summary

To be filled on completion