alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
19b3d3a078afbc1cee842f3e195b9ea09fcbdf94
alknet/tasks/architecture/spec-update-auth.md
glm-5.1 19b3d3a078 docs: write Phase 0 architecture foundation — ADRs 026-034, spec docs, and task updates 
Phase 0a — ADRs (9 new):
- ADR-026: Transport/interface separation (three-layer model)
- ADR-027: Crate decomposition (core, secret, storage, flowgraph, napi, CLI)
- ADR-028: Auth as irpc service (AuthProtocol behind feature flag)
- ADR-029: Identity as core type (Identity + IdentityProvider in alknet-core)
- ADR-030: Static/dynamic config split (ArcSwap, ConfigReloadHandle)
- ADR-031: Forwarding policy (rule-based allow/deny, TransportKind-aware)
- ADR-032: Event boundary discipline (domain, irpc, call protocol boundaries)
- ADR-033: OperationEnv universal composition (three dispatch paths)
- ADR-034: Head/worker terminology (replace hub/spoke)

Phase 0b — New spec documents (7):
- identity.md, services.md, interface.md, configuration.md,
  storage.md, flowgraph.md, secret-service.md

Updated existing docs:
- auth.md: reference identity.md for canonical definitions, add AuthProtocol
- open-questions.md: resolve OQ-12, OQ-16, OQ-18, OQ-22, OQ-23-25
- README.md: add all new docs, ADRs 026-034

Marked 19 architecture tasks as completed.
2026-06-07 09:32:58 +00:00

55 lines
2.5 KiB
Markdown
Raw Blame History

---
id: architecture/spec-update-auth
name: Update auth.md — add IdentityProvider vs AuthService relationship
status: completed
depends_on:
- architecture/spec-identity
- architecture/adr-028-auth-irpc-service
scope: narrow
risk: low
impact: component
level: implementation
---
## Description
Update `docs/architecture/auth.md` to add the IdentityProvider vs AuthService relationship and update for the `AuthProtocol` irpc service per ADR-028.
The current auth.md already defines `IdentityProvider` trait and `Identity` struct — which is good. After identity.md exists as the canonical home for those definitions, auth.md should reference identity.md instead of defining them inline.
**Changes needed**:
1. Replace inline `Identity` and `IdentityProvider` definitions with references to identity.md
2. Add section on `AuthProtocol` irpc service (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) behind `irpc` feature flag
3. Add section on `ConfigIdentityProvider` as the default impl (ArcSwap-backed)
4. Clarify the relationship: `IdentityProvider` is the contract, irpc `AuthProtocol` is one way to implement it, `ConfigIdentityProvider` is another
5. Remove inline decision rationale about IdentityProvider placement — reference ADR-029
6. Reference ADR-028 for the irpc service decision
**What stays the same**: Token authentication design, AuthPolicy structure, browser-side token construction, WebTransport session request inspection, security considerations, all existing constraints.
## Acceptance Criteria
- [ ] `Identity` and `IdentityProvider` definitions reference identity.md (canonical) rather than defining inline
- [ ] `AuthProtocol` irpc service documented with variants (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) per ADR-028
- [ ] `ConfigIdentityProvider` documented as default implementation (ArcSwap path)
- [ ] Relationship between trait-based path and irpc path clearly stated
- [ ] `irpc` feature flag mentioned for AuthProtocol
- [ ] Inline decision rationale replaced with ADR references (028, 029)
- [ ] `last_updated` in YAML frontmatter updated
- [ ] No hub/spoke terminology
- [ ] References section updated to include identity.md, ADR-028, ADR-029
## References
- docs/architecture/auth.md — current content to update
- docs/research/integration-plan.md — auth.md update entry
- docs/architecture/decisions/028-auth-irpc-service.md
- docs/architecture/decisions/029-identity-core-type.md
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion
Reference in New Issue View Git Blame Copy Permalink