Decompose the source-to-spec sync for the core and call crates into atomic, dependency-ordered tasks for implementation agents:

Core (7 tasks + review):
- peer-entry-model: PeerEntry struct, AuthPolicy.peers (ADR-030 keystone)
- credential-store-trait: CredentialStore/InMemoryCredentialStore/StoreError (ADR-031/035)
- identity-store-trait: IdentityStore async write trait (ADR-035)
- config-identity-provider-peerentry: ConfigIdentityProvider PeerEntry resolution (ADR-030)
- fingerprint-normalization: ed25519:hex for raw keys across quinn/iroh (ADR-030 §6)
- three-remote-roles-docs: document ADR-034 roles and verifier selection
- review-core-sync: phase gate before call consumes new identity semantics

Call (9 tasks + review):
- retire-remote-safe: remove ADR-028 machinery, AccessControl is the gate (ADR-029 §3)
- operation-context-forwarded-for: forwarded_for field, wire-ingress only (ADR-032)
- peer-composite-env: PeerCompositeEnv, PeerId=Identity.id, remove UUID (ADR-029/030)
- operation-env-invoke-peer: invoke_peer/peer_contains/PeerRef (ADR-029 §2)
- services-list-accesscontrol-filtered: AccessControl filter, list-peers opt-in (ADR-029 §6)
- call-client-verifier-selection: TLS client-auth, verifier by PeerEntry (OQ-29, ADR-034)
- from-call-forwarded-for: populate forwarded_for, peer-keyed registration (ADR-029 §5, ADR-032)
- dispatch-peer-identity: AccessControl::check(peer_identity), PeerId from resolution (ADR-029 §3, ADR-030 §5)
- review-call-sync: phase gate for the call sync

Validated: 58 tasks, no cycles, logical topo order, two review checkpoints.
| id | name | status | depends_on | scope | risk | impact | level |
|---|---|---|---|---|---|---|---|
| call/retire-remote-safe | Retire remote_safe/trusted_peer/RemoteFilter — peer authorization via AccessControl (ADR-029 §3) | pending | | moderate | medium | component | implementation |
Description
Remove the ADR-028 peer-authorization machinery from alknet-call. Per ADR-029 §3, peer authorization now flows through the existing `AccessControl::check(peer_identity)`, the same mechanism that gates every other call. No `remote_safe` flag, no `trusted_peer` bypass, no `RemoteFilter` gate.

This task is the "remove the old" step before the "build the new" (PeerCompositeEnv, invoke_peer). Removing the ADR-028 machinery first means the new AccessControl-based authorization replaces the old model rather than coexisting with it.
What to remove
- `HandlerRegistration.remote_safe: bool` (registry/registration.rs):
  - Remove the field
  - Remove the `HandlerRegistration::remote_safe()` setter
  - Remove the `OperationRegistryBuilder::remote_safe()` method
  - Remove all tests asserting `remote_safe` defaults/setter
- `OperationRegistry::list_operations_peer_scoped` (registry/registration.rs):
  - Remove the method (replaced by the AccessControl-filtered `services/list` in call/services-list-accesscontrol-filtered)
- `services_list_handler_peer_scoped` (registry/discovery.rs):
  - Remove the function (replaced by the single AccessControl-filtered handler in call/services-list-accesscontrol-filtered)
- `RemoteFilter` (protocol/dispatch.rs):
  - Remove the `RemoteFilter` struct and its `default_deny()`/`trusted()`/`allows()` methods
  - Remove the `remote_filter` field from `Dispatcher`
  - Remove the `RemoteFilter` parameter from `Dispatcher::new()`
  - Remove the `remote_filter.allows(registration.remote_safe)` gate in `dispatch_requested` (the AccessControl gate in `OperationRegistry::invoke` already handles authorization; this task removes the parallel gate)
- `CallClient::trusted_peer` (client/call_client.rs):
  - Remove the `trusted_peer: bool` field
  - Remove the `CallClient::trusted_peer()` constructor
  - Remove the `CallClient::is_trusted_peer()` method
  - Remove the `RemoteFilter::trusted()`/`default_deny()` selection in `spawn_dispatch`; `CallClient::new()` stays, and `spawn_dispatch` constructs `Dispatcher::new` without a `RemoteFilter`
- All ADR-028 tests:
  - Remove tests asserting `remote_safe` behavior, `trusted_peer` mode, `RemoteFilter` filtering, `list_operations_peer_scoped`, `services_list_handler_peer_scoped`
  - These tests verify the old model; the new model's tests land in the consuming tasks (call/services-list-accesscontrol-filtered, call/dispatch-peer-identity)
Transient state
After this task, the dispatch path authorizes via AccessControl::check (which
OperationRegistry::invoke already runs) — no parallel gate. The
PeerCompositeEnv and invoke_peer are not yet built (those are
call/peer-composite-env and call/operation-env-invoke-peer), so the
composition env is still CompositeOperationEnv (singular connection). The
services/list handler is the unfiltered services_list_handler until
call/services-list-accesscontrol-filtered adds the AccessControl filter.
This transient state compiles and is correct — it's just the ADR-028 model
removed without the ADR-029 peer-keyed routing yet added. The
AccessControl::check gate in OperationRegistry::invoke is the authorization
mechanism throughout.
ADR-029 §3 mapping (the three remote_safe cases)

| remote_safe case | Replacement (already in place via AccessControl) |
|---|---|
| Op callable by any peer (was `remote_safe: true`) | `AccessControl::default()` — no restrictions |
| Op callable only by some peers | `AccessControl { required_scopes: [...] }` — peer's `Identity.scopes` must satisfy |
| Op never callable from wire | `Visibility::Internal` — NOT_FOUND before ACL |
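The table above is the whole authorization model once the parallel gate is gone, so it is worth seeing the three cases run through a single `invoke`. The following is an added example, not alknet-call's own code: the type and field names (`AccessControl`, `required_scopes`, `Visibility::Internal`, `Identity.scopes`, `OperationRegistry::invoke`) follow the page, but their shapes, the `InvokeError` variants and the scope-subset rule are assumptions made for illustration. The point it demonstrates is the ordering the table implies: an `Internal` op answers NOT_FOUND before the ACL is consulted, so a peer cannot distinguish "does not exist" from "not for the wire", and an op with an empty `required_scopes` set is callable by any authenticated peer without any `remote_safe` flag.

```rust
// Added example modelling the single AccessControl gate (ADR-029 §3).
// Names follow the page; shapes and error variants are assumptions.
use std::collections::{BTreeSet, HashMap};

/// Peer identity as resolved by the transport (assumed shape; PeerId = Identity.id).
#[derive(Debug, Clone)]
pub struct Identity {
    pub id: String,
    pub scopes: BTreeSet<String>,
}

/// Per-operation policy: an empty `required_scopes` means any peer may call.
#[derive(Debug, Clone, Default)]
pub struct AccessControl {
    pub required_scopes: BTreeSet<String>,
}

impl AccessControl {
    /// The one gate: every required scope must be among the peer's scopes.
    pub fn check(&self, peer: &Identity) -> Result<(), InvokeError> {
        if self.required_scopes.is_subset(&peer.scopes) {
            Ok(())
        } else {
            Err(InvokeError::Forbidden)
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Visibility {
    Public,
    Internal,
}

#[derive(Debug, PartialEq, Eq)]
pub enum InvokeError {
    NotFound,
    Forbidden,
}

/// Registration without any `remote_safe` flag: visibility plus ACL only.
pub struct HandlerRegistration {
    pub visibility: Visibility,
    pub acl: AccessControl,
    pub handler: fn(&str) -> String,
}

#[derive(Default)]
pub struct OperationRegistry {
    ops: HashMap<String, HandlerRegistration>,
}

impl OperationRegistry {
    pub fn register(&mut self, name: &str, reg: HandlerRegistration) {
        self.ops.insert(name.to_string(), reg);
    }

    /// Wire-side invoke. Order matters: unknown and Internal ops both map to
    /// NotFound before the ACL runs, so existence of internal ops is not leaked;
    /// only then does AccessControl::check decide. No RemoteFilter in parallel.
    pub fn invoke(&self, op: &str, peer: &Identity, arg: &str) -> Result<String, InvokeError> {
        let reg = self.ops.get(op).ok_or(InvokeError::NotFound)?;
        if reg.visibility == Visibility::Internal {
            return Err(InvokeError::NotFound);
        }
        reg.acl.check(peer)?;
        Ok((reg.handler)(arg))
    }
}

fn scopes(list: &[&str]) -> BTreeSet<String> {
    list.iter().map(|s| s.to_string()).collect()
}

/// Constructed registry holding the three cases from the mapping table.
pub fn example_registry() -> OperationRegistry {
    let mut reg = OperationRegistry::default();
    // Case 1: callable by any peer (was `remote_safe: true`).
    reg.register("services/ping", HandlerRegistration {
        visibility: Visibility::Public,
        acl: AccessControl::default(),
        handler: |a| format!("pong:{a}"),
    });
    // Case 2: callable only by peers whose Identity.scopes contain "admin".
    reg.register("services/reload", HandlerRegistration {
        visibility: Visibility::Public,
        acl: AccessControl { required_scopes: scopes(&["admin"]) },
        handler: |_| "reloaded".to_string(),
    });
    // Case 3: never callable from the wire, regardless of ACL.
    reg.register("internal/debug", HandlerRegistration {
        visibility: Visibility::Internal,
        acl: AccessControl::default(),
        handler: |_| "secret".to_string(),
    });
    reg
}

fn main() {
    let reg = example_registry();
    let guest = Identity { id: "peer-a".into(), scopes: scopes(&[]) };
    let admin = Identity { id: "peer-b".into(), scopes: scopes(&["admin"]) };
    for (op, peer) in [("services/ping", &guest), ("services/reload", &guest),
                       ("services/reload", &admin), ("internal/debug", &admin)] {
        println!("{} -> {} : {:?}", peer.id, op, reg.invoke(op, peer, "x"));
    }
}
```

Note that the ACL cannot "rescue" an `Internal` op and a `remote_safe: false` style flag has nothing left to express: if an op should be reachable by nobody on the wire it is `Internal`, and if it should be reachable by some peers the distinguishing scopes live in `required_scopes`.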
Acceptance Criteria
- `HandlerRegistration.remote_safe` field removed
- `HandlerRegistration::remote_safe()` setter removed
- `OperationRegistryBuilder::remote_safe()` removed
- `OperationRegistry::list_operations_peer_scoped` removed
- `services_list_handler_peer_scoped` removed
- `RemoteFilter` struct removed from protocol/dispatch.rs
- `Dispatcher.remote_filter` field removed
- `Dispatcher::new()` no longer takes `RemoteFilter`
- `CallClient.trusted_peer` field removed
- `CallClient::trusted_peer()` constructor removed
- `CallClient::is_trusted_peer()` removed
- `dispatch_requested` no longer has the `remote_filter.allows` gate
- All ADR-028 tests removed
- No `remote_safe`/`trusted_peer`/`RemoteFilter` references remain in the crate
- `cargo test -p alknet-call` succeeds (remaining tests pass; the AccessControl gate in invoke still works)
- `cargo clippy -p alknet-call` succeeds with no warnings
References
- docs/architecture/decisions/029-peer-graph-routing-model.md — ADR-029 §3 (retire remote_safe/trusted_peer)
- docs/architecture/crates/call/operation-registry.md — HandlerRegistration (remote_safe removed)
- docs/architecture/crates/call/client-and-adapters.md — CallClient (trusted_peer removed)
Notes
This is the "remove the old" step. The new model (PeerCompositeEnv, invoke_peer, AccessControl-filtered services/list) lands in subsequent tasks. The transient state after this task compiles and is correct: `AccessControl::check` in `OperationRegistry::invoke` is the authorization mechanism throughout. The ADR-028 tests are removed because they verify the old model; the new model's tests land in the consuming tasks.
Summary
To be filled on completion