Phase 0a — ADRs (9 new):
- ADR-026: Transport/interface separation (three-layer model)
- ADR-027: Crate decomposition (core, secret, storage, flowgraph, napi, CLI)
- ADR-028: Auth as irpc service (AuthProtocol behind feature flag)
- ADR-029: Identity as core type (Identity + IdentityProvider in alknet-core)
- ADR-030: Static/dynamic config split (ArcSwap, ConfigReloadHandle)
- ADR-031: Forwarding policy (rule-based allow/deny, TransportKind-aware)
- ADR-032: Event boundary discipline (domain, irpc, call protocol boundaries)
- ADR-033: OperationEnv universal composition (three dispatch paths)
- ADR-034: Head/worker terminology (replace hub/spoke)

Phase 0b — New spec documents (7):
- identity.md, services.md, interface.md, configuration.md, storage.md, flowgraph.md, secret-service.md

Updated existing docs:
- auth.md: reference identity.md for canonical definitions, add AuthProtocol
- open-questions.md: resolve OQ-12, OQ-16, OQ-18, OQ-22, OQ-23-25
- README.md: add all new docs, ADRs 026-034

Marked 19 architecture tasks as completed.
| id | name | status | depends_on | scope | risk | impact | level |
|---|---|---|---|---|---|---|---|
| architecture/spec-identity | Create identity.md architecture spec | completed | | narrow | low | phase | implementation |
Description
Create docs/architecture/identity.md — a new architecture spec defining the Identity type, IdentityProvider trait, and the auth flows for SSH key-based and token-based authentication.
This is mostly a carry-forward from auth.md (which already defines IdentityProvider trait and Identity struct) plus the Identity section from research/services.md. The key addition is making the IdentityProvider vs AuthService relationship explicit per ADR-028: IdentityProvider is the contract, ConfigIdentityProvider is the default ArcSwap-backed impl, and AuthProtocol irpc service is one way to satisfy the trait (behind feature flag).
Source material:
- auth.md sections: IdentityProvider Trait, AuthPolicy Structure, Auth Flow in the Server, Token Authentication
- research/services.md AuthService section (AuthProtocol enum, AuthResult type)
- ADR-029 (identity as core type), ADR-028 (auth as irpc service), ADR-023 (unified auth)
Relationship to auth.md: After identity.md exists, auth.md should be updated to reference identity.md for the Identity and IdentityProvider definitions rather than defining them inline. This is handled in the auth.md update task.
Acceptance Criteria
- `docs/architecture/identity.md` exists with YAML frontmatter (status: draft)
- Follows spec format: What, Why, Architecture, Constraints, Open Questions, Design Decisions
- Defines `Identity` struct: `{ id, scopes, resources }` — canonical definition per ADR-029
- Defines `IdentityProvider` trait: `resolve_from_fingerprint()`, `resolve_from_token()`
- Documents default implementation: `ConfigIdentityProvider` reading from `ArcSwap<DynamicConfig.auth>`
- Documents head implementation: `StorageIdentityProvider` backed by SQLite `peer_credentials` + ACL graph (in alknet-storage, not core)
- Documents irpc service path: `AuthProtocol` enum (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) behind `irpc` feature flag per ADR-028
- Shows both auth flows: SSH key path and token auth path, both resolving to the same `Identity`
- Consistent head/worker terminology
- References ADR-029, ADR-028, ADR-023
- `docs/architecture/README.md` updated to include identity.md
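The shape the acceptance criteria describe (an `Identity` of `{ id, scopes, resources }`, an `IdentityProvider` trait with a fingerprint path and a token path, and a default provider reading a hot-swappable config) can be sketched in a few dozen lines. The block below is an added illustration written for this task record, not code from alknet or its specs. It assumes a hypothetical `AuthConfig` standing in for `DynamicConfig.auth`, uses `RwLock<Arc<AuthConfig>>` from std in place of the `ArcSwap` named in the criteria (same snapshot semantics: a reload replaces the whole snapshot and in-flight readers keep the old one), and all fingerprints, tokens and identity ids are constructed sample values, not real credentials.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// Canonical identity shape from the acceptance criteria: id, scopes, resources.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Identity {
    pub id: String,
    pub scopes: Vec<String>,
    pub resources: Vec<String>,
}

/// The contract: a provider resolves a caller to an Identity from either an
/// SSH key fingerprint or a bearer token. Both paths return the same type, so
/// downstream policy (scopes, resources) never needs to know which path was used.
pub trait IdentityProvider: Send + Sync {
    fn resolve_from_fingerprint(&self, fingerprint: &str) -> Option<Identity>;
    fn resolve_from_token(&self, token: &str) -> Option<Identity>;
}

/// Hypothetical dynamic auth config (stand-in for `DynamicConfig.auth`).
#[derive(Default, Clone)]
pub struct AuthConfig {
    /// SSH key fingerprint -> identity id
    pub fingerprints: HashMap<String, String>,
    /// bearer token -> identity id
    pub tokens: HashMap<String, String>,
    /// identity id -> Identity
    pub identities: HashMap<String, Identity>,
}

/// Default provider reading from a swappable config snapshot.
/// `RwLock<Arc<AuthConfig>>` stands in for `ArcSwap` here (assumption, std-only).
pub struct ConfigIdentityProvider {
    config: RwLock<Arc<AuthConfig>>,
}

impl ConfigIdentityProvider {
    pub fn new(config: AuthConfig) -> Self {
        Self { config: RwLock::new(Arc::new(config)) }
    }

    /// Equivalent of a ReloadKeys request: publish a new snapshot atomically.
    /// Revoking a key or token is just reloading a config that omits it.
    pub fn reload(&self, config: AuthConfig) {
        *self.config.write().unwrap() = Arc::new(config);
    }

    fn snapshot(&self) -> Arc<AuthConfig> {
        Arc::clone(&self.config.read().unwrap())
    }
}

/// Constant-time byte comparison so a token check does not leak how many
/// leading bytes matched through early exit.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

impl IdentityProvider for ConfigIdentityProvider {
    fn resolve_from_fingerprint(&self, fingerprint: &str) -> Option<Identity> {
        let cfg = self.snapshot();
        let id = cfg.fingerprints.get(fingerprint)?;
        cfg.identities.get(id).cloned()
    }

    fn resolve_from_token(&self, token: &str) -> Option<Identity> {
        let cfg = self.snapshot();
        // Compare against every configured token in constant time rather than
        // short-circuiting on the first mismatched byte.
        let id = cfg
            .tokens
            .iter()
            .find(|(t, _)| ct_eq(t.as_bytes(), token.as_bytes()))
            .map(|(_, id)| id)?;
        cfg.identities.get(id).cloned()
    }
}

/// Constructed sample config: one worker identity reachable by both auth paths.
/// The fingerprint and token strings are placeholders, not real credentials.
pub fn sample_config() -> AuthConfig {
    let worker = Identity {
        id: "worker-1".into(),
        scopes: vec!["flowgraph:run".into()],
        resources: vec!["head/jobs".into()],
    };
    let mut cfg = AuthConfig::default();
    cfg.identities.insert("worker-1".into(), worker);
    cfg.fingerprints.insert("SHA256:EXAMPLE_FINGERPRINT".into(), "worker-1".into());
    cfg.tokens.insert("example-token-placeholder".into(), "worker-1".into());
    cfg
}

fn main() {
    let provider = ConfigIdentityProvider::new(sample_config());
    let by_key = provider.resolve_from_fingerprint("SHA256:EXAMPLE_FINGERPRINT");
    let by_token = provider.resolve_from_token("example-token-placeholder");
    println!("same identity via both paths: {}", by_key == by_token);
    provider.reload(AuthConfig::default()); // revoke everything
    println!("token after reload: {:?}", provider.resolve_from_token("example-token-placeholder"));
}
```

The point worth checking against the spec is the last one in `main`: because both providers hand back a plain `Identity`, the caller applies the same scope and resource checks regardless of which credential was presented, and revocation is a config reload rather than a code path per credential type.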
References
- docs/architecture/auth.md — existing IdentityProvider and Identity definitions
- docs/research/services.md — AuthService, AuthProtocol enum
- docs/architecture/decisions/029-identity-core-type.md — identity placement decision
- docs/architecture/decisions/028-auth-irpc-service.md — auth as irpc service
- docs/architecture/decisions/023-unified-auth-shared-key-material.md — unified auth
Notes
To be filled by implementation agent
Summary
To be filled on completion