alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
47968ee48df2b8e50b9fab4b5ee1329833083fb4
alknet/tasks/architecture/spec-identity.md
glm-5.1 19b3d3a078 docs: write Phase 0 architecture foundation — ADRs 026-034, spec docs, and task updates 
Phase 0a — ADRs (9 new):
- ADR-026: Transport/interface separation (three-layer model)
- ADR-027: Crate decomposition (core, secret, storage, flowgraph, napi, CLI)
- ADR-028: Auth as irpc service (AuthProtocol behind feature flag)
- ADR-029: Identity as core type (Identity + IdentityProvider in alknet-core)
- ADR-030: Static/dynamic config split (ArcSwap, ConfigReloadHandle)
- ADR-031: Forwarding policy (rule-based allow/deny, TransportKind-aware)
- ADR-032: Event boundary discipline (domain, irpc, call protocol boundaries)
- ADR-033: OperationEnv universal composition (three dispatch paths)
- ADR-034: Head/worker terminology (replace hub/spoke)

Phase 0b — New spec documents (7):
- identity.md, services.md, interface.md, configuration.md,
  storage.md, flowgraph.md, secret-service.md

Updated existing docs:
- auth.md: reference identity.md for canonical definitions, add AuthProtocol
- open-questions.md: resolve OQ-12, OQ-16, OQ-18, OQ-22, OQ-23-25
- README.md: add all new docs, ADRs 026-034

Marked 19 architecture tasks as completed.
2026-06-07 09:32:58 +00:00

55 lines
3.0 KiB
Markdown
Raw Blame History

---
id: architecture/spec-identity
name: Create identity.md architecture spec
status: completed
depends_on:
- architecture/adr-029-identity-core-type
- architecture/adr-028-auth-irpc-service
scope: narrow
risk: low
impact: phase
level: implementation
---
## Description
Create `docs/architecture/identity.md` — a new architecture spec defining the `Identity` type, `IdentityProvider` trait, and the auth flows for SSH key-based and token-based authentication.
This is mostly a carry-forward from `auth.md` (which already defines `IdentityProvider` trait and `Identity` struct) plus the Identity section from `research/services.md`. The key addition is making the IdentityProvider vs AuthService relationship explicit per ADR-028: `IdentityProvider` is the contract, `ConfigIdentityProvider` is the default ArcSwap-backed impl, and `AuthProtocol` irpc service is one way to satisfy the trait (behind feature flag).
**Source material**:
- `auth.md` sections: IdentityProvider Trait, AuthPolicy Structure, Auth Flow in the Server, Token Authentication
- `research/services.md` AuthService section (AuthProtocol enum, AuthResult type)
- ADR-029 (identity as core type), ADR-028 (auth as irpc service), ADR-023 (unified auth)
**Relationship to auth.md**: After identity.md exists, auth.md should be updated to reference identity.md for the `Identity` and `IdentityProvider` definitions rather than defining them inline. This is handled in the `auth.md` update task.
## Acceptance Criteria
- [ ] `docs/architecture/identity.md` exists with YAML frontmatter (`status: draft`)
- [ ] Follows spec format: What, Why, Architecture, Constraints, Open Questions, Design Decisions
- [ ] Defines `Identity` struct: `{ id, scopes, resources }` — canonical definition per ADR-029
- [ ] Defines `IdentityProvider` trait: `resolve_from_fingerprint()`, `resolve_from_token()`
- [ ] Documents default implementation: `ConfigIdentityProvider` reading from `ArcSwap<DynamicConfig.auth>`
- [ ] Documents head implementation: `StorageIdentityProvider` backed by SQLite `peer_credentials` + ACL graph (in alknet-storage, not core)
- [ ] Documents irpc service path: `AuthProtocol` enum (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) behind `irpc` feature flag per ADR-028
- [ ] Shows both auth flows: SSH key path and token auth path, both resolving to same `Identity`
- [ ] Consistent head/worker terminology
- [ ] References ADR-029, ADR-028, ADR-023
- [ ] `docs/architecture/README.md` updated to include identity.md
## References
- docs/architecture/auth.md — existing IdentityProvider and Identity definitions
- docs/research/services.md — AuthService, AuthProtocol enum
- docs/architecture/decisions/029-identity-core-type.md — identity placement decision
- docs/architecture/decisions/028-auth-irpc-service.md — auth as irpc service
- docs/architecture/decisions/023-unified-auth-shared-key-material.md — unified auth
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion
Reference in New Issue View Git Blame Copy Permalink