glm-5.1
596c89ce24
Rename all crates, CLI commands, constants, type names, doc comments, and documentation from wraith to alknet. Includes wire-protocol changes: ALPN wraith-ssh -> alknet-ssh, reserved destination prefix wraith- -> alknet-, SSH auth username wraith -> alknet.
4.5 KiB
4.5 KiB
status, last_updated
| status | last_updated |
|---|---|
| draft | 2026-06-04 |
Alknet Architecture
Current State
Architecture specification in active development. 22 ADRs accepted. Unified auth and call protocol architecture being specified — see auth.md and call-protocol.md. Configuration architecture under exploration — see research/configuration.md.
Architecture Documents
| Document | Status | Description |
|---|---|---|
| overview.md | reviewed | Package purpose, exports, dependencies |
| transport.md | reviewed | Transport abstraction: TCP, TLS, iroh |
| auth.md | draft | Unified auth: SSH + token, IdentityProvider trait |
| call-protocol.md | draft | Bidirectional call/event protocol, operation registry |
| client.md | reviewed | Client connection, SOCKS5, port forwarding |
| server.md | reviewed | Server acceptance, channel handling, proxy |
| tun-shim.md | deprecated | TUN interface wrapper — deferred, use tun2proxy |
| napi-and-pubsub.md | reviewed | NAPI wrapper and pubsub event target adapter |
Research Documents
| Document | Status | Description |
|---|---|---|
| configuration.md | draft | Configuration architecture: static/dynamic split, hot reload, forwarding policy |
ADR Table
| ADR | Title | Status |
|---|---|---|
| 001 | Pluggable transport via AsyncRead+AsyncWrite trait |
Accepted |
| 002 | TUN shim as separate process | Superseded by ADR-014 |
| 003 | iroh stream via tokio::io::join |
Accepted |
| 004 | SSH runs over transport, not alongside | Accepted |
| 005 | SOCKS5 as primary interface, TUN as add-on | Accepted |
| 006 | No logging of tunnel destinations | Accepted |
| 007 | NAPI exposes single duplex stream | Accepted |
| 008 | ACME/Let's Encrypt certificate provisioning | Accepted |
| 009 | Default iroh relay with override | Accepted |
| 010 | Transport chaining in CLI | Accepted |
| 011 | Programmatic-first API, no file-based config | Accepted |
| 012 | Ed25519 keys + OpenSSH cert-authority, no password auth | Accepted |
| 013 | Fail2ban-friendly logging + built-in rate limiting | Accepted |
| 014 | Defer TUN, recommend local SOCKS5 + tun2proxy | Accepted |
| 015 | napi-rs for FFI bridge | Accepted |
| 016 | NAPI exposes both connect() and serve() | Accepted |
| 017 | Stealth mode — protocol multiplexing on port 443 | Accepted |
| 018 | Control channel for pubsub over SSH | Accepted |
| 019 | --proxy dual semantics (client vs server) |
Accepted |
| 023 | Unified auth with shared key material + token auth | Accepted |
| 024 | Bidirectional call protocol (EventEnvelope) | Accepted |
| 025 | Handler/spec separation for downstream service registration | Accepted |
Open Questions
Most open questions have been resolved. Open questions remain for configuration, auth, and call protocol — see open-questions.md for details.
Lifecycle Definitions
| Status | Meaning | Transitions |
|---|---|---|
draft |
Under active development. May change significantly. | → reviewed when open questions resolved |
reviewed |
Architecture final. Implementation may begin. Changes require review. | → stable when implementation verified |
stable |
Locked. Changes require review and may warrant an ADR. | → deprecated when superseded |
deprecated |
Superseded. Kept for reference. | Removed when no longer referenced |