First speccing pass for alknet-http (HTTP interface crate: h2/http1.1/h3 server + from_openapi/to_openapi/from_mcp/to_mcp adapters). Specs (crates/http/): - README.md, overview.md — crate index, two-roles-in-one-crate framing, adapter location map, feature gates (h3, mcp), no-env-vars invariant - http-server.md — HttpAdapter for h2/http1.1, axum over QUIC stream, Bearer auth, SSE projection for subscriptions, /healthz, stealth decoy - http-adapters.md — from_openapi (reqwest) and to_openapi (projection), error fidelity (HTTP_<status> per ADR-023), type definitions - http-mcp.md — from_mcp/to_mcp (feature-gated), streamable-HTTP-only - webtransport.md — h3/WebTransport handler, browser streaming path, HTTP/3 request vs WebTransport session distinguished at framing layer ADRs: - ADR-036 HTTP-to-Call Operation Mapping (Proposed) — direct path mapping; to_openapi is projection, not router (the load-bearing one-way door from Phase 0 DH-3) - ADR-037 MCP Stdio Transport Exclusion (Proposed) — streamable HTTP only; stdio is not built (RCE-vector security position) - ADR-038 HTTP/3 and WebTransport as First-Class HTTP Transports (Proposed) — corrects the Phase 0 DH-2 deferral framing; h3 is in scope, not deferred, per ADR-009 §'What this framework is NOT' - ADR-039 HTTP Server and Client Host Colocated in alknet-http (Proposed) — one crate for server + client host (shared HTTP deps, shared operation-spec->HTTP mapping) - ADR-003 Amendment 1 — clarifies alknet-call is a protocol-foundation crate (the alknet-http -> alknet-call dependency edge) Open questions (OQ-38, OQ-39, OQ-40 added under 'Theme: alknet-http'): - OQ-38 WebTransport relay-as-proxy scope (genuine scope question, not a deferral — the decision is made when the use case becomes concrete) - OQ-39 to_openapi published-spec versioning (one-way after first publication) - OQ-40 reqwest client config and connection pooling (two-way-door) Architecture README and overview updated with doc table, ADR table (036-039), current-state note, and crate graph (alknet-http -> alknet-call edge). Reviewed by architecture-reviewer subagent: 3 critical, 4 warning, 5 suggestion issues found and fixed (missing ADR-039, WebTransport stream routing conflation, undefined types, stale OQ-37 deferral language, README OQ table completeness, Bearer-only attribution, cross-references, ADR-038 ALPN quote, feature-gate placeholder, MCP temporal language).
7.8 KiB
ADR-039: HTTP Server and Client Host Colocated in alknet-http
Status
Proposed
Context
alknet-http has two roles: an HTTP server (the HttpAdapter
ProtocolHandler for h2/http/1.1/h3, built on axum/hyper)
and an HTTP client host (the from_openapi/from_mcp forwarding
handlers, built on reqwest). The question is whether these two
directions live in one crate (alknet-http) or are split into two
crates (alknet-http-server + alknet-http-client).
ADR-003 lists alknet-http as a single crate with dependency
alknet-core, axum and justifies the per-handler-crate decomposition
with "each handler is self-contained — it receives a byte stream and
manages its own protocol." That rationale covers the server side (the
HttpAdapter is self-contained), but it does not address the
within-crate dual-role question: should the inbound HTTP server and
the outbound HTTP client (the adapter forwarding handlers) be
colocated, or split?
This is a load-bearing choice. Once published, downstream consumers
build import paths against the crate boundary; the shared reqwest::Client
and the no-env-vars invariant boundary (ADR-014) are scoped by it; the
to_openapi/to_mcp projections are pure-registry-consumers that
describe the server surface but live where the adapter types do.
Splitting later would be a rewrite of every consumer's import paths,
not a cheap revert. It needs an ADR.
Decision
One crate — alknet-http houses both the HTTP server and the HTTP
client host (the adapter forwarding handlers and the to_* projections).
The two directions share the HTTP dependencies and HTTP-specific concerns that make splitting them counterproductive:
- Shared HTTP dependencies. Both
axum(server) andreqwest(client) pull inhyper,http,http-body,rustls/TLS stack types, and the HTTP header/status code types. A split into two crates would either duplicate these dependencies across both crates or force a third shared-types crate, neither of which is an improvement. - Shared HTTP-specific concerns. Both directions care about HTTP
headers, status codes, content types, SSE framing, streaming vs
non-streaming bodies, and TLS trust stores. The
from_openapiforwarding handler's error mapping (HTTP status →HTTP_<status>error codes, ADR-023) and theto_openapiprojection's error mapping (ErrorDefinition.http_status→ HTTP response status) are the same mapping read in two directions — splitting them would put the two halves in different crates. - The
to_*projections describe the server surface.to_openapigenerates an OpenAPI doc whose paths mirror the/{service}/{op}HTTP routes theHttpAdapterserves (ADR-036).to_mcpexposes the same operations as MCP tools. These projections consume theOperationRegistryand produce specs; they live with the adapter types (inalknet-http, per the adapter location map — see client-and-adapters.md) because they share the operation-spec→HTTP mapping logic with the server's request dispatch. - The no-env-vars invariant boundary is crate-scoped. The
from_openapi/from_mcpforwarding handlers are the credential injection point (ADR-014). The invariant — "no handler reads outbound credentials from any source other thanOperationContext.capabilities" — is verified against the handler implementations in this crate. A split would put the invariant verification boundary across two crates.
What this does NOT change
- ADR-003's rule "no handler crate depends on another handler crate"
applies to peer handler crates (
alknet-httpdoes not depend onalknet-ssh). Thealknet-http→alknet-calledge is the protocol-foundation exception (ADR-003 Amendment 1). This ADR is about the internal structure ofalknet-http, not its dependency edges. - The adapter location map (the
OperationAdaptertrait inalknet-call; the HTTP-backed adapter implementations inalknet-http) is unchanged. This ADR records why the HTTP-backed adapters live in the same crate as the HTTP server, not whether they live inalknet-httpvsalknet-call.
Consequences
Positive:
- One crate, one set of HTTP dependencies, one HTTP-specific concern
surface. No duplicated
hyper/httptypes across two crates, no shared-types crate needed. - The
to_*projections live with the server whose surface they describe, and with the adapter types they consume. The operation-spec → HTTP mapping logic is in one place. - The no-env-vars invariant verification boundary is one crate. The
from_openapi/from_mcphandlers and the credential injection logic they share are co-located. - A downstream consumer wires one crate (
alknet-http) into theHandlerRegistryand gets the full HTTP surface — server + adapters + projections. No two-crate wiring.
Negative:
- A deployment that only needs the HTTP server (no
from_openapi/from_ mcpforwarding) still compiles thereqwestdependency. Mitigated: themcpfeature is already gated (ADR-037); thefrom_openapiforwarding is always available but thereqwestclient is only constructed if afrom_openapi/from_mcpadapter is registered at assembly time. The dependency is compiled, the client is lazy. - A deployment that only needs the HTTP client (e.g., an agent crate
that only uses
from_openapiforwarding, no inbound HTTP) still compilesaxum/hyper. This is the rarer case — the agent crate (alknet-agent) consumesalknet-calldirectly for tool dispatch and usesfrom_openapiviaalknet-http's adapter, but doesn't serve inbound HTTP itself. In practice, the agent deployment wiresalknet-httpfor the adapters and the CLI wires it for the server; the compile cost is paid once per workspace, not once per deployment. - The crate is larger than a single-direction crate would be. This is
the cost of colocating shared concerns; the alternative (two crates
- a shared types crate) is more crates, not less code.
Assumptions
-
The shared-HTTP-dependencies argument holds.
axumandreqwestboth pull inhyperand thehttpcrate's types; the shared types (headers, status codes, method, URI) are the same. If a future version ofaxumorreqwestdiverges its HTTP types (e.g.,axummoves to a different HTTP implementation), this argument weakens. As ofaxum0.7+ andreqwest0.12+, both are built onhyper1.x and sharehttptypes. -
The
to_*projections share enough mapping logic with the server to justify colocation. The operation-spec → HTTP path/method/ error-status mapping is the same in both directions. If the projections turn out to be pure registry-consumers with no HTTP-mapping logic (just spec serialization), the colocation argument is weaker — but the current design (ADR-036, ADR-023) has them sharing the mapping.
References
- ADR-003 — crate decomposition (this
ADR addresses the within-
alknet-httpdual-role question, not the dependency edge; Amendment 1 covers thealknet-calledge) - ADR-014 — the no-env-vars invariant whose verification boundary is crate-scoped
- ADR-017 — the
adapter contract;
to_*are projections - ADR-023 — the error mapping shared
between
from_openapi(status → code) andto_openapi(code → status) - ADR-036 — the HTTP path =
operation path mapping shared between server dispatch and
to_openapi - ADR-037 — the
mcpfeature gate crates/http/overview.md— the crate overview (the inline rationale for this decision is replaced by a pointer to this ADR)