alknet/tasks/architecture/spec-identity.md
glm-5.1 84f16d66e7 tasks: decompose Phase 0b spec documents and Phase 0c review
Add 15 new tasks under tasks/architecture/ for Phase 0b (spec writing)
and Phase 0c (review):

Phase 0b — New specs (6):
  - spec-configuration: promote from research, cleanup, align with ADRs
  - spec-identity: carry from auth.md + services.md, canonical Identity
  - spec-secret-service: from research/services.md SecretProtocol
  - spec-storage: from research/storage.md, contract-level
  - spec-flowgraph: from research/flow.md, pure computation crate
  - spec-interface: new Layer 2 spec (highest risk new spec)
  - spec-services: irpc service layer + OperationEnv (broadest scope)

Phase 0b — Spec updates (6):
  - spec-update-overview: add crate structure, Layer 3, services
  - spec-update-auth: IdentityProvider vs AuthService relationship
  - spec-update-call-protocol: OperationEnv dispatch paths
  - spec-update-server: DynamicConfig, ForwardingPolicy, IdentityProvider
  - spec-update-napi: reload API, call protocol references
  - spec-update-open-questions: resolve OQs per ADR decisions

Phase 0b — Assembly (1):
  - spec-update-readme: add new docs and ADRs to tables

Phase 0c — Review (1):
  - review-spec-foundation: validate consistency checklist

Generation structure (6 total):
  Gen 1: 6 independent ADRs (parallel)
  Gen 2: adr-027, adr-028 (depend on adr-029)
  Gen 3: adr-033 + 6 spec docs + open-questions update (parallel)
  Gen 4: adr review + interface/services specs + 4 spec updates
  Gen 5: call-protocol update + readme update
  Gen 6: spec review
2026-06-07 09:01:01 +00:00


| id | name | status | depends_on | scope | risk | impact | level |
|---|---|---|---|---|---|---|---|
| architecture/spec-identity | Create identity.md architecture spec | pending | architecture/adr-029-identity-core-type, architecture/adr-028-auth-irpc-service | narrow | low | phase | implementation |

Description

Create docs/architecture/identity.md — a new architecture spec defining the Identity type, IdentityProvider trait, and the auth flows for SSH key-based and token-based authentication.

This is mostly a carry-forward from auth.md (which already defines the IdentityProvider trait and Identity struct) plus the Identity section from research/services.md. The key addition is making the IdentityProvider vs AuthService relationship explicit per ADR-028: IdentityProvider is the contract, ConfigIdentityProvider is the default ArcSwap-backed implementation, and the AuthProtocol irpc service is one way to satisfy the trait (behind a feature flag).

Source material:

  • auth.md sections: IdentityProvider Trait, AuthPolicy Structure, Auth Flow in the Server, Token Authentication
  • research/services.md AuthService section (AuthProtocol enum, AuthResult type)
  • ADR-029 (identity as core type), ADR-028 (auth as irpc service), ADR-023 (unified auth)

Relationship to auth.md: After identity.md exists, auth.md should be updated to reference identity.md for the Identity and IdentityProvider definitions rather than defining them inline. This is handled in the auth.md update task.

Acceptance Criteria

  • docs/architecture/identity.md exists with YAML frontmatter (status: draft)
  • Follows spec format: What, Why, Architecture, Constraints, Open Questions, Design Decisions
  • Defines Identity struct: { id, scopes, resources } — canonical definition per ADR-029
  • Defines IdentityProvider trait: resolve_from_fingerprint(), resolve_from_token()
  • Documents default implementation: ConfigIdentityProvider reading from ArcSwap<DynamicConfig.auth>
  • Documents head implementation: StorageIdentityProvider backed by SQLite peer_credentials + ACL graph (in alknet-storage, not core)
  • Documents irpc service path: AuthProtocol enum (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) behind irpc feature flag per ADR-028
  • Shows both auth flows: SSH key path and token auth path, both resolving to same Identity
  • Consistent head/worker terminology
  • References ADR-029, ADR-028, ADR-023
  • docs/architecture/README.md updated to include identity.md
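The Identity struct, IdentityProvider trait and ConfigIdentityProvider default described in the criteria above, as an added Rust sketch that is not the project's own code: AuthConfig, sample_config and the RwLock<Arc<_>> stand-in for ArcSwap are assumptions made here so it builds on std alone. It shows the SSH-fingerprint path and the token path resolving to the same Identity, and a ReloadKeys-style swap after which stale credentials stop resolving.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// Canonical Identity per ADR-029: who the caller is, what it may do, on what.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Identity { pub id: String, pub scopes: Vec<String>, pub resources: Vec<String> }

/// Contract from auth.md; every credential kind ends in the same Identity.
pub trait IdentityProvider {
    fn resolve_from_fingerprint(&self, fingerprint: &str) -> Option<Identity>;
    fn resolve_from_token(&self, token: &str) -> Option<Identity>;
}

/// Hypothetical stand-in for DynamicConfig.auth: credential -> Identity maps.
#[derive(Default)]
pub struct AuthConfig { pub fingerprints: HashMap<String, Identity>, pub tokens: HashMap<String, Identity> }

/// Default provider. RwLock<Arc<_>> is a std-only stand-in for ArcSwap here:
/// each lookup reads one snapshot; reload swaps the whole config atomically.
pub struct ConfigIdentityProvider {
    auth: RwLock<Arc<AuthConfig>>,
}

impl ConfigIdentityProvider {
    pub fn new(cfg: AuthConfig) -> Self { Self { auth: RwLock::new(Arc::new(cfg)) } }
    /// ReloadKeys path: in-flight lookups keep the old snapshot, new ones see `cfg`.
    pub fn reload(&self, cfg: AuthConfig) { *self.auth.write().unwrap() = Arc::new(cfg); }
    fn snapshot(&self) -> Arc<AuthConfig> { Arc::clone(&self.auth.read().unwrap()) }
}

impl IdentityProvider for ConfigIdentityProvider {
    fn resolve_from_fingerprint(&self, fp: &str) -> Option<Identity> {
        self.snapshot().fingerprints.get(fp).cloned()
    }
    fn resolve_from_token(&self, token: &str) -> Option<Identity> {
        self.snapshot().tokens.get(token).cloned()
    }
}

/// Constructed sample: one worker reachable both by SSH fingerprint and by token.
pub fn sample_config() -> AuthConfig {
    let worker = Identity { id: "worker-1".into(), scopes: vec!["run".into()], resources: vec!["job:*".into()] };
    let mut cfg = AuthConfig::default();
    cfg.fingerprints.insert("SHA256:EXAMPLE-FINGERPRINT".into(), worker.clone());
    cfg.tokens.insert("tok-example".into(), worker);
    cfg
}
```

A StorageIdentityProvider or the AuthProtocol irpc service would implement the same trait, so the server's auth flow depends only on IdentityProvider and never on which backend produced the Identity.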

References

  • docs/architecture/auth.md — existing IdentityProvider and Identity definitions
  • docs/research/services.md — AuthService, AuthProtocol enum
  • docs/architecture/decisions/029-identity-core-type.md — identity placement decision
  • docs/architecture/decisions/028-auth-irpc-service.md — auth as irpc service
  • docs/architecture/decisions/023-unified-auth-shared-key-material.md — unified auth

Notes

To be filled by implementation agent

Summary

To be filled on completion