alknet/tasks/architecture/spec-identity.md
glm-5.1 84f16d66e7 tasks: decompose Phase 0b spec documents and Phase 0c review
Add 15 new tasks under tasks/architecture/ for Phase 0b (spec writing)
and Phase 0c (review):

Phase 0b — New specs (6):
  - spec-configuration: promote from research, cleanup, align with ADRs
  - spec-identity: carry from auth.md + services.md, canonical Identity
  - spec-secret-service: from research/services.md SecretProtocol
  - spec-storage: from research/storage.md, contract-level
  - spec-flowgraph: from research/flow.md, pure computation crate
  - spec-interface: new Layer 2 spec (highest risk new spec)
  - spec-services: irpc service layer + OperationEnv (broadest scope)

Phase 0b — Spec updates (6):
  - spec-update-overview: add crate structure, Layer 3, services
  - spec-update-auth: IdentityProvider vs AuthService relationship
  - spec-update-call-protocol: OperationEnv dispatch paths
  - spec-update-server: DynamicConfig, ForwardingPolicy, IdentityProvider
  - spec-update-napi: reload API, call protocol references
  - spec-update-open-questions: resolve OQs per ADR decisions

Phase 0b — Assembly (1):
  - spec-update-readme: add new docs and ADRs to tables

Phase 0c — Review (1):
  - review-spec-foundation: validate consistency checklist

Generation structure (6 total):
  Gen 1: 6 independent ADRs (parallel)
  Gen 2: adr-027, adr-028 (depend on adr-029)
  Gen 3: adr-033 + 6 spec docs + open-questions update (parallel)
  Gen 4: adr review + interface/services specs + 4 spec updates
  Gen 5: call-protocol update + readme update
  Gen 6: spec review
2026-06-07 09:01:01 +00:00


---
id: architecture/spec-identity
name: Create identity.md architecture spec
status: pending
depends_on:
- architecture/adr-029-identity-core-type
- architecture/adr-028-auth-irpc-service
scope: narrow
risk: low
impact: phase
level: implementation
---
## Description

Create `docs/architecture/identity.md` — a new architecture spec defining the `Identity` type, `IdentityProvider` trait, and the auth flows for SSH key-based and token-based authentication.

This is mostly a carry-forward from `auth.md` (which already defines `IdentityProvider` trait and `Identity` struct) plus the Identity section from `research/services.md`. The key addition is making the IdentityProvider vs AuthService relationship explicit per ADR-028: `IdentityProvider` is the contract, `ConfigIdentityProvider` is the default ArcSwap-backed impl, and `AuthProtocol` irpc service is one way to satisfy the trait (behind feature flag).

**Source material**:

- `auth.md` sections: IdentityProvider Trait, AuthPolicy Structure, Auth Flow in the Server, Token Authentication
- `research/services.md` AuthService section (AuthProtocol enum, AuthResult type)
- ADR-029 (identity as core type), ADR-028 (auth as irpc service), ADR-023 (unified auth)

**Relationship to auth.md**: After identity.md exists, auth.md should be updated to reference identity.md for the `Identity` and `IdentityProvider` definitions rather than defining them inline. This is handled in the `auth.md` update task.
## Acceptance Criteria
- [ ] `docs/architecture/identity.md` exists with YAML frontmatter (`status: draft`)
- [ ] Follows spec format: What, Why, Architecture, Constraints, Open Questions, Design Decisions
- [ ] Defines `Identity` struct: `{ id, scopes, resources }` — canonical definition per ADR-029
- [ ] Defines `IdentityProvider` trait: `resolve_from_fingerprint()`, `resolve_from_token()`
- [ ] Documents default implementation: `ConfigIdentityProvider` reading from `ArcSwap<DynamicConfig.auth>`
- [ ] Documents head implementation: `StorageIdentityProvider` backed by SQLite `peer_credentials` + ACL graph (in alknet-storage, not core)
- [ ] Documents irpc service path: `AuthProtocol` enum (VerifyPubkey, VerifyToken, ReloadKeys, CheckAccess) behind `irpc` feature flag per ADR-028
- [ ] Shows both auth flows: SSH key path and token auth path, both resolving to same `Identity`
- [ ] Consistent head/worker terminology
- [ ] References ADR-029, ADR-028, ADR-023
- [ ] `docs/architecture/README.md` updated to include identity.md
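A Rust sketch of the contract the criteria above describe, added here as an illustration rather than code from the alknet project: `RwLock<Arc<_>>` stands in for `ArcSwap`, and the field types of `Identity`, the layout of `DynamicConfig.auth` and the sample credentials are assumptions.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

// Canonical Identity per ADR-029; the field types are assumed here.
#[derive(Clone, Debug, PartialEq)]
pub struct Identity {
    pub id: String,
    pub scopes: Vec<String>,
    pub resources: Vec<String>,
}
// The contract: an SSH fingerprint or a token both resolve to the same Identity.
pub trait IdentityProvider {
    fn resolve_from_fingerprint(&self, fingerprint: &str) -> Option<Identity>;
    fn resolve_from_token(&self, token: &str) -> Option<Identity>;
}
// Assumed shape of DynamicConfig.auth: credential -> identity id -> Identity.
pub struct AuthConfig {
    pub identities: HashMap<String, Identity>,
    pub fingerprints: HashMap<String, String>,
    pub tokens: HashMap<String, String>,
}
// Default impl. RwLock<Arc<_>> stands in for ArcSwap: reload swaps the whole
// snapshot, and a lookup in flight keeps the snapshot it started with.
pub struct ConfigIdentityProvider { auth: RwLock<Arc<AuthConfig>> }
impl ConfigIdentityProvider {
    pub fn new(cfg: AuthConfig) -> Self { Self { auth: RwLock::new(Arc::new(cfg)) } }
    // The ReloadKeys path: replace the snapshot without touching readers.
    pub fn reload(&self, cfg: AuthConfig) { *self.auth.write().unwrap() = Arc::new(cfg); }
    fn snapshot(&self) -> Arc<AuthConfig> { self.auth.read().unwrap().clone() }
}
impl IdentityProvider for ConfigIdentityProvider {
    fn resolve_from_fingerprint(&self, fingerprint: &str) -> Option<Identity> {
        let cfg = self.snapshot();
        cfg.identities.get(cfg.fingerprints.get(fingerprint)?).cloned()
    }
    fn resolve_from_token(&self, token: &str) -> Option<Identity> {
        let cfg = self.snapshot();
        cfg.identities.get(cfg.tokens.get(token)?).cloned()
    }
}

// Constructed sample: one identity reachable by SSH fingerprint and by token.
pub fn sample_config() -> AuthConfig {
    let worker = Identity { id: "worker-a".into(), scopes: vec!["run".into()], resources: vec!["flow:*".into()] };
    AuthConfig {
        identities: HashMap::from([("worker-a".to_string(), worker)]),
        fingerprints: HashMap::from([("SHA256:EXAMPLEFP".to_string(), "worker-a".to_string())]),
        tokens: HashMap::from([("tok-example".to_string(), "worker-a".to_string())]),
    }
}
```

An `AuthProtocol` irpc service would satisfy the same trait by forwarding `VerifyPubkey` / `VerifyToken` to a remote head; the caller never sees which path answered.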
## References
- docs/architecture/auth.md — existing IdentityProvider and Identity definitions
- docs/research/services.md — AuthService, AuthProtocol enum
- docs/architecture/decisions/029-identity-core-type.md — identity placement decision
- docs/architecture/decisions/028-auth-irpc-service.md — auth as irpc service
- docs/architecture/decisions/023-unified-auth-shared-key-material.md — unified auth
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion