alknet/tasks/architecture/spec-secret-service.md
glm-5.1 84f16d66e7 tasks: decompose Phase 0b spec documents and Phase 0c review
Add 15 new tasks under tasks/architecture/ for Phase 0b (spec writing)
and Phase 0c (review):

Phase 0b — New specs (6):
  - spec-configuration: promote from research, cleanup, align with ADRs
  - spec-identity: carry from auth.md + services.md, canonical Identity
  - spec-secret-service: from research/services.md SecretProtocol
  - spec-storage: from research/storage.md, contract-level
  - spec-flowgraph: from research/flow.md, pure computation crate
  - spec-interface: new Layer 2 spec (highest risk new spec)
  - spec-services: irpc service layer + OperationEnv (broadest scope)

Phase 0b — Spec updates (6):
  - spec-update-overview: add crate structure, Layer 3, services
  - spec-update-auth: IdentityProvider vs AuthService relationship
  - spec-update-call-protocol: OperationEnv dispatch paths
  - spec-update-server: DynamicConfig, ForwardingPolicy, IdentityProvider
  - spec-update-napi: reload API, call protocol references
  - spec-update-open-questions: resolve OQs per ADR decisions

Phase 0b — Assembly (1):
  - spec-update-readme: add new docs and ADRs to tables

Phase 0c — Review (1):
  - review-spec-foundation: validate consistency checklist

Generation structure (6 total):
  Gen 1: 6 independent ADRs (parallel)
  Gen 2: adr-027, adr-028 (depend on adr-029)
  Gen 3: adr-033 + 6 spec docs + open-questions update (parallel)
  Gen 4: adr review + interface/services specs + 4 spec updates
  Gen 5: call-protocol update + readme update
  Gen 6: spec review
2026-06-07 09:01:01 +00:00

id: architecture/spec-secret-service
name: Create secret-service.md architecture spec
status: pending
depends_on: architecture/adr-027-crate-decomposition, architecture/adr-032-event-boundary-discipline
scope: narrow
risk: low
impact: component
level: implementation

Description

Create docs/architecture/secret-service.md — a new architecture spec for the alknet-secret crate and its SecretProtocol irpc service.

This draws on the research in docs/research/services.md (SecretProtocol definition) and docs/research/storage.md (secrets section, key derivation paths). The secret service is well-bounded: BIP39 mnemonics, SLIP-0010 Ed25519 HD key derivation, AES-256-GCM encryption for external credentials, and a lock/unlock lifecycle.

Scope: alknet-secret crate definition, not alknet-core changes.

Key content from research:

  • SecretProtocol enum: Unlock, Lock, DeriveEd25519, DeriveEncryptionKey, DeriveEthereumKey, DerivePassword, Encrypt, Decrypt
  • DerivedKey, KeyType, EncryptedData types
  • Security model: locked/unlocked states, seed in RAM only, never on disk
  • Derivation path constants (SLIP-0044 coin type 74')
  • Event boundary: SecretService domain events (honker streams for key derivation notifications) stay internal. External consumers use irpc calls or call protocol operations that project to integration events.
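
The SLIP-0010 Ed25519 derivation named above, shown as an added Python example using only the standard library (it is not code from the alknet-secret crate or its research docs). The seed is the public SLIP-0010 test vector 1 seed, and the path m/44'/74'/0' is a hypothetical illustration under coin type 74', since this page does not list the actual derivation path constants.

```python
import hashlib
import hmac
import struct

HARDENED = 0x80000000  # high bit marks a hardened child index


def parse_path(path):
    """Parse "m/44'/74'/0'" into hardened child indexes; reject anything else."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with 'm'")
    indexes = []
    for part in parts[1:]:
        # SLIP-0010 defines only hardened children for Ed25519, so a segment
        # without the hardened marker is an error, not a silent fallback.
        if not part.endswith(("'", "H")) or not part[:-1].isdigit():
            raise ValueError(f"non-hardened or malformed segment: {part!r}")
        number = int(part[:-1])
        if number >= HARDENED:
            raise ValueError(f"index out of range: {part!r}")
        indexes.append(number | HARDENED)
    return indexes


def derive_ed25519(seed, path):
    """Return (private_key, chain_code), 32 bytes each, per SLIP-0010."""
    # Master node: HMAC-SHA512 keyed with the curve-specific constant.
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    key, chain = digest[:32], digest[32:]
    for index in parse_path(path):
        # Hardened child: 0x00 || parent key || big-endian 32-bit index,
        # keyed with the parent chain code.
        data = b"\x00" + key + struct.pack(">I", index)
        digest = hmac.new(chain, data, hashlib.sha512).digest()
        key, chain = digest[:32], digest[32:]
    return key, chain


# Constructed sample input: the seed of SLIP-0010 test vector 1, never a real seed.
SAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
# Hypothetical path for illustration; the real constants live in the research docs.
SAMPLE_PATH = "m/44'/74'/0'"
```

Because every level is hardened, a derived key cannot be computed from a parent public key, so any component that needs a child key has to ask the unlocked service for it.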

Acceptance Criteria

  • docs/architecture/secret-service.md exists with YAML frontmatter (status: draft)
  • Follows spec format: What, Why, Architecture, Constraints, Open Questions, Design Decisions
  • Documents BIP39 mnemonic generation and seed derivation
  • Documents SLIP-0010 Ed25519 HD key derivation (SLIP-0044 coin type 74')
  • Documents AES-256-GCM encryption/decryption for external credentials
  • Documents SecretProtocol irpc service: Unlock, Lock, DeriveEd25519, DeriveEncryptionKey, Encrypt, Decrypt variants
  • Documents EncryptedData type (key_version, salt, iv, ciphertext)
  • Documents derivation path constants
  • Documents security model: locked/unlocked states, seed lifecycle, never persisted
  • States crate dependencies: bip39, ed25519-bip32, aes-gcm, sha2, irpc
  • States crate does NOT depend on alknet-core or alknet-storage
  • States interface back to core: EncryptedData format referenced by alknet-storage (wire format compatibility, not crate dependency)
  • Event boundary per ADR-032: honker streams internal, irpc calls internal, no direct EventEnvelope emission
  • References ADR-027, ADR-032
  • docs/architecture/README.md updated to include secret-service.md

References

  • docs/research/services.md — SecretProtocol definition, DerivedKey, KeyType, EncryptedData
  • docs/research/storage.md — secrets section, key derivation paths
  • docs/research/integration-plan.md — Phase 2.1 (alknet-secret)

Notes

To be filled by implementation agent

Summary

To be filled on completion