2.1 KiB
id, name, status, depends_on, scope, risk, impact, level
| id | name | status | depends_on | scope | risk | impact | level | |
|---|---|---|---|---|---|---|---|---|
| core/auth-service-irpc | Implement AuthProtocol irpc service enum behind feature flag | completed |
|
narrow | medium | component | implementation |
Description
Define AuthProtocol irpc service enum behind the irpc feature flag in alknet-core, per ADR-028 and identity.md.
The AuthProtocol provides an async boundary for auth verification. ConfigIdentityProvider wraps ArcSwap<DynamicConfig> directly in Phase 1 (the trait-based path). When the service layer is enabled, AuthServiceImpl delegates to ConfigIdentityProvider via irpc. The trait-based path and the irpc path produce identical Identity results.
Key additions (behind irpc feature flag):
AuthProtocolenum:VerifyPubkey,VerifyToken,ReloadKeys,CheckAccessAuthResultenum:Ok(Identity),Denied(String)AuthServiceImplbacked byConfigIdentityProvider(ArcSwap path)
What stays the same: The IdentityProvider trait is the contract. Without the irpc feature, auth goes through ConfigIdentityProvider directly. With the feature, AuthServiceImpl provides an irpc entry point.
Acceptance Criteria
AuthProtocolenum defined incrates/alknet-core/src/auth/auth_protocol.rs(behindirpcfeature flag)AuthResulttype defined (matching identity.md spec)AuthServiceImplimplemented, wrappingConfigIdentityProvider(ArcSwap path)irpcfeature flag added to alknet-core'sCargo.toml- Without
irpcfeature, the code compiles and all existing tests pass unchanged - With
irpcfeature,AuthProtocolandAuthServiceImplare available AuthServiceImpl::verify_pubkey()produces the sameIdentityasConfigIdentityProvider::resolve_from_fingerprint()
References
- docs/architecture/decisions/028-auth-irpc-service.md — ADR-028
- docs/architecture/identity.md — AuthProtocol enum, AuthResult, AuthServiceImpl
- docs/architecture/services.md — Service definition pattern
Notes
To be filled by implementation agent
Summary
To be filled on completion