glm-5.1
a7f0dcdeb9
Phase 1 of the integration plan modifies alknet-core to support the architectural changes from Phase 0 ADRs and specs. Decomposed into dependency-ordered tasks across config split, identity, forwarding policy, OperationEnv, interface abstraction, and NAPI reload API. Critical path: config-split → identity → forwarding → wire-into-handler → interface-trait → ssh-interface-extraction → review. Two highest-risk tasks (interface-trait-definition, ssh-interface-extraction) are split from §1.8 per the integration plan's note that it may need sub-phases. OperationEnv is split into types and runtime per Phase 1 local-dispatch-only constraint.
3.4 KiB
3.4 KiB
id, name, status, depends_on, scope, risk, impact, level
| id | name | status | depends_on | scope | risk | impact | level |
|---|---|---|---|---|---|---|---|
| core/config-static-dynamic-split | Implement StaticConfig / DynamicConfig split with ArcSwap hot-reload | pending | moderate | medium | component | implementation |
Description
Split alknet-core's configuration into StaticConfig (immutable after startup) and DynamicConfig (hot-reloadable at runtime via ArcSwap). This is the foundational change for Phase 1 — ForwardingPolicy, IdentityProvider, and ConfigService all depend on DynamicConfig being ArcSwap-backed.
Per ADR-030 and configuration.md:
StaticConfig (constructed from ServeOptions, never changes):
- Transport mode, listen address
- TLS config (cert, key)
- iroh config (relay URL)
- Stealth mode flag
- Host key, host key algorithm
- Max auth attempts, max connections per IP
- Proxy config
DynamicConfig (ArcSwap-wrapped, hot-reloadable):
AuthPolicy— authorized keys, certificate authorities (replaces currentArc<ServerAuthConfig>)ForwardingPolicy— allow/deny rules for channel targets (new, Phase 1.3)RateLimitConfig— rate limiting parameters
Key changes:
ServerHandlercurrently holdsArc<ServerAuthConfig>. Replace withArc<ArcSwap<DynamicConfig>>so it can reload auth policy without restarting.ServeOptionsbuilder pattern is preserved.ServeOptions→StaticConfigat startup.- Add
ConfigReloadHandlewithreload(DynamicConfig)method, obtained fromServer::run(). DynamicConfigstarts with what was inServerAuthConfigand gainsForwardingPolicy(added in task 1.3).
What stays the same: All existing tests should continue to pass. The default behavior is unchanged — DynamicConfig::default() should produce ForwardingPolicy::allow_all() and equivalent auth to the current ServerAuthConfig.
Acceptance Criteria
StaticConfigstruct defined incrates/alknet-core/src/config/static_config.rswith all fields per ADR-030DynamicConfigstruct defined incrates/alknet-core/src/config/dynamic_config.rswithAuthPolicyandForwardingPolicy(initiallyForwardingPolicy::allow_all()— detailed rules in task 1.3)ArcSwap<DynamicConfig>used inServerHandlerinstead ofArc<ServerAuthConfig>ConfigReloadHandlestruct withreload(&self, DynamicConfig)method, obtained fromServer::run()ServeOptions::build()(or similar) produces(StaticConfig, DynamicConfig)from builder- All existing server/auth tests pass with the new config structure
AuthPolicystruct defined withauthorized_keysandcert_authoritiesfields (migrated fromServerAuthConfig)RateLimitConfigstruct defined with rate limiting parameters- No behavioral changes — default config produces identical behavior to current code
References
- docs/architecture/configuration.md — StaticConfig, DynamicConfig, ConfigReloadHandle
- docs/architecture/decisions/030-static-dynamic-config-split.md — ADR-030
- docs/architecture/decisions/031-forwarding-policy.md — ForwardingPolicy in DynamicConfig
- docs/architecture/identity.md — DynamicConfig.auth consumed by IdentityProvider
- crates/alknet-core/src/server/handler.rs — current ServerHandler with Arc
- crates/alknet-core/src/server/serve.rs — current ServeOptions and Server
Notes
To be filled by implementation agent
Summary
To be filled on completion