alknet/tasks/vault/remove-password-derivation.md
glm-5.2 098fd8b9b9 tasks: decompose vault, core, call crates into 28 atomic implementation tasks
Break down the three initial crates (alknet-vault, alknet-core, alknet-call)
into dependency-ordered task files for implementation agents.

Structure:
- tasks/vault/ (10 tasks) — drift fixes from ADR-025/026 refactor, review,
  spec sync. Vault is independent and can run fully in parallel with core/call.
- tasks/core/ (6 tasks) — crate init, core types, config, auth, endpoint,
  review. Core is foundational; call depends on it.
- tasks/call/ (12 tasks) — split into registry/ and protocol/ topic subdirs
  reflecting the two subsystems. CallAdapter is the merge point.

Key decisions:
- Drifts 3+9+10 grouped as one task (key-versioning-rotation) — the complete
  ADR-021 rotation feature that doesn't compile in pieces
- Reviews injected at end of each crate phase (vault, core, call)
- Vault spec-sync task removes the drift table and bumps doc status to stable
- ACME deferred in core/endpoint (noted as TODO; X509 manual certs for now)
- OperationEnv kept as a trait (load-bearing for ADR-024 layering)

Validated: 28 tasks, no cycles, 11 generations of parallel work.
Critical path runs through call (11 tasks). Vault completes by generation 4.
6 high-risk tasks identified (21%): irpc-removal, endpoint, operation-context,
operation-env, call-adapter, abort-cascade.
2026-06-23 12:41:47 +00:00

id: vault/remove-password-derivation
name: Remove derive_password and site_password_path methods (password-manager pattern not relevant)
status: pending
depends_on: vault/irpc-removal
scope: single
risk: trivial
impact: isolated
level: implementation

Description

Fix drift item #7: the vault currently has derive_password, derive_password_string, and site_password_path methods. These implement a password-manager pattern (deriving site-specific passwords from the seed) that is not relevant to an RPC system's vault. Remove them entirely per ADR-025 (resolves review #002 C9).

What to remove

  • derive_password method from VaultServiceHandle (in service.rs)
  • derive_password_string method from VaultServiceHandle (in service.rs)
  • site_password_path function (in mnemonic-derivation.rs or derivation.rs, wherever it's defined)
  • Any associated path constants for password derivation
  • Any tests for these methods
  • Any references in lib.rs re-exports

Why

The vault's purpose in alknet is to derive cryptographic keys (Ed25519 for identity, AES-256-GCM for encryption) and encrypt/decrypt external credentials. Site-specific password derivation is a password-manager feature that doesn't belong in a networking toolkit's vault. Keeping it expands the attack surface and API surface for no benefit.

Scope

This task touches service.rs and possibly derivation.rs / mnemonic-derivation.rs. It depends on the irpc removal task (drift #4) because both modify service.rs.

Acceptance Criteria

  • derive_password method removed from VaultServiceHandle
  • derive_password_string method removed from VaultServiceHandle
  • site_password_path function removed
  • Any password-derivation path constants removed
  • Tests for password derivation removed
  • No references to password derivation remain in lib.rs re-exports
  • cargo check succeeds (no dangling references)
  • cargo test succeeds
  • cargo clippy succeeds with no warnings
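
One way to turn the acceptance criteria above into a repeatable check (an added example, not part of the alknet repository): a shell function that scans every .rs file for the three removed identifiers as whole words, then runs the cargo gates. The crate directory argument, the function names, and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the alknet repository.
# Symbol names are taken from the task's "What to remove" list.
REMOVED_SYMBOLS='derive_password derive_password_string site_password_path'

# scan_removed_symbols DIR
# Prints file:line:text for each whole-word use of a removed symbol in any
# *.rs file under DIR (sources, tests, lib.rs re-exports, comments).
# Returns 0 if none remain, 1 if any were found, 2 if DIR is not a directory.
scan_removed_symbols() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    found=0
    for sym in $REMOVED_SYMBOLS; do
        # -w matches whole words only, so derive_password is not reported
        # again for every derive_password_string line. /dev/null forces
        # grep to print the file name even when find passes a single file.
        hits=$(find "$dir" -type f -name '*.rs' \
            -exec grep -nwF -e "$sym" /dev/null {} + 2>/dev/null) || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# verify_removal CRATE_DIR
# Runs the reference scan, then the three cargo gates from the acceptance
# criteria. CRATE_DIR (the vault crate root) is an assumption of this example.
verify_removal() {
    crate=${1:-.}
    scan_removed_symbols "$crate" || return 1
    (
        cd "$crate" || exit 1
        cargo check && cargo test && cargo clippy -- -D warnings
    )
}

# Run only when asked to, e.g.: sh verify.sh --run path/to/vault-crate
if [ "${1:-}" = "--run" ]; then
    verify_removal "${2:-.}"
fi
```

The scan also flags comments and doc strings that still mention a removed name, which is stricter than `cargo check` and catches stale documentation of the removed API.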

References

  • docs/architecture/crates/vault/README.md — Known Source Drift table item #7
  • docs/architecture/decisions/025-vault-local-only-dispatch.md — ADR-025 (resolves C9)

Notes

Straightforward removal. The password-manager pattern was inherited from the POC and is not relevant to alknet's vault use case. Depends on irpc removal because both modify service.rs.

Summary

To be filled on completion