alknet/tasks/core/config-identity-provider-into-handler.md
glm-5.1 a7f0dcdeb9 tasks: decompose Phase 1 core modifications into 12 atomic implementation tasks
Phase 1 of the integration plan modifies alknet-core to support the
architectural changes from Phase 0 ADRs and specs. Decomposed into
dependency-ordered tasks across config split, identity, forwarding
policy, OperationEnv, interface abstraction, and NAPI reload API.

Critical path: config-split → identity → forwarding → wire-into-handler
→ interface-trait → ssh-interface-extraction → review.

Two highest-risk tasks (interface-trait-definition, ssh-interface-extraction)
are split from §1.8 per the integration plan's note that it may need
sub-phases. OperationEnv is split into types and runtime per Phase 1
local-dispatch-only constraint.
2026-06-07 13:29:58 +00:00


id: core/config-identity-provider-into-handler
name: Wire IdentityProvider and ForwardingPolicy into ServerHandler
status: pending
depends_on: core/forwarding-policy
scope: narrow
risk: low
impact: component
level: implementation

Description

Wire the IdentityProvider and ForwardingPolicy into ServerHandler and the server accept loop. This is the integration task that connects the config split, identity trait, and forwarding policy to the actual runtime behavior.

Key changes:

  • Server::run() (or serve()) constructs ConfigIdentityProvider from ArcSwap<DynamicConfig> and passes it to ServerHandler
  • ServerHandler holds Arc<dyn IdentityProvider> instead of Arc<ServerAuthConfig>
  • auth_publickey() calls identity_provider.resolve_from_fingerprint() and stores the resulting Identity on the session
  • channel_open_direct_tcpip() evaluates ForwardingPolicy::check() using the session's Identity
  • ConfigReloadHandle is threaded through from Server::run() so callers can reload DynamicConfig
  • The ServerHandler::new() API takes IdentityProvider + DynamicConfig instead of ServerAuthConfig

This is a wiring/integration task — the pieces exist from tasks 1.1-1.3, this connects them.

Acceptance Criteria

  • ServerHandler holds Arc<dyn IdentityProvider> and Arc<ArcSwap<DynamicConfig>> instead of Arc<ServerAuthConfig>
  • auth_publickey() delegates to IdentityProvider::resolve_from_fingerprint() and stores Identity on the session
  • channel_open_direct_tcpip() evaluates ForwardingPolicy::check() before proxying; logs rejection with principal and target
  • ServeOptions produces (StaticConfig, DynamicConfig) at startup
  • ConfigReloadHandle returned from Server::run() for external reload
  • ConfigIdentityProvider constructed at startup from initial DynamicConfig
  • All existing integration tests pass
  • New integration test: reload DynamicConfig → new auth keys take effect on next connection
  • New integration test: ForwardingPolicy deny rule blocks channel open
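
A std-only sketch of the wiring these criteria describe, added here as an illustration and not taken from alknet-core: it shows a reloaded DynamicConfig taking effect on the next connection and a deny rule blocking a channel open. The type names come from this task; every signature, the DynamicConfig fields, the fail-closed handling of a session without an Identity, and the use of RwLock<Arc<_>> in place of ArcSwap are assumptions.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

// Every signature and field below is an assumption made for this sketch.
pub struct Identity { pub principal: String }
#[derive(Default)]
pub struct ForwardingPolicy { pub deny: Vec<(String, String)> } // (principal, target)
impl ForwardingPolicy {
    pub fn check(&self, id: &Identity, target: &str) -> bool {
        !self.deny.iter().any(|(p, t)| p == &id.principal && t.as_str() == target)
    }
}
#[derive(Default)]
pub struct DynamicConfig {
    pub keys: HashMap<String, String>, // key fingerprint -> principal
    pub policy: ForwardingPolicy,
}
pub type Shared = Arc<RwLock<Arc<DynamicConfig>>>; // std stand-in for ArcSwap

pub trait IdentityProvider: Send + Sync {
    fn resolve_from_fingerprint(&self, fp: &str) -> Option<Identity>;
}
pub struct ConfigIdentityProvider(pub Shared);
impl IdentityProvider for ConfigIdentityProvider {
    fn resolve_from_fingerprint(&self, fp: &str) -> Option<Identity> {
        let cfg = self.0.read().unwrap().clone(); // snapshot; a reload affects later lookups
        cfg.keys.get(fp).map(|p| Identity { principal: p.clone() })
    }
}

pub struct ServerHandler {
    pub idp: Arc<dyn IdentityProvider>,
    pub cfg: Shared,
    pub identity: Option<Identity>, // per session, set by auth_publickey
}
impl ServerHandler {
    pub fn auth_publickey(&mut self, fp: &str) -> bool {
        self.identity = self.idp.resolve_from_fingerprint(fp);
        self.identity.is_some()
    }
    pub fn channel_open_direct_tcpip(&self, target: &str) -> bool {
        // Fail closed: a session without a stored Identity never forwards.
        let id = match &self.identity { Some(i) => i, None => return false };
        let ok = self.cfg.read().unwrap().policy.check(id, target);
        if !ok { eprintln!("forward denied principal={} target={}", id.principal, target); }
        ok
    }
}
pub fn reload(cfg: &Shared, new: DynamicConfig) { *cfg.write().unwrap() = Arc::new(new); }
```

Because the handler reads the policy from the shared config on every channel open, a reloaded deny rule in this sketch also applies to sessions that authenticated before the reload.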

References

  • docs/architecture/identity.md — IdentityProvider wiring into ServerHandler
  • docs/architecture/configuration.md — ConfigReloadHandle, ConfigIdentityProvider
  • crates/alknet-core/src/server/handler.rs — current handler to be refactored
  • crates/alknet-core/src/server/serve.rs — ServeOptions and Server::run()

Notes

To be filled by implementation agent

Summary

To be filled on completion