Files
alknet/tasks/vault/remove-password-derivation.md

2.7 KiB

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
vault/remove-password-derivation Remove derive_password and site_password_path methods (password-manager pattern not relevant) completed
vault/irpc-removal
single trivial isolated implementation

Description

Fix drift item #7: the vault currently has derive_password, derive_password_string, and site_password_path methods. These implement a password-manager pattern (deriving site-specific passwords from the seed) that is not relevant to an RPC system's vault. Remove them entirely per ADR-025 (resolves review #002 C9).

What to remove

  • derive_password method from VaultServiceHandle (in service.rs)
  • derive_password_string method from VaultServiceHandle (in service.rs)
  • site_password_path function (in mnemonic-derivation.rs or derivation.rs, wherever it's defined)
  • Any associated path constants for password derivation
  • Any tests for these methods
  • Any references in lib.rs re-exports

Why

The vault's purpose in alknet is to derive cryptographic keys (Ed25519 for identity, AES-256-GCM for encryption) and encrypt/decrypt external credentials. Site-specific password derivation is a password-manager feature that doesn't belong in a networking toolkit's vault. Keeping it expands the attack surface and API surface for no benefit.

Scope

This task touches service.rs and possibly derivation.rs / mnemonic-derivation.rs. It depends on the irpc removal task (drift #4) because both modify service.rs.

Acceptance Criteria

  • derive_password method removed from VaultServiceHandle
  • derive_password_string method removed from VaultServiceHandle
  • site_password_path function removed
  • Any password-derivation path constants removed
  • Tests for password derivation removed
  • No references to password derivation remain in lib.rs re-exports
  • cargo check succeeds (no dangling references)
  • cargo test succeeds
  • cargo clippy succeeds with no warnings

References

  • docs/architecture/crates/vault/README.md — Known Source Drift table item #7
  • docs/architecture/decisions/025-vault-local-only-dispatch.md — ADR-025 (resolves C9)

Notes

Straightforward removal. The password-manager pattern was inherited from the POC and is not relevant to alknet's vault use case. Depends on irpc removal because both modify service.rs.

Summary

Removed derive_password, derive_password_string from VaultServiceHandle (service.rs), site_password_path from derivation.rs, the doc-table row, all 5 password-derivation tests, and the now-unused base64 URL_SAFE_NO_PAD import. 109 lines deleted. All tests pass; clippy clean. Merged to develop.