alknet/docs/architecture/definitions.md

---
status: draft
last_updated: 2026-06-09
---

# Definitions: Terminology and Concept Disambiguation

## Purpose

Several terms are overloaded across alknet's architecture. This document defines
each term precisely and states the rule for using it in architecture specs. When
ambiguity is possible, specs must use the full qualifier.

This is a normative reference — other architecture documents link here rather
than repeating definitions inline.

## Term Definitions

### Interface (Layer 2)

An **Interface** consumes a Transport stream (Layer 1) or manages its own
transport, and produces call protocol sessions or handles discrete requests.
It is a _protocol parser_, not a network service.

Two subtypes:

| Subtype | Trait | Lifecycle | Transport ownership | Examples |
|---------|-------|-----------|---------------------|----------|
| `StreamInterface` | `accept(stream) → Session` | Long-lived session | Provided by caller | SshInterface, RawFramingInterface |
| `MessageInterface` | `handle_request(req) → Response` | Stateless per-request | Self-managed | HttpInterface, DnsInterface |

**Rule**: In alknet architecture docs, "Interface" (capitalized) refers to
Layer 2. Rust trait definitions use "trait" or "contract." Network URLs use
"endpoint." When discussing auth mechanisms per transport/interface pair, use
"credential presentation" (not "auth interface").

See: [interface.md](interface.md), ADR-035.

### Transport (Layer 1)

A **Transport** produces a byte stream (`AsyncRead + AsyncWrite + Unpin + Send`).
It is a _wire mechanism_, not a protocol. `TransportKind` enumerates:
`Tcp`, `Tls`, `Iroh`, `WebTransport`.

DNS is **not** a transport — it is a `MessageInterface` that manages its own
transport (UDP/TCP port 53).

**Rule**: Never use "transport" to refer to HTTP, DNS, or any protocol that
doesn't produce a `TransportStream`. Use "MessageInterface" instead.

See: [transport.md](transport.md), ADR-026, ADR-035.

### Service (irpc service)

An **irpc service** is an in-cluster, Rust-to-Rust service defined by an irpc
protocol enum. Dispatched by enum variant with postcard serialization. Examples:
`AuthProtocol`, `SecretProtocol`, `ConfigProtocol`.

**Rule**: Always qualify: "irpc service" (in-cluster, enum-dispatched),
"application service" (operation-registered handler), or "external service"
(third-party endpoint). Never use bare "service" in architecture docs.

See: [services.md](services.md), ADR-028, ADR-033.

### Operation (call protocol)

An **operation** is a path-based handler registered in `OperationRegistry`,
dispatched by `namespace + name`. Cross-node, cross-language, JSON
`EventEnvelope` framing.

**Rule**: Use "operation" for call protocol handlers. Use "irpc service method"
for enum-dispatched calls. These are different dispatch mechanisms unified by
OperationEnv.

See: [call-protocol.md](call-protocol.md), ADR-033.

### Identity (core type)

The `Identity` struct `{ id, scopes, resources }` represents an authenticated
principal. Produced by `IdentityProvider` (inbound auth resolution).

| Identity field | Config-backed auth | Database-backed auth |
|---------------|-------------------|---------------------|
| `id` | SSH key fingerprint | Account UUID |
| `scopes` | From authorized_keys entry | From peer_credentials + ACL |
| `resources` | From authorized_keys entry | From organization membership |

**Rule**: "Identity" (capitalized, code font) = the alknet struct. "identity
service" = a full identity management system (Keystone, etc.). Never conflate
the two.

See: [identity.md](identity.md), ADR-029.

### IdentityProvider (inbound auth)

`IdentityProvider` resolves **inbound** authentication: given a credential
(fingerprint or token), produce an `Identity`.

**Direction**: Inbound (who is calling alknet).

**Rule**: Never use "IdentityProvider" to describe outbound auth. That is
`CredentialProvider`.

See: [identity.md](identity.md), ADR-029.

### CredentialProvider (outbound auth)

`CredentialProvider` resolves **outbound** credentials: given a service name,
produce a `CredentialSet` for authenticating _to_ that service.

**Direction**: Outbound (how alknet calls others).

**Rule**: Never use "CredentialProvider" for inbound auth. That is
`IdentityProvider`.

See: [credentials.md](credentials.md), ADR-036.

### AuthToken

`AuthToken = base64url(key_id || timestamp || signature)` — an Ed25519-signed
timestamp token used for non-SSH auth. Self-signed by the client, verified
server-side.

**Rule**: Use "AuthToken" (capitalized) for this specific format. Use "API key"
for hash-verified bearer tokens. Never use bare "token" in architecture docs.

See: [auth.md](auth.md), ADR-023.

### API Key

A hash-verified bearer token with a prefix like `alk_...`. Simpler than
AuthToken (no Ed25519 key pair needed). Stored as SHA-256 hash in
`DynamicConfig.auth.api_keys` or `api_keys` table.

**Rule**: Always "API key" (two words) for hash-verified bearer tokens.
"AuthToken" for Ed25519-signed tokens.

See: [auth.md](auth.md), ADR-037.

### Domain Event vs Integration Event

| Type | Scope | Serialization | Example |
|------|-------|---------------|---------|
| Domain event | Within a service boundary | Any format (Honker streams) | `KeyRotated`, `InventoryAdjusted` |
| Integration event | Across service or node boundaries | JSON `EventEnvelope` | `call.requested`, `UserCreated` |

irpc service calls are synchronous request-response, not events.

**Rule**: "Domain event" for internal Honker streams. "Integration event" for
call protocol `EventEnvelope`. "irpc call" for synchronous in-cluster calls.
Per ADR-032, domain events never cross service boundaries without projection.

See: ADR-032, [services.md](services.md).

### Scope

A permission string attached to an `Identity`. Flat strings like
`"relay:connect"`, `"secrets:derive"`. Used by `ForwardingPolicy` and
operation-level ACL.

**Rule**: Use "scope" for `Identity.scopes` flat strings. Use "resource" for
`Identity.resources` entries. Do not conflate with hierarchical role models
unless explicitly noting a comparison to Keystone.

See: [identity.md](identity.md), ADR-031.

### OperationRegistry

The central registry mapping `(namespace, operation_name)` to handlers and
specs. All interfaces resolve to the same registry.

**Rule**: "OperationRegistry" for this specific data structure. "Service
catalog" only when explicitly comparing to Keystone or similar external systems.

See: [call-protocol.md](call-protocol.md), ADR-025.

### Credential Presentation

The mechanism by which credentials are presented on each (Transport, Interface)
pair:

| (Transport, Interface) | Credential presentation | Resolves via |
|----------------------|----------------------|-------------|
| (TLS, SSH) | SSH key handshake | `resolve_from_fingerprint()` |
| (TCP, SSH) | SSH key handshake | `resolve_from_fingerprint()` |
| (iroh, SSH) | SSH key handshake | `resolve_from_fingerprint()` |
| (TLS, raw framing) | AuthToken in frame header | `resolve_from_token()` |
| (TCP, raw framing) | AuthToken in frame header | `resolve_from_token()` |
| (WebTransport, raw framing) | AuthToken in CONNECT request | `resolve_from_token()` |
| (—, HTTP) | `Authorization: Bearer` header | `resolve_from_token()` |
| (—, DNS) | AuthToken in query labels | `resolve_from_token()` |

**Rule**: Use "credential presentation" for the mechanism of presenting
credentials on a specific (Transport, Interface) pair. Not "auth interface"
(which overloads "Interface").

See: [auth.md](auth.md), [interface.md](interface.md).

## Cross-cutting Open Questions

These questions affect multiple specs and need resolution before or during
Phase 2 implementation:

- **OQ-DEF-03**: Should `Identity.scopes` be hierarchical (Keystone implied roles)
  or stay flat? Recommendation: Stay flat. Add implied scope resolution in
  alknet-storage when multi-tenant deployment requires it.

- **OQ-DEF-07**: Should the on-chain `IdentityProvider` be a separate impl or a
  `CredentialProvider` extension? Recommendation: Separate `IdentityProvider`
  impl (`OnChainIdentityProvider`). `IdentityProvider` resolves inbound auth,
  not outbound credentials.

- **OQ-DEF-08**: Should "credential presentation" replace overloaded "interface" in
  auth contexts? Recommendation: Yes. Adopted in this document.

See: [open-questions.md](open-questions.md) for tracking.

## References

- [interface.md](interface.md) — StreamInterface / MessageInterface
- [auth.md](auth.md) — AuthToken, credential presentation per interface
- [identity.md](identity.md) — Identity, IdentityProvider
- [credentials.md](credentials.md) — CredentialProvider, CredentialSet
- [services.md](services.md) — irpc services vs application services
- [call-protocol.md](call-protocol.md) — Operations, OperationEnv
- [research/phase2/definitions.md](../research/phase2/definitions.md) — Full research with cross-domain mappings