Delete old source crates (alknet-core, alknet, alknet-napi), old architecture docs (ADRs, specs, open questions), old research docs (phase2, event-sourcing, feasibility, etc.), old tasks, and obsolete reference material (gitserver/MPL, honker, nats, rustfs, polyglot, keystone, distributed-identity). Keep: alknet-secret (standalone, compiles), pivot docs, iroh and ssh references, rudolfs reference (MIT/Apache, fork candidate), ops docs, sdd_process.md, and licenses. Previous implementation preserved at /workspace/@alkdev/alknet-main/ for reference during porting. Workspace compiles: cargo check + 14 tests pass for alknet-secret.
17 KiB
Cleanup Plan: Pre-Pivot Housekeeping
Status: Draft Created: 2026-06-15 Purpose: Clean the workspace before starting the ALPN-as-service refactor so agents have a clear, bias-free starting point.
Guiding Principles
- Delete noise, preserve signal. If a document describes concepts that the pivot replaces or defers, it should be archived — not left in place where agents might pattern-match to the old model.
- Reference docs are a library, not a plan. The
references/directory (iroh, ssh, nats, etc.) is neutral research about external projects. Those stay. But gitserver is MPL — see below. - ADRs that codify discarded abstractions become landmines. An agent reading ADR-026 ("Transport/interface separation") will try to implement the three-layer model. These need to be marked superseded or archived.
- Code that stays should compile cleanly. We're not rewriting yet — we're making the existing code a clean reference implementation to port from.
- Follow the SDD process. This cleanup is preparation for Phase 0→1. After cleanup, the architect role will produce proper architecture specs following the format in
docs/sdd_process.md— modular docs, ADRs, open questions, README index. No ad-hoc spec stubs.
Phase 1: Archive Obsolete Architecture Docs
These documents describe concepts that the ALPN pivot replaces entirely. They're historical record, not guidance. Move to docs/_archived/ (preserved in git history, out of sight for agents).
Architecture docs to archive
| Document | Reason |
|---|---|
docs/architecture/interface.md |
Defines StreamInterface / MessageInterface — replaced by ProtocolHandler |
docs/architecture/services.md |
Defines irpc service layer, OperationEnv three dispatch paths — replaced by ALPN dispatch |
docs/architecture/call-protocol.md |
Describes OperationEnv composition model — will be rewritten for alknet-call |
docs/architecture/storage.md |
Metagraph/data model — deferred per pivot |
docs/architecture/flowgraph.md |
FlowGraph crate — deferred per pivot |
docs/architecture/credentials.md |
CredentialProvider phases A–D — simplifying per pivot |
docs/architecture/napi-and-pubsub.md |
Describes pubsub event target adapter through SSH control channel — old model |
docs/architecture/open-questions.md |
Most open questions are about the old model; will regenerate after pivot |
docs/architecture/tun-shim.md |
Already deprecated |
ADRs to mark superseded
These ADRs codify abstractions that the pivot replaces. Don't delete — mark them with a clear Superseded status and a pointer to the pivot doc so agents don't treat them as current guidance.
| ADR | Title | Superseded by |
|---|---|---|
| 026 | Transport/interface separation (three-layer model) | ALPN dispatch — one trait, one dispatch point |
| 035 | StreamInterface / MessageInterface split | ProtocolHandler trait replaces both |
| 033 | OperationEnv as universal composition mechanism | Call protocol is one ALPN; no three dispatch paths |
| 027 | Crate decomposition (core, storage, flowgraph) | New crate decomposition per pivot |
| 028 | Auth as irpc service behind feature flag | Auth is shared in alknet-core, not an irpc service |
| 032 | Event boundary discipline (domain, irpc, call) | Simplified — each handler manages its own wire format |
| 018 | Control channel for pubsub over SSH | Pubsub is a handler concern, not a SSH control channel |
| 017 | Stealth mode — protocol multiplexing on port 443 | ALPN negotiation replaces byte-peek protocol detection |
ADRs that remain valid
These capture decisions that carry forward regardless of the refactor:
| ADR | Title | Why it stays |
|---|---|---|
| 001 | Pluggable transport via AsyncRead+AsyncWrite |
Still true — BiStream implements these traits |
| 003 | iroh stream via tokio::io::join |
Still relevant for iroh transport |
| 004 | SSH runs over transport, not alongside | Still true — SSH is one ALPN handler |
| 005 | SOCKS5 as primary client interface | Still true for alknet-ssh |
| 006 | No logging of tunnel destinations | Security principle, always valid |
| 008 | ACME/Let's Encrypt certificate provisioning | Still needed for TLS endpoints |
| 012 | Ed25519 keys + OpenSSH cert-authority | Auth model carries forward |
| 013 | Fail2ban-friendly logging | Still relevant |
| 023 | Unified auth with shared key material + token auth | Becomes IdentityProvider in core |
| 024 | Bidirectional call protocol (EventEnvelope) | EventEnvelope framing carries into alknet-call |
| 025 | Handler/spec separation | Still a good pattern — each ALPN handler has its own spec |
| 029 | Identity as core type in alknet-core | Still true |
| 030 | Static/dynamic config split with ArcSwap | Still true — ArcSwap<DynamicConfig> pattern continues |
| 031 | Forwarding policy with rule-based allow/deny | Still relevant for alknet-ssh |
| 037 | API keys as DynamicConfig auth | Carries forward |
| 038 | Seed lifecycle and memory security | alknet-secret is standalone, unchanged |
ADRs to archive (deferred/irrelevant)
| ADR | Title | Reason |
|---|---|---|
| 002 | TUN shim as separate process | Already superseded by ADR-014 |
| 007 | NAPI exposes single duplex stream | Needs rewrite — NAPI becomes call protocol client |
| 009 | Default iroh relay with override | Low-level transport detail, not an architecture decision |
| 010 | Transport chaining in CLI | CLI UX detail, revisit when building new CLI |
| 011 | Programmatic-first API, no file-based config | CLI detail, revisit |
| 014 | Defer TUN, recommend SOCKS5 + tun2proxy | Still valid direction but already noted as deferred |
| 015 | napi-rs for FFI bridge | Implementation detail, revisit |
| 016 | NAPI exposes both connect() and serve() | Needs rewrite for new model |
| 019 | Proxy dual semantics | CLI detail, revisit |
| 034 | Head/worker terminology | Terminology, not architecture; revisit |
| 036 | CredentialProvider as core type | Simplifying per pivot |
Phase 2: Clean Up Research Docs
Keep as-is (neutral external references)
docs/research/references/iroh/— ALPN dispatch, QUIC endpoints, protocol handler patterndocs/research/references/ssh/russh/— SSH implementation reference foralknet-sshdocs/research/references/ssh/russh-sftp/— SFTP protocol reference foralknet-sftpdocs/research/references/ssh/sftp-rs/— SFTP comparison referencedocs/research/references/nats.rs/— Service/pattern reference (not directly used but neutral)docs/research/references/honker/— SQLite pub/sub, queues, streams — may be relevant for in-node event systemdocs/research/references/polyglot/— FFI patterns for NAPI/WASMdocs/research/references/openstack-keystone/— Auth patterns referencedocs/research/references/rustfs/— S3-compatible object storage referencedocs/research/references/gitlfs/rudolfs-reference.md— Git LFS server reference (MIT/Apache-2.0, fork candidate)docs/research/ops/— fail2ban, certbot — production reference, still usefuldocs/research/feasibility/— Historical context, keep
Handle MPL-licensed reference
docs/research/references/gitserver/gitserver-reference.md — This references an MPL-2.0 project. The reference doc itself is our analysis, not derived work. However, since the git adapter will use gix (Apache-2.0/MIT) directly — not gitserver — keeping this doc around creates risk of an agent copying structure or logic from the MPL codebase.
Action: Archive it. Replace with a gix-focused reference when we spec the git adapter. The research value is the git protocol knowledge, not the gitserver code structure.
Archive (biased toward old model)
| Document | Reason |
|---|---|
docs/research/core.md |
Describes the three-layer model in detail — superseded by pivot |
docs/research/services.md |
Describes irpc service layer, OperationEnv — superseded |
docs/research/storage.md |
Metagraph — deferred |
docs/research/flow.md |
FlowGraph — deferred |
docs/research/configuration.md |
Promoted to architecture docs already |
docs/research/integration-plan.md |
Phase-based integration plan for old model — superseded |
docs/research/phase2/interface-model.md |
StreamInterface/MessageInterface analysis — superseded |
docs/research/phase2/credential-provider.md |
CredentialProvider phases — simplifying |
docs/research/phase2/definitions.md |
Promoted to architecture already |
docs/research/phase2/tls-transport.md |
Describes stealth mode — ALPN replaces this |
docs/research/event-sourcing/ |
Event sourcing patterns — not currently needed |
Keep but annotate
| Document | Reason |
|---|---|
docs/research/pivot/alpn-service-architecture.md |
The pivot proposal. Current. |
docs/research/pivot/cleanup-plan.md |
This doc. Current. |
Phase 3: Clean Up Architecture Docs That Stay
These docs describe concepts that carry forward but need updating to reflect the new model. We'll mark them as needs-update and add a note pointing to the pivot. Don't rewrite yet — just annotate so agents know they're partially stale.
| Document | What changes |
|---|---|
docs/architecture/overview.md |
Crate structure, three-layer model references |
docs/architecture/transport.md |
Still valid but needs ALPN endpoint section |
docs/architecture/auth.md |
Auth per-handler table from pivot replaces credential presentation per interface |
docs/architecture/client.md |
Client connects to endpoint, opens stream on ALPN — simpler |
docs/architecture/server.md |
Server becomes ALPN router — fundamentally different |
docs/architecture/identity.md |
Mostly valid, needs IdentityProvider simplification |
docs/architecture/configuration.md |
ListenerConfig → ALPN advertisement config |
docs/architecture/secret-service.md |
Unchanged — alknet-secret is standalone |
docs/architecture/definitions.md |
Terminology needs update (interface, listener, handler → ALPN, handler) |
Phase 4: Greenfield Workspace
Decision: Greenfield rather than in-place migration. The old codebase is preserved at /workspace/@alkdev/alknet-main/ as a reference implementation. The new workspace starts clean with only alknet-secret carried over (it's standalone with no alknet-core dependency).
What was deleted
| What | Reason |
|---|---|
crates/alknet-core/ |
Replaced by new alknet-core v2 with ALPN router |
crates/alknet/ |
CLI will be rebuilt for new model |
crates/alknet-napi/ |
NAPI will be rebuilt as call protocol client |
docs/architecture/ |
Old model specs — will be replaced by SDD process |
docs/research/core.md |
Three-layer model — superseded |
docs/research/services.md |
irpc service layer — superseded |
docs/research/storage.md |
Metagraph — deferred |
docs/research/flow.md |
FlowGraph — deferred |
docs/research/configuration.md |
Promoted to architecture already |
docs/research/integration-plan.md |
Old model integration — superseded |
docs/research/phase2/ |
StreamInterface/MessageInterface, CredentialProvider — superseded |
docs/research/event-sourcing/ |
Not currently needed |
docs/research/references/gitserver/ |
MPL-2.0 licensed — licensing risk |
docs/research/references/gitlfs/ |
MIT/Apache — kept as fork candidate, moved to references |
docs/research/references/honker/ |
Biased toward old irpc model |
docs/research/references/nats.rs/ |
Not directly used |
docs/research/references/distributed-identity/ |
Deferred |
docs/research/references/openstack-keystone/ |
Not directly used |
docs/research/references/polyglot/ |
Not directly used |
docs/research/references/rustfs/ |
Not directly used (may return for alknet-fs) |
docs/references/ |
Stray duplicate directory |
tasks/ |
Old task graph — will be regenerated by SDD process |
What was kept
| What | Reason |
|---|---|
crates/alknet-secret/ |
Standalone crate, no alknet-core dependency, fully working |
docs/research/pivot/ |
The pivot proposal and this cleanup plan |
docs/research/references/iroh/ |
ALPN dispatch, QUIC endpoints — directly relevant |
docs/research/references/ssh/ |
russh, russh-sftp — directly relevant for alknet-ssh |
docs/research/ops/ |
fail2ban, certbot — production reference |
docs/sdd_process.md |
The development process we follow |
Cargo.toml (workspace) |
Updated to only include alknet-secret |
Cargo.lock |
Preserved for alknet-secret dependencies |
LICENSE-MIT, LICENSE-APACHE |
License files |
README.md |
Updated for greenfield state |
Reference implementation
The previous codebase is preserved at /workspace/@alkdev/alknet-main/. When spec'ing and implementing new crates, the architect and implementation specialists can reference the old code to understand what worked and what didn't. Key modules to port:
| Old module | Lines | Port destination |
|---|---|---|
src/interface/ssh.rs |
982 | → alknet-ssh |
src/server/handler.rs |
974 | → alknet-ssh |
src/server/channel_proxy.rs |
555 | → alknet-ssh |
src/server/serve.rs |
1526 | → reference for ALPN router rewrite |
src/call/* |
~1200 | → alknet-call |
src/auth/* |
~1450 | → alknet-core |
src/config/* |
~950 | → alknet-core |
src/transport/* |
~1500 | → alknet-core |
src/client/* |
~1900 | → alknet-ssh |
src/socks5/* |
~800 | → alknet-ssh |
The old code is reference, not constraint. Agents should understand what it did and why, then implement against the new ProtocolHandler trait and ALPN router — not copy-paste the old architecture.
Phase 5: Architecture Specs (Follow SDD Process)
After cleanup, the architect role will produce proper architecture specs following the SDD process defined in docs/sdd_process.md. This means:
- Modular docs in
docs/architecture/— one focused doc per component/area - ADRs in
docs/architecture/decisions/— new ADRs for pivot decisions (ALPN dispatch, ProtocolHandler trait, crate decomposition, etc.) - Open questions centralized in
docs/architecture/open-questions.md - README index in
docs/architecture/README.mdwith doc table, ADR table, lifecycle definitions - YAML frontmatter with
status,last_updatedon every doc
The pivot proposal (docs/research/pivot/alpn-service-architecture.md) serves as Phase 0 research output. The architect will use it as input to produce Phase 1 architecture docs. No ad-hoc spec stubs — proper SDD specs from the start.
Key new ADRs the architect will need to produce:
| ADR | Title |
|---|---|
| 039 | ALPN-based protocol dispatch (replaces ADR-026, ADR-035) |
| 040 | ProtocolHandler trait (replaces StreamInterface/MessageInterface) |
| 041 | New crate decomposition (replaces ADR-027) |
| 042 | Auth as shared core (replaces ADR-028) |
| 043 | Event model per-handler (replaces ADR-032, ADR-018) |
| 044 | ALPN negotiation replaces stealth mode (replaces ADR-017) |
Key architecture docs the architect will need to produce or rewrite:
| Document | Scope |
|---|---|
overview.md |
Rewrite — crate structure, ALPN dispatch model, exports |
server.md |
Rewrite — ALPN router, handler registry, endpoint lifecycle |
client.md |
Rewrite — connect to endpoint, open stream on ALPN |
auth.md |
Update — IdentityProvider, per-handler credential table |
call-protocol.md |
Rewrite — alknet-call as one ALPN, EventEnvelope framing |
configuration.md |
Update — ALPN advertisement, handler config |
identity.md |
Update — IdentityProvider simplification |
definitions.md |
Update — new terminology |
Execution Order
Create→ Greenfield instead. Old code preserved atdocs/_archived/directory/workspace/@alkdev/alknet-main/.Mark superseded ADRs→ Deleted. Old architecture docs removed entirely. New ADRs will be created by the architect per SDD process.Move obsolete research docs→ Deleted. Only kept directly relevant references (iroh, ssh, ops, pivot).Annotate stale-but-keeping architecture docs→ Deleted. No stale docs remain. Architect will produce fresh specs.- Delete old source crates (alknet-core, alknet, alknet-napi) — done
- Update workspace Cargo.toml to only include alknet-secret — done
- Update README.md for greenfield state — done
- Verify compilation —
cargo checkandcargo test -p alknet-secretboth pass — done - Architect produces proper SDD architecture specs per Phase 1 of the SDD process
After this cleanup, the repo:
- Compiles cleanly (alknet-secret passes all 14 tests)
- Has no old architecture docs, ADRs, or task graph
- Has only directly relevant reference material (iroh, ssh, ops)
- Has the pivot proposal and cleanup plan as the starting point
- Has a clean workspace ready for the architect to produce Phase 1 specs
- Has the reference implementation at
/workspace/@alkdev/alknet-main/