Delete old source crates (alknet-core, alknet, alknet-napi), old architecture docs (ADRs, specs, open questions), old research docs (phase2, event-sourcing, feasibility, etc.), old tasks, and obsolete reference material (gitserver/MPL, honker, nats, rustfs, polyglot, keystone, distributed-identity). Keep: alknet-secret (standalone, compiles), pivot docs, iroh and ssh references, rudolfs reference (MIT/Apache, fork candidate), ops docs, sdd_process.md, and licenses. Previous implementation preserved at /workspace/@alkdev/alknet-main/ for reference during porting. Workspace compiles: cargo check + 14 tests pass for alknet-secret.
280 lines
17 KiB
Markdown
280 lines
17 KiB
Markdown
# Cleanup Plan: Pre-Pivot Housekeeping
|
||
|
||
> Status: Draft
|
||
> Created: 2026-06-15
|
||
> Purpose: Clean the workspace before starting the ALPN-as-service refactor so agents have a clear, bias-free starting point.
|
||
|
||
## Guiding Principles
|
||
|
||
1. **Delete noise, preserve signal.** If a document describes concepts that the pivot replaces or defers, it should be archived — not left in place where agents might pattern-match to the old model.
|
||
2. **Reference docs are a library, not a plan.** The `references/` directory (iroh, ssh, nats, etc.) is neutral research about external projects. Those stay. But gitserver is MPL — see below.
|
||
3. **ADRs that codify discarded abstractions become landmines.** An agent reading ADR-026 ("Transport/interface separation") will try to implement the three-layer model. These need to be marked superseded or archived.
|
||
4. **Code that stays should compile cleanly.** We're not rewriting yet — we're making the existing code a clean reference implementation to port from.
|
||
5. **Follow the SDD process.** This cleanup is preparation for Phase 0→1. After cleanup, the architect role will produce proper architecture specs following the format in `docs/sdd_process.md` — modular docs, ADRs, open questions, README index. No ad-hoc spec stubs.
|
||
|
||
---
|
||
|
||
## Phase 1: Archive Obsolete Architecture Docs
|
||
|
||
These documents describe concepts that the ALPN pivot **replaces entirely**. They're historical record, not guidance. Move to `docs/_archived/` (preserved in git history, out of sight for agents).
|
||
|
||
### Architecture docs to archive
|
||
|
||
| Document | Reason |
|
||
|----------|--------|
|
||
| `docs/architecture/interface.md` | Defines `StreamInterface` / `MessageInterface` — replaced by `ProtocolHandler` |
|
||
| `docs/architecture/services.md` | Defines irpc service layer, `OperationEnv` three dispatch paths — replaced by ALPN dispatch |
|
||
| `docs/architecture/call-protocol.md` | Describes `OperationEnv` composition model — will be rewritten for `alknet-call` |
|
||
| `docs/architecture/storage.md` | Metagraph/data model — deferred per pivot |
|
||
| `docs/architecture/flowgraph.md` | FlowGraph crate — deferred per pivot |
|
||
| `docs/architecture/credentials.md` | `CredentialProvider` phases A–D — simplifying per pivot |
|
||
| `docs/architecture/napi-and-pubsub.md` | Describes pubsub event target adapter through SSH control channel — old model |
|
||
| `docs/architecture/open-questions.md` | Most open questions are about the old model; will regenerate after pivot |
|
||
| `docs/architecture/tun-shim.md` | Already deprecated |
|
||
|
||
### ADRs to mark superseded
|
||
|
||
These ADRs codify abstractions that the pivot replaces. Don't delete — mark them with a clear `Superseded` status and a pointer to the pivot doc so agents don't treat them as current guidance.
|
||
|
||
| ADR | Title | Superseded by |
|
||
|-----|-------|---------------|
|
||
| 026 | Transport/interface separation (three-layer model) | ALPN dispatch — one trait, one dispatch point |
|
||
| 035 | StreamInterface / MessageInterface split | `ProtocolHandler` trait replaces both |
|
||
| 033 | OperationEnv as universal composition mechanism | Call protocol is one ALPN; no three dispatch paths |
|
||
| 027 | Crate decomposition (core, storage, flowgraph) | New crate decomposition per pivot |
|
||
| 028 | Auth as irpc service behind feature flag | Auth is shared in `alknet-core`, not an irpc service |
|
||
| 032 | Event boundary discipline (domain, irpc, call) | Simplified — each handler manages its own wire format |
|
||
| 018 | Control channel for pubsub over SSH | Pubsub is a handler concern, not a SSH control channel |
|
||
| 017 | Stealth mode — protocol multiplexing on port 443 | ALPN negotiation replaces byte-peek protocol detection |
|
||
|
||
### ADRs that remain valid
|
||
|
||
These capture decisions that carry forward regardless of the refactor:
|
||
|
||
| ADR | Title | Why it stays |
|
||
|-----|-------|--------------|
|
||
| 001 | Pluggable transport via `AsyncRead+AsyncWrite` | Still true — `BiStream` implements these traits |
|
||
| 003 | iroh stream via `tokio::io::join` | Still relevant for iroh transport |
|
||
| 004 | SSH runs over transport, not alongside | Still true — SSH is one ALPN handler |
|
||
| 005 | SOCKS5 as primary client interface | Still true for `alknet-ssh` |
|
||
| 006 | No logging of tunnel destinations | Security principle, always valid |
|
||
| 008 | ACME/Let's Encrypt certificate provisioning | Still needed for TLS endpoints |
|
||
| 012 | Ed25519 keys + OpenSSH cert-authority | Auth model carries forward |
|
||
| 013 | Fail2ban-friendly logging | Still relevant |
|
||
| 023 | Unified auth with shared key material + token auth | Becomes `IdentityProvider` in core |
|
||
| 024 | Bidirectional call protocol (EventEnvelope) | EventEnvelope framing carries into `alknet-call` |
|
||
| 025 | Handler/spec separation | Still a good pattern — each ALPN handler has its own spec |
|
||
| 029 | Identity as core type in alknet-core | Still true |
|
||
| 030 | Static/dynamic config split with ArcSwap | Still true — `ArcSwap<DynamicConfig>` pattern continues |
|
||
| 031 | Forwarding policy with rule-based allow/deny | Still relevant for `alknet-ssh` |
|
||
| 037 | API keys as DynamicConfig auth | Carries forward |
|
||
| 038 | Seed lifecycle and memory security | `alknet-secret` is standalone, unchanged |
|
||
|
||
### ADRs to archive (deferred/irrelevant)
|
||
|
||
| ADR | Title | Reason |
|
||
|-----|-------|--------|
|
||
| 002 | TUN shim as separate process | Already superseded by ADR-014 |
|
||
| 007 | NAPI exposes single duplex stream | Needs rewrite — NAPI becomes call protocol client |
|
||
| 009 | Default iroh relay with override | Low-level transport detail, not an architecture decision |
|
||
| 010 | Transport chaining in CLI | CLI UX detail, revisit when building new CLI |
|
||
| 011 | Programmatic-first API, no file-based config | CLI detail, revisit |
|
||
| 014 | Defer TUN, recommend SOCKS5 + tun2proxy | Still valid direction but already noted as deferred |
|
||
| 015 | napi-rs for FFI bridge | Implementation detail, revisit |
|
||
| 016 | NAPI exposes both connect() and serve() | Needs rewrite for new model |
|
||
| 019 | Proxy dual semantics | CLI detail, revisit |
|
||
| 034 | Head/worker terminology | Terminology, not architecture; revisit |
|
||
| 036 | CredentialProvider as core type | Simplifying per pivot |
|
||
|
||
---
|
||
|
||
## Phase 2: Clean Up Research Docs
|
||
|
||
### Keep as-is (neutral external references)
|
||
|
||
- `docs/research/references/iroh/` — ALPN dispatch, QUIC endpoints, protocol handler pattern
|
||
- `docs/research/references/ssh/russh/` — SSH implementation reference for `alknet-ssh`
|
||
- `docs/research/references/ssh/russh-sftp/` — SFTP protocol reference for `alknet-sftp`
|
||
- `docs/research/references/ssh/sftp-rs/` — SFTP comparison reference
|
||
- `docs/research/references/nats.rs/` — Service/pattern reference (not directly used but neutral)
|
||
- `docs/research/references/honker/` — SQLite pub/sub, queues, streams — may be relevant for in-node event system
|
||
- `docs/research/references/polyglot/` — FFI patterns for NAPI/WASM
|
||
- `docs/research/references/openstack-keystone/` — Auth patterns reference
|
||
- `docs/research/references/rustfs/` — S3-compatible object storage reference
|
||
- `docs/research/references/gitlfs/rudolfs-reference.md` — Git LFS server reference (MIT/Apache-2.0, fork candidate)
|
||
- `docs/research/ops/` — fail2ban, certbot — production reference, still useful
|
||
- `docs/research/feasibility/` — Historical context, keep
|
||
|
||
### Handle MPL-licensed reference
|
||
|
||
**`docs/research/references/gitserver/gitserver-reference.md`** — This references an MPL-2.0 project. The reference doc itself is our analysis, not derived work. However, since the git adapter will use `gix` (Apache-2.0/MIT) directly — not gitserver — keeping this doc around creates risk of an agent copying structure or logic from the MPL codebase.
|
||
|
||
**Action:** Archive it. Replace with a `gix`-focused reference when we spec the git adapter. The research value is the git protocol knowledge, not the gitserver code structure.
|
||
|
||
### Archive (biased toward old model)
|
||
|
||
| Document | Reason |
|
||
|----------|--------|
|
||
| `docs/research/core.md` | Describes the three-layer model in detail — superseded by pivot |
|
||
| `docs/research/services.md` | Describes irpc service layer, OperationEnv — superseded |
|
||
| `docs/research/storage.md` | Metagraph — deferred |
|
||
| `docs/research/flow.md` | FlowGraph — deferred |
|
||
| `docs/research/configuration.md` | Promoted to architecture docs already |
|
||
| `docs/research/integration-plan.md` | Phase-based integration plan for old model — superseded |
|
||
| `docs/research/phase2/interface-model.md` | StreamInterface/MessageInterface analysis — superseded |
|
||
| `docs/research/phase2/credential-provider.md` | CredentialProvider phases — simplifying |
|
||
| `docs/research/phase2/definitions.md` | Promoted to architecture already |
|
||
| `docs/research/phase2/tls-transport.md` | Describes stealth mode — ALPN replaces this |
|
||
| `docs/research/event-sourcing/` | Event sourcing patterns — not currently needed |
|
||
|
||
### Keep but annotate
|
||
|
||
| Document | Reason |
|
||
|----------|--------|
|
||
| `docs/research/pivot/alpn-service-architecture.md` | **The pivot proposal.** Current. |
|
||
| `docs/research/pivot/cleanup-plan.md` | **This doc.** Current. |
|
||
|
||
---
|
||
|
||
## Phase 3: Clean Up Architecture Docs That Stay
|
||
|
||
These docs describe concepts that carry forward but need updating to reflect the new model. We'll mark them as `needs-update` and add a note pointing to the pivot. Don't rewrite yet — just annotate so agents know they're partially stale.
|
||
|
||
| Document | What changes |
|
||
|----------|--------------|
|
||
| `docs/architecture/overview.md` | Crate structure, three-layer model references |
|
||
| `docs/architecture/transport.md` | Still valid but needs ALPN endpoint section |
|
||
| `docs/architecture/auth.md` | Auth per-handler table from pivot replaces credential presentation per interface |
|
||
| `docs/architecture/client.md` | Client connects to endpoint, opens stream on ALPN — simpler |
|
||
| `docs/architecture/server.md` | Server becomes ALPN router — fundamentally different |
|
||
| `docs/architecture/identity.md` | Mostly valid, needs `IdentityProvider` simplification |
|
||
| `docs/architecture/configuration.md` | ListenerConfig → ALPN advertisement config |
|
||
| `docs/architecture/secret-service.md` | Unchanged — `alknet-secret` is standalone |
|
||
| `docs/architecture/definitions.md` | Terminology needs update (interface, listener, handler → ALPN, handler) |
|
||
|
||
---
|
||
|
||
## Phase 4: Greenfield Workspace
|
||
|
||
**Decision: Greenfield rather than in-place migration.** The old codebase is preserved at `/workspace/@alkdev/alknet-main/` as a reference implementation. The new workspace starts clean with only `alknet-secret` carried over (it's standalone with no alknet-core dependency).
|
||
|
||
### What was deleted
|
||
|
||
| What | Reason |
|
||
|------|--------|
|
||
| `crates/alknet-core/` | Replaced by new `alknet-core` v2 with ALPN router |
|
||
| `crates/alknet/` | CLI will be rebuilt for new model |
|
||
| `crates/alknet-napi/` | NAPI will be rebuilt as call protocol client |
|
||
| `docs/architecture/` | Old model specs — will be replaced by SDD process |
|
||
| `docs/research/core.md` | Three-layer model — superseded |
|
||
| `docs/research/services.md` | irpc service layer — superseded |
|
||
| `docs/research/storage.md` | Metagraph — deferred |
|
||
| `docs/research/flow.md` | FlowGraph — deferred |
|
||
| `docs/research/configuration.md` | Promoted to architecture already |
|
||
| `docs/research/integration-plan.md` | Old model integration — superseded |
|
||
| `docs/research/phase2/` | StreamInterface/MessageInterface, CredentialProvider — superseded |
|
||
| `docs/research/event-sourcing/` | Not currently needed |
|
||
| `docs/research/references/gitserver/` | MPL-2.0 licensed — licensing risk |
|
||
| `docs/research/references/gitlfs/` | MIT/Apache — kept as fork candidate, moved to references |
|
||
| `docs/research/references/honker/` | Biased toward old irpc model |
|
||
| `docs/research/references/nats.rs/` | Not directly used |
|
||
| `docs/research/references/distributed-identity/` | Deferred |
|
||
| `docs/research/references/openstack-keystone/` | Not directly used |
|
||
| `docs/research/references/polyglot/` | Not directly used |
|
||
| `docs/research/references/rustfs/` | Not directly used (may return for alknet-fs) |
|
||
| `docs/references/` | Stray duplicate directory |
|
||
| `tasks/` | Old task graph — will be regenerated by SDD process |
|
||
|
||
### What was kept
|
||
|
||
| What | Reason |
|
||
|------|--------|
|
||
| `crates/alknet-secret/` | Standalone crate, no alknet-core dependency, fully working |
|
||
| `docs/research/pivot/` | The pivot proposal and this cleanup plan |
|
||
| `docs/research/references/iroh/` | ALPN dispatch, QUIC endpoints — directly relevant |
|
||
| `docs/research/references/ssh/` | russh, russh-sftp — directly relevant for alknet-ssh |
|
||
| `docs/research/ops/` | fail2ban, certbot — production reference |
|
||
| `docs/sdd_process.md` | The development process we follow |
|
||
| `Cargo.toml` (workspace) | Updated to only include alknet-secret |
|
||
| `Cargo.lock` | Preserved for alknet-secret dependencies |
|
||
| `LICENSE-MIT`, `LICENSE-APACHE` | License files |
|
||
| `README.md` | Updated for greenfield state |
|
||
|
||
### Reference implementation
|
||
|
||
The previous codebase is preserved at `/workspace/@alkdev/alknet-main/`. When spec'ing and implementing new crates, the architect and implementation specialists can reference the old code to understand what worked and what didn't. Key modules to port:
|
||
|
||
| Old module | Lines | Port destination |
|
||
|------------|-------|-----------------|
|
||
| `src/interface/ssh.rs` | 982 | → `alknet-ssh` |
|
||
| `src/server/handler.rs` | 974 | → `alknet-ssh` |
|
||
| `src/server/channel_proxy.rs` | 555 | → `alknet-ssh` |
|
||
| `src/server/serve.rs` | 1526 | → reference for ALPN router rewrite |
|
||
| `src/call/*` | ~1200 | → `alknet-call` |
|
||
| `src/auth/*` | ~1450 | → `alknet-core` |
|
||
| `src/config/*` | ~950 | → `alknet-core` |
|
||
| `src/transport/*` | ~1500 | → `alknet-core` |
|
||
| `src/client/*` | ~1900 | → `alknet-ssh` |
|
||
| `src/socks5/*` | ~800 | → `alknet-ssh` |
|
||
|
||
**The old code is reference, not constraint.** Agents should understand what it did and why, then implement against the new ProtocolHandler trait and ALPN router — not copy-paste the old architecture.
|
||
|
||
---
|
||
|
||
## Phase 5: Architecture Specs (Follow SDD Process)
|
||
|
||
After cleanup, the architect role will produce proper architecture specs following the SDD process defined in `docs/sdd_process.md`. This means:
|
||
|
||
- **Modular docs** in `docs/architecture/` — one focused doc per component/area
|
||
- **ADRs** in `docs/architecture/decisions/` — new ADRs for pivot decisions (ALPN dispatch, ProtocolHandler trait, crate decomposition, etc.)
|
||
- **Open questions** centralized in `docs/architecture/open-questions.md`
|
||
- **README index** in `docs/architecture/README.md` with doc table, ADR table, lifecycle definitions
|
||
- **YAML frontmatter** with `status`, `last_updated` on every doc
|
||
|
||
The pivot proposal (`docs/research/pivot/alpn-service-architecture.md`) serves as Phase 0 research output. The architect will use it as input to produce Phase 1 architecture docs. No ad-hoc spec stubs — proper SDD specs from the start.
|
||
|
||
Key new ADRs the architect will need to produce:
|
||
|
||
| ADR | Title |
|
||
|-----|-------|
|
||
| 039 | ALPN-based protocol dispatch (replaces ADR-026, ADR-035) |
|
||
| 040 | ProtocolHandler trait (replaces StreamInterface/MessageInterface) |
|
||
| 041 | New crate decomposition (replaces ADR-027) |
|
||
| 042 | Auth as shared core (replaces ADR-028) |
|
||
| 043 | Event model per-handler (replaces ADR-032, ADR-018) |
|
||
| 044 | ALPN negotiation replaces stealth mode (replaces ADR-017) |
|
||
|
||
Key architecture docs the architect will need to produce or rewrite:
|
||
|
||
| Document | Scope |
|
||
|----------|-------|
|
||
| `overview.md` | Rewrite — crate structure, ALPN dispatch model, exports |
|
||
| `server.md` | Rewrite — ALPN router, handler registry, endpoint lifecycle |
|
||
| `client.md` | Rewrite — connect to endpoint, open stream on ALPN |
|
||
| `auth.md` | Update — IdentityProvider, per-handler credential table |
|
||
| `call-protocol.md` | Rewrite — alknet-call as one ALPN, EventEnvelope framing |
|
||
| `configuration.md` | Update — ALPN advertisement, handler config |
|
||
| `identity.md` | Update — IdentityProvider simplification |
|
||
| `definitions.md` | Update — new terminology |
|
||
|
||
---
|
||
|
||
## Execution Order
|
||
|
||
1. ~~Create `docs/_archived/` directory~~ → **Greenfield instead.** Old code preserved at `/workspace/@alkdev/alknet-main/`.
|
||
2. ~~Mark superseded ADRs~~ → **Deleted.** Old architecture docs removed entirely. New ADRs will be created by the architect per SDD process.
|
||
3. ~~Move obsolete research docs~~ → **Deleted.** Only kept directly relevant references (iroh, ssh, ops, pivot).
|
||
4. ~~Annotate stale-but-keeping architecture docs~~ → **Deleted.** No stale docs remain. Architect will produce fresh specs.
|
||
5. **Delete old source crates** (alknet-core, alknet, alknet-napi) — done
|
||
6. **Update workspace Cargo.toml** to only include alknet-secret — done
|
||
7. **Update README.md** for greenfield state — done
|
||
8. **Verify compilation** — `cargo check` and `cargo test -p alknet-secret` both pass — done
|
||
9. **Architect produces proper SDD architecture specs** per Phase 1 of the SDD process
|
||
|
||
After this cleanup, the repo:
|
||
- Compiles cleanly (alknet-secret passes all 14 tests)
|
||
- Has no old architecture docs, ADRs, or task graph
|
||
- Has only directly relevant reference material (iroh, ssh, ops)
|
||
- Has the pivot proposal and cleanup plan as the starting point
|
||
- Has a clean workspace ready for the architect to produce Phase 1 specs
|
||
- Has the reference implementation at `/workspace/@alkdev/alknet-main/` |