alkdev/hub
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Setup repo: migrate architecture specs, code stubs, and tasks from alkhub_ts

Browse Source 
Copy architecture docs, ADRs, storage domain specs, research, reviews,
and 56 storage architecture tasks from the alkhub_ts monorepo. Adapt for
standalone @alkdev/hub repo structure (src/ not packages/hub/).

Sanitize all sensitive information:
- Replace private IPs (10.0.0.1) with localhost defaults
- Remove internal server hostnames (dev1, ns528096)
- Replace /workspace/ private paths with npm package references
- Remove hardcoded credentials from examples
- Rewrite infrastructure.md without private network details

Add Deno project scaffolding: deno.json (pinned deps), .gitignore,
AGENTS.md, entry point. Migrate existing code stubs (crypto, config
types, logger) with updated import paths.
This commit is contained in:
glm-5.1
2026-05-25 10:56:32 +00:00
parent 3e3f12d2d5
commit 2b63cda1c7
120 changed files with 11714 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
tasks/architecture/storage/document-sha256-tradeoff.md Normal file
View File

@@ -0,0 +1,37 @@
---
id: document-sha256-tradeoff
name: Document SHA-256 API Key Hashing Trade-Off
status: completed
depends_on: []
scope: narrow
risk: low
impact: isolated
level: implementation
---
## Description
W13: API keys are stored as SHA-256 hashes — a fast hash, not a deliberately slow KDF (bcrypt/Argon2). If the database is compromised, SHA-256 hashes can be brute-forced faster than slow hashes. However, API keys are high-entropy machine-generated strings (128-bit+), making brute-force infeasible even with a fast hash. No ADR documents this trade-off.
Add documentation to ADR-010 or relevant section explaining why SHA-256 is acceptable for high-entropy API keys.
## Acceptance Criteria
- [ ] ADR-010 (or a new ADR) documents the SHA-256 vs KDF trade-off
- [ ] Rationale includes: high-entropy keys make brute-force infeasible, O(1) verification latency at high throughput
- [ ] Explicitly states this is acceptable because keys are machine-generated, unlike human passwords
- [ ] Cross-reference from `identity.md` api_keys section to the ADR
## References
- docs/reviews/storage-architecture-review-2026-04-21.md#W13
- docs/architecture/storage/identity.md:74
- docs/decisions/ADR-010
## Notes
> To be filled by implementation agent
## Summary
> To be filled on completion