glm-5.1
2b63cda1c7
Copy architecture docs, ADRs, storage domain specs, research, reviews, and 56 storage architecture tasks from the alkhub_ts monorepo. Adapt for standalone @alkdev/hub repo structure (src/ not packages/hub/). Sanitize all sensitive information: - Replace private IPs (10.0.0.1) with localhost defaults - Remove internal server hostnames (dev1, ns528096) - Replace /workspace/ private paths with npm package references - Remove hardcoded credentials from examples - Rewrite infrastructure.md without private network details Add Deno project scaffolding: deno.json (pinned deps), .gitignore, AGENTS.md, entry point. Migrate existing code stubs (crypto, config types, logger) with updated import paths.
1.0 KiB
1.0 KiB
id, name, status, depends_on, scope, risk, impact, level
| id | name | status | depends_on | scope | risk | impact | level |
|---|---|---|---|---|---|---|---|
| document-api-key-expiration-behavior | Document API Key Expiration Behavior | completed | single | trivial | isolated | implementation |
Description
S05: Does an expired API key return "key expired" or a generic "authentication failed"? Without documentation, implementers may leak key state to attackers by returning specific error messages. Recommend documenting that expired keys return a generic authentication failure to avoid information disclosure.
Acceptance Criteria
identity.mdorservices.mddocuments API key expiration error behavior- Recommendation stated: expired keys return generic auth failure, not "key expired"
- Consistent with ADR-008 (key rotation) and keypal integration notes
References
- docs/reviews/storage-architecture-review-2026-04-21.md#S05
- docs/architecture/storage/identity.md (api_keys table)
- docs/decisions/ADR-008
Notes
To be filled by implementation agent
Summary
To be filled on completion