Files

glm-5.1 6aa2fcc6ff Architect storage around SQLite+Honker: remove PG, add multi-tenant identity, scoping

Reorient @alkdev/storage around a single SQLite database host with Honker
for pub/sub, event streams, and task queues. PostgreSQL is removed as a
target (ADR-038), eliminating dual schema maintenance and infrastructure
complexity. Honker provides DB + pubsub + queues in one .db file (ADR-039).

Add system/tenant DB model (ADR-040): identity tables in system.db, all
graph data in tenant-{orgId}.db files. Identity tables move from the hub
into storage (ADR-041). Scoping columns (ownerId, projectId) added to
graphs table (ADR-042). Graph types get scope (system/tenant/user) to
protect infrastructure schemas (ADR-043).

Define Drizzle-Honker session adapter (ADR-044): ~100-line adapter enabling
Drizzle typed queries and Honker pubsub/queue on a single connection with
transactional consistency.

Resolve OQ-03, OQ-04, OQ-19, OQ-21, OQ-22, OQ-23, OQ-24. Add new
open questions OQ-26 through OQ-29 for Honker integration specifics.

New docs: honker-integration.md (adapter, event patterns, migration).
Scrub all PG/jsonb/libsql references from existing spec docs.

2026-05-31 15:41:41 +00:00

9.9 KiB

Raw Blame History

status, last_updated

status	last_updated
draft	2026-05-31

Open Questions Tracker

Cross-cutting compilation of all unresolved questions across the storage architecture documents, organized by theme.

Summary

Status	Count
Open	9
Resolved (this revision)	15
Previously resolved	11

Open questions requiring decisions:

OQ-07 (encryptRaw performance) — low priority, add if needed
OQ-10 (Edit[] classification) — needs POC
OQ-11 (auto-migrate vs explicit) — conditional on OQ-10
OQ-12 (schema evolution vs event-sourced replay) — post-v1 concern
OQ-13 (schema evolution events in event stream) — post-v1
OQ-26 (Honker replaces @alkdev/pubsub Redis transport) — integration design
OQ-27 (tenant DB schema migration strategy) — multi-tenant operations
OQ-28 (cross-tenant delegation with separate DBs) — cross-DB coordination
OQ-29 (standalone drizzle-honker npm package) — community value

Theme 1: Package Boundaries and Dependencies

OQ-01: Should @alkdev/flowgraph export a Type.Module?

Origin: metagraph-module.md
Status: resolved
Priority: high
Resolution: Storage can start with standalone schemas. Adopt Import() when flowgraph provides a Module. No circular dependency.
Cross-references: ADR-003, ADR-010

OQ-02: Should concrete graph type Modules live in storage or their packages?

Origin: metagraph-module.md
Status: resolved
Priority: medium
Resolution: Both. Storage provides reference Modules; packages may also export their own.
Cross-references: ADR-003

Theme 2: Data Model

OQ-03: Should actors be a node type or a standalone table?

Origin: overview.md
Status: resolved
Priority: medium
Resolution: Actors become PrincipalNode in ACL graph. actors table removed. ACTOR_TYPE replaced by IdentityType in AclGraph Module. See ADR-035.
Cross-references: ADR-035, ADR-034

OQ-04: Should the repository layer be host-specific or host-agnostic?

Origin: overview.md
Status: resolved
Priority: medium
Resolution: Single host (SQLite). Question is moot — no dual-host repository needed. ADR-038.

OQ-05: *EdgeConstraints entries use Type.Ref or Type.String?

Origin: metagraph-module.md
Status: resolved
Priority: low
Resolution: Type.String() — constraint arrays contain names, not schemas. ADR-015.

OQ-06: Graph pointer abstraction vs repository layer?

Origin: metagraph-module.md
Status: resolved
Priority: low
Resolution: Direct key-based addressing for v1. Typed pointers post-v1. ADR-017.

Theme 3: Encryption and Security

OQ-07: Add encryptRaw() for performance?

Origin: encrypted-data.md
Status: open
Priority: low
Notes: PBKDF2 adds ~100ms. Add if batch operations demand it.

OQ-08: Should key attribute on secret nodes be encrypted?

Status: resolved
Priority: low
Resolution: Plaintext for now. Add keyHash if names are sensitive.

OQ-09: Should secret nodes have lastUsedAt and expiresAt as columns?

Status: resolved
Priority: low
Resolution: JSON attributes for spoke, standalone table for hub.

Theme 4: Schema Evolution

OQ-10: Can Value.Diff Edit[] be reliably classified as breaking vs non-breaking?

Origin: schema-evolution.md
Status: open
Priority: high
Notes: Theoretical classification needs POC validation.

OQ-11: Auto-migrate data on schema change, or explicit consumer action?

Origin: schema-evolution.md
Status: open
Priority: high
Notes: Conditional on OQ-10 POC outcome.

OQ-12: Schema evolution vs event-sourced replay?

Origin: schema-evolution.md
Status: open
Priority: medium
Notes: Post-v1. Honker streams enable event-sourced replay more naturally than before.

OQ-13: Schema evolution events in event stream?

Origin: schema-evolution.md
Status: open
Priority: low
Notes: Post-v1. Honker streams provide a natural transport for schema change events.

Theme 5: Encrypted Data Scope

OQ-14: Per-attribute, per-node, or per-graph encryption?

Status: resolved
Priority: high
Resolution: Per-attribute. ADR-023.

OQ-15: Key management in this package?

Status: resolved
Priority: high
Resolution: No. Application provides key ring. ADR-026.

Theme 6: Repository Layer

OQ-16: Should repository layer live in storage or consumer?

Status: resolved
Priority: high
Resolution: CRUD in storage; operations bridging in consumer. ADR-033.

OQ-17: Attribute queries — JSON path, native columns, or dbtype-generated?

Status: resolved (v1)
Priority: high
Resolution: JSON path for v1. ADR-033. Long-term hybrid still open but less pressing without PG dual maintenance.

OQ-18: Auto-generated vs hand-written CRUD?

Status: resolved (v1)
Priority: medium
Resolution: Hand-write for v1. ADR-033.

OQ-19: Storage-operations bridge package location?

Status: resolved
Priority: medium
Resolution: Less pressing now that Honker replaces the Redis transport. Can live in the hub for v1. Revisit if an adapter package becomes valuable.

Theme 7: Access Control

OQ-20: Should DelegatesEdge support expiration?

Origin: acl.md
Status: open
Priority: low
Notes: Session-scoped delegation could be modeled by creating/removing edges per session rather than adding expiresAt.

OQ-21: Should ACL evaluator live in storage or hub?

Origin: acl.md
Status: resolved
Priority: high
Resolution: Storage provides traversal primitives; hub composes with operations enforceAccess. The single-host model (no PG/SQLite split) simplifies this — no cross-DB joins needed for ACL evaluation within a tenant DB. ADR-034.

OQ-22: How are ACL graph instances created and managed?

Origin: acl.md
Status: resolved
Priority: medium
Resolution: One ACL graph instance per tenant DB (ADR-040). The tenant DB is inherently org-scoped, so the ACL graph covers one org. No cross-org scoping issue within a single tenant DB.
Cross-references: ADR-040

OQ-23: BelongsToEdge derived or primary?

Origin: acl.md
Status: resolved
Priority: medium
Resolution: Derived. organization_members SQL table is authoritative for indexed lookups; BelongsToEdge in ACL graph enables traversal evaluation. ADR-045.
Cross-references: ADR-045

OQ-24: How does identityId reference hub entities without package dependency?

Origin: acl.md
Status: resolved
Priority: medium
Resolution: Logical string references, consistent with ADR-020. With identity tables now in @alkdev/storage (ADR-041), the PrincipalNode.identityId logically references accounts.id in the system DB. Same pattern, clearer provenance.
Cross-references: ADR-020, ADR-041

OQ-25: Scope string semantics for subset validation?

Origin: acl.md
Status: open
Priority: high
Notes: Keypal's colon-separated hierarchical scope model with * wildcard. ACL evaluator must use same semantics. Scope matching is an evaluator concern, not a storage concern.

Theme 8: Honker and SQLite

OQ-26: Can Honker fully replace @alkdev/pubsub's Redis transport for single-node deployments?

Origin: honker-integration.md
Status: open
Priority: high
Notes: Honker's notify()/listen() and stream()/subscribe() provide the pub/sub primitives. The question is whether @alkdev/pubsub's TypedEventTarget interface can be backed by Honker instead of Redis, and whether multi-node deployments still need Redis for internode communication.

OQ-27: How are schema migrations applied across all tenant DBs?

Origin: honker-integration.md
Status: open
Priority: high
Notes: Each tenant DB has its own migration history. When a schema change is deployed, all tenant DBs need migration. Options: (1) Migration queue — enqueue a migration job per tenant DB, workers claim and execute. (2) Lazy migration — migrate on first access. (3) Startup sweep — hub iterates all tenant DBs at startup and applies pending migrations.

OQ-28: How does cross-tenant delegation work with separate DBs?

Origin: overview.md
Status: open
Priority: medium
Notes: If a user in org A delegates to a user in org B, both tenant DBs are involved. The hub mediates. For v1, cross-tenant delegation can be deferred or handled via the system DB as a coordination point.

OQ-29: Should the Drizzle-Honker adapter be published as a standalone npm package?

Origin: honker-integration.md
Status: open
Priority: low
Notes: The adapter is ~100 lines and useful to anyone combining Drizzle with Honker. Publishing as drizzle-honker would benefit the community. Decision: start inside @alkdev/storage, extract later if there's demand.

ADR Impact

ADR	Resolves	Informs
ADR-003	OQ-01 (partial)
ADR-015	OQ-05
ADR-017	OQ-06
ADR-020	OQ-24
ADR-023	OQ-14
ADR-026	OQ-15
ADR-033	OQ-04, OQ-16, OQ-17, OQ-18
ADR-034	OQ-03, OQ-21	OQ-25
ADR-035	OQ-03
ADR-038	OQ-04 (moot)	OQ-17 (less pressure)
ADR-040	OQ-22	OQ-27, OQ-28
ADR-041	OQ-24
ADR-042		OQ-24
ADR-043
ADR-044	OQ-19 (less pressure)
ADR-045	OQ-23	OQ-20

9.9 KiB Raw Blame History