Decompose architecture into 35 atomic tasks across 10 generations for implementation

2026-06-02 09:02:55 +00:00
parent b5c59ef3bc
commit 14dbd81195
35 changed files with 1636 additions and 0 deletions
--- a/tasks/meta/auth-layer.md
+++ b/tasks/meta/auth-layer.md
@@ -0,0 +1,38 @@
+---
+id: meta/auth-layer
+name: Complete auth layer — error types, key loading, server auth, client auth
+status: pending
+depends_on:
+  - auth/error-types
+  - auth/key-loading
+  - auth/server-auth-handler
+  - auth/client-auth-handler
+scope: system
+risk: medium
+impact: phase
+level: planning
+---
+
+## Description
+
+Meta task that clusters all auth module tasks. Once complete, the auth layer provides key loading from file or memory, server-side Ed25519 key + cert-authority validation, and client-side key-based authentication.
+
+## Acceptance Criteria
+
+- [ ] All auth tasks completed
+- [ ] Key loading supports file paths and in-memory data in OpenSSH format
+- [ ] Server accepts Ed25519 keys and cert-authority signed certificates
+- [ ] Client presents Ed25519 key pairs
+- [ ] Error types cover transport, auth, channel, and config failures
+
+## References
+
+- docs/architecture/client.md, docs/architecture/server.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion
--- a/tasks/meta/cli-layer.md
+++ b/tasks/meta/cli-layer.md
@@ -0,0 +1,34 @@
+---
+id: meta/cli-layer
+name: Complete CLI layer — wraith serve and wraith connect commands
+status: pending
+depends_on:
+  - cli/serve-command
+  - cli/connect-command
+scope: moderate
+risk: low
+impact: phase
+level: planning
+---
+
+## Description
+
+Meta task that clusters CLI tasks. Once complete, the `wraith` binary has both `serve` and `connect` subcommands with all flags matching the architecture specs.
+
+## Acceptance Criteria
+
+- [ ] Both CLI tasks completed
+- [ ] `wraith serve --help` and `wraith connect --help` match architecture spec flag lists
+- [ ] End-to-end: `wraith serve` + `wraith connect` establishes working SSH tunnel
+
+## References
+
+- docs/architecture/client.md, docs/architecture/server.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion
--- a/tasks/meta/client-layer.md
+++ b/tasks/meta/client-layer.md
@@ -0,0 +1,40 @@
+---
+id: meta/client-layer
+name: Complete client layer — SOCKS5, port forwarding, channel manager, ConnectOptions
+status: pending
+depends_on:
+  - client/socks5-server
+  - client/port-forwarding
+  - client/channel-manager
+  - client/connect-options
+scope: system
+risk: high
+impact: phase
+level: planning
+---
+
+## Description
+
+Meta task that clusters all client module tasks. Once complete, the client establishes SSH sessions via any transport, runs a local SOCKS5 proxy, manages port forwards, handles reconnection with exponential backoff, and shuts down gracefully.
+
+## Acceptance Criteria
+
+- [ ] All client tasks completed
+- [ ] SOCKS5 proxy works with DNS leak prevention (SOCKS5h)
+- [ ] Local and remote port forwarding work
+- [ ] Channel manager handles reconnection with exponential backoff (1s → 30s cap)
+- [ ] Port forwards re-registered after reconnection
+- [ ] ConnectOptions programmatic struct and CLI flags available
+- [ ] Graceful shutdown on SIGTERM/SIGINT
+
+## References
+
+- docs/architecture/client.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion
--- a/tasks/meta/napi-layer.md
+++ b/tasks/meta/napi-layer.md
@@ -0,0 +1,37 @@
+---
+id: meta/napi-layer
+name: Complete NAPI layer — project setup, connect(), serve()
+status: pending
+depends_on:
+  - napi/project-setup
+  - napi/connect-function
+  - napi/serve-function
+scope: moderate
+risk: high
+impact: phase
+level: planning
+---
+
+## Description
+
+Meta task that clusters NAPI tasks. Once complete, the `@alkdev/wraith` Node.js native addon provides `connect()` and `serve()` returning duplex streams for TypeScript consumers.
+
+## Acceptance Criteria
+
+- [ ] All NAPI tasks completed
+- [ ] `connect()` returns Duplex stream, no SOCKS5, no port forwarding
+- [ ] `serve()` returns WraithServer with close() and onConnection events
+- [ ] Key material from Buffer (in-memory) and file paths both work
+- [ ] JS-to-Rust and Rust-to-JS error marshalling works correctly
+
+## References
+
+- docs/architecture/napi-and-pubsub.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion
--- a/tasks/meta/server-layer.md
+++ b/tasks/meta/server-layer.md
@@ -0,0 +1,43 @@
+---
+id: meta/server-layer
+name: Complete server layer — handler, channel proxy, stealth, rate limiting, control channel, serve loop
+status: pending
+depends_on:
+  - server/handler
+  - server/channel-proxy
+  - server/stealth-mode
+  - server/rate-limiting-and-logging
+  - server/control-channel
+  - server/serve-loop
+scope: system
+risk: high
+impact: phase
+level: planning
+---
+
+## Description
+
+Meta task that clusters all server module tasks. Once complete, the server accepts SSH connections via any transport, authenticates clients, proxies channel traffic to TCP targets (directly or via proxy), handles stealth mode, rate limits connections, routes reserved `wraith-` destinations, and shuts down gracefully.
+
+## Acceptance Criteria
+
+- [ ] All server tasks completed
+- [ ] Server handles SSH connections over TCP, TLS, and iroh transports
+- [ ] Authentication via Ed25519 keys and cert-authority
+- [ ] Channel proxying with direct, SOCKS5, and HTTP CONNECT outbound modes
+- [ ] Stealth mode detects SSH vs HTTP and returns fake nginx 404
+- [ ] Rate limiting and structured logging
+- [ ] Control channel routing for `wraith-*` destinations
+- [ ] Graceful shutdown
+
+## References
+
+- docs/architecture/server.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion
--- a/tasks/meta/transport-layer.md
+++ b/tasks/meta/transport-layer.md
@@ -0,0 +1,39 @@
+---
+id: meta/transport-layer
+name: Complete transport layer — trait, TCP, TLS, iroh, ACME
+status: pending
+depends_on:
+  - transport/trait-and-types
+  - transport/tcp-transport
+  - transport/tls-transport
+  - transport/iroh-transport
+  - transport/acme-cert-provisioning
+scope: system
+risk: high
+impact: phase
+level: planning
+---
+
+## Description
+
+Meta task that clusters all transport module tasks. Once complete, the transport layer provides a clean `Transport`/`TransportAcceptor` abstraction with TCP, TLS (feature-gated), iroh (feature-gated), and ACME (feature-gated) implementations. All transports produce the `AsyncRead + AsyncWrite + Unpin + Send` streams that SSH consumes.
+
+## Acceptance Criteria
+
+- [ ] All transport tasks completed
+- [ ] `Transport` trait produces duplex streams consumed by `russh::connect_stream()` / `russh::run_stream()`
+- [ ] TCP, TLS, iroh transports all work end-to-end
+- [ ] ACME cert provisioning integrates with TLS acceptor
+- [ ] Feature flags correctly gate optional transports
+
+## References
+
+- docs/architecture/transport.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion