Decompose architecture into 35 atomic tasks across 10 generations for implementation

tasks/review/complete-system.md

@@ -0,0 +1,45 @@
+---
+id: review/complete-system
+name: Review complete system — CLI, NAPI, end-to-end integration
+status: pending
+depends_on:
+  - meta/cli-layer
+  - meta/napi-layer
+  - review/server-and-client
+scope: system
+risk: low
+impact: project
+level: review
+---
+
+## Description
+
+Final review of the complete wraith system. Verify CLI binary works end-to-end, NAPI wrapper provides correct JavaScript API, and both layers properly wrap the core library.
+
+## Acceptance Criteria
+
+- [ ] `wraith serve` + `wraith connect` end-to-end: SSH tunnel established, SOCKS5 proxy routes traffic
+- [ ] All CLI flags work: transport modes (tcp, tls, iroh), auth options, proxy, stealth, rate limits
+- [ ] Environment variables (`WRAITH_SERVER`, `WRAITH_IDENTITY`) work as defaults
+- [ ] `--stealth` validates `--transport tls` requirement
+- [ ] NAPI `connect()` returns Duplex stream; data flows bidirectionally
+- [ ] NAPI `serve()` accepts connections; `onConnection` emits Duplex streams
+- [ ] NAPI key material from Buffer works (not just file paths)
+- [ ] Feature flags: `tls`, `iroh`, `acme` correctly gate optional functionality
+- [ ] Base build (`cargo build -p wraith-core` with no features) compiles and works
+- [ ] All tests pass: `cargo test --workspace`
+- [ ] NAPI tests pass: `cd crates/wraith-napi && npm test`
+- [ ] `cargo clippy --workspace` passes
+- [ ] No logging of tunnel destinations anywhere in the system
+
+## References
+
+- docs/architecture/overview.md, docs/architecture/napi-and-pubsub.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion

tasks/review/core-foundation.md

@@ -0,0 +1,45 @@
+---
+id: review/core-foundation
+name: Review core foundation — transport traits, auth, error types, key loading
+status: pending
+depends_on:
+  - meta/transport-layer
+  - meta/auth-layer
+  - setup/test-infrastructure
+scope: broad
+risk: low
+impact: phase
+level: review
+---
+
+## Description
+
+Review the core foundation layer before proceeding to server/client implementation. Verify that transport abstractions match architecture, auth logic is correct, errors follow the layered pattern, and key loading handles all spec'd formats.
+
+This is the critical review before building the higher-level server and client components on top of these foundations.
+
+## Acceptance Criteria
+
+- [ ] Transport trait matches transport.md: correct bounds, object-safety, describe() method
+- [ ] TransportAcceptor matches transport.md: returns TransportInfo with correct metadata
+- [ ] TCP, TLS, iroh transports all produce correct stream types per implementations table
+- [ ] ACME integration with TLS works (or feature gates correctly prevent compilation without it)
+- [ ] Key loading handles file paths and in-memory data, rejects PEM format
+- [ ] authorized_keys parsing handles cert-authority entries with options
+- [ ] Server auth: Ed25519 key matching (constant-time), cert-authority validation (signature, expiry, principal)
+- [ ] Client auth: key pair presentation, Handler implementation
+- [ ] Error types cover all four layers (transport, auth, channel, config)
+- [ ] All tests pass: `cargo test --workspace`
+- [ ] `cargo clippy --workspace` passes with no warnings
+
+## References
+
+- docs/architecture/transport.md, docs/architecture/client.md, docs/architecture/server.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion

tasks/review/server-and-client.md

@@ -0,0 +1,46 @@
+---
+id: review/server-and-client
+name: Review server and client implementation — full SSH tunnel functionality
+status: pending
+depends_on:
+  - meta/server-layer
+  - meta/client-layer
+  - review/core-foundation
+scope: broad
+risk: low
+impact: phase
+level: review
+---
+
+## Description
+
+Review the server and client implementations after the core foundation review. This is a critical checkpoint before the CLI and NAPI layers — the server and client must work correctly as a unit before wrapping them in CLI flags or NAPI bindings.
+
+Verify end-to-end SSH tunnel flow: client connects → SOCKS5 proxy works → port forwards work → reconnection works → server handles channels → proxy modes work → stealth mode works.
+
+## Acceptance Criteria
+
+- [ ] Server accepts SSH connections over TCP, TLS, iroh (via integration tests)
+- [ ] Client establishes SSH sessions and runs SOCKS5 proxy
+- [ ] Channel proxy: direct TCP, SOCKS5 proxy, HTTP CONNECT proxy all work
+- [ ] Stealth mode: non-SSH gets nginx 404, SSH connects normally
+- [ ] Rate limiting: connection limits enforced, auth attempt limits enforced
+- [ ] Logging: structured `tracing::info!` events match ADR-013 format
+- [ ] No logging of tunnel destinations (ADR-006)
+- [ ] Reconnection: transport failure → exponential backoff → reconnect → port forwards re-registered
+- [ ] Reserved `wraith-` destinations routed to control channel, not TCP proxy
+- [ ] Graceful shutdown works for both server and client
+- [ ] All tests pass: `cargo test --workspace`
+- [ ] `cargo clippy --workspace` passes
+
+## References
+
+- docs/architecture/server.md, docs/architecture/client.md
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion