glm-5.1
13b0991fb8
Resolved all 11 open questions based on project guidance: Transport: - OQ-01/OQ-07: ACME/Let's Encrypt with domain + IP paths (ADR-008) - OQ-02: Default to n0 relay, --iroh-relay override (ADR-009) - OQ-05: Transport chaining supported natively (ADR-010) Client: - OQ-06: Programmatic-first API, no ~/.ssh/config (ADR-011) Server: - OQ-04: Ed25519 + OpenSSH cert-authority, no password auth (ADR-012) - OQ-08: fail2ban-friendly logging + built-in rate limiting (ADR-013) TUN: - OQ-03/OQ-09: Deferred entirely, recommend tun2proxy (ADR-014) - tun-shim.md marked deprecated NAPI: - OQ-10: Expose both connect() and serve() (ADR-016) - OQ-11: Use napi-rs for FFI bridge (ADR-015) Additional ADRs created during review: - ADR-006: No logging of tunnel destinations (was phantom reference) - ADR-017: Stealth mode protocol multiplexing - ADR-018: Control channel for pubsub over SSH Fixed: ADR-002 status → Superseded, ADR-007 title typo, WRAUTH_SERVER typo, ADR-005 stale wraith-tun refs, undefined ACL feature removed from server.md, --proxy semantic difference documented.
status, last_updated
| status | last_updated |
|---|---|
| draft | 2026-06-01 |
Wraith Architecture
Current State
Pre-implementation. Feasibility assessment complete. Architecture specification drafted — all open questions resolved, pending review.
Architecture Documents
| Document | Status | Description |
|---|---|---|
| overview.md | draft | Package purpose, exports, dependencies |
| transport.md | draft | Transport abstraction: TCP, TLS, iroh |
| client.md | draft | Client connection, SOCKS5, port forwarding |
| server.md | draft | Server acceptance, channel handling, proxy |
| tun-shim.md | deprecated | TUN interface wrapper — deferred, use tun2proxy |
| napi-and-pubsub.md | draft | NAPI wrapper and pubsub event target adapter |
ADR Table
| ADR | Title | Status |
|---|---|---|
| 001 | Pluggable transport via AsyncRead+AsyncWrite trait |
Accepted |
| 002 | TUN shim as separate process | Superseded by ADR-014 |
| 003 | iroh stream via tokio::io::join |
Accepted |
| 004 | SSH runs over transport, not alongside | Accepted |
| 005 | SOCKS5 as primary interface, TUN as add-on | Accepted |
| 006 | No logging of tunnel destinations | Accepted |
| 007 | NAPI exposes single duplex stream | Accepted |
| 008 | ACME/Let's Encrypt certificate provisioning | Accepted |
| 009 | Default iroh relay with override | Accepted |
| 010 | Transport chaining in CLI | Accepted |
| 011 | Programmatic-first API, no file-based config | Accepted |
| 012 | Ed25519 keys + OpenSSH cert-authority, no password auth | Accepted |
| 013 | Fail2ban-friendly logging + built-in rate limiting | Accepted |
| 014 | Defer TUN, recommend local SOCKS5 + tun2proxy | Accepted |
| 015 | napi-rs for FFI bridge | Accepted |
| 016 | NAPI exposes both connect() and serve() | Accepted |
| 017 | Stealth mode — protocol multiplexing on port 443 | Accepted |
| 018 | Control channel for pubsub over SSH | Accepted |
Open Questions
All open questions have been resolved. See open-questions.md for details on each resolution.
Lifecycle Definitions
| Status | Meaning | Transitions |
|---|---|---|
draft |
Under active development. May change significantly. | → reviewed when open questions resolved |
reviewed |
Architecture final. Implementation may begin. Changes require review. | → stable when implementation verified |
stable |
Locked. Changes require review and may warrant an ADR. | → deprecated when superseded |
deprecated |
Superseded. Kept for reference. | Removed when no longer referenced |