Milestone 1.1.6: Argon2id Parameters and Crypto Policy ADR — complete.

Milestone 1.1.6: Argon2id Parameters and Crypto Policy ADR

Status: Complete
Goal: 1.1 Persistence and auth data plane
Phase: 1 — Core Platform

Summary

Centralize Argon2id parameters and approved cryptographic primitives in ADR-0010 and packages/crypto; migrate auth and testutil hash paths; production default parallelism p=4.

Branch

chore/m1-1-6-crypto-policy

PR title

chore(security): Argon2id parameters and crypto policy ADR (m1.1.6)

Prerequisites

  • 1.1.3 merged (Argon2id PHC in use)

Tasks

  • ADR-0010 — parameters, PHC format, approved/forbidden primitives, upgrade procedure
  • Amend ADR-0007 §5 to reference ADR-0010
  • packages/crypto — HashSecret/VerifySecret, token/password aliases, random, ConstantTimeEqual
  • Unit tests — PHC prefix, round-trip, malformed hash, random entropy; advisory timing smoke (skip -short)
  • Migrate services/auth/internal/token and infra/testing/testutil/hash.go
  • Contributor documentation updated

Files affected

| Path | Action |
| --- | --- |
| packages/crypto/ | Add |
| docs/adr/ADR-0010-cryptography-policy.md | Add |
| docs/adr/ADR-0007-auth-token-validation.md | Amend §5 |
| services/auth/internal/token/hash.go, argon2_params.go, rand.go | Delegate to packages/crypto |
| services/auth/internal/config/config.go | crypto.ProductionParams() |
| infra/testing/testutil/hash.go | Use packages/crypto |
| contributor workspace | Add |

Testing requirements

```bash
go test ./packages/crypto/...
go test ./services/auth/...
go test -tags=integration ./services/auth/...
make repo-guards
```

Definition of done

  • ADR-0010 accepted; PHC embeds m=65536,t=3,p=4 for new production hashes
  • No direct argon2.IDKey outside packages/crypto
  • Existing DB hashes verify (params from PHC)
  • Docs and env defaults aligned on p=4
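
The sketch below is an added example, not the project's packages/crypto code. It shows why PHC-embedded parameters let existing hashes keep verifying while only new rows use p=4: the stored string is parsed strictly, and its own parameters are compared against the production policy. The names `parsePHC` and `needsRehash` are hypothetical, and the sample string is constructed (the page gives only p=2 for the legacy default, so its m and t values are assumptions).

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Params holds the Argon2id cost parameters carried inside a PHC string.
type Params struct {
	Memory, Time uint32 // m (KiB) and t (passes)
	Parallelism  uint8  // p (lanes)
}

var (
	// Values this page lists for new production hashes.
	productionParams = Params{Memory: 65536, Time: 3, Parallelism: 4}
	errMalformed     = errors.New("malformed argon2id PHC string")
)

// Constructed sample: legacy p=2 row; salt and digest are placeholders.
const legacyPHC = "$argon2id$v=19$m=65536,t=3,p=2$c2FsdHNhbHRzYWx0c2FsdA$Y29uc3RydWN0ZWQ"

// parsePHC (hypothetical name) strictly parses
// $argon2id$v=19$m=<m>,t=<t>,p=<p>$<salt>$<hash> with unpadded base64 fields.
func parsePHC(phc string) (Params, []byte, []byte, error) {
	var p Params
	f := strings.Split(phc, "$")
	if len(f) != 6 || f[0] != "" || f[1] != "argon2id" || f[2] != "v=19" {
		return p, nil, nil, errMalformed
	}
	_, err := fmt.Sscanf(f[3], "m=%d,t=%d,p=%d", &p.Memory, &p.Time, &p.Parallelism)
	// Re-rendering must reproduce the field: rejects trailing junk and odd forms.
	strict := fmt.Sprintf("m=%d,t=%d,p=%d", p.Memory, p.Time, p.Parallelism) == f[3]
	salt, errS := base64.RawStdEncoding.DecodeString(f[4])
	sum, errH := base64.RawStdEncoding.DecodeString(f[5])
	if err != nil || errS != nil || errH != nil || !strict || len(salt) == 0 || len(sum) == 0 ||
		p.Time == 0 || p.Parallelism == 0 || p.Memory < 8*uint32(p.Parallelism) {
		return Params{}, nil, nil, errMalformed
	}
	return p, salt, sum, nil
}

// needsRehash reports whether a stored hash uses parameters other than the
// production policy; verification would still use the embedded ones.
func needsRehash(phc string) (bool, error) {
	p, _, _, err := parsePHC(phc)
	return err == nil && p != productionParams, err
}

func main() { fmt.Println(needsRehash(legacyPHC)) }
```
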

Risks

| Risk | Mitigation |
| --- | --- |
| Timing test flaky | Advisory; skip in -short |
| Slower new hashes vs p=2 legacy default | PHC-embedded params; only new rows use p=4 |