docs: finalize clawnet refactor doc

Peter Steinberger
2026-01-20 12:35:26 +00:00
parent dcb8d16591
commit ded578b1fa

@@ -288,26 +288,6 @@ Same `deviceId` across roles → single “Instance” row:
---
# Execution checklist (ship order)
- [x] **Devicebound auth (PoP):** nonce challenge + signature verify on connect; remove beareronly for nonlocal.
- [x] **Rolescoped creds:** issue perrole tokens, rotate, revoke, list; UI/CLI surfaced; audit log entries.
- [x] **Scope enforcement:** keep paired scopes in sync on rotation; reject/upgrade flows explicit; tests.
- [x] **Approvals routing:** gatewayhosted approvals; operator UI prompt/resolve; node stops prompting.
- [x] **TLS pinning for WS:** reuse bridge TLS runtime; discovery advertises fingerprint; client validation.
- [x] **Discovery + allowlist:** WS discovery TXT includes TLS fingerprint + role hints; node commands filtered by server allowlist.
- [x] **Presence unification:** dedupe deviceId across roles; include role/scope metadata; “single instance row”.
- [x] **Docs + examples:** protocol doc, CLI docs, onboarding + security notes; no personal hostnames.
- [x] **Test coverage:** connect auth paths, rotation/revoke, approvals, TLS fingerprint mismatch, presence.
Process per item:
- Do implementation.
- Fresheyes review (scan for regressions + missing tests).
- Fix issues.
- Commit with Conventional Commit.
- Move to next item.
---
# Security notes
- Role/allowlist enforced at gateway boundary.
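Review bot: going by the hunk header (26 lines down to 6), the "Execution checklist (ship order)" block and its "Process per item" list are dropped here, and with them the only statements in this region that device-bound auth removed bearer-only for non-local connections, that WS clients validate the TLS fingerprint advertised by discovery, and that tests cover TLS fingerprint mismatch and rotation/revoke. The "Security notes" section visible at the end of the hunk opens with only the role/allowlist point, so consider adding one-line statements of those guarantees there, or a pointer to the protocol doc the checklist mentions, so the finalized doc still records what is enforced rather than only that the work shipped.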