Chain-Driven KAS: Refactor from local policy to blockchain validation #43

@arkavo-com

Summary

Refactor arkavo-rs from a standalone Policy Decision Point (PDP) to a Chain-Driven Policy Enforcement Point (PEP).

Background

In the new architecture, arkavo-rs will no longer evaluate Attribute-Based Access Control (ABAC) policies locally. Instead, it will act as a "Dumb Broker" (Key Access Server) that strictly obeys access grants ("Session Capabilities") issued by the arkavo-node blockchain.

Target Flow

  1. User provides a Session ID (issued by Chain) and a Cryptographic Signature
  2. KAS queries arkavo-node RPC to fetch the SessionGrant
  3. KAS validates Session is active, unexpired, and covers the requested Resource
  4. KAS validates the Signature against the Session's EphemeralPublicKey
  5. KAS releases key (rewrapped for the User)

Key Changes

  • Add subxt for blockchain connectivity to ws://chain.arkavo.net
  • New src/chain/ module with ChainClient, SessionCache (6s TTL), SessionValidator
  • Refactor all three rewrap endpoints (WebSocket, HTTP REST, Media API)
  • Add secure key handling with secrecy crate for KAS private key zeroization
  • Add ECDSA signature verification (ES256/384/512)
  • Remove legacy local policy evaluation (~180 lines deleted)

Security Requirements

  • 6-second cache TTL for pull-based revocation
  • Nonce replay prevention via Redis
  • RPC node health validation before trusting responses
  • TLS 1.3 enforcement for chain RPC

Related

  • arkavo-node blockchain at ws://chain.arkavo.net
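The KAS-side checks in steps 2 to 5 of the target flow, as an added example written against std only. This is not arkavo-rs or arkavo-node code: the type and field names (SessionGrant, Deny, SessionCache, NonceStore), the signed-message format, and the sample grant are all assumptions made for the illustration. Real ES256/384/512 verification needs a crypto crate, so the signature check is passed in as a function, and the `echo_verify` test double that stands in for it is not cryptography. The in-memory nonce set stands in for the Redis store the issue specifies.

```rust
use std::collections::{HashMap, HashSet};
use std::time::Duration;

/// Grant as the KAS receives it from chain RPC. Field names are assumptions, not arkavo-node's schema.
#[derive(Clone, Debug, PartialEq)]
pub struct SessionGrant {
    pub session_id: String,
    pub active: bool,
    pub expires_at: u64,               // Unix seconds
    pub resources: Vec<String>,        // resource identifiers the grant covers
    pub ephemeral_public_key: Vec<u8>, // encoded key the client signs with
}

#[derive(Debug, PartialEq, Eq)]
pub enum Deny { SessionUnknown, SessionInactive, SessionExpired, ResourceNotCovered, BadSignature, NonceReplayed }

/// Pull-based revocation: a fetched grant is trusted for at most `ttl` (6 s in the issue). Past that
/// `get` returns None and the KAS must re-fetch from chain, so an on-chain revocation lands within one TTL.
pub struct SessionCache {
    ttl_secs: u64,
    entries: HashMap<String, (u64, SessionGrant)>, // session_id -> (fetched_at, grant)
}
impl SessionCache {
    pub fn new(ttl: Duration) -> Self { SessionCache { ttl_secs: ttl.as_secs(), entries: HashMap::new() } }
    pub fn put(&mut self, grant: SessionGrant, fetched_at: u64) {
        self.entries.insert(grant.session_id.clone(), (fetched_at, grant));
    }
    pub fn get(&self, session_id: &str, now: u64) -> Option<&SessionGrant> {
        let (fetched_at, grant) = self.entries.get(session_id)?;
        if now.saturating_sub(*fetched_at) < self.ttl_secs { Some(grant) } else { None }
    }
}

/// Nonce replay guard. The issue specifies Redis; an in-memory set keyed per session stands in offline.
#[derive(Default)]
pub struct NonceStore { seen: HashSet<(String, Vec<u8>)> }
impl NonceStore {
    /// True if the nonce is fresh (and now recorded); false on replay.
    pub fn check_and_record(&mut self, session_id: &str, nonce: &[u8]) -> bool {
        self.seen.insert((session_id.to_owned(), nonce.to_vec()))
    }
}

/// Test double for step 4, NOT cryptography: accepts a "signature" equal to b"ok:" + message.
pub fn echo_verify(_public_key: &[u8], message: &[u8], signature: &[u8]) -> bool {
    signature.len() == 3 + message.len() && &signature[..3] == b"ok:" && &signature[3..] == message
}

/// Step 3: active, unexpired, and covers the requested resource.
pub fn validate_grant(grant: &SessionGrant, resource: &str, now: u64) -> Result<(), Deny> {
    if !grant.active { return Err(Deny::SessionInactive); }
    if now >= grant.expires_at { return Err(Deny::SessionExpired); }
    if !grant.resources.iter().any(|r| r.as_str() == resource) { return Err(Deny::ResourceNotCovered); }
    Ok(())
}

/// What the client signs (format assumed): length-prefixed session id, resource and nonce, so the
/// signature is bound to one resource and one nonce and cannot be replayed against another.
pub fn signed_message(session_id: &str, resource: &str, nonce: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    for part in [session_id.as_bytes(), resource.as_bytes(), nonce] {
        out.extend_from_slice(&(part.len() as u32).to_be_bytes());
        out.extend_from_slice(part);
    }
    out
}

/// Steps 2-5 on the KAS side. `verify` is the ECDSA check; `now` is injected so TTL and expiry are testable.
pub fn authorize_rewrap(
    cache: &SessionCache, nonces: &mut NonceStore, verify: &dyn Fn(&[u8], &[u8], &[u8]) -> bool,
    session_id: &str, resource: &str, nonce: &[u8], signature: &[u8], now: u64,
) -> Result<(), Deny> {
    // Step 2: a miss, or an entry older than the TTL, means re-fetch from chain; offline we fail closed.
    let grant = cache.get(session_id, now).ok_or(Deny::SessionUnknown)?;
    validate_grant(grant, resource, now)?;
    let msg = signed_message(session_id, resource, nonce);
    if !verify(grant.ephemeral_public_key.as_slice(), msg.as_slice(), signature) { return Err(Deny::BadSignature); }
    // Replay check after authentication, so unauthenticated requests never mutate the nonce store.
    if !nonces.check_and_record(session_id, nonce) { return Err(Deny::NonceReplayed); }
    Ok(()) // Step 5: the caller now rewraps the key for the user.
}

/// Constructed sample grant (not real chain data).
pub fn sample_grant(now: u64) -> SessionGrant {
    SessionGrant {
        session_id: "sess-1".into(), active: true, expires_at: now + 300,
        resources: vec!["doc/42".into()], ephemeral_public_key: vec![0x04; 65], // placeholder, not a real key
    }
}

fn main() {
    let (now, mut cache, mut nonces) = (1_700_000_000, SessionCache::new(Duration::from_secs(6)), NonceStore::default());
    cache.put(sample_grant(now), now);
    let mut sig = b"ok:".to_vec();
    sig.extend_from_slice(&signed_message("sess-1", "doc/42", b"n-1"));
    let first = authorize_rewrap(&cache, &mut nonces, &echo_verify, "sess-1", "doc/42", b"n-1", &sig, now);
    let again = authorize_rewrap(&cache, &mut nonces, &echo_verify, "sess-1", "doc/42", b"n-1", &sig, now);
    println!("first use: {first:?}, replayed: {again:?}");
}
```

Two design points worth keeping when the trait-less stand-in is swapped for real ECDSA: the cache TTL, not the grant's own expiry, bounds how long a revoked session keeps working, so a cache hit that is older than the TTL must be treated as a miss rather than served; and the nonce is recorded only after the signature verifies, so a request that fails authentication leaves no state behind.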
