grpcctl: add auth login and policy commands

- Add auth/login and auth/logout to mciasgrpcctl, calling the existing AuthService.Login/Logout RPCs; password is always prompted interactively (term.ReadPassword), never accepted as a flag, raw bytes zeroed after use - Add proto/mcias/v1/policy.proto with PolicyService (List, Create, Get, Update, Delete policy rules) - Regenerate gen/mcias/v1/ stubs to include policy - Implement internal/grpcserver/policyservice.go delegating to the same db layer as the REST policy handlers - Register PolicyService in grpcserver.go - Add policy list/create/get/update/delete to mciasgrpcctl - Update mciasgrpcctl man page with new commands Security: auth login uses the same interactive password prompt pattern as mciasctl; password never appears in process args, shell history, or logs; raw bytes zeroed after string conversion (same as REST CLI and REST server). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 20:51:10 -07:00
parent cbcb1a0533
commit 7ede54afb2
21 changed files with 1835 additions and 25 deletions
--- a/man/man1/mciasctl.1
+++ b/man/man1/mciasctl.1
@@ -34,7 +34,7 @@ environment variable.
 .It Fl server Ar url
 Base URL of the mciassrv instance.
 Default:
-.Qq https://localhost:8443 .
+.Qq https://mcias.metacircular.net:8443 .
 Can also be set with the
 .Ev MCIAS_SERVER
 environment variable.
--- a/man/man1/mciasgrpcctl.1
+++ b/man/man1/mciasgrpcctl.1
@@ -1,4 +1,4 @@
-.Dd March 11, 2026
+.Dd March 12, 2026
 .Dt MCIASGRPCCTL 1
 .Os
 .Sh NAME
@@ -37,7 +37,7 @@ gRPC server address in
 .Ar host:port
 format.
 Default:
-.Qq localhost:9443 .
+.Qq mcias.metacircular.net:9443 .
 .It Fl token Ar jwt
 Bearer token for authentication.
 Can also be set with the
@@ -58,6 +58,18 @@ and exits 0 if the server is healthy.
 .It Nm Ic pubkey
 Returns the server's Ed25519 public key as a JWK.
 .El
+.Ss auth
+.Bl -tag -width Ds
+.It Nm Ic auth Ic login Fl username Ar name Op Fl totp Ar code
+Authenticates with the server and prints the bearer token to stdout.
+The password is always prompted interactively.
+Suitable for use in scripts:
+.Bd -literal -offset indent
+export MCIAS_TOKEN=$(mciasgrpcctl auth login -username alice)
+.Ed
+.It Nm Ic auth Ic logout
+Revokes the current bearer token.
+.El
 .Ss account
 .Bl -tag -width Ds
 .It Nm Ic account Ic list
@@ -94,6 +106,21 @@ Returns the Postgres credentials for the account.
 .It Nm Ic pgcreds Ic set Fl id Ar uuid Fl host Ar host Op Fl port Ar port Fl db Ar db Fl user Ar user Fl password Ar pass
 Sets Postgres credentials for the account.
 .El
+.Ss policy
+.Bl -tag -width Ds
+.It Nm Ic policy Ic list
+Lists all policy rules.
+.It Nm Ic policy Ic create Fl description Ar str Fl json Ar file Op Fl priority Ar n Op Fl not-before Ar rfc3339 Op Fl expires-at Ar rfc3339
+Creates a new policy rule.
+.Ar file
+must be a path to a file containing a JSON rule body.
+.It Nm Ic policy Ic get Fl id Ar id
+Returns the policy rule with the given ID.
+.It Nm Ic policy Ic update Fl id Ar id Op Fl priority Ar n Op Fl enabled Ar true|false Op Fl not-before Ar rfc3339 Op Fl expires-at Ar rfc3339 Op Fl clear-not-before Op Fl clear-expires-at
+Applies a partial update to a policy rule.
+.It Nm Ic policy Ic delete Fl id Ar id
+Permanently removes a policy rule.
+.El
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev MCIAS_TOKEN