Implement Phase 8: operational artifacts
- Makefile: build/test/lint/generate/man/install/clean/dist/docker; CGO_ENABLED=1 throughout; VERSION from git describe --tags --always
- Dockerfile: multi-stage (golang:1.26-bookworm builder -> debian:bookworm-slim runtime); non-root uid 10001 (mcias), VOLUME /data, EXPOSE 8443/9443; no toolchain in final image
- dist/mcias.service: hardened systemd unit (ProtectSystem=strict, ProtectHome, PrivateTmp, NoNewPrivileges, MemoryDenyWriteExecute, CapabilityBoundingSet= empty, EnvironmentFile, LimitNOFILE=65536)
- dist/mcias.env.example: passphrase env file template
- dist/mcias.conf.example: fully-commented production TOML config
- dist/mcias-dev.conf.example: local dev config (/tmp, short expiry)
- dist/mcias.conf.docker.example: container config template
- dist/install.sh: POSIX sh idempotent installer; creates mcias user/group, installs binaries, /etc/mcias, /var/lib/mcias, systemd unit, man pages; prints post-install instructions
- man/man1/mciassrv.1: mdoc synopsis/config/API/signals/files
- man/man1/mciasctl.1: mdoc all subcommands/env/examples
- man/man1/mciasdb.1: mdoc trust model/safety/all subcommands
- man/man1/mciasgrpcctl.1: mdoc gRPC commands/grpcurl example
- README.md: user-facing quick-start, first-run setup, build instructions, CLI references, Docker deployment, security notes
- .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz
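Added example, not code from the mcias project: the commit message lists the hardening directives dist/mcias.service carries, and a reviewer wants a way to confirm that a unit file actually has them before it is installed. The POSIX sh check below reads the [Service] section of a unit, reports each expected directive that is missing, and flags ProtectSystem=strict without a ReadWritePaths= line (under strict the whole filesystem is read-only, so a unit with no writable path would fail on its first write to /var/lib/mcias). The two sample units are constructed here; the ExecStart path, Group= and After= lines are assumptions. On an installed system the authoritative check is `systemd-analyze security mcias.service`; this script only approximates it offline.

```shell
#!/bin/sh
# Added example (not part of the mcias project): an offline lint for the
# hardening directives the commit message lists for dist/mcias.service.
# It reads a unit's [Service] section, reports expected directives that are
# absent, and flags ProtectSystem=strict without a ReadWritePaths= line.

# Directives expected in [Service]. CapabilityBoundingSet= must appear with an
# empty value: that is what drops every capability from the bounding set.
EXPECTED='ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
CapabilityBoundingSet='

# unit_section FILE: print the [Service] section of FILE with comments removed,
# leading/trailing whitespace and spaces around '=' stripped, so that each
# directive is a plain "Key=Value" line.
unit_section() {
    sed -n '/^\[Service]/,/^\[/p' "$1" \
        | grep -v '^[[:space:]]*[#;]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# unit_missing FILE: one line per finding. A finding is either an expected
# directive that is not present verbatim, or ProtectSystem=strict with no
# ReadWritePaths= (the unit would start, then fail on its first write).
unit_missing() {
    section=$(unit_section "$1")
    printf '%s\n' "$EXPECTED" | while IFS= read -r want; do
        printf '%s\n' "$section" | grep -qx -- "$want" \
            || printf 'missing: %s\n' "$want"
    done
    if printf '%s\n' "$section" | grep -qx 'ProtectSystem=strict' \
       && ! printf '%s\n' "$section" | grep -q '^ReadWritePaths='; then
        printf 'warning: ProtectSystem=strict without ReadWritePaths=\n'
    fi
}

# unit_missing_count FILE: number of findings, usable as a gate in scripts.
unit_missing_count() {
    unit_missing "$1" | wc -l | tr -d ' '
}

# Two constructed units (sample input, not the project's files). The first is
# an unhardened service as someone might first write it; the second models the
# directives the commit message lists. ExecStart path, Group= and After= are
# assumptions.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/bare.service" <<'EOF'
[Unit]
Description=mcias (unhardened sample)

[Service]
User=mcias
ExecStart=/usr/local/bin/mciassrv -config /etc/mcias/mcias.conf
ProtectSystem = strict

[Install]
WantedBy=multi-user.target
EOF

cat > "$TMP/hardened.service" <<'EOF'
[Unit]
Description=mcias (hardened sample)
After=network-online.target

[Service]
User=mcias
Group=mcias
EnvironmentFile=/etc/mcias/env
ExecStart=/usr/local/bin/mciassrv -config /etc/mcias/mcias.conf
Restart=on-failure
LimitNOFILE=65536
# Read-only filesystem except the state directory, no new privileges,
# no writable+executable memory, empty capability bounding set.
ProtectSystem=strict
ReadWritePaths=/var/lib/mcias
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
EOF

echo "bare.service:";     unit_missing "$TMP/bare.service"
echo "hardened.service:"; unit_missing "$TMP/hardened.service"
```

The bare unit produces five "missing:" lines plus the ReadWritePaths warning; the hardened unit produces none. The check matches directives verbatim on purpose: a unit that sets ProtectSystem=full or NoNewPrivileges=false is reported as missing rather than silently accepted as "present".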
PROGRESS.md (58 changed lines)
@@ -1,16 +1,10 @@
# MCIAS Progress
Source of truth for current development state.
---
## Current Status: Phase 7 Complete — Phases 8–9 Planned
137 tests pass with zero race conditions. Phase 7 (gRPC dual-stack) is
complete. Phases 8–9 are designed and documented; implementation not yet started.
### Completed Phases
137 tests pass with zero race conditions. Phase 8 (operational artifacts) is
complete. Phase 9 (client libraries) is designed and documented; implementation
not yet started.
- [x] Phase 0: Repository bootstrap (go.mod, .gitignore, docs)
- [x] Phase 1: Foundational packages (model, config, crypto, db)
- [x] Phase 2: Auth core (auth, token, middleware)
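Review bot: the status paragraph now says Phase 8 is complete and Phase 9 is designed, but no updated '## Current Status' heading appears in this hunk, so the existing 'Phase 7 Complete / Phases 8–9 Planned' heading either survives and contradicts the body or has been dropped with nothing replacing it; in both cases the new three-line paragraph lands under '### Completed Phases', directly above '- [x] Phase 0', where it reads as a lead-in to the checklist rather than as the status summary. Suggest keeping a '## Current Status' heading in the existing style that names Phase 8 complete and Phase 9 planned, with the paragraph beneath it and a blank line before the list. The '137 tests pass with zero race conditions' figure is carried over verbatim; that is plausible because the Phase 8 artifacts add no Go code, but the entry should say the suite was re-run, for example through the new Makefile test target.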
@@ -19,16 +13,46 @@ complete. Phases 8–9 are designed and documented; implementation not yet start
- [x] Phase 5: E2E tests, security hardening, commit
- [x] Phase 6: mciasdb — direct SQLite maintenance tool
- [x] Phase 7: gRPC interface (alternate transport; dual-stack with REST)
### Planned Phases
- [ ] Phase 8: Operational artifacts (systemd unit, man pages, Makefile, install script)
- [x] Phase 8: Operational artifacts (Makefile, Dockerfile, systemd, man pages, install script)
- [ ] Phase 9: Client libraries (Go, Rust, Common Lisp, Python)
---
## Implementation Log
**Makefile**
- Targets: build, test, lint, generate, man, install, clean, dist, docker
- build: compiles all four binaries to bin/ with CGO_ENABLED=1 and
-trimpath -ldflags="-s -w"
- dist: cross-compiled tarballs for linux/amd64 and linux/arm64
- docker: builds image tagged mcias:$(git describe --tags --always)
- VERSION derived from git describe --tags --always
**Dockerfile** (multi-stage)
- Build stage: golang:1.26-bookworm with CGO_ENABLED=1
- Runtime stage: debian:bookworm-slim with only ca-certificates and libc6;
no Go toolchain, no source, no build cache in final image
- Non-root user mcias (uid/gid 10001)
- EXPOSE 8443 (REST/TLS) and EXPOSE 9443 (gRPC/TLS)
- VOLUME /data for the SQLite database mount point
- ENTRYPOINT ["mciassrv"] CMD ["-config", "/etc/mcias/mcias.conf"]
**dist/ artifacts**
- dist/mcias.service: hardened systemd unit with ProtectSystem=strict,
ProtectHome=true, PrivateTmp=true, NoNewPrivileges=true,
CapabilityBoundingSet= (no capabilities), ReadWritePaths=/var/lib/mcias,
EnvironmentFile=/etc/mcias/env, Restart=on-failure, LimitNOFILE=65536
- dist/mcias.env.example: passphrase env file template
- dist/mcias.conf.example: fully-commented production TOML config reference
- dist/mcias-dev.conf.example: local dev config (127.0.0.1, short expiry)
- dist/mcias.conf.docker.example: container config template
- dist/install.sh: idempotent POSIX sh installer; creates user/group,
installs binaries, creates /etc/mcias and /var/lib/mcias, installs
systemd unit and man pages; existing configs not overwritten (placed .new)
**man/ pages** (mdoc format)
- man/man1/mciassrv.1: synopsis, options, config, REST API, signals, files
- man/man1/mciasctl.1: all subcommands, env vars, examples
- man/man1/mciasdb.1: trust model warnings, all subcommands, examples
- man/man1/mciasgrpcctl.1: gRPC subcommands, grpcurl examples
**Documentation**
- README.md: replaced dev-workflow notes with user-facing docs; quick-start,
first-run setup, build instructions, CLI references, Docker deployment,
man page index, security notes
- .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz
### 2026-03-11 — Phase 7: gRPC dual-stack
**proto/mcias/v1/**
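Review bot: the checked '- [x] Phase 8: Operational artifacts (Makefile, Dockerfile, systemd, man pages, install script)' line stays under '### Planned Phases', directly above the unchecked Phase 9 item; move it to the end of '### Completed Phases' after the Phase 7 entry so the Planned list holds only what is still planned. The Phase 8 log that follows '## Implementation Log' (the **Makefile** through **Documentation** bullets) carries no dated heading, unlike the '### 2026-03-11' Phase 7 entry right after it, so it reads as an untitled preamble to the Phase 7 entry; add a heading for Phase 8 in the same dated style. Two details a deployer will look for: the dist/mcias.service bullet lists ProtectSystem=strict, ProtectHome, PrivateTmp, NoNewPrivileges and an empty CapabilityBoundingSet= but not MemoryDenyWriteExecute, which the commit message says the unit sets, so one of the two is out of date; and since EnvironmentFile=/etc/mcias/env holds the passphrase, the install.sh bullet should record the mode and owner it gives that file. Finally, 'dist: cross-compiled tarballs for linux/amd64 and linux/arm64' together with CGO_ENABLED=1 only works on an amd64 host if the Makefile points CC at an aarch64 cross compiler; say how the dist target does that, otherwise the arm64 tarball fails where a pure-Go build would not.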