Updating ARCHITECTURE.md.

2026-03-11 12:19:17 -07:00
parent f02eff21b4
commit 9ef913c59b
1 changed files with 14 additions and 7 deletions
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -27,13 +27,14 @@ parties that delegate authentication decisions to it.
 │              │   SQLite Database   │               │
 │              └────────────────────┘               │
 └────────────────────────────────────────────────────┘
-         ▲                         ▲
-         │ HTTPS/REST              │ HTTPS/REST
-         │                         │
-  ┌──────┴──────┐          ┌───────┴──────┐
-  │  Personal   │          │   mciasctl   │
-  │    Apps     │          │  (admin CLI) │
-  └─────────────┘          └──────────────┘
+         ▲              ▲                ▲
+         │ HTTPS/REST   │ HTTPS/REST     │ direct file I/O
+         │              │                │
+  ┌──────┴──────┐  ┌────┴─────┐  ┌──────┴──────┐
+  │  Personal   │  │ mciasctl │  │   mciasdb   │
+  │    Apps     │  │  (admin  │  │  (DB tool)  │
+  └─────────────┘  │   CLI)   │  └─────────────┘
+                   └──────────┘
 ```

 **mciassrv** — The authentication server. Exposes a REST API over HTTPS/TLS.
@@ -44,6 +45,12 @@ revocation.
 using an admin JWT. Creates/manages human accounts, system accounts, roles,
 and Postgres credential records.

+**mciasdb** — The database maintenance tool. Operates directly on the SQLite
+file, bypassing the server API. Intended for break-glass recovery, offline
+inspection, schema verification, and maintenance tasks that cannot be
+performed through the live server. Requires the same master key material as
+mciassrv (passphrase or keyfile) to decrypt secrets at rest.
+
 ---

 ## 2. Security Model