MCIAS Progress

Source of truth for current development state.

Current Status: Phase 0 — Repository Bootstrap

CLAUDE.md — project conventions and constraints
.golangci.yaml — linter configuration
PROJECT.md — project specifications
ARCHITECTURE.md — technical design document (token lifecycle, session management, multi-app trust boundaries, database schema)
PROJECT_PLAN.md — discrete implementation steps with acceptance criteria
PROGRESS.md — this file

Phase 1: Foundational packages (internal/model, internal/config, internal/crypto, internal/db)

Wrote ARCHITECTURE.md covering:
- Security model and threat model
- Cryptographic primitive choices with rationale
- Account model (human + system accounts, roles, lifecycle)
- Token lifecycle (issuance, validation, renewal, revocation flows)
- Session management approach (stateless JWT + revocation table)
- Multi-app trust boundaries
- REST API design (all endpoints)
- Database schema (SQLite, all tables with indexes)
- TLS configuration
- TOML configuration format
- Package/directory structure
- Error handling and logging conventions
- Audit event catalog
- Operational considerations
Wrote PROJECT_PLAN.md with 5 phases, 12 steps, each with specific acceptance criteria.

SQLite driver: using modernc.org/sqlite (pure Go, no CGo dependency). This simplifies cross-compilation and removes the need for a C toolchain.
JWT library: github.com/golang-jwt/jwt/v5. The alg header validation is implemented manually before delegating to the library to ensure the library's own algorithm dispatch cannot be bypassed.
No ORM. All database access via the standard database/sql interface with prepared statements.