mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update ARCHITECTURE.md and CLAUDE.md for SQLite and gRPC

Browse Source 
Reflect database schema, write-through pattern, startup behavior,
gRPC admin API config, and updated storage layout. Remove completed
items from future work.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-17 03:10:04 -07:00
parent 9cba3241e8
commit dc04a070a3
2 changed files with 80 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
ARCHITECTURE.md
View File

@@ -167,9 +167,10 @@ on which port the client connected to.
### Route Table Source
Route tables are defined inline under each listener in the TOML
configuration file. The design anticipates future migration to a SQLite
database for dynamic route management via the control plane API.
Route tables are persisted in the SQLite database. On first run, they are
seeded from the TOML configuration. On subsequent runs, the database is
the source of truth. Routes can be added or removed at runtime via the
gRPC admin API.
---
@@ -179,7 +180,11 @@ TOML configuration file, loaded at startup. The proxy refuses to start if
required fields are missing or invalid.
```toml
# Listeners. Each has its own route table.
# Database. Required.
[database]
path = "/srv/mc-proxy/mc-proxy.db"
# Listeners. Each has its own route table (seeds DB on first run).
[[listeners]]
addr = ":443"
@@ -205,6 +210,13 @@ addr = ":9443"
hostname = "mcias.metacircular.net"
backend = "127.0.0.1:28443"
# gRPC admin API. Optional — omit addr to disable.
[grpc]
addr = "127.0.0.1:9090"
tls_cert = "/srv/mc-proxy/certs/cert.pem"
tls_key = "/srv/mc-proxy/certs/key.pem"
client_ca = "/srv/mc-proxy/certs/ca.pem"
# Firewall. Global blocklist, evaluated before routing. Default allow.
[firewall]
geoip_db = "/srv/mc-proxy/GeoLite2-Country.mmdb"
@@ -240,17 +252,64 @@ these are structural and must be in the TOML file.
## Storage
mc-proxy has minimal storage requirements. There is no database in the
initial implementation.
### SQLite Database
Listeners, routes, and firewall rules are persisted in a SQLite database
(WAL mode, foreign keys enabled, busy timeout 5000ms). The pure-Go driver
`modernc.org/sqlite` is used (no CGo).
**Startup behavior:**
1. Open the database at the configured path. Run migrations.
2. If the database is empty (first run): seed from the TOML config.
3. If the database has data: load from it. TOML listener/route/firewall
fields are ignored.
The TOML config continues to own operational settings: proxy timeouts,
log level, gRPC config, GeoIP database path.
**Write-through pattern:** The gRPC admin API writes to the database first,
then updates in-memory state. If the database write fails, the in-memory
state is not modified.
### Schema
```sql
CREATE TABLE listeners (
id INTEGER PRIMARY KEY,
addr TEXT NOT NULL UNIQUE
);
CREATE TABLE routes (
id INTEGER PRIMARY KEY,
listener_id INTEGER NOT NULL REFERENCES listeners(id) ON DELETE CASCADE,
hostname TEXT NOT NULL,
backend TEXT NOT NULL,
UNIQUE(listener_id, hostname)
);
CREATE TABLE firewall_rules (
id INTEGER PRIMARY KEY,
type TEXT NOT NULL CHECK(type IN ('ip', 'cidr', 'country')),
value TEXT NOT NULL,
UNIQUE(type, value)
);
```
### Data Directory
```
/srv/mc-proxy/
├── mc-proxy.toml Configuration
├── mc-proxy.db SQLite database
├── certs/ TLS certificates (for gRPC admin API)
├── GeoLite2-Country.mmdb GeoIP database (if using country blocks)
└── backups/ Reserved for future use
└── backups/ Database snapshots
```
No TLS certificates are stored — mc-proxy does not terminate TLS.
mc-proxy does not terminate TLS on the proxy listeners, so no proxy
certificates are needed. The `certs/` directory is for the gRPC admin
API's TLS and optional mTLS keypair.
---
@@ -334,8 +393,7 @@ Items are listed roughly in priority order:
| Item | Description |
|------|-------------|
| **gRPC admin API** | Internal-only API for managing routes and firewall rules at runtime, integrated with the Metacircular Control Plane. |
| **SQLite route storage** | Migrate route table from TOML to SQLite for dynamic management via the admin API. |
| **MCP integration** | Wire the gRPC admin API into the Metacircular Control Plane for centralized management. |
| **L7 HTTPS support** | TLS-terminating mode for selected routes, enabling HTTP-level features (user-agent blocking, header inspection, request routing). |
| **ACME integration** | Automatic certificate provisioning via Let's Encrypt for L7 routes. |
| **User-agent blocking** | Block connections based on user-agent string (requires L7 mode). |