Update ARCHITECTURE.md and CLAUDE.md for SQLite and gRPC
Reflect database schema, write-through pattern, startup behavior, gRPC admin API config, and updated storage layout. Remove completed items from future work. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
17
CLAUDE.md
17
CLAUDE.md
@@ -15,6 +15,8 @@ make build # compile all packages
|
||||
make test # run all tests
|
||||
make vet # go vet
|
||||
make lint # golangci-lint
|
||||
make proto # regenerate gRPC code from proto definitions
|
||||
make devserver # build and run locally with srv/mc-proxy.toml
|
||||
```
|
||||
|
||||
Run a single test:
|
||||
@@ -26,9 +28,10 @@ go test ./internal/sni -run TestExtract
|
||||
|
||||
- **Module path**: `git.wntrmute.dev/kyle/mc-proxy`
|
||||
- **Go with CGO_ENABLED=0**, statically linked, Alpine containers
|
||||
- **No API surface yet** — config-driven via TOML; gRPC admin API planned for future MCP integration
|
||||
- **No auth** — this is pre-auth infrastructure; services behind it handle their own MCIAS auth
|
||||
- **No database** — routes and firewall rules are in the TOML config; SQLite planned for dynamic route management
|
||||
- **gRPC admin API** — manages routes and firewall rules at runtime; TLS with optional mTLS; optional (disabled if `[grpc]` section omitted from config)
|
||||
- **No auth on proxy listeners** — this is pre-auth infrastructure; services behind it handle their own MCIAS auth
|
||||
- **SQLite database** — persists listeners, routes, and firewall rules; pure-Go driver (`modernc.org/sqlite`); seeded from TOML on first run, DB is source of truth thereafter
|
||||
- **Write-through pattern** — gRPC mutations write to DB first, then update in-memory state
|
||||
- **Config**: TOML via `go-toml/v2`, runtime data in `/srv/mc-proxy/`
|
||||
- **Testing**: stdlib `testing` only, `t.TempDir()` for isolation
|
||||
- **Linting**: golangci-lint v2 with `.golangci.yaml`
|
||||
@@ -36,10 +39,13 @@ go test ./internal/sni -run TestExtract
|
||||
## Package Structure
|
||||
|
||||
- `internal/config/` — TOML config loading and validation
|
||||
- `internal/db/` — SQLite database: migrations, CRUD for listeners/routes/firewall rules, seeding, snapshots
|
||||
- `internal/sni/` — TLS ClientHello parser; extracts SNI hostname without consuming bytes
|
||||
- `internal/firewall/` — global blocklist evaluation (IP, CIDR, GeoIP via MaxMind GeoLite2); thread-safe GeoIP reload
|
||||
- `internal/firewall/` — global blocklist evaluation (IP, CIDR, GeoIP via MaxMind GeoLite2); thread-safe mutations and GeoIP reload
|
||||
- `internal/proxy/` — bidirectional TCP relay with half-close propagation and idle timeout
|
||||
- `internal/server/` — orchestrates listeners → firewall → SNI → route → proxy pipeline; graceful shutdown
|
||||
- `internal/server/` — orchestrates listeners → firewall → SNI → route → proxy pipeline; per-listener state with connection tracking
|
||||
- `internal/grpcserver/` — gRPC admin API: route/firewall CRUD, status, write-through to DB
|
||||
- `proto/mc-proxy/v1/` — protobuf definitions; `gen/mc-proxy/v1/` has generated code
|
||||
|
||||
## Signals
|
||||
|
||||
@@ -52,3 +58,4 @@ go test ./internal/sni -run TestExtract
|
||||
- Firewall rules are always evaluated before any routing decision.
|
||||
- SNI matching is exact and case-insensitive.
|
||||
- Blocked connections get a TCP RST — no error messages, no TLS alerts.
|
||||
- Database writes must succeed before in-memory state is updated (write-through).
|
||||
|
||||
Reference in New Issue
Block a user