Switch gRPC admin API to Unix socket only, add client package

- Remove TCP listener support from gRPC server; Unix socket is now the only transport for the admin API (access controlled via filesystem permissions) - Add standard gRPC health check service (grpc.health.v1.Health) - Implement MCPROXY_* environment variable overrides for config - Create client/mcproxy package with full API coverage and tests - Update ARCHITECTURE.md and dev config (srv/mc-proxy.toml) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-19 07:48:11 -07:00
parent b25e1b0e79
commit f24fa2a2b0
9 changed files with 810 additions and 137 deletions
--- a/cmd/mc-proxy/server.go
+++ b/cmd/mc-proxy/server.go
@@ -92,9 +92,7 @@ func serverCmd() *cobra.Command {
 				}()
 				defer func() {
 					grpcSrv.GracefulStop()
-					if cfg.GRPC.IsUnixSocket() {
-						os.Remove(cfg.GRPC.SocketPath())
-					}
+					os.Remove(cfg.GRPC.SocketPath())
 				}()
 			}

--- a/cmd/mc-proxy/status.go
+++ b/cmd/mc-proxy/status.go
@@ -2,15 +2,11 @@ package main

 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"os"
 	"time"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"

 	pb "git.wntrmute.dev/kyle/mc-proxy/gen/mc_proxy/v1"
@@ -71,37 +67,6 @@ func statusCmd() *cobra.Command {
 }

 func dialGRPC(cfg config.GRPC) (*grpc.ClientConn, error) {
-	if cfg.IsUnixSocket() {
-		return grpc.NewClient("unix://"+cfg.SocketPath(),
-			grpc.WithTransportCredentials(insecure.NewCredentials()))
-	}
-
-	tlsConfig := &tls.Config{
-		MinVersion: tls.VersionTLS13,
-	}
-
-	// Load CA cert for verifying the server.
-	if cfg.CACert != "" {
-		caCert, err := os.ReadFile(cfg.CACert)
-		if err != nil {
-			return nil, fmt.Errorf("reading CA cert: %w", err)
-		}
-		pool := x509.NewCertPool()
-		if !pool.AppendCertsFromPEM(caCert) {
-			return nil, fmt.Errorf("failed to parse CA certificate")
-		}
-		tlsConfig.RootCAs = pool
-	}
-
-	// Load client cert for mTLS.
-	if cfg.TLSCert != "" && cfg.TLSKey != "" {
-		cert, err := tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
-		if err != nil {
-			return nil, fmt.Errorf("loading client cert: %w", err)
-		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
-	}
-
-	creds := credentials.NewTLS(tlsConfig)
-	return grpc.NewClient(cfg.Addr, grpc.WithTransportCredentials(creds))
+	return grpc.NewClient("unix://"+cfg.SocketPath(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()))
 }