Rift-specific config routes metacrypt.svc.mcp.metacircular.net across
three listeners: L7 TLS-terminating to metacrypt-web on :443, L4
passthrough to API on :8443, and L4 passthrough to gRPC on :9443.
Docker compose uses host networking for direct port binding. Includes
self-signed cert generation script for initial L7 deployment. Updates
example config with metrics section and Unix socket for gRPC admin.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rate limiting: per-source-IP connection rate limiter in the firewall layer
with configurable limit and sliding window. Blocklisted IPs are rejected
before rate limit evaluation to avoid wasting quota. Unix socket: the gRPC
admin API can now listen on a Unix domain socket (no TLS required), secured
by file permissions (0600), as a simpler alternative for local-only access.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Layer 4 TLS SNI proxy with global firewall (IP/CIDR/GeoIP blocking),
per-listener route tables, bidirectional TCP relay with half-close
propagation, and a gRPC admin API (routes, firewall, status) with
TLS/mTLS support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
