Migrate to mcdsl: auth, config, csrf, web

- Replace internal/auth with mcdsl/auth - Replace internal/config with mcdsl/config (embed config.Base) - Replace internal/webserver/csrf.go with mcdsl/csrf - Use mcdsl/web for session cookies and template rendering - Use mcdsl/httpserver for server setup and StatusWriter - Remove direct mcias client library dependency - Update .golangci.yaml to v2 format (formatters section) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:53:15 -07:00
commit 0cada7e64e
21 changed files with 1042 additions and 0 deletions
--- a/RUNBOOK.md
+++ b/RUNBOOK.md
@@ -0,0 +1,68 @@
+# Runbook
+
+## Service Overview
+
+mcat is a web application for testing MCIAS login policies. It runs a TLS
+web server that lets users log in via MCIAS with a configurable service
+name and tag set.
+
+## Health Check
+
+1. Open `https://<host>:8443/login` in a browser.
+2. If the login form renders, the service is healthy.
+
+## Common Operations
+
+### Start
+
+```bash
+systemctl start mcat
+```
+
+### Stop
+
+```bash
+systemctl stop mcat
+```
+
+### View Logs
+
+```bash
+journalctl -u mcat -f
+```
+
+### Run Locally
+
+```bash
+make mcat
+./mcat server --config srv/mcat.toml
+```
+
+## Configuration
+
+Config file: `/srv/mcat/mcat.toml`
+
+After changing config, restart the service:
+
+```bash
+systemctl restart mcat
+```
+
+## TLS Certificate Renewal
+
+1. Replace `/srv/mcat/certs/cert.pem` and `/srv/mcat/certs/key.pem`.
+2. Restart: `systemctl restart mcat`.
+
+## MCIAS Unreachable
+
+If MCIAS is down, logins and token validation will fail. Users will see
+generic error messages. Check MCIAS connectivity:
+
+```bash
+curl -k https://<mcias-host>:8443/v1/health
+```
+
+## Escalation
+
+If the issue is not covered above, check MCIAS logs and status. mcat has
+no local state — all authentication is delegated to MCIAS.