# MCDSL Progress

## Current State

Phase 2 complete. The `db` and `auth` packages are implemented and tested.

## Completed

### Phase 0: Project Setup (2026-03-25)

- Initialized Go module (`git.wntrmute.dev/kyle/mcdsl`)
- Created `.golangci.yaml` matching platform standard (with `exported` rule enabled since this is a shared library)
- Created `Makefile` with standard targets (build, test, vet, lint, all)
- Created `.gitignore`
- Created `doc.go` package doc
- `make all` passes clean

### Phase 1: `db` — SQLite Foundation (2026-03-25)

- `Open(path string) (*sql.DB, error)` — opens with WAL, FK, busy timeout 5000ms, 0600 permissions, creates parent dirs
- `Migration` type with Version, Name, SQL fields
- `Migrate(database *sql.DB, migrations []Migration) error` — sequential, transactional, idempotent, records name and timestamp in schema_migrations
- `SchemaVersion(database *sql.DB) (int, error)` — highest applied version
- `Snapshot(database *sql.DB, destPath string) error` — VACUUM INTO with 0600 permissions, creates parent dirs
- 11 tests covering open, migrate, and snapshot

### Phase 2: `auth` — MCIAS Token Validation (2026-03-25)

- `Config` type matching `[mcias]` TOML section (ServerURL, CACert, ServiceName, Tags)
- `TokenInfo` type (Username, Roles, IsAdmin)
- `New(cfg Config, logger *slog.Logger) (*Authenticator, error)` — creates MCIAS client with TLS 1.3, custom CA support, 10s timeout
- `Login(username, password, totpCode string) (token, expiresAt, err)` — forwards to MCIAS with service context, returns ErrForbidden for policy denials, ErrInvalidCredentials for bad creds
- `ValidateToken(token string) (*TokenInfo, error)` — 30s SHA-256-keyed cache, lazy eviction, concurrent-safe (RWMutex)
- `Logout(token string) error` — revokes token on MCIAS
- Error types: ErrInvalidToken, ErrInvalidCredentials, ErrForbidden, ErrUnavailable
- Context helpers: ContextWithTokenInfo, TokenInfoFromContext
- 14 tests: login (success, invalid creds, forbidden), validate (admin, non-admin, expired, unknown), cache (hit, expiry via injectable clock), logout, constructor validation, context roundtrip, admin detection
- `make all` passes clean (vet, lint 0 issues, 25 total tests, build)

## Next Steps

- Phase 3: `config` package (TOML loading, env overrides, standard sections)
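
The cache behaviour listed for `ValidateToken` in Phase 2 (30s TTL, SHA-256 keys, lazy eviction, RWMutex, injectable clock) is illustrated below. This is an added example, not the mcdsl source: `tokenCache`, `entry`, `validate` and the `upstream` callback (a stand-in for the MCIAS call) are hypothetical names, and the token and user are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

type TokenInfo struct { // fields as listed on the page
	Username string
	Roles    []string
	IsAdmin  bool
}

type entry struct{ info TokenInfo; expires time.Time }

// tokenCache (hypothetical name) keys entries by SHA-256 digest, not raw token.
type tokenCache struct {
	mu      sync.RWMutex
	ttl     time.Duration
	now     func() time.Time // injectable clock, so expiry is testable
	entries map[[sha256.Size]byte]entry
}

// validate answers from cache while fresh, else asks upstream (stand-in for MCIAS).
func (c *tokenCache) validate(token string, upstream func(string) (TokenInfo, error)) (TokenInfo, error) {
	key := sha256.Sum256([]byte(token))
	c.mu.RLock()
	e, ok := c.entries[key]
	c.mu.RUnlock()
	if ok && c.now().Before(e.expires) {
		return e.info, nil
	}
	info, err := upstream(token) // slow call made outside any lock
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.entries, key) // lazy eviction: expired or rejected entry goes on lookup
	if err != nil {
		return TokenInfo{}, err
	}
	c.entries[key] = entry{info, c.now().Add(c.ttl)}
	return info, nil
}

func main() {
	c := &tokenCache{ttl: 30 * time.Second, now: time.Now, entries: map[[sha256.Size]byte]entry{}}
	up := func(string) (TokenInfo, error) { return TokenInfo{Username: "alice"}, nil } // constructed
	fmt.Println(c.validate("constructed-token", up))
}
```

Because a rejected token is deleted rather than left in place, a revocation is honoured at the first lookup after the 30s window at the latest.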