Full integration tests exercising gRPC services through real server with
mock MCIAS auth. Covers all CRUD operations for zones and records,
health check bypass, auth/admin interceptor enforcement, CNAME
exclusivity conflicts, and method map completeness verification.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cover all REST handlers with httptest-based tests using real SQLite:
zones (list, get, create, update, delete), records (list, get, create,
update, delete with validation/conflict cases), requireAdmin middleware
(admin, non-admin, missing context), and utility functions (writeJSON,
writeError, extractBearerToken, tokenInfoFromContext).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ARCHITECTURE.md:
- Note optional ?name=/&type= query filters on GET /v1/zones/{zone}/records
- Document ListRecordsRequest name/type fields as optional filters in gRPC service
- Add gRPC usage examples section with grpcurl commands
CLAUDE.md:
- Add mcdsl shared library section
- Add testing patterns (stdlib only, real SQLite, no mocks)
- Add key invariants: SOA serial YYYYMMDDNN format, CNAME exclusivity at DB layer
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Create the two required documentation files for MCNS:
- README.md: project overview, quick-start (build/configure/run), links
  to ARCHITECTURE.md and RUNBOOK.md
- RUNBOOK.md: operator-focused procedures with numbered steps covering
  health checks, start/stop/restart, backup/restore, log inspection,
  and incident playbooks for database corruption, certificate expiry,
  MCIAS outage, DNS resolution failures, and port conflicts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Ship mcns.service, mcns-backup.service, mcns-backup.timer, and
deploy/scripts/install.sh adapted from MCR's deployment files.
Includes full security hardening block per engineering standards
and AmbientCapabilities=CAP_NET_BIND_SERVICE for DNS port 53.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add ca-certificates and tzdata packages, fix user creation with proper
home directory and nologin shell, combine RUN commands into a single
layer, add VOLUME/WORKDIR declarations, and reorder USER after volume
setup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Populates the database on first run with the two existing zones
(svc.mcp.metacircular.net, mcp.metacircular.net) and all their A
records (metacrypt, mcr, sgard, mcp-agent, rift, ns).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace the CoreDNS precursor with a purpose-built authoritative DNS
server. Zones and records (A, AAAA, CNAME) are stored in SQLite and
managed via synchronized gRPC + REST APIs authenticated through MCIAS.
Non-authoritative queries are forwarded to upstream resolvers with
in-memory caching.
Key components:
- DNS server (miekg/dns) with authoritative zone handling and forwarding
- gRPC + REST management APIs with MCIAS auth (mcdsl integration)
- SQLite storage with CNAME exclusivity enforcement and auto SOA serials
- 30 tests covering database CRUD, DNS resolution, and caching
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Design MCNS as a purpose-built authoritative DNS server with SQLite-backed
zone/record storage and a gRPC+REST management API. Supports A, AAAA, and
CNAME records with upstream forwarding for non-authoritative queries.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Port 53 on loopback is used by systemd-resolved on rift. Bind to
192.168.88.181 (LAN) and 100.95.252.120 (Tailscale) specifically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Serves two internal zones for the Metacircular platform:
- svc.mcp.metacircular.net (service addresses)
- mcp.metacircular.net (node addresses)
Forwards all other queries to 1.1.1.1 and 8.8.8.8. Includes rift
deployment compose with CoreDNS 1.12.1 and zone files mapping
metacrypt and rift to their LAN and Tailscale addresses.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>