Add cert command for Metacrypt TLS provisioning

Checks the configured TLS certificate: provisions a new one if missing, renews if expiring within 7 days, otherwise reports remaining validity. Calls the Metacrypt CA API directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Clean up Dockerfile for rootless podman compatibility
2026-03-29 18:42:39 -07:00 · 2026-03-28 15:55:03 -07:00 · 2026-03-28 15:52:43 -07:00 · 2026-03-27 14:32:01 -07:00 · 2026-03-27 02:54:35 -07:00
15 changed files with 355 additions and 41 deletions
--- a/14
+++ b/14
@@ -13,26 +13,14 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}"

 FROM alpine:3.21

-RUN apk add --no-cache ca-certificates tzdata \
-    && addgroup -S mcns \
-    && adduser -S -G mcns -h /srv/mcns -s /sbin/nologin mcns \
-    && mkdir -p /srv/mcns && chown mcns:mcns /srv/mcns
+RUN apk add --no-cache ca-certificates tzdata

 COPY --from=builder /build/mcns /usr/local/bin/mcns

-# /srv/mcns is the single volume mount point.
-# It must contain:
-#   mcns.toml  — configuration file
-#   certs/     — TLS certificate and key
-#   mcns.db    — created automatically on first run
-VOLUME /srv/mcns
 WORKDIR /srv/mcns
-
 EXPOSE 53/udp 53/tcp
 EXPOSE 8443
 EXPOSE 9443

-USER mcns
-
 ENTRYPOINT ["mcns"]
 CMD ["server", "--config", "/srv/mcns/mcns.toml"]
--- a/11
+++ b/11
@@ -1,6 +1,8 @@
-.PHONY: build test vet lint proto proto-lint clean docker all devserver
+.PHONY: build test vet lint proto proto-lint clean docker push all devserver

-LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(shell git describe --tags --always --dirty)"
+MCR     := mcr.svc.mcp.metacircular.net:8443
+VERSION := $(shell git describe --tags --always --dirty)
+LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(VERSION)"

 mcns:
 	CGO_ENABLED=0 go build $(LDFLAGS) -o mcns ./cmd/mcns
@@ -30,7 +32,10 @@ clean:
 	rm -f mcns

 docker:
-	docker build --build-arg VERSION=$(shell git describe --tags --always --dirty) -t mcns -f Dockerfile .
+	docker build --build-arg VERSION=$(VERSION) -t $(MCR)/mcns:$(VERSION) -f Dockerfile .
+
+push: docker
+	docker push $(MCR)/mcns:$(VERSION)

 devserver: mcns
 	@mkdir -p srv
--- a/cmd/mcns/cert.go
+++ b/cmd/mcns/cert.go
@@ -0,0 +1,221 @@
+package main
+
+import (
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"git.wntrmute.dev/mc/mcns/internal/config"
+)
+
+func certCmd() *cobra.Command {
+	var (
+		configPath string
+		serverURL  string
+		caCert     string
+		tokenPath  string
+		mount      string
+		issuer     string
+		hostnames  []string
+	)
+
+	cmd := &cobra.Command{
+		Use:   "cert",
+		Short: "Ensure a valid TLS certificate from Metacrypt",
+		Long: `Check the TLS certificate referenced in the config file.
+If the certificate does not exist, provision a new one from Metacrypt.
+If it exists but expires within 7 days, renew it.
+Otherwise, report that the certificate is still valid.`,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			cfg, err := config.Load(configPath)
+			if err != nil {
+				return fmt.Errorf("load config: %w", err)
+			}
+
+			if serverURL == "" {
+				return fmt.Errorf("--server is required")
+			}
+			if tokenPath == "" {
+				return fmt.Errorf("--token is required")
+			}
+			if len(hostnames) == 0 {
+				return fmt.Errorf("--hostname is required")
+			}
+
+			// Check existing certificate.
+			remaining, ok := certTimeRemaining(cfg.Server.TLSCert)
+			if ok && remaining > 7*24*time.Hour {
+				fmt.Printf("Certificate valid for %s, no action needed\n", remaining.Round(time.Hour))
+				return nil
+			}
+
+			if ok {
+				fmt.Printf("Certificate expires in %s, renewing\n", remaining.Round(time.Hour))
+			} else {
+				fmt.Println("No valid certificate found, provisioning")
+			}
+
+			token, err := os.ReadFile(tokenPath) //nolint:gosec // operator-supplied path
+			if err != nil {
+				return fmt.Errorf("read token: %w", err)
+			}
+
+			httpClient, err := metacryptClient(caCert)
+			if err != nil {
+				return err
+			}
+
+			certPEM, keyPEM, err := issueCert(httpClient, strings.TrimRight(serverURL, "/"), strings.TrimSpace(string(token)), mount, issuer, hostnames)
+			if err != nil {
+				return err
+			}
+
+			if err := atomicWrite(cfg.Server.TLSCert, []byte(certPEM), 0644); err != nil {
+				return fmt.Errorf("write cert: %w", err)
+			}
+			if err := atomicWrite(cfg.Server.TLSKey, []byte(keyPEM), 0600); err != nil {
+				return fmt.Errorf("write key: %w", err)
+			}
+
+			fmt.Printf("Certificate written to %s\n", cfg.Server.TLSCert)
+			fmt.Printf("Key written to %s\n", cfg.Server.TLSKey)
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVarP(&configPath, "config", "c", "mcns.toml", "path to configuration file")
+	cmd.Flags().StringVar(&serverURL, "server", "", "Metacrypt server URL")
+	cmd.Flags().StringVar(&caCert, "ca-cert", "", "CA certificate for Metacrypt TLS")
+	cmd.Flags().StringVar(&tokenPath, "token", "", "path to MCIAS token file")
+	cmd.Flags().StringVar(&mount, "mount", "pki", "CA engine mount name")
+	cmd.Flags().StringVar(&issuer, "issuer", "infra", "CA issuer name")
+	cmd.Flags().StringSliceVar(&hostnames, "hostname", nil, "SAN hostnames (repeatable, first is CN)")
+
+	return cmd
+}
+
+func issueCert(client *http.Client, serverURL, token, mount, issuer string, hostnames []string) (chainPEM, keyPEM string, err error) {
+	reqBody := map[string]any{
+		"mount":     mount,
+		"operation": "issue",
+		"data": map[string]any{
+			"issuer":      issuer,
+			"common_name": hostnames[0],
+			"dns_names":   hostnames,
+			"profile":     "server",
+			"ttl":         "2160h",
+		},
+	}
+
+	body, err := json.Marshal(reqBody)
+	if err != nil {
+		return "", "", fmt.Errorf("marshal request: %w", err)
+	}
+
+	req, err := http.NewRequest(http.MethodPost, serverURL+"/v1/engine/request", bytes.NewReader(body))
+	if err != nil {
+		return "", "", fmt.Errorf("create request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", "", fmt.Errorf("issue cert: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", "", fmt.Errorf("read response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", "", fmt.Errorf("metacrypt returned %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	var result struct {
+		ChainPEM  string `json:"chain_pem"`
+		KeyPEM    string `json:"key_pem"`
+		Serial    string `json:"serial"`
+		ExpiresAt string `json:"expires_at"`
+	}
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return "", "", fmt.Errorf("parse response: %w", err)
+	}
+
+	if result.ChainPEM == "" || result.KeyPEM == "" {
+		return "", "", fmt.Errorf("response missing chain_pem or key_pem")
+	}
+
+	fmt.Printf("Issued certificate serial=%s expires=%s\n", result.Serial, result.ExpiresAt)
+	return result.ChainPEM, result.KeyPEM, nil
+}
+
+func metacryptClient(caCertPath string) (*http.Client, error) {
+	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS13}
+
+	if caCertPath != "" {
+		pemData, err := os.ReadFile(caCertPath) //nolint:gosec // operator-supplied path
+		if err != nil {
+			return nil, fmt.Errorf("read CA cert: %w", err)
+		}
+		pool := x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(pemData) {
+			return nil, fmt.Errorf("no valid certificates in %s", caCertPath)
+		}
+		tlsCfg.RootCAs = pool
+	}
+
+	return &http.Client{
+		Timeout:   30 * time.Second,
+		Transport: &http.Transport{TLSClientConfig: tlsCfg},
+	}, nil
+}
+
+// certTimeRemaining returns the time until the leaf certificate at
+// path expires. Returns (0, false) if the cert cannot be read or parsed.
+func certTimeRemaining(path string) (time.Duration, bool) {
+	data, err := os.ReadFile(path) //nolint:gosec // operator-supplied path
+	if err != nil {
+		return 0, false
+	}
+
+	block, _ := pem.Decode(data)
+	if block == nil {
+		return 0, false
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return 0, false
+	}
+
+	remaining := time.Until(cert.NotAfter)
+	if remaining <= 0 {
+		return 0, true // expired
+	}
+	return remaining, true
+}
+
+func atomicWrite(path string, data []byte, perm os.FileMode) error {
+	tmp := path + ".tmp"
+	if err := os.WriteFile(tmp, data, perm); err != nil {
+		return fmt.Errorf("write %s: %w", tmp, err)
+	}
+	if err := os.Rename(tmp, path); err != nil {
+		_ = os.Remove(tmp)
+		return fmt.Errorf("rename %s -> %s: %w", tmp, path, err)
+	}
+	return nil
+}
--- a/cmd/mcns/main.go
+++ b/cmd/mcns/main.go
@@ -38,6 +38,7 @@ func main() {
 	root.AddCommand(serverCmd())
 	root.AddCommand(statusCmd())
 	root.AddCommand(snapshotCmd())
+	root.AddCommand(certCmd())

 	if err := root.Execute(); err != nil {
 		os.Exit(1)
--- a/gen/mcns/v1/admin.pb.go
+++ b/gen/mcns/v1/admin.pb.go
@@ -110,7 +110,7 @@ const file_proto_mcns_v1_admin_proto_rawDesc = "" +
 	"\x0eHealthResponse\x12\x16\n" +
 	"\x06status\x18\x01 \x01(\tR\x06status2I\n" +
 	"\fAdminService\x129\n" +
-	"\x06Health\x12\x16.mcns.v1.HealthRequest\x1a\x17.mcns.v1.HealthResponseB/Z-git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
+	"\x06Health\x12\x16.mcns.v1.HealthRequest\x1a\x17.mcns.v1.HealthResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"

 var (
 	file_proto_mcns_v1_admin_proto_rawDescOnce sync.Once
--- a/gen/mcns/v1/auth.pb.go
+++ b/gen/mcns/v1/auth.pb.go
@@ -222,7 +222,7 @@ const file_proto_mcns_v1_auth_proto_rawDesc = "" +
 	"\x0eLogoutResponse2\x80\x01\n" +
 	"\vAuthService\x126\n" +
 	"\x05Login\x12\x15.mcns.v1.LoginRequest\x1a\x16.mcns.v1.LoginResponse\x129\n" +
-	"\x06Logout\x12\x16.mcns.v1.LogoutRequest\x1a\x17.mcns.v1.LogoutResponseB/Z-git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
+	"\x06Logout\x12\x16.mcns.v1.LogoutRequest\x1a\x17.mcns.v1.LogoutResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"

 var (
 	file_proto_mcns_v1_auth_proto_rawDescOnce sync.Once
--- a/gen/mcns/v1/record.pb.go
+++ b/gen/mcns/v1/record.pb.go
@@ -551,7 +551,7 @@ const file_proto_mcns_v1_record_proto_rawDesc = "" +
 	"\fCreateRecord\x12\x1c.mcns.v1.CreateRecordRequest\x1a\x0f.mcns.v1.Record\x127\n" +
 	"\tGetRecord\x12\x19.mcns.v1.GetRecordRequest\x1a\x0f.mcns.v1.Record\x12=\n" +
 	"\fUpdateRecord\x12\x1c.mcns.v1.UpdateRecordRequest\x1a\x0f.mcns.v1.Record\x12K\n" +
-	"\fDeleteRecord\x12\x1c.mcns.v1.DeleteRecordRequest\x1a\x1d.mcns.v1.DeleteRecordResponseB/Z-git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
+	"\fDeleteRecord\x12\x1c.mcns.v1.DeleteRecordRequest\x1a\x1d.mcns.v1.DeleteRecordResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"

 var (
 	file_proto_mcns_v1_record_proto_rawDescOnce sync.Once
--- a/gen/mcns/v1/zone.pb.go
+++ b/gen/mcns/v1/zone.pb.go
@@ -595,7 +595,7 @@ const file_proto_mcns_v1_zone_proto_rawDesc = "" +
 	"\n" +
 	"UpdateZone\x12\x1a.mcns.v1.UpdateZoneRequest\x1a\r.mcns.v1.Zone\x12E\n" +
 	"\n" +
-	"DeleteZone\x12\x1a.mcns.v1.DeleteZoneRequest\x1a\x1b.mcns.v1.DeleteZoneResponseB/Z-git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
+	"DeleteZone\x12\x1a.mcns.v1.DeleteZoneRequest\x1a\x1b.mcns.v1.DeleteZoneResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"

 var (
 	file_proto_mcns_v1_zone_proto_rawDescOnce sync.Once
--- a/internal/grpcserver/handlers_test.go
+++ b/internal/grpcserver/handlers_test.go
@@ -769,6 +769,9 @@ func TestMethodMapCompleteness(t *testing.T) {
 		"/mcns.v1.ZoneService/GetZone",
 		"/mcns.v1.RecordService/ListRecords",
 		"/mcns.v1.RecordService/GetRecord",
+		"/mcns.v1.RecordService/CreateRecord",
+		"/mcns.v1.RecordService/UpdateRecord",
+		"/mcns.v1.RecordService/DeleteRecord",
 	}
 	for _, method := range expectedAuth {
 		if !mm.AuthRequired[method] {
@@ -783,9 +786,6 @@ func TestMethodMapCompleteness(t *testing.T) {
 		"/mcns.v1.ZoneService/CreateZone",
 		"/mcns.v1.ZoneService/UpdateZone",
 		"/mcns.v1.ZoneService/DeleteZone",
-		"/mcns.v1.RecordService/CreateRecord",
-		"/mcns.v1.RecordService/UpdateRecord",
-		"/mcns.v1.RecordService/DeleteRecord",
 	}
 	for _, method := range expectedAdmin {
 		if !mm.AdminRequired[method] {
--- a/internal/grpcserver/interceptors.go
+++ b/internal/grpcserver/interceptors.go
@@ -25,11 +25,14 @@ func publicMethods() map[string]bool {

 func authRequiredMethods() map[string]bool {
 	return map[string]bool{
-		"/mcns.v1.AuthService/Logout":      true,
-		"/mcns.v1.ZoneService/ListZones":   true,
-		"/mcns.v1.ZoneService/GetZone":     true,
-		"/mcns.v1.RecordService/ListRecords": true,
-		"/mcns.v1.RecordService/GetRecord":   true,
+		"/mcns.v1.AuthService/Logout":         true,
+		"/mcns.v1.ZoneService/ListZones":      true,
+		"/mcns.v1.ZoneService/GetZone":        true,
+		"/mcns.v1.RecordService/ListRecords":  true,
+		"/mcns.v1.RecordService/GetRecord":    true,
+		"/mcns.v1.RecordService/CreateRecord": true,
+		"/mcns.v1.RecordService/UpdateRecord": true,
+		"/mcns.v1.RecordService/DeleteRecord": true,
 	}
 }

@@ -38,8 +41,5 @@ func adminRequiredMethods() map[string]bool {
 		"/mcns.v1.ZoneService/CreateZone": true,
 		"/mcns.v1.ZoneService/UpdateZone": true,
 		"/mcns.v1.ZoneService/DeleteZone": true,
-		"/mcns.v1.RecordService/CreateRecord": true,
-		"/mcns.v1.RecordService/UpdateRecord": true,
-		"/mcns.v1.RecordService/DeleteRecord": true,
 	}
 }
--- a/internal/grpcserver/records.go
+++ b/internal/grpcserver/records.go
@@ -10,10 +10,36 @@ import (
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/timestamppb"

+	mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
+	mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
+
 	pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
 	"git.wntrmute.dev/mc/mcns/internal/db"
 )

+// authorizeRecordMutation checks whether the caller may create, update,
+// or delete a DNS record with the given name. The rules are:
+//
+//   - admin role: always allowed
+//   - system account "mcp-agent": allowed for any record name
+//   - system account α: allowed only when recordName == α
+//   - all others: denied
+func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
+	if info == nil {
+		return false
+	}
+	if info.IsAdmin {
+		return true
+	}
+	if info.AccountType != "system" {
+		return false
+	}
+	if info.Username == "mcp-agent" {
+		return true
+	}
+	return recordName == info.Username
+}
+
 type recordService struct {
 	pb.UnimplementedRecordServiceServer
 	db     *db.DB
@@ -55,7 +81,7 @@ func (s *recordService) GetRecord(_ context.Context, req *pb.GetRecordRequest) (
 	return s.recordToProto(*record), nil
 }

-func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
+func (s *recordService) CreateRecord(ctx context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
 	if req.Zone == "" {
 		return nil, status.Error(codes.InvalidArgument, "zone is required")
 	}
@@ -69,6 +95,10 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
 		return nil, status.Error(codes.InvalidArgument, "value is required")
 	}

+	if !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), req.Name) {
+		return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
+	}
+
 	record, err := s.db.CreateRecord(req.Zone, req.Name, req.Type, req.Value, int(req.Ttl))
 	if errors.Is(err, db.ErrNotFound) {
 		return nil, status.Error(codes.NotFound, "zone not found")
@@ -82,7 +112,7 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
 	return s.recordToProto(*record), nil
 }

-func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
+func (s *recordService) UpdateRecord(ctx context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
 	if req.Id <= 0 {
 		return nil, status.Error(codes.InvalidArgument, "id must be positive")
 	}
@@ -96,6 +126,15 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
 		return nil, status.Error(codes.InvalidArgument, "value is required")
 	}

+	info := mcdslgrpc.TokenInfoFromContext(ctx)
+	existing, lookupErr := s.db.GetRecord(req.Id)
+	if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
+		return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
+	}
+	if !authorizeRecordMutation(info, req.Name) {
+		return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
+	}
+
 	record, err := s.db.UpdateRecord(req.Id, req.Name, req.Type, req.Value, int(req.Ttl))
 	if errors.Is(err, db.ErrNotFound) {
 		return nil, status.Error(codes.NotFound, "record not found")
@@ -109,11 +148,16 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
 	return s.recordToProto(*record), nil
 }

-func (s *recordService) DeleteRecord(_ context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
+func (s *recordService) DeleteRecord(ctx context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
 	if req.Id <= 0 {
 		return nil, status.Error(codes.InvalidArgument, "id must be positive")
 	}

+	existing, lookupErr := s.db.GetRecord(req.Id)
+	if lookupErr == nil && !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), existing.Name) {
+		return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
+	}
+
 	err := s.db.DeleteRecord(req.Id)
 	if errors.Is(err, db.ErrNotFound) {
 		return nil, status.Error(codes.NotFound, "record not found")
--- a/internal/server/handlers_test.go
+++ b/internal/server/handlers_test.go
@@ -42,6 +42,7 @@ func createTestZone(t *testing.T, database *db.DB) *db.Zone {
 }

 // newChiRequest builds a request with chi URL params injected into the context.
+// An admin TokenInfo is added so that handler-level authorization passes.
 func newChiRequest(method, target string, body string, params map[string]string) *http.Request {
 	var r *http.Request
 	if body != "" {
@@ -51,14 +52,21 @@ func newChiRequest(method, target string, body string, params map[string]string)
 	}
 	r.Header.Set("Content-Type", "application/json")

+	ctx := r.Context()
 	if len(params) > 0 {
 		rctx := chi.NewRouteContext()
 		for k, v := range params {
 			rctx.URLParams.Add(k, v)
 		}
-		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, rctx))
+		ctx = context.WithValue(ctx, chi.RouteCtxKey, rctx)
 	}
-	return r
+
+	// Inject admin TokenInfo for handler-level authorization.
+	ctx = context.WithValue(ctx, tokenInfoKey, &mcdslauth.TokenInfo{
+		Username: "testadmin",
+		IsAdmin:  true,
+	})
+	return r.WithContext(ctx)
 }

 // decodeJSON decodes the response body into v.
--- a/internal/server/middleware.go
+++ b/internal/server/middleware.go
@@ -48,6 +48,29 @@ func requireAdmin(next http.Handler) http.Handler {
 	})
 }

+// authorizeRecordMutation checks whether the caller may create, update,
+// or delete a DNS record with the given name. The rules are:
+//
+//   - admin role: always allowed
+//   - system account "mcp-agent": allowed for any record name
+//   - system account α: allowed only when recordName == α
+//   - all others: denied
+func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
+	if info == nil {
+		return false
+	}
+	if info.IsAdmin {
+		return true
+	}
+	if info.AccountType != "system" {
+		return false
+	}
+	if info.Username == "mcp-agent" {
+		return true
+	}
+	return recordName == info.Username
+}
+
 // tokenInfoFromContext extracts the TokenInfo from the request context.
 func tokenInfoFromContext(ctx context.Context) *mcdslauth.TokenInfo {
 	info, _ := ctx.Value(tokenInfoKey).(*mcdslauth.TokenInfo)
--- a/internal/server/records.go
+++ b/internal/server/records.go
@@ -86,6 +86,11 @@ func createRecordHandler(database *db.DB) http.HandlerFunc {
 			return
 		}

+		if !authorizeRecordMutation(tokenInfoFromContext(r.Context()), req.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+
 		record, err := database.CreateRecord(zoneName, req.Name, req.Type, req.Value, req.TTL)
 		if errors.Is(err, db.ErrNotFound) {
 			writeError(w, http.StatusNotFound, "zone not found")
@@ -132,6 +137,18 @@ func updateRecordHandler(database *db.DB) http.HandlerFunc {
 			return
 		}

+		// Authorize against both old and new record names.
+		info := tokenInfoFromContext(r.Context())
+		existing, lookupErr := database.GetRecord(id)
+		if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+		if !authorizeRecordMutation(info, req.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+
 		record, err := database.UpdateRecord(id, req.Name, req.Type, req.Value, req.TTL)
 		if errors.Is(err, db.ErrNotFound) {
 			writeError(w, http.StatusNotFound, "record not found")
@@ -159,6 +176,13 @@ func deleteRecordHandler(database *db.DB) http.HandlerFunc {
 			return
 		}

+		// Look up the record to authorize by name.
+		existing, lookupErr := database.GetRecord(id)
+		if lookupErr == nil && !authorizeRecordMutation(tokenInfoFromContext(r.Context()), existing.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+
 		err = database.DeleteRecord(id)
 		if errors.Is(err, db.ErrNotFound) {
 			writeError(w, http.StatusNotFound, "record not found")
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -44,14 +44,14 @@ func NewRouter(deps Deps) *chi.Mux {
 		r.With(requireAdmin).Put("/v1/zones/{zone}", updateZoneHandler(deps.DB))
 		r.With(requireAdmin).Delete("/v1/zones/{zone}", deleteZoneHandler(deps.DB))

-		// Record endpoints — reads for all authenticated users, writes for admin.
+		// Record endpoints — reads for all authenticated users.
 		r.Get("/v1/zones/{zone}/records", listRecordsHandler(deps.DB))
 		r.Get("/v1/zones/{zone}/records/{id}", getRecordHandler(deps.DB))

-		// Admin-only record mutations.
-		r.With(requireAdmin).Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
-		r.With(requireAdmin).Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
-		r.With(requireAdmin).Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
+		// Record mutations — admin, mcp-agent (any name), or system account (own name).
+		r.Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
+		r.Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
+		r.Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
 	})

 	return r
Author	SHA1	Message	Date
Kyle Isom	b2b52c05c3	Add cert command for Metacrypt TLS provisioning Checks the configured TLS certificate: provisions a new one if missing, renews if expiring within 7 days, otherwise reports remaining validity. Calls the Metacrypt CA API directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-29 18:42:39 -07:00
Kyle Isom	07b0744c78	Clean up Dockerfile for rootless podman compatibility Remove USER, VOLUME, and user creation — rootless podman runs as the host user and bind-mounts /srv/mcns directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 15:55:03 -07:00
Kyle Isom	871b1fb8f4	Add record-level authorization for system accounts Record mutations (create, update, delete) no longer require admin role. Authorization rules: - admin: full access (unchanged) - system mcp-agent: create/delete any record - system account α: create/delete records named α only - human users: read-only (unchanged) Zone mutations remain admin-only. Both REST and gRPC paths enforce the same rules. Update checks authorization against both old and new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 15:52:43 -07:00
Kyle Isom	baa058d4a4	Standardize Makefile docker/push targets for MCR Add MCR and VERSION variables. Tag images with full MCR registry URL and version. Add push target that builds then pushes to MCR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 14:32:01 -07:00
Kyle Isom	363c680530	Regenerate proto files for mc/ module path Raw descriptor bytes in .pb.go files were corrupted by the sed-based module path rename (string length changed, breaking protobuf binary encoding). Regenerated with protoc to fix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 02:54:35 -07:00