Add undeploy command: full inverse of deploy

Implements `mcp undeploy <service>` which tears down all infrastructure for a service: removes mc-proxy routes, DNS records, TLS certificates, stops and removes containers, releases allocated ports, and marks the service inactive. This fills the gap between `stop` (temporary pause) and `purge` (registry cleanup). Undeploy is the complete teardown that returns the node to the state before the service was deployed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 21:45:42 -07:00
parent b2eaa69619
commit f932dd64cc
8 changed files with 610 additions and 150 deletions
--- a/internal/agent/certs.go
+++ b/internal/agent/certs.go
@@ -176,6 +176,25 @@ func (p *CertProvisioner) issueCert(ctx context.Context, serviceName, commonName
 	return nil
 }

+// RemoveCert removes TLS certificate and key files for a service.
+func (p *CertProvisioner) RemoveCert(serviceName string) error {
+	if p == nil {
+		return nil
+	}
+
+	certPath := filepath.Join(p.certDir, serviceName+".pem")
+	keyPath := filepath.Join(p.certDir, serviceName+".key")
+
+	for _, path := range []string{certPath, keyPath} {
+		if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("remove %s: %w", path, err)
+		}
+	}
+
+	p.logger.Info("cert removed", "service", serviceName)
+	return nil
+}
+
 // certTimeRemaining returns the time until the leaf certificate at
 // path expires. Returns (0, false) if the cert cannot be read or parsed.
 func certTimeRemaining(path string) (time.Duration, bool) {