New agent RPCs for v2 multi-node orchestration:
- SetupEdgeRoute: provisions TLS cert from Metacrypt, resolves backend
hostname to Tailnet IP, validates it's in 100.64.0.0/10, registers
L7 route in mc-proxy. Rejects backend_tls=false.
- RemoveEdgeRoute: removes mc-proxy route, cleans up TLS cert, removes
registry entry.
- ListEdgeRoutes: returns all edge routes with cert serial/expiry.
- HealthCheck: returns agent health and container count.
New database table (migration 4): edge_routes stores hostname, backend
info, and cert paths for persistence across agent restarts.
ProxyRouter gains CertPath/KeyPath helpers for consistent cert path
construction.
Security:
- Backend hostname must resolve to a Tailnet IP (100.64.0.0/10)
- backend_tls=false is rejected (no cleartext to backends)
- Cert provisioning failure fails the setup (no route to missing cert)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New top-level command with list, add, remove subcommands. Supports
-n/--node to target a specific node. Adds AddProxyRoute and
RemoveProxyRoute RPCs to the agent. Moves route listing from
mcp node routes to mcp route list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mcp dns queries MCNS via an agent to list all zones and DNS records.
mcp node routes queries mc-proxy on each node for listener/route status,
matching the mcproxyctl status output format.
New agent RPCs: ListDNSRecords, ListProxyRoutes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All import paths updated to git.wntrmute.dev/mc/. Bumps mcdsl to v1.2.0,
mc-proxy to v1.1.0.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The agent connects to mc-proxy via Unix socket and automatically
registers/removes routes during deploy and stop. This eliminates
manual mcproxyctl usage or TOML editing.
- New ProxyRouter abstraction wraps mc-proxy client library
- Deploy: after container starts, registers routes with mc-proxy
using host ports from the registry
- Stop: removes routes from mc-proxy before stopping container
- Config: [mcproxy] section with socket path and cert_dir
- Nil-safe: if mc-proxy socket not configured, route registration
is silently skipped (backward compatible)
- L7 routes use certs from convention path (<cert_dir>/<service>.pem)
- L4 routes use TLS passthrough (backend_tls=true)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
