Phase 1: config loading, database migrations, audit log

- internal/config: TOML config with env overrides (MCR_ prefix),
  required field validation, same-filesystem check, defaults
- internal/db: SQLite via modernc.org/sqlite, WAL mode, 2 migrations
  (core registry tables + policy/audit), foreign key cascades
- internal/db: audit log write/list with filtering and pagination
- deploy/examples/mcr.toml: annotated example configuration
- .golangci.yaml: disable fieldalignment (readability over micro-opt)
- checkpoint skill copied from mcias

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/config/config.go

@@ -0,0 +1,212 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/pelletier/go-toml/v2"
+)
+
+// Config is the top-level MCR configuration.
+type Config struct {
+	Server   ServerConfig   `toml:"server"`
+	Database DatabaseConfig `toml:"database"`
+	Storage  StorageConfig  `toml:"storage"`
+	MCIAS    MCIASConfig    `toml:"mcias"`
+	Web      WebConfig      `toml:"web"`
+	Log      LogConfig      `toml:"log"`
+}
+
+type ServerConfig struct {
+	ListenAddr      string        `toml:"listen_addr"`
+	GRPCAddr        string        `toml:"grpc_addr"`
+	TLSCert         string        `toml:"tls_cert"`
+	TLSKey          string        `toml:"tls_key"`
+	ReadTimeout     time.Duration `toml:"read_timeout"`
+	WriteTimeout    time.Duration `toml:"write_timeout"`
+	IdleTimeout     time.Duration `toml:"idle_timeout"`
+	ShutdownTimeout time.Duration `toml:"shutdown_timeout"`
+}
+
+type DatabaseConfig struct {
+	Path string `toml:"path"`
+}
+
+type StorageConfig struct {
+	LayersPath  string `toml:"layers_path"`
+	UploadsPath string `toml:"uploads_path"`
+}
+
+type MCIASConfig struct {
+	ServerURL   string   `toml:"server_url"`
+	CACert      string   `toml:"ca_cert"`
+	ServiceName string   `toml:"service_name"`
+	Tags        []string `toml:"tags"`
+}
+
+type WebConfig struct {
+	ListenAddr string `toml:"listen_addr"`
+	GRPCAddr   string `toml:"grpc_addr"`
+	CACert     string `toml:"ca_cert"`
+}
+
+type LogConfig struct {
+	Level string `toml:"level"`
+}
+
+// Load reads a TOML config file, applies environment variable overrides,
+// sets defaults, and validates required fields.
+func Load(path string) (*Config, error) {
+	data, err := os.ReadFile(path) //nolint:gosec // config path is operator-supplied, not user input
+	if err != nil {
+		return nil, fmt.Errorf("config: read %s: %w", path, err)
+	}
+
+	var cfg Config
+	if err := toml.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("config: parse %s: %w", path, err)
+	}
+
+	applyEnvOverrides(&cfg)
+	applyDefaults(&cfg)
+
+	if err := validate(&cfg); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
+
+func applyDefaults(cfg *Config) {
+	if cfg.Server.ReadTimeout == 0 {
+		cfg.Server.ReadTimeout = 30 * time.Second
+	}
+	// WriteTimeout defaults to 0 (disabled) — no action needed.
+	if cfg.Server.IdleTimeout == 0 {
+		cfg.Server.IdleTimeout = 120 * time.Second
+	}
+	if cfg.Server.ShutdownTimeout == 0 {
+		cfg.Server.ShutdownTimeout = 60 * time.Second
+	}
+	if cfg.Storage.UploadsPath == "" && cfg.Storage.LayersPath != "" {
+		cfg.Storage.UploadsPath = filepath.Join(filepath.Dir(cfg.Storage.LayersPath), "uploads")
+	}
+	if cfg.Log.Level == "" {
+		cfg.Log.Level = "info"
+	}
+}
+
+func validate(cfg *Config) error {
+	required := []struct {
+		name  string
+		value string
+	}{
+		{"server.listen_addr", cfg.Server.ListenAddr},
+		{"server.tls_cert", cfg.Server.TLSCert},
+		{"server.tls_key", cfg.Server.TLSKey},
+		{"database.path", cfg.Database.Path},
+		{"storage.layers_path", cfg.Storage.LayersPath},
+		{"mcias.server_url", cfg.MCIAS.ServerURL},
+	}
+
+	for _, r := range required {
+		if r.value == "" {
+			return fmt.Errorf("config: required field %q is missing", r.name)
+		}
+	}
+
+	return validateSameFilesystem(cfg.Storage.LayersPath, cfg.Storage.UploadsPath)
+}
+
+// validateSameFilesystem checks that two paths reside on the same filesystem
+// by comparing device IDs. If either path does not exist yet, it checks the
+// nearest existing parent directory.
+func validateSameFilesystem(layersPath, uploadsPath string) error {
+	layersDev, err := deviceID(layersPath)
+	if err != nil {
+		return fmt.Errorf("config: stat layers_path: %w", err)
+	}
+
+	uploadsDev, err := deviceID(uploadsPath)
+	if err != nil {
+		return fmt.Errorf("config: stat uploads_path: %w", err)
+	}
+
+	if layersDev != uploadsDev {
+		return fmt.Errorf("config: storage.layers_path and storage.uploads_path must be on the same filesystem")
+	}
+
+	return nil
+}
+
+// deviceID returns the device ID for the given path. If the path does not
+// exist, it walks up to the nearest existing parent.
+func deviceID(path string) (uint64, error) {
+	p := filepath.Clean(path)
+	for {
+		info, err := os.Stat(p)
+		if err == nil {
+			return extractDeviceID(info)
+		}
+		if !os.IsNotExist(err) {
+			return 0, err
+		}
+		parent := filepath.Dir(p)
+		if parent == p {
+			return 0, fmt.Errorf("no existing parent for %s", path)
+		}
+		p = parent
+	}
+}
+
+// applyEnvOverrides walks the Config struct and overrides fields from
+// environment variables with the MCR_ prefix. For example,
+// MCR_SERVER_LISTEN_ADDR overrides Config.Server.ListenAddr.
+func applyEnvOverrides(cfg *Config) {
+	applyEnvToStruct(reflect.ValueOf(cfg).Elem(), "MCR")
+}
+
+func applyEnvToStruct(v reflect.Value, prefix string) {
+	t := v.Type()
+	for i := range t.NumField() {
+		field := t.Field(i)
+		fv := v.Field(i)
+
+		tag := field.Tag.Get("toml")
+		if tag == "" || tag == "-" {
+			continue
+		}
+		envKey := prefix + "_" + strings.ToUpper(tag)
+
+		if field.Type.Kind() == reflect.Struct {
+			applyEnvToStruct(fv, envKey)
+			continue
+		}
+
+		envVal, ok := os.LookupEnv(envKey)
+		if !ok {
+			continue
+		}
+
+		switch fv.Kind() {
+		case reflect.String:
+			fv.SetString(envVal)
+		case reflect.Int64:
+			if field.Type == reflect.TypeOf(time.Duration(0)) {
+				d, err := time.ParseDuration(envVal)
+				if err == nil {
+					fv.Set(reflect.ValueOf(d))
+				}
+			}
+		case reflect.Slice:
+			if field.Type.Elem().Kind() == reflect.String {
+				parts := strings.Split(envVal, ",")
+				fv.Set(reflect.ValueOf(parts))
+			}
+		}
+	}
+}

internal/config/config_test.go

@@ -0,0 +1,279 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const validTOML = `
+[server]
+listen_addr = ":8443"
+tls_cert = "/srv/mcr/certs/cert.pem"
+tls_key = "/srv/mcr/certs/key.pem"
+
+[database]
+path = "/srv/mcr/mcr.db"
+
+[storage]
+layers_path = "/srv/mcr/layers"
+uploads_path = "/srv/mcr/uploads"
+
+[mcias]
+server_url = "https://mcias.metacircular.net:8443"
+service_name = "mcr"
+tags = ["env:restricted"]
+
+[log]
+level = "debug"
+`
+
+func writeConfig(t *testing.T, content string) string {
+	t.Helper()
+	dir := t.TempDir()
+	path := filepath.Join(dir, "mcr.toml")
+	if err := os.WriteFile(path, []byte(content), 0600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+	return path
+}
+
+func TestLoadValidConfig(t *testing.T) {
+	path := writeConfig(t, validTOML)
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+
+	if cfg.Server.ListenAddr != ":8443" {
+		t.Fatalf("listen_addr: got %q, want %q", cfg.Server.ListenAddr, ":8443")
+	}
+	if cfg.MCIAS.ServiceName != "mcr" {
+		t.Fatalf("service_name: got %q, want %q", cfg.MCIAS.ServiceName, "mcr")
+	}
+	if len(cfg.MCIAS.Tags) != 1 || cfg.MCIAS.Tags[0] != "env:restricted" {
+		t.Fatalf("tags: got %v, want [env:restricted]", cfg.MCIAS.Tags)
+	}
+	if cfg.Log.Level != "debug" {
+		t.Fatalf("log.level: got %q, want %q", cfg.Log.Level, "debug")
+	}
+}
+
+func TestLoadDefaults(t *testing.T) {
+	path := writeConfig(t, validTOML)
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+
+	if cfg.Server.ReadTimeout.Seconds() != 30 {
+		t.Fatalf("read_timeout: got %v, want 30s", cfg.Server.ReadTimeout)
+	}
+	if cfg.Server.WriteTimeout != 0 {
+		t.Fatalf("write_timeout: got %v, want 0", cfg.Server.WriteTimeout)
+	}
+	if cfg.Server.IdleTimeout.Seconds() != 120 {
+		t.Fatalf("idle_timeout: got %v, want 120s", cfg.Server.IdleTimeout)
+	}
+	if cfg.Server.ShutdownTimeout.Seconds() != 60 {
+		t.Fatalf("shutdown_timeout: got %v, want 60s", cfg.Server.ShutdownTimeout)
+	}
+}
+
+func TestLoadUploadsPathDefault(t *testing.T) {
+	toml := `
+[server]
+listen_addr = ":8443"
+tls_cert = "/srv/mcr/certs/cert.pem"
+tls_key = "/srv/mcr/certs/key.pem"
+
+[database]
+path = "/srv/mcr/mcr.db"
+
+[storage]
+layers_path = "/srv/mcr/layers"
+
+[mcias]
+server_url = "https://mcias.metacircular.net:8443"
+`
+	path := writeConfig(t, toml)
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+
+	want := filepath.Join(filepath.Dir("/srv/mcr/layers"), "uploads")
+	if cfg.Storage.UploadsPath != want {
+		t.Fatalf("uploads_path: got %q, want %q", cfg.Storage.UploadsPath, want)
+	}
+}
+
+func TestLoadMissingRequiredFields(t *testing.T) {
+	tests := []struct {
+		name string
+		toml string
+		want string
+	}{
+		{
+			name: "missing listen_addr",
+			toml: `
+[server]
+tls_cert = "/c"
+tls_key = "/k"
+[database]
+path = "/d"
+[storage]
+layers_path = "/l"
+[mcias]
+server_url = "https://m"
+`,
+			want: "server.listen_addr",
+		},
+		{
+			name: "missing tls_cert",
+			toml: `
+[server]
+listen_addr = ":8443"
+tls_key = "/k"
+[database]
+path = "/d"
+[storage]
+layers_path = "/l"
+[mcias]
+server_url = "https://m"
+`,
+			want: "server.tls_cert",
+		},
+		{
+			name: "missing database.path",
+			toml: `
+[server]
+listen_addr = ":8443"
+tls_cert = "/c"
+tls_key = "/k"
+[storage]
+layers_path = "/l"
+[mcias]
+server_url = "https://m"
+`,
+			want: "database.path",
+		},
+		{
+			name: "missing storage.layers_path",
+			toml: `
+[server]
+listen_addr = ":8443"
+tls_cert = "/c"
+tls_key = "/k"
+[database]
+path = "/d"
+[mcias]
+server_url = "https://m"
+`,
+			want: "storage.layers_path",
+		},
+		{
+			name: "missing mcias.server_url",
+			toml: `
+[server]
+listen_addr = ":8443"
+tls_cert = "/c"
+tls_key = "/k"
+[database]
+path = "/d"
+[storage]
+layers_path = "/l"
+`,
+			want: "mcias.server_url",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path := writeConfig(t, tt.toml)
+			_, err := Load(path)
+			if err == nil {
+				t.Fatal("expected error, got nil")
+			}
+			if got := err.Error(); !contains(got, tt.want) {
+				t.Fatalf("error %q does not mention %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestEnvOverride(t *testing.T) {
+	path := writeConfig(t, validTOML)
+
+	t.Setenv("MCR_SERVER_LISTEN_ADDR", ":9999")
+	t.Setenv("MCR_LOG_LEVEL", "warn")
+
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+
+	if cfg.Server.ListenAddr != ":9999" {
+		t.Fatalf("listen_addr: got %q, want %q", cfg.Server.ListenAddr, ":9999")
+	}
+	if cfg.Log.Level != "warn" {
+		t.Fatalf("log.level: got %q, want %q", cfg.Log.Level, "warn")
+	}
+}
+
+func TestEnvOverrideDuration(t *testing.T) {
+	path := writeConfig(t, validTOML)
+
+	t.Setenv("MCR_SERVER_READ_TIMEOUT", "5s")
+
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+
+	if cfg.Server.ReadTimeout.Seconds() != 5 {
+		t.Fatalf("read_timeout: got %v, want 5s", cfg.Server.ReadTimeout)
+	}
+}
+
+func TestSameFilesystemCheck(t *testing.T) {
+	dir := t.TempDir()
+	layersPath := filepath.Join(dir, "layers")
+	uploadsPath := filepath.Join(dir, "uploads")
+
+	// Both under the same tmpdir → same filesystem.
+	toml := `
+[server]
+listen_addr = ":8443"
+tls_cert = "/srv/mcr/certs/cert.pem"
+tls_key = "/srv/mcr/certs/key.pem"
+
+[database]
+path = "/srv/mcr/mcr.db"
+
+[storage]
+layers_path = "` + layersPath + `"
+uploads_path = "` + uploadsPath + `"
+
+[mcias]
+server_url = "https://mcias.metacircular.net:8443"
+`
+	path := writeConfig(t, toml)
+	_, err := Load(path)
+	if err != nil {
+		t.Fatalf("expected same-filesystem check to pass: %v", err)
+	}
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && searchString(s, substr)
+}
+
+func searchString(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}

internal/config/device_linux.go

@@ -0,0 +1,15 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+func extractDeviceID(info os.FileInfo) (uint64, error) {
+	stat, ok := info.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, fmt.Errorf("unable to get device ID: unsupported file info type")
+	}
+	return stat.Dev, nil
+}