The gRPC client was not sending the authorization header, causing
"missing authorization header" errors even when a token was configured.
Also fix config test to isolate from real ~/.config/mcrctl.toml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Loads defaults from ~/.config/mcrctl.toml (or XDG_CONFIG_HOME).
Resolution order: flag > env (MCR_TOKEN) > config file.
Adds --config flag to specify an explicit path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Client-side purge that keeps the last N tags per repository (excluding
latest) and deletes older manifests. Uses existing MCR APIs — no new
server RPCs needed.
Server-side: added updated_at to TagInfo struct and GetRepositoryDetail
query so tags can be sorted by recency.
Usage: mcrctl purge --keep 3 --dry-run --gc
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Phase 11 implements the admin CLI with dual REST/gRPC transport,
global flags (--server, --grpc, --token, --ca-cert, --json), and
all commands: status, repo list/delete, policy CRUD, audit tail,
gc trigger/status/reconcile, and snapshot.
Phase 12 implements the HTMX web UI with chi router, session-based
auth (HttpOnly/Secure/SameSite=Strict cookies), CSRF protection
(HMAC-SHA256 signed double-submit), and pages for dashboard,
repositories, manifest detail, policy management, and audit log.
Security: CSRF via signed double-submit cookie, session cookies
with HttpOnly/Secure/SameSite=Strict, TLS 1.3 minimum on all
connections, form body size limits via http.MaxBytesReader.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
