Kyle Isom 9d7043a594 Block guest accounts from web UI login
The web UI now validates the MCIAS token after login and rejects
accounts with the guest role before setting the session cookie.
This is defense-in-depth alongside the env:restricted MCIAS tag.

The webserver.New() constructor takes a new ValidateFunc parameter
that inspects token roles post-authentication. MCIAS login does not
return roles, so this requires an extra ValidateToken round-trip at
login time (result is cached for 30s).

Security: guest role accounts are denied web UI access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 23:02:22 -07:00
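
The login gate described in the commit message above, as an added Go sketch (not MCR's code): roles are checked after authentication and before any session cookie exists, with the lookup cached for a short TTL. The `ValidateFunc` signature, the `Cached` and `SessionCookie` helpers, the cookie name and the literal role string "guest" are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// ValidateFunc (hypothetical signature) returns the roles bound to a token.
type ValidateFunc func(token string) ([]string, error)

var ErrGuest = errors.New("guest role may not use the web UI")

// Cached reuses a successful lookup for ttl; errors are never cached.
func Cached(v ValidateFunc, ttl time.Duration) ValidateFunc {
	type entry struct{ roles []string; exp time.Time }
	var cache sync.Map // token -> entry; eviction omitted in this sketch
	return func(tok string) ([]string, error) {
		if e, ok := cache.Load(tok); ok && time.Now().Before(e.(entry).exp) {
			return e.(entry).roles, nil
		}
		roles, err := v(tok)
		if err == nil {
			cache.Store(tok, entry{roles, time.Now().Add(ttl)})
		}
		return roles, err
	}
}

// SessionCookie fails closed: nil unless validation succeeded without "guest".
func SessionCookie(tok string, v ValidateFunc) (*http.Cookie, error) {
	roles, err := v(tok)
	if err != nil {
		return nil, err
	}
	for _, r := range roles {
		if r == "guest" {
			return nil, ErrGuest
		}
	}
	return &http.Cookie{Name: "session", Value: tok, HttpOnly: true, Secure: true}, nil
}

func main() {
	// Constructed validator standing in for the identity service round-trip.
	guest := func(string) ([]string, error) { return []string{"user", "guest"}, nil }
	fmt.Println(SessionCookie("constructed-token", Cached(guest, 30*time.Second)))
}
```

In this sketch a validation error and a guest role both return a nil cookie, so a login handler that only calls `http.SetCookie` on a non-nil result cannot issue a session for either case.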

MCR

Metacircular Container Registry -- an OCI Distribution Spec-compliant container registry for the Metacircular platform. MCR stores and serves container images with authentication delegated to MCIAS and a local policy engine for fine-grained access control. Metadata is stored in SQLite; blobs are stored as content-addressed files on the filesystem.

Quick Start

Build the binaries:

make all

This produces three binaries:

Binary    Purpose
mcrsrv    Registry server (OCI + admin REST + gRPC)
mcr-web   Web UI (htmx, communicates with mcrsrv via gRPC)
mcrctl    Admin CLI

Copy and edit the example configuration:

cp deploy/examples/mcr.toml /srv/mcr/mcr.toml
# Edit TLS paths, database path, storage paths, MCIAS URL

Run the server:

./mcrsrv server --config /srv/mcr/mcr.toml

The server starts two listeners:

Port   Protocol   Purpose
8443   TCP        HTTPS -- OCI Distribution endpoints + admin REST API
9443   TCP        gRPC admin API (TLS, MCIAS auth)

Run the web UI:

./mcr-web server --config /srv/mcr/mcr.toml

Port   Protocol   Purpose
8080   TCP        HTTP -- web UI (repository browsing, policy management)

Documentation

  • ARCHITECTURE.md -- full technical specification, OCI compliance details, database schema, policy engine, and security model.
  • RUNBOOK.md -- operational procedures, health checks, backup/restore, incident response, and MCP deployment.
  • CLAUDE.md -- context for AI-assisted development.