diff --git a/CLAUDE.md b/CLAUDE.md index a4701b3..5c225ae 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -15,7 +15,8 @@ Metacircular is a multi-service personal infrastructure platform. This root repo | `mc-proxy/` | TLS proxy and router — L4 passthrough or L7 terminating, PROXY protocol, firewall | Go | | `mcr/` | OCI container registry — integrated with MCIAS for auth and policy-based push/pull | Go | | `mcat/` | MCIAS login policy tester — lightweight web app to test and audit login policies | Go | -| `mcdsl/` | Standard library — shared packages for auth, db, config, TLS servers, CSRF, snapshots | Go | +| `mcdsl/` | Standard library — shared packages for auth, db, config, HTTP/gRPC servers, CSRF, snapshots | Go | +| `mcns/` | Networking service — CoreDNS precursor serving internal DNS zones until full MCNS is built | CoreDNS | | `ca/` | PKI infrastructure and secrets for dev/test (not source code, gitignored) | — | Each subproject has its own `CLAUDE.md`, `ARCHITECTURE.md`, `Makefile`, and `go.mod`. When working in a subproject, read its own CLAUDE.md first. @@ -29,6 +30,7 @@ mcias (standalone — no MCIAS dependency) ├── metacrypt (uses MCIAS for auth) ├── mc-proxy (uses MCIAS for admin auth) ├── mcr (uses MCIAS for auth + policy) + ├── mcns (will use MCIAS for auth; CoreDNS precursor for now) └── mcat (tests MCIAS login policies) ``` diff --git a/docs/metacircular.md b/docs/metacircular.md index af8b46c..337288c 100644 --- a/docs/metacircular.md +++ b/docs/metacircular.md 
@@ -50,8 +50,9 @@ the spec disagree, one of them has a bug. Metacircular infrastructure is built from six core components, plus a shared standard library (**MCDSL**) that provides the common patterns all services -depend on (auth integration, database setup, config loading, TLS server -bootstrapping, CSRF, snapshots): +depend on (auth integration, database setup, config loading, HTTP/gRPC server +bootstrapping, CSRF, web session management, health checks, snapshots, and +service directory archiving): - **MCIAS** — Identity and access. The root of trust for all other services. Handles authentication, token issuance, role management, and login policy @@ -220,15 +221,18 @@ HashiCorp Vault. support. This is how every service in the platform gets its TLS certificates. -- **SSH CA.** (Planned.) SSH certificate signing for host and user - certificates, replacing static SSH key management. +- **SSH CA.** SSH certificate signing for host and user certificates, + replacing static SSH key management. Signing profiles, Key Revocation List + (KRL) support, gRPC/REST APIs, and web UI. -- **Transit encryption.** (Planned.) Encrypt and decrypt data without exposing - keys to the caller. Envelope encryption for services that need to protect +- **Transit encryption.** Encrypt and decrypt data without exposing keys to + the caller. Symmetric encryption with versioned key management, signing, + and HMAC operations. Envelope encryption for services that need to protect data at rest without managing their own key material. -- **User-to-user encryption.** (Planned.) End-to-end encryption between users, - with key management handled by Metacrypt. +- **User-to-user encryption.** End-to-end encryption between users, with key + management handled by Metacrypt. ECDH key exchange with AES-256-GCM + encryption. **Seal/unseal model:** Metacrypt starts sealed. An operator provides a password which derives (via Argon2id) a key-wrapping key, which decrypts the master 
@@ -250,8 +254,8 @@ core. operations on which engine mounts. Priority-based evaluation, default deny, admin bypass. See Metacrypt's `POLICY.md` for the full model. -**Status:** Implemented. CA engine complete with ACME support. SSH CA, transit, -and user-to-user engines planned. +**Status:** Implemented. All four engine types complete — CA (with ACME +support), SSH CA, transit encryption, and user-to-user encryption. --- @@ -281,7 +285,7 @@ serves the container images that MCP deploys across the platform. is scheduled, MCP tells the node's agent which image to pull and where to get it. MCR sits behind an MC-Proxy instance for TLS routing. -**Status:** Implemented. Phase 12 (web UI) complete. +**Status:** Implemented. Phase 13 (deployment artifacts) complete. --- @@ -370,7 +374,9 @@ services can use stable DNS names in their configs (e.g., `mcias.svc.mcp.metacircular.net` in `[mcias] server_url`) that survive migration without config changes. -**Status:** Not yet implemented. +**Status:** Not yet implemented. A CoreDNS precursor currently serves the +internal zones (`svc.mcp.metacircular.net` and `mcp.metacircular.net`) as an +interim solution until the full MCNS service is built. ---
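Review bot: in the CLAUDE.md table hunk (`@@ -15,7 +15,8 @@`), the new `mcns/` row lists its language as "CoreDNS", i.e. configuration rather than Go, but the unchanged sentence right below the table still says "Each subproject has its own `CLAUDE.md`, `ARCHITECTURE.md`, `Makefile`, and `go.mod`", which no longer holds for a CoreDNS precursor with no Go module. Suggest qualifying that sentence (for example "Each Go subproject has its own …; `mcns/` holds only CoreDNS configuration") or noting the exception in the row. The same hunk changes the `mcdsl/` description to "HTTP/gRPC servers, CSRF, snapshots" while the docs/metacircular.md hunk in this patch describes the same library with a longer list (web session management, health checks, service directory archiving); the two descriptions should agree so readers are not left guessing which one is current.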
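Review bot: the dependency tree hunk (`@@ -29,6 +30,7 @@`) places `mcns` under `mcias` as a dependent, but its own parenthetical says it only "will use MCIAS for auth" and is a "CoreDNS precursor for now", so today it has no MCIAS dependency at all. Readers use this tree to judge start-up order and what fails when MCIAS is down, so a planned edge should not look like a live one. Suggest either marking the entry "(planned)" in the tree itself or leaving `mcns` out of the tree until the dependency exists.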
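Review bot: the engine bullets hunk (`@@ -220,15 +221,18 @@`) promotes three engines from "(Planned.)" to implemented, but the new text leaves out the details a reader needs to assess them. The user-to-user bullet says "ECDH key exchange with AES-256-GCM encryption" and "key management handled by Metacrypt" without naming the curve or stating where users' private keys live; if Metacrypt holds the private keys, "end-to-end" overstates what the description supports, and the reader cannot tell whether the server can decrypt. Suggest naming the curve the engine actually implements (e.g. X25519 or P-256, whichever it is) and saying explicitly whether private keys are generated and kept client-side or inside the sealed store. The transit bullet names no cipher or mode at all ("Symmetric encryption with versioned key management"); suggest stating the AEAD used and that nonces are generated by the engine rather than supplied by callers, since nonce reuse is the failure mode that matters for that construction. The SSH CA bullet mentions KRL support; a sentence on how the KRL reaches hosts (pull interval or push) would complete it.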
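Review bot: the MCR status hunk (`@@ -281,7 +285,7 @@`) replaces "Phase 12 (web UI) complete" with "Phase 13 (deployment artifacts) complete", but phase numbers carry no meaning for a reader who does not have the roadmap in front of them. Suggest linking the phase to wherever the phases are defined (MCR's own `CLAUDE.md` or `ARCHITECTURE.md`, per the conventions this patch's CLAUDE.md hunk describes) or summarising what "deployment artifacts" delivered in one clause.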
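Review bot: the MCNS status hunk (`@@ -370,7 +374,9 @@`) now reads "Not yet implemented" and, in the same paragraph, that a CoreDNS precursor is serving the internal zones, which is contradictory as a status line. Suggest "**Status:** Interim. A CoreDNS precursor serves `svc.mcp.metacircular.net` and `mcp.metacircular.net`; the full MCNS service is not yet implemented", and cross-reference the `mcns/` directory added to the CLAUDE.md table in this same patch so readers know where the zone configuration lives. Given that the unchanged context above says services put names such as `mcias.svc.mcp.metacircular.net` in their configs, the doc should also state who can change records in the precursor's zones and how that is controlled, because whoever controls those zones controls where every service's MCIAS endpoint resolves; the "will use MCIAS for auth" intent in the CLAUDE.md tree hunk is the natural place to describe the interim control.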