Update docs to reflect current implementation status
Metacrypt SSH CA, transit, and user-to-user engines are all implemented (not planned). MCR is at phase 13. MCDSL package list was incomplete. Added mcns (CoreDNS precursor) to project map and dependency graph.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -15,7 +15,8 @@ Metacircular is a multi-service personal infrastructure platform. This root repo
|
|||||||
| `mc-proxy/` | TLS proxy and router — L4 passthrough or L7 terminating, PROXY protocol, firewall | Go |
|
| `mc-proxy/` | TLS proxy and router — L4 passthrough or L7 terminating, PROXY protocol, firewall | Go |
|
||||||
| `mcr/` | OCI container registry — integrated with MCIAS for auth and policy-based push/pull | Go |
|
| `mcr/` | OCI container registry — integrated with MCIAS for auth and policy-based push/pull | Go |
|
||||||
| `mcat/` | MCIAS login policy tester — lightweight web app to test and audit login policies | Go |
|
| `mcat/` | MCIAS login policy tester — lightweight web app to test and audit login policies | Go |
|
||||||
| `mcdsl/` | Standard library — shared packages for auth, db, config, TLS servers, CSRF, snapshots | Go |
|
| `mcdsl/` | Standard library — shared packages for auth, db, config, HTTP/gRPC servers, CSRF, snapshots | Go |
|
||||||
|
| `mcns/` | Networking service — CoreDNS precursor serving internal DNS zones until full MCNS is built | CoreDNS |
|
||||||
| `ca/` | PKI infrastructure and secrets for dev/test (not source code, gitignored) | — |
|
| `ca/` | PKI infrastructure and secrets for dev/test (not source code, gitignored) | — |
|
||||||
|
|
||||||
Each subproject has its own `CLAUDE.md`, `ARCHITECTURE.md`, `Makefile`, and `go.mod`. When working in a subproject, read its own CLAUDE.md first.
|
Each subproject has its own `CLAUDE.md`, `ARCHITECTURE.md`, `Makefile`, and `go.mod`. When working in a subproject, read its own CLAUDE.md first.
|
||||||
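Review bot: the new `mcns/` row's last column reads "CoreDNS", but that column holds the implementation language in every other row (`Go`, or `—` for `ca/`), so a product name there is inconsistent; use `—` as the `ca/` row does, or "Corefile" if the directory holds only configuration. The row also says mcns is "serving internal DNS zones" while the MCNS component's status in the last hunk of this same change is "Not yet implemented", so make the description say what the directory actually contains, e.g. `| \`mcns/\` | CoreDNS precursor config serving internal DNS zones until MCNS is built | — |`.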
@@ -29,6 +30,7 @@ mcias (standalone — no MCIAS dependency)
|
|||||||
├── metacrypt (uses MCIAS for auth)
|
├── metacrypt (uses MCIAS for auth)
|
||||||
├── mc-proxy (uses MCIAS for admin auth)
|
├── mc-proxy (uses MCIAS for admin auth)
|
||||||
├── mcr (uses MCIAS for auth + policy)
|
├── mcr (uses MCIAS for auth + policy)
|
||||||
|
├── mcns (will use MCIAS for auth; CoreDNS precursor for now)
|
||||||
└── mcat (tests MCIAS login policies)
|
└── mcat (tests MCIAS login policies)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|||||||
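Review bot: the added `mcns` node mixes a present-day fact with a future plan in one parenthetical ("will use MCIAS for auth; CoreDNS precursor for now"), so a reader scanning the graph for current MCIAS consumers may count a dependency that does not exist yet; mirror the header's wording and write "mcns (CoreDNS precursor — no MCIAS dependency yet; full MCNS will authenticate via MCIAS)". A sentence under the graph would also help: the last hunk says services can reach MCIAS by a name in the zones this node serves, so at the bootstrap layer the arrow runs the other way, and the startup order (DNS before MCIAS before the rest) should be written down.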
@@ -50,8 +50,9 @@ the spec disagree, one of them has a bug.
|
|||||||
|
|
||||||
Metacircular infrastructure is built from six core components, plus a shared
|
Metacircular infrastructure is built from six core components, plus a shared
|
||||||
standard library (**MCDSL**) that provides the common patterns all services
|
standard library (**MCDSL**) that provides the common patterns all services
|
||||||
depend on (auth integration, database setup, config loading, TLS server
|
depend on (auth integration, database setup, config loading, HTTP/gRPC server
|
||||||
bootstrapping, CSRF, snapshots):
|
bootstrapping, CSRF, web session management, health checks, snapshots, and
|
||||||
|
service directory archiving):
|
||||||
|
|
||||||
- **MCIAS** — Identity and access. The root of trust for all other services.
|
- **MCIAS** — Identity and access. The root of trust for all other services.
|
||||||
Handles authentication, token issuance, role management, and login policy
|
Handles authentication, token issuance, role management, and login policy
|
||||||
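Review bot: the reworded MCDSL parenthetical now names "web session management" and "CSRF" (plus health checks and service directory archiving) but still gives no pointer to where those shared security primitives are specified, and since the sentence says all services depend on them this is the place to cite it; add "see `mcdsl/ARCHITECTURE.md`" after the list, which the project map says every subproject has. Also re-check the unchanged "six core components" count now that mcns appears in both the project map and the dependency graph.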
@@ -220,15 +221,18 @@ HashiCorp Vault.
|
|||||||
support. This is how every service in the platform gets its TLS
|
support. This is how every service in the platform gets its TLS
|
||||||
certificates.
|
certificates.
|
||||||
|
|
||||||
- **SSH CA.** (Planned.) SSH certificate signing for host and user
|
- **SSH CA.** SSH certificate signing for host and user certificates,
|
||||||
certificates, replacing static SSH key management.
|
replacing static SSH key management. Signing profiles, Key Revocation List
|
||||||
|
(KRL) support, gRPC/REST APIs, and web UI.
|
||||||
|
|
||||||
- **Transit encryption.** (Planned.) Encrypt and decrypt data without exposing
|
- **Transit encryption.** Encrypt and decrypt data without exposing keys to
|
||||||
keys to the caller. Envelope encryption for services that need to protect
|
the caller. Symmetric encryption with versioned key management, signing,
|
||||||
|
and HMAC operations. Envelope encryption for services that need to protect
|
||||||
data at rest without managing their own key material.
|
data at rest without managing their own key material.
|
||||||
|
|
||||||
- **User-to-user encryption.** (Planned.) End-to-end encryption between users,
|
- **User-to-user encryption.** End-to-end encryption between users, with key
|
||||||
with key management handled by Metacrypt.
|
management handled by Metacrypt. ECDH key exchange with AES-256-GCM
|
||||||
|
encryption.
|
||||||
|
|
||||||
**Seal/unseal model:** Metacrypt starts sealed. An operator provides a password
|
**Seal/unseal model:** Metacrypt starts sealed. An operator provides a password
|
||||||
which derives (via Argon2id) a key-wrapping key, which decrypts the master
|
which derives (via Argon2id) a key-wrapping key, which decrypts the master
|
||||||
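Review bot: the expanded engine descriptions name algorithms without the parameters a reader needs to judge them. The user-to-user bullet says "ECDH key exchange with AES-256-GCM encryption" but not which curve, how the shared secret becomes the AES key (a KDF, or used raw), or how GCM nonces are chosen; the transit bullet says "versioned key management" without saying whether older versions become decrypt-only after rotation. One clause each would do, e.g. "ECDH (curve X) with HKDF-derived AES-256-GCM keys and random 96-bit nonces" with the curve filled in. The SSH CA bullet should also say where the KRL is published, since a revocation list only takes effect once hosts load it (`RevokedKeys` in `sshd_config`).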
@@ -250,8 +254,8 @@ core.
|
|||||||
operations on which engine mounts. Priority-based evaluation, default deny,
|
operations on which engine mounts. Priority-based evaluation, default deny,
|
||||||
admin bypass. See Metacrypt's `POLICY.md` for the full model.
|
admin bypass. See Metacrypt's `POLICY.md` for the full model.
|
||||||
|
|
||||||
**Status:** Implemented. CA engine complete with ACME support. SSH CA, transit,
|
**Status:** Implemented. All four engine types complete — CA (with ACME
|
||||||
and user-to-user engines planned.
|
support), SSH CA, transit encryption, and user-to-user encryption.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
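Review bot: "All four engine types complete" is a stronger claim than the "Implemented" it replaces and gives the reader no way to check it; for engines that issue certificates and hold key material, say per engine what complete means (tests passing, rotation and revocation paths exercised) or link the per-engine docs the way the unchanged line above links `POLICY.md`. That same unchanged line mentions "admin bypass"; a status line declaring everything complete is where a reviewer looks for the caveat on which identities that bypass covers, so a pointer to that section of `POLICY.md` belongs here.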
@@ -281,7 +285,7 @@ serves the container images that MCP deploys across the platform.
|
|||||||
is scheduled, MCP tells the node's agent which image to pull and where to get
|
is scheduled, MCP tells the node's agent which image to pull and where to get
|
||||||
it. MCR sits behind an MC-Proxy instance for TLS routing.
|
it. MCR sits behind an MC-Proxy instance for TLS routing.
|
||||||
|
|
||||||
**Status:** Implemented. Phase 12 (web UI) complete.
|
**Status:** Implemented. Phase 13 (deployment artifacts) complete.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
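Review bot: "Phase 13 (deployment artifacts) complete" is opaque without the phase plan; say whether 13 is the final phase or what remains, or link the plan in `mcr/` (the project map says each subproject carries its own docs). Since this section also says MCR serves the images MCP deploys and sits behind MC-Proxy for TLS, a one-line note on whether the deployment artifacts reference images by digest rather than tag would be a useful addition at the same spot.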
@@ -370,7 +374,9 @@ services can use stable DNS names in their configs (e.g.,
|
|||||||
`mcias.svc.mcp.metacircular.net` in `[mcias] server_url`) that survive
|
`mcias.svc.mcp.metacircular.net` in `[mcias] server_url`) that survive
|
||||||
migration without config changes.
|
migration without config changes.
|
||||||
|
|
||||||
**Status:** Not yet implemented.
|
**Status:** Not yet implemented. A CoreDNS precursor currently serves the
|
||||||
|
internal zones (`svc.mcp.metacircular.net` and `mcp.metacircular.net`) as an
|
||||||
|
interim solution until the full MCNS service is built.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|||||||
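Review bot: the new status text places the CoreDNS precursor inside the security boundary without saying so: the preceding lines have services reaching MCIAS through `mcias.svc.mcp.metacircular.net`, so whoever can alter the `svc.mcp.metacircular.net` zone can steer authentication traffic. Add a sentence or two on (a) where the zone data lives and how changes to it are reviewed, and (b) that clients still verify the endpoint's certificate against the Metacrypt CA (the name must appear in the SAN), which is the control that keeps a wrong DNS answer from turning into credential exposure.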