Sync docs/metacircular.md versions and add undeploy capability

Update version references to match current git tags: MCIAS v1.9.0,
Metacrypt v1.3.1, MCP v0.7.6. Add Phase D (DNS registration) to MCP
status, update RPC/CLI counts, and document undeploy as a first-class
capability. Also sync STATUS.md and packaging-and-deployment.md with
the same version updates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

STATUS.md

@@ -80,7 +80,7 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 
 ### MCAT — Login Policy Tester
 
-- **Version:** v1.1.0.
+- **Version:** v1.1.1.
 - **Phase:** Complete. Diagnostic tool, not core infrastructure.
 - **Deployment:** Available for ad-hoc use. Lightweight tool for testing
   MCIAS login policy rules.
@@ -89,20 +89,21 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 
 ### MCDSL — Standard Library
 
-- **Version:** v1.2.0.
+- **Version:** v1.4.0.
 - **Phase:** Stable. All 9 packages implemented and tested. Being adopted
   across the platform.
 - **Deployment:** N/A (Go library, imported by other services).
 - **Packages:** auth, db, config, httpserver, grpcserver, csrf, web, health,
   archive.
-- **Adoption:** All services except mcias on v1.2.0. mcias pending.
+- **Adoption:** All services except mcias on v1.4.0. mcias pending.
 
 ### MCNS — Networking Service
 
-- **Version:** v1.1.0.
+- **Version:** v1.1.1.
 - **Phase:** Production. Custom Go DNS server replacing CoreDNS precursor.
 - **Deployment:** Running on rift as a container managed by MCP. Serves two
-  authoritative zones plus upstream forwarding.
+  authoritative zones plus upstream forwarding. REST + gRPC APIs with MCIAS
+  auth and name-scoped system account authorization.
 - **Recent work:** v1.0.0 implementation (custom Go DNS server), engineering
   review, deployed to rift replacing CoreDNS.
 - **Artifacts:** Dockerfile, Docker Compose (rift), MCP service definition,
@@ -110,29 +111,28 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 
 ### MCP — Control Plane
 
-- **Version:** v0.3.0.
-- **Phase:** Production. Phases 0-4 complete. Deployed to rift, managing all
-  platform containers.
+- **Version:** v0.7.6.
+- **Phase:** Production. Phases A–D complete (automated port assignment, route
+  registration, TLS cert provisioning, DNS registration).
 - **Deployment:** Running on rift. Agent as systemd service under `mcp` user
   with rootless podman. Manages metacrypt, mc-proxy, mcr, and mcns containers.
 - **Architecture:** Two components — `mcp` CLI (thin client on vade) and
   `mcp-agent` (per-node daemon with SQLite registry, podman management,
-  monitoring with drift/flap detection). gRPC-only (no REST).
-- **Recent work:** Full v1 implementation (12 RPCs, 15 CLI commands),
-  deployment to rift, container migration from kyle→mcp user, service
-  definition authoring.
+  monitoring with drift/flap detection). gRPC-only (no REST). 15 RPCs, 17+
+  CLI commands.
+- **Recent work:** Phase C (automated TLS cert provisioning via Metacrypt CA),
+  Phase D (automated DNS registration via MCNS), undeploy command, logs
+  command, edit command, auto-login to MCR, system account auth model.
 - **Artifacts:** systemd service (NixOS), TLS cert from Metacrypt, service
   definition files, design docs.
 
-### MCDeploy — Deployment CLI
+### MCDoc — Documentation Server
 
-- **Version:** v0.2.0.
-- **Phase:** Active development. Tactical bridge tool for deploying services
-  while MCP is being built.
-- **Deployment:** N/A (local CLI tool, not a server).
-- **Recent work:** Initial implementation, Nix flake.
-- **Description:** Single-binary CLI that shells out to podman/ssh/scp/git
-  for build, push, deploy, cert renewal, and status. TOML-configured.
+- **Version:** v0.1.0.
+- **Phase:** Active development.
+- **Deployment:** Not yet deployed.
+- **Description:** Documentation server — fetches markdown from Gitea, renders
+  HTML, serves public docs via mc-proxy. No MCIAS auth required.
 
 ## Node Inventory
 
@@ -142,6 +142,10 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 
 ## Rift Port Map
 
+Note: Services deployed via MCP receive dynamically assigned host ports
+(10000–60000). The ports below are for infrastructure services with static
+assignments.
+
 | Port | Protocol | Services |
 |------|----------|----------|
 | 53 | DNS (LAN + Tailscale) | mcns |

docs/metacircular.md

@@ -213,7 +213,7 @@ MCIAS evaluates login policy against the service context, verifies credentials,
 and returns a bearer token. The MCIAS Go client library
 (`git.wntrmute.dev/mc/mcias/clients/go`) handles this flow.
 
-**Status:** Implemented. v1.8.0. Feature-complete with active refinement
+**Status:** Implemented. v1.9.0. Feature-complete with active refinement
 (WebAuthn/FIDO2 passkeys, TOTP 2FA, service-context login policies).
 
 ---
@@ -264,7 +264,7 @@ core.
 operations on which engine mounts. Priority-based evaluation, default deny,
 admin bypass. See Metacrypt's `POLICY.md` for the full model.
 
-**Status:** Implemented. v1.1.0. All four engine types complete — CA (with ACME
+**Status:** Implemented. v1.3.1. All four engine types complete — CA (with ACME
 support), SSH CA, transit encryption, and user-to-user encryption.
 
 ---
@@ -421,6 +421,10 @@ each managed node.
   the initial config, pulls the image from MCR, starts the container, and
   pushes a DNS update to MCNS (`α.svc.mcp.metacircular.net` → node address).
 
+- **Undeploy.** Full teardown of a service. Stops the container, removes
+  MC-Proxy routes, deletes DNS records from MCNS, and cleans up the service
+  registry entry. The inverse of deploy.
+
 - **Migrate.** Move a service from one node to another. MCP snapshots the
   service's `/srv/<service>/` directory on the source node (as a tar.zst
   image), transfers it to the destination, extracts it, starts the service,
@@ -478,14 +482,15 @@ services it depends on.
 can deploy them. The systemd unit files exist as a fallback and for bootstrap —
 the long-term deployment model is MCP-managed containers.
 
-**Status:** Implemented. v0.7.2. Deployed on rift managing all platform
+**Status:** Implemented. v0.7.6. Deployed on rift managing all platform
 containers. Route declarations with automatic port allocation (`$PORT` /
 `$PORT_<NAME>` env vars passed to containers). MC-Proxy route registration
 during deploy and stop. Automated TLS cert provisioning for L7 routes via
-Metacrypt CA (Phase C). Two components — `mcp` CLI (operator workstation) and
+Metacrypt CA (Phase C). Automated DNS registration in MCNS during deploy
+and stop (Phase D). Two components — `mcp` CLI (operator workstation) and
 `mcp-agent` (per-node daemon with SQLite registry, rootless Podman,
-monitoring with drift/flap detection). gRPC-only (no REST). 12+ RPCs,
-15+ CLI commands.
+monitoring with drift/flap detection). gRPC-only (no REST). 15 RPCs,
+17+ CLI commands.
 
 ---