@@ -48,11 +48,11 @@ the spec disagree, one of them has a bug.
## High-Level Overview ## High-Level Overview
Metacircular infrastructure is built from six core components and a
Metacircular infrastructure is built from six core components, plus a shared
documentation server, plus a shared standard library (**MCDSL**) that providesstandard library (**MCDSL**) that provides the common patterns all services
the common patterns all services depend on (auth integration, database setup,depend on (auth integration, database setup, config loading, HTTP/gRPC server
config loading, HTTP/gRPC server bootstrapping, CSRF, web session management,bootstrapping, CSRF, web session management, health checks, snapshots, and
health checks, snapshots, and service directory archiving):service directory archiving):
- **MCIAS** — Identity and access. The root of trust for all other services.- **MCIAS** — Identity and access. The root of trust for all other services.
Handles authentication, token issuance, role management, and login policy
Handles authentication, token issuance, role management, and login policy
@@ -75,10 +75,6 @@ health checks, snapshots, and service directory archiving):
accepts outside connections, and routes them to the correct service — either
accepts outside connections, and routes them to the correct service — either
as raw TCP passthrough or via TLS-terminating HTTP/2 reverse proxy.
as raw TCP passthrough or via TLS-terminating HTTP/2 reverse proxy.
- **MCDoc** — Documentation server. Fetches markdown from Gitea repositories,
renders HTML with syntax highlighting, serves a navigable documentation site.
Public-facing, no MCIAS authentication required.
These components form a dependency graph rooted at MCIAS:
These components form a dependency graph rooted at MCIAS:
``` ```
@@ -208,7 +204,7 @@ MCIAS evaluates login policy against the service context, verifies credentials,
and returns a bearer token. The MCIAS Go client library
and returns a bearer token. The MCIAS Go client library
(`git.wntrmute.dev/mc/mcias/clients/go` ) handles this flow.
(`git.wntrmute.dev/mc/mcias/clients/go` ) handles this flow.
**Status: ** Implemented. v1.8 .0. Feature-complete with active refinement**Status: ** Implemented. v1.7 .0. Feature-complete with active refinement
(WebAuthn/FIDO2 passkeys, TOTP 2FA, service-context login policies).
(WebAuthn/FIDO2 passkeys, TOTP 2FA, service-context login policies).
---
---
@@ -259,7 +255,7 @@ core.
operations on which engine mounts. Priority-based evaluation, default deny,
operations on which engine mounts. Priority-based evaluation, default deny,
admin bypass. See Metacrypt's `POLICY.md` for the full model.
admin bypass. See Metacrypt's `POLICY.md` for the full model.
**Status: ** Implemented. v1.1.0. All four engine types complete — CA (with ACME**Status: ** Implemented. All four engine types complete — CA (with ACME
support), SSH CA, transit encryption, and user-to-user encryption.
support), SSH CA, transit encryption, and user-to-user encryption.
---
---
@@ -290,7 +286,7 @@ serves the container images that MCP deploys across the platform.
is scheduled, MCP tells the node's agent which image to pull and where to get
is scheduled, MCP tells the node's agent which image to pull and where to get
it. MCR sits behind an MC-Proxy instance for TLS routing.
it. MCR sits behind an MC-Proxy instance for TLS routing.
**Status: ** Implemented. v1.2.0. All implementation phases complete.**Status: ** Implemented. Phase 13 (deployment artifacts) complete.
---
---
@@ -337,9 +333,7 @@ two instances — an edge proxy on a public VPS and an origin proxy on the
private network, connected over the overlay with PROXY protocol preserving
private network, connected over the overlay with PROXY protocol preserving
client IPs across the hop.
client IPs across the hop.
**Status: ** Implemented. v1.2.1. Route state persisted in SQLite with **Status: ** Implemented.
write-through semantics. gRPC admin API with idempotent AddRoute for runtime
route management.
---
---
@@ -381,7 +375,7 @@ services can use stable DNS names in their configs (e.g.,
`mcias.svc.mcp.metacircular.net` in `[mcias] server_url` ) that survive`mcias.svc.mcp.metacircular.net` in `[mcias] server_url` ) that survive
migration without config changes.
migration without config changes.
**Status: ** Implemented. v1.1 .0. Custom Go DNS server deployed on rift,**Status: ** Implemented. v1.0 .0. Custom Go DNS server deployed on rift,
serving two authoritative zones (`svc.mcp.metacircular.net` and
serving two authoritative zones (`svc.mcp.metacircular.net` and
`mcp.metacircular.net` ) plus upstream forwarding. REST + gRPC APIs with`mcp.metacircular.net` ) plus upstream forwarding. REST + gRPC APIs with
MCIAS auth. Records stored in SQLite.
MCIAS auth. Records stored in SQLite.
@@ -458,14 +452,11 @@ services it depends on.
can deploy them. The systemd unit files exist as a fallback and for bootstrap —
can deploy them. The systemd unit files exist as a fallback and for bootstrap —
the long-term deployment model is MCP-managed containers.
the long-term deployment model is MCP-managed containers.
**Status: ** Implemented. v0.4 .0. Deployed on rift managing all platform**Status: ** Implemented. v0.1 .0. Deployed on rift managing all platform
containers. Route declarations with automatic port allocation (`$PORT` /
containers. Two components — `mcp` CLI (operator workstation) and
`$PORT_<NAME>` env vars passed to containers). MC-Proxy route registration
during deploy and stop. Automated TLS cert provisioning for L7 routes via
Metacrypt CA (Phase C). Two components — `mcp` CLI (operator workstation) and
`mcp-agent` (per-node daemon with SQLite registry, rootless Podman,`mcp-agent` (per-node daemon with SQLite registry, rootless Podman,
monitoring with drift/flap detection). gRPC-only (no REST). 12+ RPCs,
monitoring with drift/flap detection). gRPC-only (no REST). 12 RPCs,
15+ CLI commands.
15 CLI commands.
---
---
@@ -672,22 +663,20 @@ renew certificates programmatically.
### How Services Get Certificates Today ### How Services Get Certificates Today
For services deployed via MCP with L7 routes, certificates are provisioned Currently, certificates are provisioned through Metacrypt's **REST API or web
automatically during deploy — MCP uses the Metacrypt ACME client library to UI** and placed into each service's `/srv/<service>/certs/` directory. This is
obtain certs and transfers them to the node. For other services and during a manual process — the operator issues a certificate, downloads it, and
bootstrap, certificates are provisioned through Metacrypt's **REST API or web deploys the files. The ACME client library exists but is not yet integrated
UI** and placed into each service's `/srv/<service>/certs/` directory manually .into any service.
### How MCP Automates Certificates ### How It Will Work With MCP
MCP automates certificate provisioning for deploy workflows, with renewal and
MCP is the natural place to automate certificate provisioning:
migration automation planned:
- **Initial deploy.** When MCP deploys a new service, it provisions a- **Initial deploy.** When MCP deploys a new service, it can provision a
certificate from Metacrypt (via the ACME client library), transfers the cert
certificate from Metacrypt (via the ACME client library or the REST API),
and key to the node as part of the config push to `/srv/<service>/certs/` ,
transfer the cert and key to the node as part of the config push to
and starts the service with valid TLS material. For L7 routes, MCP also
`/srv/<service>/certs/` , and start the service with valid TLS material.
provisions a TLS certificate for MC-Proxy's termination endpoint.
- **Renewal.** MCP knows what services are running and when their certificates- **Renewal.** MCP knows what services are running and when their certificates
expire. It can renew certificates before expiry by re-running the ACME flow
expire. It can renew certificates before expiry by re-running the ACME flow
@@ -700,8 +689,10 @@ migration automation planned:
for the new name.
for the new name.
- **MC-Proxy L7 routes.** MC-Proxy's L7 mode requires certificate/key pairs- **MC-Proxy L7 routes.** MC-Proxy's L7 mode requires certificate/key pairs
for TLS termination. MCP provisions these from Metacrypt during deploy and
for TLS termination. MCP (or the operator) can provision these from
pushes them to the node alongside the route registration.
Metacrypt and push them to MC-Proxy's cert directory. MC-Proxy's
architecture doc lists ACME integration and Metacrypt key storage as future
work.
### Trust Distribution ### Trust Distribution
@@ -802,13 +793,8 @@ Operator workstation (vade)
│
│
├── Scheduling: select Node C (best fit)
├── Scheduling: select Node C (best fit)
│
│
├── Port assignment: allocate a free host port for each
├── Provision TLS certificate from Metacrypt
│ declared route (passed as $PORT / $PORT_<NAME> env vars )
│ (ACME flow or REST API )
│
├── Provision TLS certificate from Metacrypt CA
│ (ACME client library) for the service
│ — for L7 routes, also provision a cert for MC-Proxy
│ TLS termination
│
│
├── C2 to Node C agent:
├── C2 to Node C agent:
│ 1. Create /srv/α
│ 1. Create /srv/α
@@ -816,15 +802,15 @@ Operator workstation (vade)
│ 3. Transfer TLS cert+key → /srv/α
│ 3. Transfer TLS cert+key → /srv/α
│ 4. Transfer root CA cert → /srv/α
│ 4. Transfer root CA cert → /srv/α
│ 5. Pull image from MCR
│ 5. Pull image from MCR
│ 6. Start container with $PORT / $PORT_<NAME> env vars
│ 6. Start container
│
├── Register routes with MC-Proxy
│ (gRPC AddRoute for each declared route)
│
│
├── Update service registry: α
├── Update service registry: α
│
│
└ ── Push DNS update to MCNS:
├ ── Push DNS update to MCNS:
α
│ α
│
└── (Optionally) update MC-Proxy route table
if α
``` ```
### 4. Migration ### 4. Migration
