Sync docs/metacircular.md versions and add undeploy capability

Update version references to match current git tags: MCIAS v1.9.0,
Metacrypt v1.3.1, MCP v0.7.6. Add Phase D (DNS registration) to MCP
status, update RPC/CLI counts, and document undeploy as a first-class
capability. Also sync STATUS.md and packaging-and-deployment.md with
the same version updates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -18,8 +18,10 @@ Metacircular is a multi-service personal infrastructure platform. This root repo
 | `mcdsl/` | Standard library — shared packages for auth, db, config, HTTP/gRPC servers, CSRF, snapshots | Go |
 | `mcdoc/` | Documentation server — renders markdown from Gitea, serves public docs via mc-proxy | Go |
 | `mcp/` | Control plane — operator-driven deployment, service registry, container lifecycle (master/agent) | Go |
+| `mcdeploy/` | Deployment CLI — tactical bridge tool for build, push, deploy operations | Go |
 | `mcns/` | Networking service — custom Go DNS server, authoritative for internal zones | Go |
 | `ca/` | PKI infrastructure and secrets for dev/test (not source code, gitignored) | — |
+| `docs/` | Platform-wide documentation (architecture overview, deployment guide) | Markdown |
 
 Each subproject has its own `CLAUDE.md`, `ARCHITECTURE.md`, `Makefile`, and `go.mod`. When working in a subproject, read its own CLAUDE.md first.
 

README.md

@@ -25,7 +25,8 @@ lives in [docs/metacircular.md](docs/metacircular.md).
 | **MC-Proxy** | Node ingress — TLS proxy and router. L4 passthrough or L7 terminating (per-route), PROXY protocol, firewall with rate limiting and GeoIP. | Implemented |
 | **MCNS** | Networking — authoritative DNS for internal platform zones, upstream forwarding. | Implemented |
 | **MCP** | Control plane — operator-driven deployment, service registry, data transfer, master/agent container lifecycle. | Implemented |
-| **MCDoc** | Documentation server — renders markdown from Gitea, serves public docs. | In progress |
+| **MCDoc** | Documentation server — renders markdown from Gitea, serves public docs. | Implemented |
+| **MCDeploy** | Deployment CLI — single-binary tool for build, push, deploy, cert renewal, and status. Tactical bridge tool while MCP capabilities mature. | Active dev |
 
 Shared library: **MCDSL** — standard library for all services (auth, db,
 config, TLS server, CSRF, snapshots).
@@ -102,6 +103,7 @@ metacircular/
 ├── mcns/           DNS server
 ├── mcat/           Login policy tester
 ├── mcdsl/          Standard library (shared packages)
+├── mcdeploy/       Deployment CLI tool
 ├── mcdoc/          Documentation server
 ├── ca/             PKI infrastructure (dev/test, not source code)
 └── docs/           Platform-wide documentation

STATUS.md

@@ -24,8 +24,8 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 | MCAT | v1.1.1 | Complete | Unknown | — |
 | MCDSL | v1.4.0 | Stable | N/A (library) | — |
 | MCNS | v1.1.1 | Production | Yes | rift |
+| MCDoc | v0.1.0 | Production | Yes | rift |
 | MCP | v0.7.6 | Production | Yes | rift |
-| MCDoc | v0.1.0 | Active dev | No | — |
 
 ## Service Details
 
@@ -60,8 +60,8 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 - **Deployment:** Running on rift. Fronts Metacrypt, MCR, and sgard on ports
   443, 8443, and 9443. Prometheus metrics on 127.0.0.1:9091. Routes persisted
   in SQLite and managed via gRPC API.
-- **Recent work:** MCR route additions, Nix flake, L7 backend cert handling,
+- **Recent work:** Route persistence (SQLite), idempotent AddRoute (upsert),
-  Prometheus metrics, L7 policies.
+  golangci-lint v2 compliance, module path migration to mc/ org.
 - **Artifacts:** systemd units (service + backup timer), Docker Compose
   (standard + rift), install and backup scripts, rift config.
 
@@ -109,30 +109,35 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 - **Artifacts:** Dockerfile, Docker Compose (rift), MCP service definition,
   systemd units, install script, example config.
 
-### MCP — Control Plane
-
-- **Version:** v0.7.6.
-- **Phase:** Production. Phases A–D complete (automated port assignment, route
-  registration, TLS cert provisioning, DNS registration).
-- **Deployment:** Running on rift. Agent as systemd service under `mcp` user
-  with rootless podman. Manages metacrypt, mc-proxy, mcr, and mcns containers.
-- **Architecture:** Two components — `mcp` CLI (thin client on vade) and
-  `mcp-agent` (per-node daemon with SQLite registry, podman management,
-  monitoring with drift/flap detection). gRPC-only (no REST). 15 RPCs, 17+
-  CLI commands.
-- **Recent work:** Phase C (automated TLS cert provisioning via Metacrypt CA),
-  Phase D (automated DNS registration via MCNS), undeploy command, logs
-  command, edit command, auto-login to MCR, system account auth model.
-- **Artifacts:** systemd service (NixOS), TLS cert from Metacrypt, service
-  definition files, design docs.
-
 ### MCDoc — Documentation Server
 
 - **Version:** v0.1.0.
-- **Phase:** Active development.
+- **Phase:** Production. Fetches and renders markdown documentation from Gitea.
-- **Deployment:** Not yet deployed.
+- **Deployment:** Running on rift as a container, fronted by MC-Proxy on
-- **Description:** Documentation server — fetches markdown from Gitea, renders
+  port 443 (L7).
-  HTML, serves public docs via mc-proxy. No MCIAS auth required.
+- **Recent work:** Initial implementation, Gitea content fetching, goldmark
+  rendering with syntax highlighting, webhook-driven refresh.
+- **Artifacts:** Dockerfile, MCP service definition.
+
+### MCP — Control Plane
+
+- **Version:** v0.7.6.
+- **Phase:** Production. Phases A–D complete. Deployed to rift, managing all
+  platform containers.
+- **Deployment:** Running on rift. Agent as systemd service under `mcp` user
+  with rootless podman. Manages metacrypt, mc-proxy, mcr, mcns, and mcdoc
+  containers.
+- **Architecture:** Two components — `mcp` CLI (thin client on vade) and
+  `mcp-agent` (per-node daemon with SQLite registry, podman management,
+  monitoring with drift/flap detection, route registration with mc-proxy,
+  automated TLS cert provisioning for L7 routes via Metacrypt CA, automated
+  DNS registration in MCNS). gRPC-only (no REST). 15 RPCs, 17+ CLI commands.
+- **Recent work:** Phase C (automated TLS cert provisioning), Phase D
+  (automated DNS registration via MCNS), undeploy command, logs command,
+  edit command, auto-login to MCR, system account auth model, module path
+  migration.
+- **Artifacts:** systemd service (NixOS), TLS cert from Metacrypt, service
+  definition files, design docs.
 
 ## Node Inventory
 
@@ -144,12 +149,12 @@ provisioning, and DNS registration). Multi-node deployment is being planned
 
 Note: Services deployed via MCP receive dynamically assigned host ports
 (10000–60000). The ports below are for infrastructure services with static
-assignments.
+assignments or well-known ports.
 
 | Port | Protocol | Services |
 |------|----------|----------|
 | 53 | DNS (LAN + Tailscale) | mcns |
-| 443 | L7 (TLS termination) | metacrypt-web, mcr-web |
+| 443 | L7 (TLS termination) | metacrypt-web, mcr-web, mcdoc |
 | 8080 | HTTP (all interfaces) | exod |
 | 8443 | L4 (SNI passthrough) | metacrypt API, mcr API |
 | 9090 | HTTP (all interfaces) | exod |