# Metacircular Platform Status

Last updated: 2026-03-27

## Platform Overview

One node operational (**rift**), running core infrastructure services as containers fronted by MC-Proxy. MCIAS runs separately (not on rift). Bootstrap phases 0–4 complete (MCIAS, Metacrypt, MC-Proxy, MCR all operational). MCP is deployed and managing all platform containers. MCNS is deployed on rift, serving authoritative DNS.

## Service Status

| Service | Version | SDLC Phase | Deployed | Node |
|---------|---------|------------|----------|------|
| MCIAS | v1.8.0 | Maintenance | Yes | (separate) |
| Metacrypt | v1.1.0 | Production | Yes | rift |
| MC-Proxy | v1.2.1 | Maintenance | Yes | rift |
| MCR | v1.2.0 | Production | Yes | rift |
| MCAT | v1.1.0 | Complete | Unknown | — |
| MCDSL | v1.2.0 | Stable | N/A (library) | — |
| MCNS | v1.1.0 | Production | Yes | rift |
| MCDoc | v0.1.0 | Production | Yes | rift |
| MCP | v0.4.0 | Production | Yes | rift |
| MCDeploy | v0.2.0 | Active dev | N/A (CLI tool) | — |

## Service Details

### MCIAS — Identity and Access Service

- **Version:** v1.8.0 (client library: clients/go/v0.2.0)
- **Phase:** Maintenance. Phases 0-14 complete. Feature-complete with active refinement.
- **Deployment:** Running in production. All other services authenticate against it.
- **Recent work:** WebAuthn/FIDO2 passkeys, TOTP 2FA, service-context login policies, Nix flake for CLI tools.
- **Artifacts:** systemd units (service + backup timer), install script, Dockerfile, example configs.

### Metacrypt — Cryptographic Service Engine

- **Version:** v1.1.0.
- **Phase:** Production. All four engine types implemented (CA, SSH CA, transit, user-to-user). Active work on integration test coverage.
- **Deployment:** Running on rift as a container, fronted by MC-Proxy on ports 443 (web, L7), 8443 (API, L4), and 9443 (gRPC, L4).
- **Recent work:** ACME integration tests (60+ tests), mcdsl migration, security audit fixes.
- **Artifacts:** systemd units (service + web + backup timer), Docker Compose (standard + rift), install script, example configs.

### MC-Proxy — TLS Proxy and Router

- **Version:** v1.2.1.
- **Phase:** Maintenance. Stable and actively routing traffic on rift.
- **Deployment:** Running on rift. Fronts Metacrypt, MCR, and sgard on ports 443, 8443, and 9443. Prometheus metrics on 127.0.0.1:9091.
- **Recent work:** Route persistence (SQLite), idempotent AddRoute (upsert), golangci-lint v2 compliance, module path migration to mc/ org.
- **Artifacts:** systemd units (service + backup timer), Docker Compose (standard + rift), install and backup scripts, rift config.

### MCR — Container Registry

- **Version:** v1.2.0. All implementation phases complete.
- **Phase:** Production. Deployed on rift, serving container images.
- **Deployment:** Running on rift as two containers (mcr API + mcr-web), fronted by MC-Proxy on ports 443 (web, L7), 8443 (API, L4), and 9443 (gRPC, L4). Metacrypt is already pulling images from MCR.
- **Recent work:** Manifest push bug fix (LastInsertId unreliable after upsert), structured slog error logging in OCI handlers, first production deploy, Dockerfile fixes, server wiring, OCI route mounting.
- **Artifacts:** systemd units (service + web + backup timer), Dockerfiles (API + web), Docker Compose (rift), install script, rift config.

### MCAT — Login Policy Tester

- **Version:** v1.1.0.
- **Phase:** Complete. Diagnostic tool, not core infrastructure.
- **Deployment:** Available for ad-hoc use. Lightweight tool for testing MCIAS login policy rules.
- **Recent work:** Migrated to mcdsl for auth, config, CSRF, and web.
- **Artifacts:** systemd unit, install script, example config.

### MCDSL — Standard Library

- **Version:** v1.2.0.
- **Phase:** Stable. All 9 packages implemented and tested. Being adopted across the platform.
- **Deployment:** N/A (Go library, imported by other services).
- **Packages:** auth, db, config, httpserver, grpcserver, csrf, web, health, archive.
- **Adoption:** All services except mcias on v1.2.0. mcias pending.

### MCNS — Networking Service

- **Version:** v1.1.0.
- **Phase:** Production. Custom Go DNS server replacing CoreDNS precursor.
- **Deployment:** Running on rift as a container managed by MCP. Serves two authoritative zones plus upstream forwarding.
- **Recent work:** v1.0.0 implementation (custom Go DNS server), engineering review, deployed to rift replacing CoreDNS.
- **Artifacts:** Dockerfile, Docker Compose (rift), MCP service definition, systemd units, install script, example config.

### MCDoc — Documentation Server

- **Version:** v0.1.0.
- **Phase:** Production. Fetches and renders markdown documentation from Gitea.
- **Deployment:** Running on rift as a container, fronted by MC-Proxy on port 443 (L7).
- **Recent work:** Initial implementation, Gitea content fetching, goldmark rendering with syntax highlighting, webhook-driven refresh.
- **Artifacts:** Dockerfile, MCP service definition.

### MCP — Control Plane

- **Version:** v0.4.0.
- **Phase:** Production. Phases 0-4 complete. Phase C (automated TLS cert provisioning) implemented. Deployed to rift, managing all platform containers.
- **Deployment:** Running on rift. Agent as systemd service under `mcp` user with rootless podman. Manages metacrypt, mc-proxy, mcr, and mcns containers.
- **Architecture:** Two components — `mcp` CLI (thin client on vade) and `mcp-agent` (per-node daemon with SQLite registry, podman management, monitoring with drift/flap detection, route registration with mc-proxy during deploy/stop, automated TLS cert provisioning for L7 routes via Metacrypt CA). gRPC-only (no REST).
- **Recent work:** Full v1 implementation (12 RPCs, 15 CLI commands), deployment to rift, container migration from kyle→mcp user, service definition authoring. Phase C automated TLS cert provisioning for L7 routes, mc-proxy route registration during deploy, mc-proxy dependency updated to v1.2.0, module path migration.
- **Artifacts:** systemd service (NixOS), TLS cert from Metacrypt, service definition files, design docs.

### MCDeploy — Deployment CLI

- **Version:** v0.2.0.
- **Phase:** Active development. Tactical bridge tool for deploying services while MCP is being built.
- **Deployment:** N/A (local CLI tool, not a server).
- **Recent work:** Initial implementation, Nix flake.
- **Description:** Single-binary CLI that shells out to podman/ssh/scp/git for build, push, deploy, cert renewal, and status. TOML-configured.

## Node Inventory

| Node | Address (LAN) | Address (Tailscale) | Role |
|------|---------------|---------------------|------|
| rift | 192.168.88.181 | 100.95.252.120 | Infrastructure services |

## Rift Port Map

| Port | Protocol | Services |
|------|----------|----------|
| 53 | DNS (LAN + Tailscale) | mcns |
| 443 | L7 (TLS termination) | metacrypt-web, mcr-web |
| 8080 | HTTP (all interfaces) | exod |
| 8443 | L4 (SNI passthrough) | metacrypt API, mcr API |
| 9090 | HTTP (all interfaces) | exod |
| 9443 | L4 (SNI passthrough) | metacrypt gRPC, mcr gRPC, sgard |
| 9091 | HTTP (loopback) | MC-Proxy Prometheus metrics |

Non-platform services also running on rift: **exod** (ports 8080/9090), **sgardd** (port 19473, fronted by MC-Proxy on 9443).