mc/metacircular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cadbb3f2341fe048d039179e691390d4ac920c28
metacircular/README.md
Kyle Isom 162afc44d5 Update platform docs: accuracy audit and module path migration 
- MCNS/MCP status: Planned → Implemented (both deployed on rift)
- Add mcp/, mcns/, mcdoc/ to project map and repo structure
- Fix MCNS description from CoreDNS precursor to custom Go DNS server
- Fix versions: MCR v1.1.0, MCDSL v1.1.0, MCIAS v1.7.0
- Update mcdsl adoption status (metacrypt now migrated)
- Fix engineering-standards: Go 1.25 builder, proto v1 conventions
- Update PLATFORM_EVOLUTION gap #8 (MCNS API exists)
- Migrate all module path references from kyle/ to mc/ org
- Fix diagrams: MCP Slave → MCP Agent, Docker → Podman

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 02:08:45 -07:00

109 lines
6.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Metacircular Dynamics
Metacircular Dynamics is a self-hosted personal infrastructure platform. The
name comes from the tradition of metacircular evaluators in Lisp — a system
defined in terms of itself — by way of SICP and Common Lisp projects that
preceded this work. The infrastructure is metacircular in the same sense: the
platform manages, secures, and hosts its own services.
Every component is self-hosted, every dependency is controlled, and the entire
stack is operable by one person. No cloud providers, no third-party auth, no
external databases. The platform is designed for a small number of machines — a
personal homelab or a handful of VPSes — not for hyperscale.
All services are written in Go and follow shared
[engineering standards](engineering-standards.md). Full platform documentation
lives in [docs/metacircular.md](docs/metacircular.md).
## Components
| Component | Purpose | Status |
|-----------|---------|--------|
| **MCIAS** | Identity and access — the root of trust. SSO, token issuance, role management, login policy. Every other service delegates auth here. | Implemented |
| **Metacrypt** | Cryptographic services — PKI/CA, transit encryption, encrypted secret storage behind a seal/unseal barrier. Issues TLS certificates for the platform. | Implemented |
| **MCR** | Container registry — OCI-compliant image storage with MCIAS auth and policy-controlled push/pull. | Implemented |
| **MC-Proxy** | Node ingress — TLS proxy and router. L4 passthrough or L7 terminating (per-route), PROXY protocol, firewall with rate limiting and GeoIP. | Implemented |
| **MCNS** | Networking — authoritative DNS for internal platform zones, upstream forwarding. | Implemented |
| **MCP** | Control plane — operator-driven deployment, service registry, data transfer, master/agent container lifecycle. | Implemented |
| **MCDoc** | Documentation server — renders markdown from Gitea, serves public docs. | In progress |
Shared library: **MCDSL** — standard library for all services (auth, db,
config, TLS server, CSRF, snapshots).
Supporting tool: **MCAT** — lightweight web app for testing MCIAS login
policies.
## Architecture
```
MCIAS (standalone — the root of trust)
├── Metacrypt (auth via MCIAS; provides certs to all services)
├── MCR (auth via MCIAS; stores images pulled by MCP)
├── MCNS (auth via MCIAS; provides DNS for the platform)
├── MCP (auth via MCIAS; orchestrates everything; owns service registry)
└── MC-Proxy (pre-auth; routes traffic to services behind it)
```
Each machine is an **MC Node**. On every node, **MC-Proxy** accepts outside
connections and routes by TLS SNI — either relaying raw TCP (L4) or
terminating TLS and reverse proxying HTTP/2 (L7), per-route. **MCP Agent** on
each node receives commands from **MCP Master** (which runs on the operator's
workstation) and manages containers via the local runtime. Core infrastructure
(MCIAS, Metacrypt, MCR) runs on nodes like any other workload.
```
┌──────────────────┐ ┌──────────────┐
│ Core Infra │ │ MCP Master │
│ (e.g. MCIAS) │ │ │
└────────┬─────────┘ └──────┬───────┘
│ │ C2
Outside ┌─────────────▼─────────────────────▼──────────┐
Client ────▶│ MC Node │
│ ┌───────────┐ │
│ │ MC-Proxy │──┬──────┬──────┐ │
│ └───────────┘ │ │ │ │
│ ┌───▼┐ ┌──▼─┐ ┌─▼──┐ ┌─────┐ │
│ │ α │ │ β │ │ γ │ │ MCP │ │
│ └────┘ └────┘ └────┘ │Agent│ │
│ └──┬──┘ │
│ ┌────▼───┐│
│ │Container│
│ │Runtime │
│ └────────┘│
└──────────────────────────────────────────────┘
```
## Design Principles
- **Sovereignty** — self-hosted end to end; no SaaS dependencies
- **Simplicity** — SQLite over Postgres, stdlib testing, pure Go, htmx, single binaries
- **Consistency** — every service follows identical patterns (layout, config, auth, deployment)
- **Security as structure** — default deny, TLS 1.3 minimum, interceptor-map auth, encrypted-at-rest secrets
- **Design before code** — ARCHITECTURE.md is the spec, written before implementation
## Tech Stack
Go 1.25+, SQLite (modernc.org/sqlite), chi router, gRPC + protobuf, htmx +
Go html/template, golangci-lint v2, Ed25519/Argon2id/AES-256-GCM, TLS 1.3,
container-first deployment (Docker + systemd).
## Repository Structure
This root repository is a workspace container. Each subdirectory is a separate
Git repo with its own `CLAUDE.md`, `ARCHITECTURE.md`, `Makefile`, and `go.mod`:
```
metacircular/
├── mcias/ Identity and Access Service
├── metacrypt/ Cryptographic service engine
├── mcr/ Container registry
├── mc-proxy/ TLS proxy and router
├── mcp/ Control plane (master/agent)
├── mcns/ DNS server
├── mcat/ Login policy tester
├── mcdsl/ Standard library (shared packages)
├── mcdoc/ Documentation server
├── ca/ PKI infrastructure (dev/test, not source code)
└── docs/ Platform-wide documentation
```
Reference in New Issue View Git Blame Copy Permalink