Persist engine mounts across seal/unseal cycles

- Add Registry.UnsealAll() that rediscovers mounted engines from the
  barrier on unseal, using stored metadata at engine/_mounts/ with a
  fallback discovery scan for pre-existing mounts (migration path)
- Registry.Mount() now persists mount metadata to the barrier;
  Registry.Unmount() cleans it up
- Call UnsealAll() from both REST and web unseal handlers
- Change Unmount() signature to accept context.Context
- Default CA key size changed from P-384 to P-521
- Add build-time version stamp via ldflags; display in dashboard status bar
- Make metacrypt target .PHONY so make devserver always rebuilds
- Redirect /pki to /dashboard when no CA engine is mounted

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/server/routes.go

@@ -136,6 +136,12 @@ func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if err := s.engines.UnsealAll(r.Context()); err != nil {
+		s.logger.Error("engine unseal failed", "error", err)
+		http.Error(w, `{"error":"engine unseal failed"}`, http.StatusInternalServerError)
+		return
+	}
+
 	writeJSON(w, http.StatusOK, map[string]interface{}{
 		"state": s.seal.State().String(),
 	})
@@ -255,7 +261,7 @@ func (s *Server) handleEngineUnmount(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
 		return
 	}
-	if err := s.engines.Unmount(req.Name); err != nil {
+	if err := s.engines.Unmount(r.Context(), req.Name); err != nil {
 		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
 		return
 	}
@@ -552,6 +558,11 @@ func (s *Server) handleWebUnseal(w http.ResponseWriter, r *http.Request) {
 			s.renderTemplate(w, "unseal.html", map[string]interface{}{"Error": msg})
 			return
 		}
+		if err := s.engines.UnsealAll(r.Context()); err != nil {
+			s.logger.Error("engine unseal failed", "error", err)
+			s.renderTemplate(w, "unseal.html", map[string]interface{}{"Error": "Engine reload failed: " + err.Error()})
+			return
+		}
 		http.Redirect(w, r, "/dashboard", http.StatusFound)
 	default:
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
@@ -599,6 +610,7 @@ func (s *Server) handleWebDashboard(w http.ResponseWriter, r *http.Request) {
 		"Roles":    info.Roles,
 		"Mounts":   mounts,
 		"State":    s.seal.State().String(),
+		"Version":  s.version,
 	})
 }
 
@@ -666,13 +678,13 @@ func (s *Server) handleWebPKI(w http.ResponseWriter, r *http.Request) {
 
 	mountName, err := s.findCAMount()
 	if err != nil {
-		http.Error(w, "no CA engine mounted", http.StatusNotFound)
+		http.Redirect(w, r, "/dashboard", http.StatusFound)
 		return
 	}
 
 	caEng, err := s.getCAEngine(mountName)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusNotFound)
+		http.Redirect(w, r, "/dashboard", http.StatusFound)
 		return
 	}
 

internal/server/server.go

@@ -27,11 +27,12 @@ type Server struct {
 	engines  *engine.Registry
 	httpSrv  *http.Server
 	logger   *slog.Logger
+	version  string
 }
 
 // New creates a new server.
 func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenticator,
-	policyEngine *policy.Engine, engineRegistry *engine.Registry, logger *slog.Logger) *Server {
+	policyEngine *policy.Engine, engineRegistry *engine.Registry, logger *slog.Logger, version string) *Server {
 	s := &Server{
 		cfg:     cfg,
 		seal:    sealMgr,
@@ -39,6 +40,7 @@ func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenti
 		policy:  policyEngine,
 		engines: engineRegistry,
 		logger:  logger,
+		version: version,
 	}
 	return s
 }

internal/server/server_test.go

@@ -61,7 +61,7 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) {
 	}
 
 	logger := slog.Default()
-	srv := New(cfg, sealMgr, authenticator, policyEngine, engineRegistry, logger)
+	srv := New(cfg, sealMgr, authenticator, policyEngine, engineRegistry, logger, "test")
 
 	r := chi.NewRouter()
 	srv.registerRoutes(r)