Migrate config to mcdsl: Load[T], env overrides, embedded types

Replace local TOML loading with mcdsl/config.Load[Config] which adds
METACRYPT_ environment variable overrides. ServerConfig and MCIASConfig
now embed their mcdsl counterparts, extending with ExternalURL and
ServiceToken respectively. DatabaseConfig and LogConfig replaced with
mcdsl types directly.

TOML structure is preserved — no config file changes needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/config/config.go

@@ -3,9 +3,9 @@ package config
 
 import (
 	"fmt"
-	"os"
 
-	"github.com/pelletier/go-toml/v2"
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+	mcdslconfig "git.wntrmute.dev/kyle/mcdsl/config"
 )
 
 // Config is the top-level configuration for Metacrypt.
@@ -13,29 +13,24 @@ type Config struct {
 	Server   ServerConfig   `toml:"server"`
 	Web      WebConfig      `toml:"web"`
 	MCIAS    MCIASConfig    `toml:"mcias"`
-	Database DatabaseConfig `toml:"database"`
-	Log      LogConfig      `toml:"log"`
+	Database mcdslconfig.DatabaseConfig `toml:"database"`
+	Log      mcdslconfig.LogConfig      `toml:"log"`
 	Seal     SealConfig     `toml:"seal"`
 	Audit    AuditConfig    `toml:"audit"`
 }
 
-// AuditConfig holds audit logging settings.
-type AuditConfig struct {
-	// Mode controls audit log output: "file", "stdout", or "" (disabled).
-	Mode string `toml:"mode"`
-	// Path is the audit log file path (required when mode is "file").
-	Path string `toml:"path"`
-	// IncludeReads enables audit logging for read-only operations.
-	IncludeReads bool `toml:"include_reads"`
+// ServerConfig holds HTTP/gRPC server settings. It embeds the standard
+// mcdsl server config and adds the ACME external URL.
+type ServerConfig struct {
+	mcdslconfig.ServerConfig
+	ExternalURL string `toml:"external_url"` // public base URL for ACME directory
 }
 
-// ServerConfig holds HTTP/gRPC server settings.
-type ServerConfig struct {
-	ListenAddr  string `toml:"listen_addr"`
-	GRPCAddr string `toml:"grpc_addr"`
-	TLSCert     string `toml:"tls_cert"`
-	TLSKey      string `toml:"tls_key"`
-	ExternalURL string `toml:"external_url"` // public base URL for ACME directory, e.g. "https://metacrypt.example.com"
+// MCIASConfig holds MCIAS integration settings. It embeds the standard
+// mcdsl auth config and adds the service token for web UI login.
+type MCIASConfig struct {
+	mcdslauth.Config
+	ServiceToken string `toml:"service_token"`
 }
 
 // WebConfig holds settings for the standalone web UI server (metacrypt-web).
@@ -56,16 +51,14 @@ type WebConfig struct {
 	TLSKey  string `toml:"tls_key"`
 }
 
-// DatabaseConfig holds SQLite database settings.
-type DatabaseConfig struct {
+// AuditConfig holds audit logging settings.
+type AuditConfig struct {
+	// Mode controls audit log output: "file", "stdout", or "" (disabled).
+	Mode string `toml:"mode"`
+	// Path is the audit log file path (required when mode is "file").
 	Path string `toml:"path"`
-}
-
-// MCIASConfig holds MCIAS integration settings.
-type MCIASConfig struct {
-	ServerURL    string `toml:"server_url"`
-	CACert       string `toml:"ca_cert"`
-	ServiceToken string `toml:"service_token"`
+	// IncludeReads enables audit logging for read-only operations.
+	IncludeReads bool `toml:"include_reads"`
 }
 
 // SealConfig holds Argon2id parameters for the seal process.
@@ -75,46 +68,31 @@ type SealConfig struct {
 	Argon2Threads uint8  `toml:"argon2_threads"`
 }
 
-// LogConfig holds logging settings.
-type LogConfig struct {
-	Level string `toml:"level"`
-}
-
-// Load reads and parses a TOML config file.
+// Load reads and parses a TOML config file with METACRYPT_ env var overrides.
 func Load(path string) (*Config, error) {
-	data, err := os.ReadFile(path) //nolint:gosec
-	if err != nil {
-		return nil, fmt.Errorf("config: read file: %w", err)
-	}
-	var cfg Config
-	if err := toml.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("config: parse: %w", err)
-	}
-	if err := cfg.Validate(); err != nil {
-		return nil, err
-	}
-	return &cfg, nil
+	return mcdslconfig.Load[Config](path, "METACRYPT")
 }
 
-// Validate checks required fields and applies defaults.
+// Validate implements mcdslconfig.Validator for metacrypt-specific rules.
 func (c *Config) Validate() error {
+	// Required fields.
 	if c.Server.ListenAddr == "" {
-		return fmt.Errorf("config: server.listen_addr is required")
+		return fmt.Errorf("server.listen_addr is required")
 	}
 	if c.Server.TLSCert == "" {
-		return fmt.Errorf("config: server.tls_cert is required")
+		return fmt.Errorf("server.tls_cert is required")
 	}
 	if c.Server.TLSKey == "" {
-		return fmt.Errorf("config: server.tls_key is required")
+		return fmt.Errorf("server.tls_key is required")
 	}
 	if c.Database.Path == "" {
-		return fmt.Errorf("config: database.path is required")
+		return fmt.Errorf("database.path is required")
 	}
 	if c.MCIAS.ServerURL == "" {
-		return fmt.Errorf("config: mcias.server_url is required")
+		return fmt.Errorf("mcias.server_url is required")
 	}
 
-	// Apply defaults for seal parameters.
+	// Seal defaults.
 	if c.Seal.Argon2Time == 0 {
 		c.Seal.Argon2Time = 3
 	}
@@ -125,25 +103,26 @@ func (c *Config) Validate() error {
 		c.Seal.Argon2Threads = 4
 	}
 
+	// Log default.
 	if c.Log.Level == "" {
 		c.Log.Level = "info"
 	}
 
-	// Apply defaults for web server.
+	// Web default.
 	if c.Web.ListenAddr == "" {
 		c.Web.ListenAddr = "127.0.0.1:8080"
 	}
 
-	// Validate audit config.
+	// Audit validation.
 	switch c.Audit.Mode {
 	case "", "stdout":
 		// ok
 	case "file":
 		if c.Audit.Path == "" {
-			return fmt.Errorf("config: audit.path is required when audit.mode is \"file\"")
+			return fmt.Errorf("audit.path is required when audit.mode is \"file\"")
 		}
 	default:
-		return fmt.Errorf("config: audit.mode must be \"file\", \"stdout\", or empty")
+		return fmt.Errorf("audit.mode must be \"file\", \"stdout\", or empty")
 	}
 
 	return nil

internal/config/config_test.go

@@ -41,6 +41,38 @@ server_url = "https://mcias.example.com"
 	}
 }
 
+func TestLoadEnvOverride(t *testing.T) {
+	content := `
+[server]
+listen_addr = ":8443"
+tls_cert = "cert.pem"
+tls_key = "key.pem"
+
+[database]
+path = "test.db"
+
+[mcias]
+server_url = "https://mcias.example.com"
+`
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.toml")
+	_ = os.WriteFile(path, []byte(content), 0600)
+
+	t.Setenv("METACRYPT_SERVER_LISTEN_ADDR", ":9999")
+	t.Setenv("METACRYPT_MCIAS_SERVER_URL", "https://override.example.com")
+
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load: %v", err)
+	}
+	if cfg.Server.ListenAddr != ":9999" {
+		t.Errorf("ListenAddr env override: got %q, want %q", cfg.Server.ListenAddr, ":9999")
+	}
+	if cfg.MCIAS.ServerURL != "https://override.example.com" {
+		t.Errorf("ServerURL env override: got %q", cfg.MCIAS.ServerURL)
+	}
+}
+
 func TestLoadMissingRequired(t *testing.T) {
 	content := `
 [server]

internal/server/server_test.go

@@ -16,6 +16,9 @@ import (
 	"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
 	"git.wntrmute.dev/kyle/metacrypt/internal/config"
 	"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
+
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+	mcdslconfig "git.wntrmute.dev/kyle/mcdsl/config"
 	"git.wntrmute.dev/kyle/metacrypt/internal/db"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
 	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
@@ -46,12 +49,14 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) {
 
 	cfg := &config.Config{
 		Server: config.ServerConfig{
-			ListenAddr: ":0",
-			TLSCert:    "cert.pem",
-			TLSKey:     "key.pem",
+			ServerConfig: mcdslconfig.ServerConfig{
+				ListenAddr: ":0",
+				TLSCert:    "cert.pem",
+				TLSKey:     "key.pem",
+			},
 		},
-		Database: config.DatabaseConfig{Path: filepath.Join(dir, "test.db")},
-		MCIAS:    config.MCIASConfig{ServerURL: "https://mcias.test"},
+		Database: mcdslconfig.DatabaseConfig{Path: filepath.Join(dir, "test.db")},
+		MCIAS:    config.MCIASConfig{Config: mcdslauth.Config{ServerURL: "https://mcias.test"}},
 		Seal: config.SealConfig{
 			Argon2Time:    1,
 			Argon2Memory:  64 * 1024,