Migrate gRPC server to mcdsl grpcserver package

Replace metacrypt's hand-rolled gRPC interceptor chain with the mcdsl grpcserver package, which provides TLS setup, logging, and method-map auth (public/auth-required/admin-required) out of the box. Metacrypt-specific interceptors are preserved as hooks: - sealInterceptor runs as a PreInterceptor (before logging/auth) - auditInterceptor runs as a PostInterceptor (after auth) The three legacy method maps (seal/auth/admin) are restructured into mcdsl's MethodMap (Public/AuthRequired/AdminRequired) plus a separate seal-required map for the PreInterceptor. Token context is now stored via mcdsl/auth.ContextWithTokenInfo instead of a package-local key. Bumps mcdsl from v1.0.0 to v1.0.1 (adds PreInterceptors/PostInterceptors to grpcserver.Options). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:42:41 -07:00
parent d308db8598
commit 310ed83f28
12 changed files with 264 additions and 378 deletions
--- a/internal/grpcserver/sshca.go
+++ b/internal/grpcserver/sshca.go
@@ -11,6 +11,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"

 	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
+	"git.wntrmute.dev/kyle/metacrypt/internal/auth"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine/sshca"
 	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
@@ -50,7 +51,7 @@ func (ss *sshcaServer) sshcaHandleRequest(ctx context.Context, mount, operation
 }

 func (ss *sshcaServer) callerInfo(ctx context.Context) *engine.CallerInfo {
-	ti := tokenInfoFromContext(ctx)
+	ti := auth.TokenInfoFromContext(ctx)
 	if ti == nil {
 		return nil
 	}