Checkpoint: auth, engine, seal, server, grpc updates

Co-authored-by: Junie <junie@jetbrains.com>
2026-03-15 09:54:04 -07:00
parent 33beb33a13
commit 44e5e6e174
21 changed files with 185 additions and 31 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,59 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Metacrypt is a cryptographic service for the Metacircular platform, written in Go. It provides cryptographic resources via an "engines" architecture (CA, SSH CA, transit encryption, user-to-user encryption). Authentication is handled by MCIAS (Metacircular Identity and Access Service) using the client library at `git.wntrmute.dev/kyle/mcias/clients/go`. MCIAS API docs: https://mcias.metacircular.net:8443/docs
+
+## Build & Test Commands
+
+```bash
+go build ./...    # Build all packages
+go test ./...     # Run all tests
+go vet ./...      # Static analysis
+```
+
+## Architecture
+
+- **Engines**: Modular cryptographic service providers (CA, SSH CA, transit, user-to-user encryption)
+- **Storage**: SQLite database with an encrypted storage barrier (similar to HashiCorp Vault)
+- **Seal/Unseal**: Single password unseals the service; a master encryption key serves as a key-encryption key (KEK) to decrypt per-engine data encryption keys
+- **Auth**: MCIAS integration; MCIAS admin users get admin privileges on this service
+
+## Project Structure
+
+```
+.
+├── cmd/metacrypt/          # CLI entry point (server, init, status, snapshot)
+├── deploy/
+│   ├── docker/             # Docker Compose configuration
+│   ├── examples/           # Example config files
+│   ├── scripts/            # Deployment scripts
+│   └── systemd/            # systemd unit files
+├── internal/
+│   ├── auth/               # MCIAS token authentication & caching
+│   ├── barrier/            # Encrypted key-value storage abstraction
+│   ├── config/             # TOML configuration loading & validation
+│   ├── crypto/             # Low-level cryptographic primitives
+│   ├── db/                 # SQLite setup & schema migrations
+│   ├── engine/             # Pluggable engine registry & interface
+│   ├── policy/             # Priority-based ACL engine
+│   ├── seal/               # Seal/unseal state machine
+│   └── server/             # HTTP server, routes, middleware
+├── proto/metacrypt/        # Protobuf/gRPC definitions
+├── web/
+│   ├── static/             # CSS, HTMX
+│   └── templates/          # Go HTML templates
+├── Dockerfile
+├── Makefile
+└── metacrypt.toml.example
+```
+
+## Ignored Directories
+
+- `srv/` — Local runtime data (database, certs, config). Do not read, modify, or reference these files.
+
+## API Sync Rule
+
+The gRPC proto definitions (`proto/metacrypt/v1/`) and the REST API (`internal/server/routes.go`) must always be kept in sync. When adding, removing, or changing an endpoint in either surface, the other must be updated in the same change. Every REST endpoint must have a corresponding gRPC RPC (and vice versa), with matching request/response fields.