Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 20:43:11 -07:00
commit 4ddd32b117
60 changed files with 4644 additions and 0 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git:*)"
+    ]
+  }
+}
--- a/.claude/skills/checkpoint/SKILL.md
+++ b/.claude/skills/checkpoint/SKILL.md
@@ -0,0 +1,8 @@
+# Checkpoint Skill
+
+1. Run `go build ./...`  abort if errors
+2. Run `go test ./...`  abort if failures
+3. Run `go vet ./...`
+4. Run `git add -A && git status`  show user what will be committed
+5. Generate an appropriate commit message based on your instructions.
+6. Run `git commit -m "<message>"` and verify with `git log -1`
--- a/.claude/tasks/security-audit/TASK.md
+++ b/.claude/tasks/security-audit/TASK.md
@@ -0,0 +1,8 @@
+Run a full security audit of this Go codebase. For each finding rated
+HIGH or CRITICAL: spawn a sub-agent using Task to implement the fix
+across all affected files (models, handlers, migrations, templates,
+tests). Each sub-agent must: 1) write a failing test that reproduces the
+vulnerability, 2) implement the fix, 3) run `go test ./...` and `go vet
+./...` in a loop until all pass, 4) commit with a message referencing
+the finding ID. After all sub-agents complete, generate a summary of
+what was fixed and what needs manual review.