Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 20:43:11 -07:00
commit 4ddd32b117
60 changed files with 4644 additions and 0 deletions
--- a/deploy/examples/metacrypt.toml
+++ b/deploy/examples/metacrypt.toml
@@ -0,0 +1,38 @@
+# Metacrypt production configuration
+# Copy to /etc/metacrypt/metacrypt.toml and adjust for your environment.
+
+[server]
+# Address to listen on. Use "0.0.0.0:8443" to listen on all interfaces.
+listen_addr = ":8443"
+
+# TLS certificate and key. Metacrypt always terminates TLS.
+tls_cert = "/etc/metacrypt/certs/server.crt"
+tls_key  = "/etc/metacrypt/certs/server.key"
+
+[database]
+# SQLite database path. Created automatically on first run.
+# The directory must be writable by the metacrypt user.
+path = "/var/lib/metacrypt/metacrypt.db"
+
+[mcias]
+# MCIAS server URL for authentication.
+server_url = "https://mcias.metacircular.net:8443"
+
+# CA certificate for verifying the MCIAS server's TLS certificate.
+# Omit if MCIAS uses a publicly trusted certificate.
+# ca_cert = "/etc/metacrypt/certs/mcias-ca.crt"
+
+[seal]
+# Argon2id parameters for key derivation.
+# These are applied during initialization and stored alongside the encrypted
+# master key. Changing them here after init has no effect.
+#
+# Defaults are tuned for server hardware (3 iterations, 128 MiB, 4 threads).
+# Increase argon2_memory on machines with more RAM for stronger protection.
+# argon2_time    = 3
+# argon2_memory  = 131072   # KiB (128 MiB)
+# argon2_threads = 4
+
+[log]
+# Log level: debug, info, warn, error
+level = "info"