Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 20:43:11 -07:00
commit 4ddd32b117
60 changed files with 4644 additions and 0 deletions
--- a/internal/barrier/barrier_test.go
+++ b/internal/barrier/barrier_test.go
@@ -0,0 +1,159 @@
+package barrier
+
+import (
+	"context"
+	"path/filepath"
+	"testing"
+
+	"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
+	"git.wntrmute.dev/kyle/metacrypt/internal/db"
+)
+
+func setupBarrier(t *testing.T) (*AESGCMBarrier, func()) {
+	t.Helper()
+	dir := t.TempDir()
+	database, err := db.Open(filepath.Join(dir, "test.db"))
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+	if err := db.Migrate(database); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+	b := NewAESGCMBarrier(database)
+	return b, func() { database.Close() }
+}
+
+func TestBarrierSealUnseal(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+
+	if !b.IsSealed() {
+		t.Fatal("new barrier should be sealed")
+	}
+
+	mek, _ := crypto.GenerateKey()
+	if err := b.Unseal(mek); err != nil {
+		t.Fatalf("Unseal: %v", err)
+	}
+	if b.IsSealed() {
+		t.Fatal("barrier should be unsealed")
+	}
+
+	if err := b.Seal(); err != nil {
+		t.Fatalf("Seal: %v", err)
+	}
+	if !b.IsSealed() {
+		t.Fatal("barrier should be sealed after Seal()")
+	}
+}
+
+func TestBarrierPutGet(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	mek, _ := crypto.GenerateKey()
+	b.Unseal(mek)
+
+	data := []byte("test value")
+	if err := b.Put(ctx, "test/path", data); err != nil {
+		t.Fatalf("Put: %v", err)
+	}
+
+	got, err := b.Get(ctx, "test/path")
+	if err != nil {
+		t.Fatalf("Get: %v", err)
+	}
+	if string(got) != string(data) {
+		t.Fatalf("Get: got %q, want %q", got, data)
+	}
+}
+
+func TestBarrierGetNotFound(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	mek, _ := crypto.GenerateKey()
+	b.Unseal(mek)
+
+	_, err := b.Get(ctx, "nonexistent")
+	if err != ErrNotFound {
+		t.Fatalf("expected ErrNotFound, got: %v", err)
+	}
+}
+
+func TestBarrierDelete(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	mek, _ := crypto.GenerateKey()
+	b.Unseal(mek)
+
+	b.Put(ctx, "test/delete-me", []byte("data"))
+	if err := b.Delete(ctx, "test/delete-me"); err != nil {
+		t.Fatalf("Delete: %v", err)
+	}
+	_, err := b.Get(ctx, "test/delete-me")
+	if err != ErrNotFound {
+		t.Fatalf("expected ErrNotFound after delete, got: %v", err)
+	}
+}
+
+func TestBarrierList(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	mek, _ := crypto.GenerateKey()
+	b.Unseal(mek)
+
+	b.Put(ctx, "engine/ca/default/config", []byte("cfg"))
+	b.Put(ctx, "engine/ca/default/dek", []byte("key"))
+	b.Put(ctx, "engine/transit/main/config", []byte("cfg"))
+
+	paths, err := b.List(ctx, "engine/ca/")
+	if err != nil {
+		t.Fatalf("List: %v", err)
+	}
+	if len(paths) != 2 {
+		t.Fatalf("List: got %d paths, want 2", len(paths))
+	}
+}
+
+func TestBarrierSealedOperations(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	if _, err := b.Get(ctx, "test"); err != ErrSealed {
+		t.Fatalf("Get when sealed: expected ErrSealed, got: %v", err)
+	}
+	if err := b.Put(ctx, "test", []byte("data")); err != ErrSealed {
+		t.Fatalf("Put when sealed: expected ErrSealed, got: %v", err)
+	}
+	if err := b.Delete(ctx, "test"); err != ErrSealed {
+		t.Fatalf("Delete when sealed: expected ErrSealed, got: %v", err)
+	}
+	if _, err := b.List(ctx, "test"); err != ErrSealed {
+		t.Fatalf("List when sealed: expected ErrSealed, got: %v", err)
+	}
+}
+
+func TestBarrierOverwrite(t *testing.T) {
+	b, cleanup := setupBarrier(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	mek, _ := crypto.GenerateKey()
+	b.Unseal(mek)
+
+	b.Put(ctx, "test/overwrite", []byte("v1"))
+	b.Put(ctx, "test/overwrite", []byte("v2"))
+
+	got, _ := b.Get(ctx, "test/overwrite")
+	if string(got) != "v2" {
+		t.Fatalf("overwrite: got %q, want %q", got, "v2")
+	}
+}