Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper),
db (SQLite/migrations), barrier (encrypted storage), seal (state machine
with rate-limited unseal), auth (MCIAS integration with token cache),
policy (priority-based ACL engine), engine (interface + registry).

Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI
(init, unseal, login, dashboard pages).

CLI: cobra/viper subcommands (server, init, status, snapshot) with env
var override support (METACRYPT_ prefix).

Operational tooling: Dockerfile (multi-stage, non-root), docker-compose,
hardened systemd units (service + daily backup timer), install script,
backup script with retention pruning, production config examples.

Runbook covering installation, configuration, daily operations,
backup/restore, monitoring, troubleshooting, and security procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/crypto/crypto.go

@@ -0,0 +1,137 @@
+// Package crypto provides Argon2id KDF, AES-256-GCM encryption, and key helpers.
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/subtle"
+	"errors"
+	"fmt"
+
+	"golang.org/x/crypto/argon2"
+)
+
+const (
+	// KeySize is the size of AES-256 keys in bytes.
+	KeySize = 32
+	// NonceSize is the size of AES-GCM nonces in bytes.
+	NonceSize = 12
+	// SaltSize is the size of Argon2id salts in bytes.
+	SaltSize = 32
+
+	// BarrierVersion is the version byte prefix for encrypted barrier entries.
+	BarrierVersion byte = 0x01
+
+	// Default Argon2id parameters.
+	DefaultArgon2Time    = 3
+	DefaultArgon2Memory  = 128 * 1024 // 128 MiB in KiB
+	DefaultArgon2Threads = 4
+)
+
+var (
+	ErrInvalidCiphertext = errors.New("crypto: invalid ciphertext")
+	ErrDecryptionFailed  = errors.New("crypto: decryption failed")
+)
+
+// Argon2Params holds Argon2id KDF parameters.
+type Argon2Params struct {
+	Time    uint32
+	Memory  uint32 // in KiB
+	Threads uint8
+}
+
+// DefaultArgon2Params returns the default Argon2id parameters.
+func DefaultArgon2Params() Argon2Params {
+	return Argon2Params{
+		Time:    DefaultArgon2Time,
+		Memory:  DefaultArgon2Memory,
+		Threads: DefaultArgon2Threads,
+	}
+}
+
+// DeriveKey derives a 256-bit key from password and salt using Argon2id.
+func DeriveKey(password []byte, salt []byte, params Argon2Params) []byte {
+	return argon2.IDKey(password, salt, params.Time, params.Memory, params.Threads, KeySize)
+}
+
+// GenerateKey generates a random 256-bit key.
+func GenerateKey() ([]byte, error) {
+	key := make([]byte, KeySize)
+	if _, err := rand.Read(key); err != nil {
+		return nil, fmt.Errorf("crypto: generate key: %w", err)
+	}
+	return key, nil
+}
+
+// GenerateSalt generates a random salt for Argon2id.
+func GenerateSalt() ([]byte, error) {
+	salt := make([]byte, SaltSize)
+	if _, err := rand.Read(salt); err != nil {
+		return nil, fmt.Errorf("crypto: generate salt: %w", err)
+	}
+	return salt, nil
+}
+
+// Encrypt encrypts plaintext with AES-256-GCM using the given key.
+// Returns: [version byte][12-byte nonce][ciphertext+tag]
+func Encrypt(key, plaintext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("crypto: new cipher: %w", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("crypto: new gcm: %w", err)
+	}
+	nonce := make([]byte, NonceSize)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, fmt.Errorf("crypto: generate nonce: %w", err)
+	}
+	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
+
+	// Format: [version][nonce][ciphertext+tag]
+	result := make([]byte, 1+NonceSize+len(ciphertext))
+	result[0] = BarrierVersion
+	copy(result[1:1+NonceSize], nonce)
+	copy(result[1+NonceSize:], ciphertext)
+	return result, nil
+}
+
+// Decrypt decrypts ciphertext produced by Encrypt.
+func Decrypt(key, data []byte) ([]byte, error) {
+	if len(data) < 1+NonceSize+aes.BlockSize {
+		return nil, ErrInvalidCiphertext
+	}
+	if data[0] != BarrierVersion {
+		return nil, fmt.Errorf("crypto: unsupported version: %d", data[0])
+	}
+	nonce := data[1 : 1+NonceSize]
+	ciphertext := data[1+NonceSize:]
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("crypto: new cipher: %w", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("crypto: new gcm: %w", err)
+	}
+	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return nil, ErrDecryptionFailed
+	}
+	return plaintext, nil
+}
+
+// Zeroize overwrites a byte slice with zeros.
+func Zeroize(b []byte) {
+	for i := range b {
+		b[i] = 0
+	}
+}
+
+// ConstantTimeEqual compares two byte slices in constant time.
+func ConstantTimeEqual(a, b []byte) bool {
+	return subtle.ConstantTimeCompare(a, b) == 1
+}

internal/crypto/crypto_test.go

@@ -0,0 +1,132 @@
+package crypto
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestGenerateKey(t *testing.T) {
+	key, err := GenerateKey()
+	if err != nil {
+		t.Fatalf("GenerateKey: %v", err)
+	}
+	if len(key) != KeySize {
+		t.Fatalf("key length: got %d, want %d", len(key), KeySize)
+	}
+	// Should be random (not all zeros).
+	if bytes.Equal(key, make([]byte, KeySize)) {
+		t.Fatal("key is all zeros")
+	}
+}
+
+func TestGenerateSalt(t *testing.T) {
+	salt, err := GenerateSalt()
+	if err != nil {
+		t.Fatalf("GenerateSalt: %v", err)
+	}
+	if len(salt) != SaltSize {
+		t.Fatalf("salt length: got %d, want %d", len(salt), SaltSize)
+	}
+}
+
+func TestEncryptDecrypt(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("hello, metacrypt!")
+
+	ciphertext, err := Encrypt(key, plaintext)
+	if err != nil {
+		t.Fatalf("Encrypt: %v", err)
+	}
+
+	// Version byte should be present.
+	if ciphertext[0] != BarrierVersion {
+		t.Fatalf("version byte: got %d, want %d", ciphertext[0], BarrierVersion)
+	}
+
+	decrypted, err := Decrypt(key, ciphertext)
+	if err != nil {
+		t.Fatalf("Decrypt: %v", err)
+	}
+
+	if !bytes.Equal(plaintext, decrypted) {
+		t.Fatalf("roundtrip failed: got %q, want %q", decrypted, plaintext)
+	}
+}
+
+func TestDecryptWrongKey(t *testing.T) {
+	key1, _ := GenerateKey()
+	key2, _ := GenerateKey()
+	plaintext := []byte("secret data")
+
+	ciphertext, _ := Encrypt(key1, plaintext)
+	_, err := Decrypt(key2, ciphertext)
+	if err != ErrDecryptionFailed {
+		t.Fatalf("expected ErrDecryptionFailed, got: %v", err)
+	}
+}
+
+func TestDecryptInvalidCiphertext(t *testing.T) {
+	key, _ := GenerateKey()
+	_, err := Decrypt(key, []byte("short"))
+	if err != ErrInvalidCiphertext {
+		t.Fatalf("expected ErrInvalidCiphertext, got: %v", err)
+	}
+}
+
+func TestDeriveKey(t *testing.T) {
+	password := []byte("test-password")
+	salt, _ := GenerateSalt()
+	params := Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
+
+	key := DeriveKey(password, salt, params)
+	if len(key) != KeySize {
+		t.Fatalf("derived key length: got %d, want %d", len(key), KeySize)
+	}
+
+	// Same inputs should produce same output.
+	key2 := DeriveKey(password, salt, params)
+	if !bytes.Equal(key, key2) {
+		t.Fatal("determinism: same inputs produced different keys")
+	}
+
+	// Different password should produce different output.
+	key3 := DeriveKey([]byte("different"), salt, params)
+	if bytes.Equal(key, key3) {
+		t.Fatal("different passwords produced same key")
+	}
+}
+
+func TestZeroize(t *testing.T) {
+	data := []byte{1, 2, 3, 4, 5}
+	Zeroize(data)
+	for i, b := range data {
+		if b != 0 {
+			t.Fatalf("byte %d not zeroed: %d", i, b)
+		}
+	}
+}
+
+func TestConstantTimeEqual(t *testing.T) {
+	a := []byte("hello")
+	b := []byte("hello")
+	c := []byte("world")
+
+	if !ConstantTimeEqual(a, b) {
+		t.Fatal("equal slices reported as not equal")
+	}
+	if ConstantTimeEqual(a, c) {
+		t.Fatal("different slices reported as equal")
+	}
+}
+
+func TestEncryptProducesDifferentCiphertext(t *testing.T) {
+	key, _ := GenerateKey()
+	plaintext := []byte("same data")
+
+	ct1, _ := Encrypt(key, plaintext)
+	ct2, _ := Encrypt(key, plaintext)
+
+	if bytes.Equal(ct1, ct2) {
+		t.Fatal("two encryptions of same plaintext produced identical ciphertext (nonce reuse)")
+	}
+}