Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper),
db (SQLite/migrations), barrier (encrypted storage), seal (state machine
with rate-limited unseal), auth (MCIAS integration with token cache),
policy (priority-based ACL engine), engine (interface + registry).

Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI
(init, unseal, login, dashboard pages).

CLI: cobra/viper subcommands (server, init, status, snapshot) with env
var override support (METACRYPT_ prefix).

Operational tooling: Dockerfile (multi-stage, non-root), docker-compose,
hardened systemd units (service + daily backup timer), install script,
backup script with retention pruning, production config examples.

Runbook covering installation, configuration, daily operations,
backup/restore, monitoring, troubleshooting, and security procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/db/db.go

@@ -0,0 +1,43 @@
+// Package db provides SQLite database access and migrations.
+package db
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+
+	_ "modernc.org/sqlite"
+)
+
+// Open opens or creates a SQLite database at the given path with secure
+// file permissions (0600) and WAL mode enabled.
+func Open(path string) (*sql.DB, error) {
+	// Ensure the file has restrictive permissions if it doesn't exist yet.
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0600)
+		if err != nil {
+			return nil, fmt.Errorf("db: create file: %w", err)
+		}
+		f.Close()
+	}
+
+	db, err := sql.Open("sqlite", path)
+	if err != nil {
+		return nil, fmt.Errorf("db: open: %w", err)
+	}
+
+	// Enable WAL mode and foreign keys.
+	pragmas := []string{
+		"PRAGMA journal_mode=WAL",
+		"PRAGMA foreign_keys=ON",
+		"PRAGMA busy_timeout=5000",
+	}
+	for _, p := range pragmas {
+		if _, err := db.Exec(p); err != nil {
+			db.Close()
+			return nil, fmt.Errorf("db: pragma %q: %w", p, err)
+		}
+	}
+
+	return db, nil
+}

internal/db/db_test.go

@@ -0,0 +1,44 @@
+package db
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestOpenAndMigrate(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.db")
+
+	database, err := Open(path)
+	if err != nil {
+		t.Fatalf("Open: %v", err)
+	}
+	defer database.Close()
+
+	if err := Migrate(database); err != nil {
+		t.Fatalf("Migrate: %v", err)
+	}
+
+	// Verify tables exist.
+	tables := []string{"seal_config", "barrier_entries", "schema_migrations"}
+	for _, table := range tables {
+		var name string
+		err := database.QueryRow(
+			"SELECT name FROM sqlite_master WHERE type='table' AND name=?", table).Scan(&name)
+		if err != nil {
+			t.Errorf("table %q not found: %v", table, err)
+		}
+	}
+
+	// Migration should be idempotent.
+	if err := Migrate(database); err != nil {
+		t.Fatalf("second Migrate: %v", err)
+	}
+
+	// Check migration version.
+	var version int
+	database.QueryRow("SELECT MAX(version) FROM schema_migrations").Scan(&version)
+	if version != 1 {
+		t.Errorf("migration version: got %d, want 1", version)
+	}
+}

internal/db/migrate.go

@@ -0,0 +1,70 @@
+package db
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+// migrations is an ordered list of SQL DDL statements. Each index is the
+// migration version (1-based).
+var migrations = []string{
+	// Version 1: initial schema
+	`CREATE TABLE IF NOT EXISTS seal_config (
+		id INTEGER PRIMARY KEY CHECK (id = 1),
+		encrypted_mek BLOB NOT NULL,
+		kdf_salt BLOB NOT NULL,
+		argon2_time INTEGER NOT NULL,
+		argon2_memory INTEGER NOT NULL,
+		argon2_threads INTEGER NOT NULL,
+		initialized_at DATETIME NOT NULL DEFAULT (datetime('now'))
+	);
+
+	CREATE TABLE IF NOT EXISTS barrier_entries (
+		path TEXT PRIMARY KEY,
+		value BLOB NOT NULL,
+		created_at DATETIME NOT NULL DEFAULT (datetime('now')),
+		updated_at DATETIME NOT NULL DEFAULT (datetime('now'))
+	);
+
+	CREATE TABLE IF NOT EXISTS schema_migrations (
+		version INTEGER PRIMARY KEY,
+		applied_at DATETIME NOT NULL DEFAULT (datetime('now'))
+	);`,
+}
+
+// Migrate applies all pending migrations.
+func Migrate(db *sql.DB) error {
+	// Ensure the migrations table exists (bootstrap).
+	if _, err := db.Exec(`CREATE TABLE IF NOT EXISTS schema_migrations (
+		version INTEGER PRIMARY KEY,
+		applied_at DATETIME NOT NULL DEFAULT (datetime('now'))
+	)`); err != nil {
+		return fmt.Errorf("db: create migrations table: %w", err)
+	}
+
+	var current int
+	row := db.QueryRow("SELECT COALESCE(MAX(version), 0) FROM schema_migrations")
+	if err := row.Scan(&current); err != nil {
+		return fmt.Errorf("db: get migration version: %w", err)
+	}
+
+	for i := current; i < len(migrations); i++ {
+		version := i + 1
+		tx, err := db.Begin()
+		if err != nil {
+			return fmt.Errorf("db: begin migration %d: %w", version, err)
+		}
+		if _, err := tx.Exec(migrations[i]); err != nil {
+			tx.Rollback()
+			return fmt.Errorf("db: migration %d: %w", version, err)
+		}
+		if _, err := tx.Exec("INSERT INTO schema_migrations (version) VALUES (?)", version); err != nil {
+			tx.Rollback()
+			return fmt.Errorf("db: record migration %d: %w", version, err)
+		}
+		if err := tx.Commit(); err != nil {
+			return fmt.Errorf("db: commit migration %d: %w", version, err)
+		}
+	}
+	return nil
+}