Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 20:43:11 -07:00
commit 4ddd32b117
60 changed files with 4644 additions and 0 deletions
--- a/web/templates/dashboard.html
+++ b/web/templates/dashboard.html
@@ -0,0 +1,31 @@
+{{define "title"}} - Dashboard{{end}}
+{{define "content"}}
+<h2>Dashboard</h2>
+<div class="status-bar">
+    <span>Logged in as <strong>{{.Username}}</strong></span>
+    {{if .IsAdmin}}<span class="badge">Admin</span>{{end}}
+    <span>State: <strong>{{.State}}</strong></span>
+    <a href="/login" onclick="fetch('/v1/auth/logout',{method:'POST'})">Logout</a>
+</div>
+
+<h3>Engine Mounts</h3>
+{{if .Mounts}}
+<table>
+    <thead><tr><th>Name</th><th>Type</th><th>Path</th></tr></thead>
+    <tbody>
+    {{range .Mounts}}
+    <tr><td>{{.Name}}</td><td>{{.Type}}</td><td>{{.MountPath}}</td></tr>
+    {{end}}
+    </tbody>
+</table>
+{{else}}
+<p>No engines mounted.</p>
+{{end}}
+
+{{if .IsAdmin}}
+<h3>Admin Actions</h3>
+<div class="admin-actions">
+    <button hx-post="/v1/seal" hx-confirm="Are you sure you want to seal the service?">Seal Service</button>
+</div>
+{{end}}
+{{end}}
--- a/web/templates/init.html
+++ b/web/templates/init.html
@@ -0,0 +1,17 @@
+{{define "title"}} - Initialize{{end}}
+{{define "content"}}
+<h2>Initialize Metacrypt</h2>
+<p>Set the seal password for this Metacrypt instance. This password will be required to unseal the service after each restart.</p>
+{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+<form method="POST" action="/init">
+    <div class="form-group">
+        <label for="password">Seal Password</label>
+        <input type="password" id="password" name="password" required autofocus>
+    </div>
+    <div class="form-group">
+        <label for="confirm">Confirm Password</label>
+        <input type="password" id="confirm" name="confirm" required>
+    </div>
+    <button type="submit">Initialize</button>
+</form>
+{{end}}
--- a/web/templates/initializing.html
+++ b/web/templates/initializing.html
@@ -0,0 +1,9 @@
+{{define "title"}} - Initializing{{end}}
+{{define "content"}}
+<h2>Initializing...</h2>
+<p>Metacrypt is being initialized. Please wait.</p>
+<div hx-get="/v1/status" hx-trigger="every 2s" hx-swap="none"
+     hx-on::after-request="if(JSON.parse(event.detail.xhr.responseText).state==='unsealed')window.location='/dashboard'">
+    <p>Checking status...</p>
+</div>
+{{end}}
--- a/web/templates/layout.html
+++ b/web/templates/layout.html
@@ -0,0 +1,20 @@
+{{define "layout"}}<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Metacrypt{{block "title" .}}{{end}}</title>
+    <script src="/static/htmx.min.js"></script>
+    <link rel="stylesheet" href="/static/style.css">
+</head>
+<body>
+    <div class="container">
+        <header>
+            <h1><a href="/">Metacrypt</a></h1>
+        </header>
+        <main>
+            {{template "content" .}}
+        </main>
+    </div>
+</body>
+</html>{{end}}
--- a/web/templates/login.html
+++ b/web/templates/login.html
@@ -0,0 +1,21 @@
+{{define "title"}} - Login{{end}}
+{{define "content"}}
+<h2>Login</h2>
+<p>Authenticate with your MCIAS credentials.</p>
+{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+<form method="POST" action="/login">
+    <div class="form-group">
+        <label for="username">Username</label>
+        <input type="text" id="username" name="username" required autofocus>
+    </div>
+    <div class="form-group">
+        <label for="password">Password</label>
+        <input type="password" id="password" name="password" required>
+    </div>
+    <div class="form-group">
+        <label for="totp_code">TOTP Code (if enabled)</label>
+        <input type="text" id="totp_code" name="totp_code" autocomplete="one-time-code">
+    </div>
+    <button type="submit">Login</button>
+</form>
+{{end}}
--- a/web/templates/unseal.html
+++ b/web/templates/unseal.html
@@ -0,0 +1,13 @@
+{{define "title"}} - Unseal{{end}}
+{{define "content"}}
+<h2>Unseal Metacrypt</h2>
+<p>The service is sealed. Enter the seal password to unseal.</p>
+{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+<form method="POST" action="/unseal">
+    <div class="form-group">
+        <label for="password">Seal Password</label>
+        <input type="password" id="password" name="password" required autofocus>
+    </div>
+    <button type="submit">Unseal</button>
+</form>
+{{end}}