Add architecture docs, fix gRPC/REST API parity, project conventions

- Add ARCHITECTURE.md with full system specification - Add Project Structure and API Sync Rule to CLAUDE.md; ignore srv/ - Fix engine.proto MountRequest missing config field - Add pki.proto PKIService to match unauthenticated REST PKI routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 23:29:51 -07:00
parent 8f77050a84
commit 658d067d78
15 changed files with 923 additions and 201 deletions
--- a/proto/metacrypt/v1/engine.proto
+++ b/proto/metacrypt/v1/engine.proto
@@ -16,6 +16,7 @@ service EngineService {
 message MountRequest {
  string name = 1;
  string type = 2;
+  google.protobuf.Struct config = 3;
 }
 message MountResponse {}

--- a/proto/metacrypt/v1/pki.proto
+++ b/proto/metacrypt/v1/pki.proto
@@ -0,0 +1,36 @@
+syntax = "proto3";
+
+package metacrypt.v1;
+
+option go_package = "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1;metacryptv1";
+
+// PKIService provides unauthenticated access to public CA certificates.
+// These endpoints only require the service to be unsealed.
+service PKIService {
+  rpc GetRootCert(GetRootCertRequest) returns (GetRootCertResponse);
+  rpc GetChain(GetChainRequest) returns (GetChainResponse);
+  rpc GetIssuerCert(GetIssuerCertRequest) returns (GetIssuerCertResponse);
+}
+
+message GetRootCertRequest {
+  string mount = 1;
+}
+message GetRootCertResponse {
+  bytes cert_pem = 1;
+}
+
+message GetChainRequest {
+  string mount = 1;
+  string issuer = 2;
+}
+message GetChainResponse {
+  bytes chain_pem = 1;
+}
+
+message GetIssuerCertRequest {
+  string mount = 1;
+  string issuer = 2;
+}
+message GetIssuerCertResponse {
+  bytes cert_pem = 1;
+}