Add architecture docs, fix gRPC/REST API parity, project conventions

- Add ARCHITECTURE.md with full system specification - Add Project Structure and API Sync Rule to CLAUDE.md; ignore srv/ - Fix engine.proto MountRequest missing config field - Add pki.proto PKIService to match unauthenticated REST PKI routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 23:29:51 -07:00
parent 8f77050a84
commit 658d067d78
15 changed files with 923 additions and 201 deletions
--- a/web/static/style.css
+++ b/web/static/style.css
@@ -22,3 +22,10 @@ th { font-weight: 600; background: #f9fafb; }
 .admin-actions { margin-top: 0.5rem; }
 .admin-actions button { background: #dc2626; }
 .admin-actions button:hover { background: #b91c1c; }
+.badge-danger { background: #fee2e2; color: #991b1b; }
+.form-group textarea, .pem-input { width: 100%; padding: 0.5rem; border: 1px solid #ccc; border-radius: 4px; font-family: monospace; font-size: 0.875rem; resize: vertical; }
+.form-group input[type="file"] { padding: 0.25rem 0; border: none; }
+.form-row { display: flex; gap: 1rem; }
+.form-row .form-group { flex: 1; }
+details { margin: 0.75rem 0; }
+details summary { cursor: pointer; color: #2563eb; font-weight: 600; margin-bottom: 0.5rem; }
--- a/web/templates/dashboard.html
+++ b/web/templates/dashboard.html
@@ -14,7 +14,11 @@
    <thead><tr><th>Name</th><th>Type</th><th>Path</th></tr></thead>
    <tbody>
    {{range .Mounts}}
-    <tr><td>{{.Name}}</td><td>{{.Type}}</td><td>{{.MountPath}}</td></tr>
+    <tr>
+        <td>{{if eq (printf "%s" .Type) "ca"}}<a href="/pki">{{.Name}}</a>{{else}}{{.Name}}{{end}}</td>
+        <td>{{.Type}}</td>
+        <td>{{.MountPath}}</td>
+    </tr>
    {{end}}
    </tbody>
 </table>
@@ -23,6 +27,33 @@
 {{end}}

 {{if .IsAdmin}}
+<h3>Mount CA Engine</h3>
+{{if .MountError}}<div class="error">{{.MountError}}</div>{{end}}
+<form method="post" action="/dashboard/mount-ca" enctype="multipart/form-data">
+    <div class="form-row">
+        <div class="form-group">
+            <label for="mount_name">Mount Name</label>
+            <input type="text" id="mount_name" name="name" placeholder="pki" required>
+        </div>
+        <div class="form-group">
+            <label for="organization">Organization</label>
+            <input type="text" id="organization" name="organization" placeholder="Metacircular">
+        </div>
+    </div>
+    <details>
+        <summary>Import existing root CA (optional)</summary>
+        <div class="form-group">
+            <label for="cert_file">Certificate PEM file</label>
+            <input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
+        </div>
+        <div class="form-group">
+            <label for="key_file">Private Key PEM file</label>
+            <input type="file" id="key_file" name="key_file" accept=".pem,.key">
+        </div>
+    </details>
+    <button type="submit">Mount</button>
+</form>
+
 <h3>Admin Actions</h3>
 <div class="admin-actions">
    <button hx-post="/v1/seal" hx-confirm="Are you sure you want to seal the service?">Seal Service</button>
--- a/web/templates/pki.html
+++ b/web/templates/pki.html
@@ -0,0 +1,111 @@
+{{define "title"}} - PKI: {{.MountName}}{{end}}
+{{define "content"}}
+<h2>PKI Engine: {{.MountName}}</h2>
+
+<p><a href="/dashboard">&larr; Dashboard</a></p>
+
+{{if .Error}}
+<div class="error">{{.Error}}</div>
+{{end}}
+
+<h3>Root CA</h3>
+{{if .HasRoot}}
+<table>
+    <tr><th>Common Name</th><td>{{.RootCN}}</td></tr>
+    <tr><th>Organization</th><td>{{.RootOrg}}</td></tr>
+    <tr><th>Valid From</th><td>{{.RootNotBefore}}</td></tr>
+    <tr>
+        <th>Valid Until</th>
+        <td>
+            {{.RootNotAfter}}
+            {{if .RootExpired}} <span class="badge badge-danger">Expired</span>{{end}}
+        </td>
+    </tr>
+</table>
+<p style="margin-top: 0.5rem;">
+    <a href="/v1/pki/{{.MountName}}/ca" download="root-ca.pem">Download Root CA (PEM)</a>
+</p>
+{{else}}
+<p>No root CA configured.</p>
+{{end}}
+
+{{if .IsAdmin}}
+{{if or (not .HasRoot) .RootExpired}}
+<h3>Import Root CA</h3>
+<p>{{if .RootExpired}}The current root CA has expired. Import a new one.{{else}}No root CA is present. Import one to get started.{{end}}</p>
+<form method="post" action="/pki/import-root" enctype="multipart/form-data">
+    <div class="form-group">
+        <label for="cert_file">Certificate PEM</label>
+        <input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
+    </div>
+    <div class="form-group">
+        <label for="cert_pem">Or paste certificate PEM</label>
+        <textarea id="cert_pem" name="cert_pem" rows="6" class="pem-input" placeholder="-----BEGIN CERTIFICATE-----"></textarea>
+    </div>
+    <div class="form-group">
+        <label for="key_file">Private Key PEM</label>
+        <input type="file" id="key_file" name="key_file" accept=".pem,.key">
+    </div>
+    <div class="form-group">
+        <label for="key_pem">Or paste private key PEM</label>
+        <textarea id="key_pem" name="key_pem" rows="6" class="pem-input" placeholder="-----BEGIN PRIVATE KEY-----"></textarea>
+    </div>
+    <button type="submit">Import Root CA</button>
+</form>
+{{end}}
+{{end}}
+
+<h3>Issuers</h3>
+{{if .Issuers}}
+<table>
+    <thead><tr><th>Name</th><th>Actions</th></tr></thead>
+    <tbody>
+    {{range .Issuers}}
+    <tr>
+        <td>{{.}}</td>
+        <td><a href="/pki/{{.}}" download="{{.}}.pem">Download Cert (PEM)</a></td>
+    </tr>
+    {{end}}
+    </tbody>
+</table>
+{{else}}
+<p>No issuers configured.</p>
+{{end}}
+
+{{if .IsAdmin}}
+{{if .HasRoot}}
+<h3>Create Issuer</h3>
+{{if .IssuerError}}<div class="error">{{.IssuerError}}</div>{{end}}
+<form method="post" action="/pki/create-issuer">
+    <div class="form-row">
+        <div class="form-group">
+            <label for="issuer_name">Issuer Name</label>
+            <input type="text" id="issuer_name" name="name" placeholder="default" required>
+        </div>
+        <div class="form-group">
+            <label for="issuer_expiry">Expiry</label>
+            <input type="text" id="issuer_expiry" name="expiry" placeholder="43800h (5 years)">
+        </div>
+    </div>
+    <details>
+        <summary>Advanced options</summary>
+        <div class="form-row">
+            <div class="form-group">
+                <label for="issuer_key_alg">Key Algorithm</label>
+                <input type="text" id="issuer_key_alg" name="key_algorithm" placeholder="ECDSA (default)">
+            </div>
+            <div class="form-group">
+                <label for="issuer_key_size">Key Size</label>
+                <input type="text" id="issuer_key_size" name="key_size" placeholder="256 (default)">
+            </div>
+        </div>
+        <div class="form-group">
+            <label for="issuer_max_ttl">Max Leaf TTL</label>
+            <input type="text" id="issuer_max_ttl" name="max_ttl" placeholder="2160h (90 days)">
+        </div>
+    </details>
+    <button type="submit">Create Issuer</button>
+</form>
+{{end}}
+{{end}}
+{{end}}