Implement CA/PKI engine with two-tier X.509 certificate issuance

Add the first concrete engine implementation: a CA (PKI) engine that generates a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"), and signs leaf certificates using configurable profiles (server, client, peer). Engine framework updates: - Add CallerInfo struct for auth context in engine requests - Add config parameter to Engine.Initialize for mount-time configuration - Export Mount.Engine field; add GetEngine/GetMount on Registry CA engine (internal/engine/ca/): - Two-tier PKI: root CA → issuers → leaf certificates - 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers, issue, get-cert, list-certs, renew - Certificate profiles with user-overridable TTL, key usages, and key algorithm - Private keys never stored in barrier; zeroized from memory on seal - Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen Server routes: - Wire up engine mount/request handlers (replace Phase 1 stubs) - Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name}) for unauthenticated TLS trust bootstrapping Also includes: ARCHITECTURE.md, deploy config updates, operational tooling. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 21:57:52 -07:00
parent 4ddd32b117
commit 8f77050a84
26 changed files with 2980 additions and 129 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -20,3 +20,32 @@ go vet ./...      # Static analysis
 - **Storage**: SQLite database with an encrypted storage barrier (similar to HashiCorp Vault)
 - **Seal/Unseal**: Single password unseals the service; a master encryption key serves as a key-encryption key (KEK) to decrypt per-engine data encryption keys
 - **Auth**: MCIAS integration; MCIAS admin users get admin privileges on this service
+
+## Project Structure
+
+```
+.
+├── cmd/metacrypt/          # CLI entry point (server, init, status, snapshot)
+├── deploy/
+│   ├── docker/             # Docker Compose configuration
+│   ├── examples/           # Example config files
+│   ├── scripts/            # Deployment scripts
+│   └── systemd/            # systemd unit files
+├── internal/
+│   ├── auth/               # MCIAS token authentication & caching
+│   ├── barrier/            # Encrypted key-value storage abstraction
+│   ├── config/             # TOML configuration loading & validation
+│   ├── crypto/             # Low-level cryptographic primitives
+│   ├── db/                 # SQLite setup & schema migrations
+│   ├── engine/             # Pluggable engine registry & interface
+│   ├── policy/             # Priority-based ACL engine
+│   ├── seal/               # Seal/unseal state machine
+│   └── server/             # HTTP server, routes, middleware
+├── proto/metacrypt/        # Protobuf/gRPC definitions
+├── web/
+│   ├── static/             # CSS, HTMX
+│   └── templates/          # Go HTML templates
+├── Dockerfile
+├── Makefile
+└── metacrypt.toml.example
+```