Add TLS unsealing via gRPC to CLI and server

Implements the SystemService gRPC endpoint (Status, Init, Unseal, Seal)
alongside the existing REST API, secured with the same TLS certificate.

The `metacrypt unseal` CLI command now prefers gRPC when --grpc-addr is
provided, falling back to the REST API via --addr. Both transports require
TLS; a custom CA certificate can be supplied with --ca-cert.

Server changes:
- internal/server/grpc.go: SystemServiceServer implementation with
  StartGRPC/ShutdownGRPC methods; uses the TLS cert from config.
- internal/server/server.go: adds grpcSrv field and grpc import.
- cmd/metacrypt/server.go: starts gRPC goroutine when grpc_addr is set
  in config, shuts it down on signal.

Generated code (from proto/metacrypt/v1/system.proto):
- gen/metacrypt/v1/system.pb.go: protobuf message types
- gen/metacrypt/v1/system_grpc.pb.go: gRPC client/server stubs

Dependencies added to go.mod (run `go mod tidy` to populate go.sum):
- google.golang.org/grpc v1.71.1
- google.golang.org/protobuf v1.36.5
- google.golang.org/genproto/googleapis/rpc (indirect)
- golang.org/x/net (indirect)

https://claude.ai/code/session_013m1QXGoTB4jaPUN5gwir8F

cmd/metacrypt/server.go

@@ -86,7 +86,17 @@ func runServer(cmd *cobra.Command, args []string) error {
 		}
 	}()
 
+	if cfg.Server.GRPCAddr != "" {
+		go func() {
+			if err := srv.StartGRPC(); err != nil {
+				logger.Error("grpc server error", "error", err)
+				os.Exit(1)
+			}
+		}()
+	}
+
 	<-ctx.Done()
 	logger.Info("shutting down")
+	srv.ShutdownGRPC()
 	return srv.Shutdown(context.Background())
 }

cmd/metacrypt/unseal.go

@@ -0,0 +1,132 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"golang.org/x/term"
+
+	metacryptv1 "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
+)
+
+var unsealCmd = &cobra.Command{
+	Use:   "unseal",
+	Short: "Unseal the Metacrypt service",
+	Long:  "Send an unseal request to a running Metacrypt server over TLS. Uses gRPC when --grpc-addr is provided, otherwise falls back to the REST API.",
+	RunE:  runUnseal,
+}
+
+var (
+	unsealAddr     string
+	unsealGRPCAddr string
+	unsealCACert   string
+)
+
+func init() {
+	unsealCmd.Flags().StringVar(&unsealAddr, "addr", "", "REST server address (e.g., https://localhost:8443)")
+	unsealCmd.Flags().StringVar(&unsealGRPCAddr, "grpc-addr", "", "gRPC server address (e.g., localhost:9443); preferred over --addr when set")
+	unsealCmd.Flags().StringVar(&unsealCACert, "ca-cert", "", "path to CA certificate for TLS verification")
+	rootCmd.AddCommand(unsealCmd)
+}
+
+func runUnseal(cmd *cobra.Command, args []string) error {
+	if unsealGRPCAddr == "" && unsealAddr == "" {
+		return fmt.Errorf("one of --grpc-addr or --addr is required")
+	}
+
+	fmt.Print("Unseal password: ")
+	passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd()))
+	fmt.Println()
+	if err != nil {
+		return fmt.Errorf("read password: %w", err)
+	}
+
+	if unsealGRPCAddr != "" {
+		return unsealViaGRPC(unsealGRPCAddr, unsealCACert, string(passwordBytes))
+	}
+	return unsealViaREST(unsealAddr, unsealCACert, string(passwordBytes))
+}
+
+func buildTLSConfig(caCertPath string) (*tls.Config, error) {
+	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
+	if caCertPath != "" {
+		pem, err := os.ReadFile(caCertPath)
+		if err != nil {
+			return nil, fmt.Errorf("read CA cert: %w", err)
+		}
+		pool := x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(pem) {
+			return nil, fmt.Errorf("no valid certs in CA file")
+		}
+		tlsCfg.RootCAs = pool
+	}
+	return tlsCfg, nil
+}
+
+func unsealViaGRPC(addr, caCertPath, password string) error {
+	tlsCfg, err := buildTLSConfig(caCertPath)
+	if err != nil {
+		return err
+	}
+
+	conn, err := grpc.NewClient(addr, grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg)))
+	if err != nil {
+		return fmt.Errorf("grpc dial: %w", err)
+	}
+	defer conn.Close()
+
+	client := metacryptv1.NewSystemServiceClient(conn)
+	resp, err := client.Unseal(context.Background(), &metacryptv1.UnsealRequest{Password: password})
+	if err != nil {
+		return fmt.Errorf("unseal failed: %w", err)
+	}
+
+	fmt.Printf("State: %s\n", resp.State)
+	return nil
+}
+
+func unsealViaREST(addr, caCertPath, password string) error {
+	tlsCfg, err := buildTLSConfig(caCertPath)
+	if err != nil {
+		return err
+	}
+
+	client := &http.Client{
+		Transport: &http.Transport{TLSClientConfig: tlsCfg},
+	}
+
+	body, err := json.Marshal(map[string]string{"password": password})
+	if err != nil {
+		return fmt.Errorf("encode request: %w", err)
+	}
+
+	resp, err := client.Post(addr+"/v1/unseal", "application/json", bytes.NewReader(body))
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	var result struct {
+		State string `json:"state"`
+		Error string `json:"error"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return fmt.Errorf("decode response: %w", err)
+	}
+
+	if result.Error != "" {
+		return fmt.Errorf("unseal failed: %s", result.Error)
+	}
+
+	fmt.Printf("State: %s\n", result.State)
+	return nil
+}

gen/metacrypt/v1/system.pb.go

@@ -0,0 +1,381 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// source: proto/metacrypt/v1/system.proto
+
+package metacryptv1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type StatusRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StatusRequest) Reset() {
+	*x = StatusRequest{}
+	mi := &file_system_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *StatusRequest) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*StatusRequest) ProtoMessage()     {}
+func (x *StatusRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+type StatusResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	State         string                 `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *StatusResponse) Reset() {
+	*x = StatusResponse{}
+	mi := &file_system_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *StatusResponse) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*StatusResponse) ProtoMessage()     {}
+func (x *StatusResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+func (x *StatusResponse) GetState() string {
+	if x != nil {
+		return x.State
+	}
+	return ""
+}
+
+type InitRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Password      string                 `protobuf:"bytes,1,opt,name=password,proto3" json:"password,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *InitRequest) Reset() {
+	*x = InitRequest{}
+	mi := &file_system_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *InitRequest) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*InitRequest) ProtoMessage()     {}
+func (x *InitRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+func (x *InitRequest) GetPassword() string {
+	if x != nil {
+		return x.Password
+	}
+	return ""
+}
+
+type InitResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	State         string                 `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *InitResponse) Reset() {
+	*x = InitResponse{}
+	mi := &file_system_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *InitResponse) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*InitResponse) ProtoMessage()     {}
+func (x *InitResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+func (x *InitResponse) GetState() string {
+	if x != nil {
+		return x.State
+	}
+	return ""
+}
+
+type UnsealRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Password      string                 `protobuf:"bytes,1,opt,name=password,proto3" json:"password,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UnsealRequest) Reset() {
+	*x = UnsealRequest{}
+	mi := &file_system_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *UnsealRequest) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*UnsealRequest) ProtoMessage()     {}
+func (x *UnsealRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+func (x *UnsealRequest) GetPassword() string {
+	if x != nil {
+		return x.Password
+	}
+	return ""
+}
+
+type UnsealResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	State         string                 `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UnsealResponse) Reset() {
+	*x = UnsealResponse{}
+	mi := &file_system_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *UnsealResponse) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*UnsealResponse) ProtoMessage()     {}
+func (x *UnsealResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+func (x *UnsealResponse) GetState() string {
+	if x != nil {
+		return x.State
+	}
+	return ""
+}
+
+type SealRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SealRequest) Reset() {
+	*x = SealRequest{}
+	mi := &file_system_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *SealRequest) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*SealRequest) ProtoMessage()     {}
+func (x *SealRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+type SealResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	State         string                 `protobuf:"bytes,1,opt,name=state,proto3" json:"state,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SealResponse) Reset() {
+	*x = SealResponse{}
+	mi := &file_system_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+func (x *SealResponse) String() string  { return protoimpl.X.MessageStringOf(x) }
+func (*SealResponse) ProtoMessage()     {}
+func (x *SealResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_system_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+func (x *SealResponse) GetState() string {
+	if x != nil {
+		return x.State
+	}
+	return ""
+}
+
+// file descriptor compiled from proto/metacrypt/v1/system.proto
+var file_system_proto_rawDesc = []byte{
+	0x0a, 0x1e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x0c, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x22,
+	0x0f, 0x0a, 0x0d, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x22, 0x27, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x15, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x28, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77,
+	0x6f, 0x72, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77,
+	0x6f, 0x72, 0x64, 0x22, 0x25, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x2a, 0x0a, 0x0d, 0x55, 0x6e, 0x73,
+	0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x61,
+	0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61,
+	0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x27, 0x0a, 0x0e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x0d,
+	0x0a, 0x0b, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x25, 0x0a,
+	0x0c, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a,
+	0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x73, 0x74,
+	0x61, 0x74, 0x65, 0x32, 0xc7, 0x01, 0x0a, 0x0d, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x65,
+	0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x38, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12,
+	0x1b, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53,
+	0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x6d,
+	0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x74, 0x61, 0x74,
+	0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x04, 0x49, 0x6e,
+	0x69, 0x74, 0x12, 0x19, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76,
+	0x31, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a, 0x2e,
+	0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x69,
+	0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x06, 0x55, 0x6e, 0x73,
+	0x65, 0x61, 0x6c, 0x12, 0x1b, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e,
+	0x76, 0x31, 0x2e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x1c, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e,
+	0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x0e,
+	0x0a, 0x04, 0x53, 0x65, 0x61, 0x6c, 0x12, 0x19, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x1a, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2e, 0x76, 0x31,
+	0x2e, 0x53, 0x65, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a,
+	0x42, 0x67, 0x69, 0x74, 0x2e, 0x77, 0x6e, 0x74, 0x72, 0x6d, 0x75, 0x74, 0x65, 0x2e, 0x64, 0x65,
+	0x76, 0x2f, 0x6b, 0x79, 0x6c, 0x65, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74,
+	0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x76,
+	0x31, 0x3b, 0x6d, 0x65, 0x74, 0x61, 0x63, 0x72, 0x79, 0x70, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_system_proto_rawDescOnce sync.Once
+	file_system_proto_rawDescData []byte
+)
+
+func file_system_proto_rawDescGZIP() []byte {
+	file_system_proto_rawDescOnce.Do(func() {
+		file_system_proto_rawDescData = file_system_proto_rawDesc
+	})
+	return file_system_proto_rawDescData
+}
+
+var file_system_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_system_proto_goTypes = []any{
+	(*StatusRequest)(nil),  // 0
+	(*StatusResponse)(nil), // 1
+	(*InitRequest)(nil),    // 2
+	(*InitResponse)(nil),   // 3
+	(*UnsealRequest)(nil),  // 4
+	(*UnsealResponse)(nil), // 5
+	(*SealRequest)(nil),    // 6
+	(*SealResponse)(nil),   // 7
+}
+var file_system_proto_depIdxs = []int32{
+	0, // 0: metacrypt.v1.SystemService.Status:input_type -> metacrypt.v1.StatusRequest
+	2, // 1: metacrypt.v1.SystemService.Init:input_type -> metacrypt.v1.InitRequest
+	4, // 2: metacrypt.v1.SystemService.Unseal:input_type -> metacrypt.v1.UnsealRequest
+	6, // 3: metacrypt.v1.SystemService.Seal:input_type -> metacrypt.v1.SealRequest
+	1, // 4: metacrypt.v1.SystemService.Status:output_type -> metacrypt.v1.StatusResponse
+	3, // 5: metacrypt.v1.SystemService.Init:output_type -> metacrypt.v1.InitResponse
+	5, // 6: metacrypt.v1.SystemService.Unseal:output_type -> metacrypt.v1.UnsealResponse
+	7, // 7: metacrypt.v1.SystemService.Seal:output_type -> metacrypt.v1.SealResponse
+	4, // [4:8] is the sub-list for method output_type
+	0, // [0:4] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_system_proto_init() }
+
+func file_system_proto_init() {
+	if File_system_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_system_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   8,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_system_proto_goTypes,
+		DependencyIndexes: file_system_proto_depIdxs,
+		MessageInfos:      file_system_proto_msgTypes,
+	}.Build()
+	File_system_proto = out.File
+	file_system_proto_rawDescData = nil
+	file_system_proto_goTypes = nil
+	file_system_proto_depIdxs = nil
+}
+
+// File_system_proto is the protoreflect.FileDescriptor for proto/metacrypt/v1/system.proto.
+var File_system_proto protoreflect.FileDescriptor

gen/metacrypt/v1/system_grpc.pb.go

@@ -0,0 +1,208 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// source: proto/metacrypt/v1/system.proto
+
+package metacryptv1
+
+import (
+	context "context"
+
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// SystemServiceClient is the client API for SystemService.
+type SystemServiceClient interface {
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
+	Init(ctx context.Context, in *InitRequest, opts ...grpc.CallOption) (*InitResponse, error)
+	Unseal(ctx context.Context, in *UnsealRequest, opts ...grpc.CallOption) (*UnsealResponse, error)
+	Seal(ctx context.Context, in *SealRequest, opts ...grpc.CallOption) (*SealResponse, error)
+}
+
+type systemServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewSystemServiceClient(cc grpc.ClientConnInterface) SystemServiceClient {
+	return &systemServiceClient{cc}
+}
+
+func (c *systemServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(StatusResponse)
+	err := c.cc.Invoke(ctx, SystemService_Status_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *systemServiceClient) Init(ctx context.Context, in *InitRequest, opts ...grpc.CallOption) (*InitResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(InitResponse)
+	err := c.cc.Invoke(ctx, SystemService_Init_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *systemServiceClient) Unseal(ctx context.Context, in *UnsealRequest, opts ...grpc.CallOption) (*UnsealResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(UnsealResponse)
+	err := c.cc.Invoke(ctx, SystemService_Unseal_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *systemServiceClient) Seal(ctx context.Context, in *SealRequest, opts ...grpc.CallOption) (*SealResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SealResponse)
+	err := c.cc.Invoke(ctx, SystemService_Seal_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SystemServiceServer is the server API for SystemService.
+type SystemServiceServer interface {
+	Status(context.Context, *StatusRequest) (*StatusResponse, error)
+	Init(context.Context, *InitRequest) (*InitResponse, error)
+	Unseal(context.Context, *UnsealRequest) (*UnsealResponse, error)
+	Seal(context.Context, *SealRequest) (*SealResponse, error)
+	mustEmbedUnimplementedSystemServiceServer()
+}
+
+// UnimplementedSystemServiceServer must be embedded to have forward-compatible implementations.
+type UnimplementedSystemServiceServer struct{}
+
+func (UnimplementedSystemServiceServer) Status(context.Context, *StatusRequest) (*StatusResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Status not implemented")
+}
+func (UnimplementedSystemServiceServer) Init(context.Context, *InitRequest) (*InitResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Init not implemented")
+}
+func (UnimplementedSystemServiceServer) Unseal(context.Context, *UnsealRequest) (*UnsealResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Unseal not implemented")
+}
+func (UnimplementedSystemServiceServer) Seal(context.Context, *SealRequest) (*SealResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Seal not implemented")
+}
+func (UnimplementedSystemServiceServer) mustEmbedUnimplementedSystemServiceServer() {}
+
+// UnsafeSystemServiceServer may be embedded to opt out of forward compatibility.
+type UnsafeSystemServiceServer interface {
+	mustEmbedUnimplementedSystemServiceServer()
+}
+
+const (
+	SystemService_Status_FullMethodName = "/metacrypt.v1.SystemService/Status"
+	SystemService_Init_FullMethodName   = "/metacrypt.v1.SystemService/Init"
+	SystemService_Unseal_FullMethodName = "/metacrypt.v1.SystemService/Unseal"
+	SystemService_Seal_FullMethodName   = "/metacrypt.v1.SystemService/Seal"
+)
+
+func RegisterSystemServiceServer(s grpc.ServiceRegistrar, srv SystemServiceServer) {
+	s.RegisterService(&SystemService_ServiceDesc, srv)
+}
+
+func _SystemService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(StatusRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SystemServiceServer).Status(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SystemService_Status_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SystemServiceServer).Status(ctx, req.(*StatusRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SystemService_Init_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(InitRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SystemServiceServer).Init(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SystemService_Init_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SystemServiceServer).Init(ctx, req.(*InitRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SystemService_Unseal_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UnsealRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SystemServiceServer).Unseal(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SystemService_Unseal_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SystemServiceServer).Unseal(ctx, req.(*UnsealRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _SystemService_Seal_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SealRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SystemServiceServer).Seal(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SystemService_Seal_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SystemServiceServer).Seal(ctx, req.(*SealRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// SystemService_ServiceDesc is the grpc.ServiceDesc for SystemService service.
+var SystemService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "metacrypt.v1.SystemService",
+	HandlerType: (*SystemServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Status",
+			Handler:    _SystemService_Status_Handler,
+		},
+		{
+			MethodName: "Init",
+			Handler:    _SystemService_Init_Handler,
+		},
+		{
+			MethodName: "Unseal",
+			Handler:    _SystemService_Unseal_Handler,
+		},
+		{
+			MethodName: "Seal",
+			Handler:    _SystemService_Seal_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "proto/metacrypt/v1/system.proto",
+}

go.mod

@@ -15,6 +15,8 @@ require (
 	github.com/spf13/viper v1.21.0
 	golang.org/x/crypto v0.49.0
 	golang.org/x/term v0.41.0
+	google.golang.org/grpc v1.71.1
+	google.golang.org/protobuf v1.36.5
 	modernc.org/sqlite v1.46.1
 )
 
@@ -35,8 +37,10 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
 	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect

internal/server/grpc.go

@@ -0,0 +1,125 @@
+package server
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	grpcstatus "google.golang.org/grpc/status"
+
+	metacryptv1 "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
+	"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
+	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
+)
+
+// systemServiceServer implements metacryptv1.SystemServiceServer.
+type systemServiceServer struct {
+	metacryptv1.UnimplementedSystemServiceServer
+	s *Server
+}
+
+func (g *systemServiceServer) Status(_ context.Context, _ *metacryptv1.StatusRequest) (*metacryptv1.StatusResponse, error) {
+	return &metacryptv1.StatusResponse{State: g.s.seal.State().String()}, nil
+}
+
+func (g *systemServiceServer) Init(ctx context.Context, req *metacryptv1.InitRequest) (*metacryptv1.InitResponse, error) {
+	params := crypto.Argon2Params{
+		Time:    g.s.cfg.Seal.Argon2Time,
+		Memory:  g.s.cfg.Seal.Argon2Memory,
+		Threads: g.s.cfg.Seal.Argon2Threads,
+	}
+	if err := g.s.seal.Initialize(ctx, []byte(req.Password), params); err != nil {
+		if err == seal.ErrAlreadyInitialized {
+			return nil, grpcstatus.Error(codes.AlreadyExists, "already initialized")
+		}
+		g.s.logger.Error("grpc init failed", "error", err)
+		return nil, grpcstatus.Error(codes.Internal, "initialization failed")
+	}
+	return &metacryptv1.InitResponse{State: g.s.seal.State().String()}, nil
+}
+
+func (g *systemServiceServer) Unseal(ctx context.Context, req *metacryptv1.UnsealRequest) (*metacryptv1.UnsealResponse, error) {
+	if err := g.s.seal.Unseal([]byte(req.Password)); err != nil {
+		switch err {
+		case seal.ErrNotInitialized:
+			return nil, grpcstatus.Error(codes.FailedPrecondition, "not initialized")
+		case seal.ErrInvalidPassword:
+			return nil, grpcstatus.Error(codes.Unauthenticated, "invalid password")
+		case seal.ErrRateLimited:
+			return nil, grpcstatus.Error(codes.ResourceExhausted, "too many attempts, try again later")
+		case seal.ErrNotSealed:
+			return nil, grpcstatus.Error(codes.AlreadyExists, "already unsealed")
+		default:
+			g.s.logger.Error("grpc unseal failed", "error", err)
+			return nil, grpcstatus.Error(codes.Internal, "unseal failed")
+		}
+	}
+
+	if err := g.s.engines.UnsealAll(ctx); err != nil {
+		g.s.logger.Error("grpc engine unseal failed", "error", err)
+		return nil, grpcstatus.Error(codes.Internal, "engine unseal failed")
+	}
+
+	return &metacryptv1.UnsealResponse{State: g.s.seal.State().String()}, nil
+}
+
+func (g *systemServiceServer) Seal(_ context.Context, _ *metacryptv1.SealRequest) (*metacryptv1.SealResponse, error) {
+	if err := g.s.engines.SealAll(); err != nil {
+		g.s.logger.Error("grpc seal engines failed", "error", err)
+	}
+	if err := g.s.seal.Seal(); err != nil {
+		g.s.logger.Error("grpc seal failed", "error", err)
+		return nil, grpcstatus.Error(codes.Internal, "seal failed")
+	}
+	g.s.auth.ClearCache()
+	return &metacryptv1.SealResponse{State: g.s.seal.State().String()}, nil
+}
+
+// StartGRPC starts the gRPC server on cfg.Server.GRPCAddr using the same TLS
+// certificate as the HTTP server. It blocks until the listener closes.
+func (s *Server) StartGRPC() error {
+	if s.cfg.Server.GRPCAddr == "" {
+		return nil
+	}
+
+	cert, err := tls.LoadX509KeyPair(s.cfg.Server.TLSCert, s.cfg.Server.TLSKey)
+	if err != nil {
+		return fmt.Errorf("grpc: load TLS key pair: %w", err)
+	}
+	tlsCfg := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+	}
+
+	grpcSrv := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg)))
+	metacryptv1.RegisterSystemServiceServer(grpcSrv, &systemServiceServer{s: s})
+
+	lis, err := net.Listen("tcp", s.cfg.Server.GRPCAddr)
+	if err != nil {
+		return fmt.Errorf("grpc: listen: %w", err)
+	}
+
+	s.grpcSrv = grpcSrv
+	s.logger.Info("starting gRPC server", "addr", s.cfg.Server.GRPCAddr)
+	if err := grpcSrv.Serve(lis); err != nil {
+		return fmt.Errorf("grpc: serve: %w", err)
+	}
+	return nil
+}
+
+// ShutdownGRPC gracefully stops the gRPC server.
+func (s *Server) ShutdownGRPC() {
+	if s.grpcSrv != nil {
+		s.grpcSrv.GracefulStop()
+	}
+}

internal/server/server.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/go-chi/chi/v5"
+	"google.golang.org/grpc"
 
 	internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
 	"git.wntrmute.dev/kyle/metacrypt/internal/auth"
@@ -28,6 +29,7 @@ type Server struct {
 	policy   *policy.Engine
 	engines  *engine.Registry
 	httpSrv  *http.Server
+	grpcSrv  *grpc.Server
 	logger   *slog.Logger
 	version  string