Migrate HTTP server to mcdsl/httpserver

Replace manual chi/TLS/http.Server setup with httpserver.New which
provides TLS 1.3, config-driven timeouts, and the chi router. Replace
local loggingMiddleware and statusWriter with mcdsl equivalents.

Seal-aware middleware (requireUnseal, requireAuth, requireAdmin) and
token extraction remain metacrypt-specific.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/middleware.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net/http"
 	"strings"
-	"time"
 
 	"git.wntrmute.dev/kyle/metacrypt/internal/auth"
 	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
@@ -20,22 +19,6 @@ func TokenInfoFromContext(ctx context.Context) *auth.TokenInfo {
 	return info
 }
 
-// loggingMiddleware logs HTTP requests, stripping sensitive headers.
-func (s *Server) loggingMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		start := time.Now()
-		sw := &statusWriter{ResponseWriter: w, status: 200}
-		next.ServeHTTP(sw, r)
-		s.logger.Info("http request",
-			"method", r.Method,
-			"path", r.URL.Path,
-			"status", sw.status,
-			"duration", time.Since(start),
-			"remote", r.RemoteAddr,
-		)
-	})
-}
-
 // requireUnseal rejects requests unless the service is unsealed.
 func (s *Server) requireUnseal(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
@@ -105,12 +88,3 @@ func extractToken(r *http.Request) string {
 	return ""
 }
 
-type statusWriter struct {
-	http.ResponseWriter
-	status int
-}
-
-func (w *statusWriter) WriteHeader(code int) {
-	w.status = code
-	w.ResponseWriter.WriteHeader(code)
-}

internal/server/server.go

@@ -3,16 +3,12 @@ package server
 
 import (
 	"context"
-	"crypto/tls"
-	"fmt"
 	"log/slog"
-	"net/http"
 	"sync"
-	"time"
 
-	"github.com/go-chi/chi/v5"
 	"google.golang.org/grpc"
 
+	"git.wntrmute.dev/kyle/mcdsl/httpserver"
 	internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
 	"git.wntrmute.dev/kyle/metacrypt/internal/audit"
 	"git.wntrmute.dev/kyle/metacrypt/internal/auth"
@@ -30,7 +26,7 @@ type Server struct {
 	policy       *policy.Engine
 	engines      *engine.Registry
 	audit        *audit.Logger
-	httpSrv      *http.Server
+	httpSrv      *httpserver.Server
 	grpcSrv      *grpc.Server
 	logger       *slog.Logger
 	acmeHandlers map[string]*internacme.Handler
@@ -56,32 +52,16 @@ func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenti
 
 // Start starts the HTTPS server.
 func (s *Server) Start() error {
-	r := chi.NewRouter()
+	s.httpSrv = httpserver.New(s.cfg.Server.ServerConfig, s.logger)
-	r.Use(s.loggingMiddleware)
+	s.httpSrv.Router.Use(s.httpSrv.LoggingMiddleware)
-	s.registerRoutes(r)
+	s.registerRoutes(s.httpSrv.Router)
-
+	return s.httpSrv.ListenAndServeTLS()
-	tlsCfg := &tls.Config{
-		MinVersion: tls.VersionTLS13,
-	}
-
-	s.httpSrv = &http.Server{
-		Addr:         s.cfg.Server.ListenAddr,
-		Handler:      r,
-		TLSConfig:    tlsCfg,
-		ReadTimeout:  30 * time.Second,
-		WriteTimeout: 30 * time.Second,
-		IdleTimeout:  120 * time.Second,
-	}
-
-	s.logger.Info("starting server", "addr", s.cfg.Server.ListenAddr)
-	err := s.httpSrv.ListenAndServeTLS(s.cfg.Server.TLSCert, s.cfg.Server.TLSKey)
-	if err != nil && err != http.ErrServerClosed {
-		return fmt.Errorf("server: %w", err)
-	}
-	return nil
 }
 
 // Shutdown gracefully shuts down the server.
 func (s *Server) Shutdown(ctx context.Context) error {
+	if s.httpSrv != nil {
 		return s.httpSrv.Shutdown(ctx)
+	}
+	return nil
 }