The vault server holds in-memory unsealed state (KEK, engine keys) that
is lost on restart, requiring a full unseal ceremony. Previously the web
UI ran inside the vault process, so any UI change forced a restart and
re-unseal.
This change extracts the web UI into a separate metacrypt-web binary
that communicates with the vault over an authenticated gRPC connection.
The web server carries no sealed state and can be restarted freely.
- gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/
- internal/grpcserver/: full gRPC server implementation (System, Auth,
Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors
- internal/webserver/: web server with gRPC vault client; templates
embedded via web/embed.go (no runtime web/ directory needed)
- cmd/metacrypt-web/: standalone binary entry point
- internal/config: added [web] section (listen_addr, vault_grpc, etc.)
- internal/server/routes.go: removed all web UI routes and handlers
- cmd/metacrypt/server.go: starts gRPC server alongside HTTP server
- Deploy: Dockerfile builds both binaries, docker-compose adds
metacrypt-web service, new metacrypt-web.service systemd unit,
Makefile gains proto/metacrypt-web targets
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements the SystemService gRPC endpoint (Status, Init, Unseal, Seal)
alongside the existing REST API, secured with the same TLS certificate.
The `metacrypt unseal` CLI command now prefers gRPC when --grpc-addr is
provided, falling back to the REST API via --addr. Both transports require
TLS; a custom CA certificate can be supplied with --ca-cert.
Server changes:
- internal/server/grpc.go: SystemServiceServer implementation with
StartGRPC/ShutdownGRPC methods; uses the TLS cert from config.
- internal/server/server.go: adds grpcSrv field and grpc import.
- cmd/metacrypt/server.go: starts gRPC goroutine when grpc_addr is set
in config, shuts it down on signal.
Generated code (from proto/metacrypt/v1/system.proto):
- gen/metacrypt/v1/system.pb.go: protobuf message types
- gen/metacrypt/v1/system_grpc.pb.go: gRPC client/server stubs
Dependencies added to go.mod (run `go mod tidy` to populate go.sum):
- google.golang.org/grpc v1.71.1
- google.golang.org/protobuf v1.36.5
- google.golang.org/genproto/googleapis/rpc (indirect)
- golang.org/x/net (indirect)
https://claude.ai/code/session_013m1QXGoTB4jaPUN5gwir8F
- Add ARCHITECTURE.md with full system specification
- Add Project Structure and API Sync Rule to CLAUDE.md; ignore srv/
- Fix engine.proto MountRequest missing config field
- Add pki.proto PKIService to match unauthenticated REST PKI routes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).
Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry
CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen
Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
for unauthenticated TLS trust bootstrapping
Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
