metacrypt

mc/metacrypt

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Isom	ac4577f778	Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization - Register handleSignCSR route in webserver (was dead code) - Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and PKIService.GetCRL gRPC RPC for DER-encoded CRL generation - Replace admin-only gates on issue/renew/sign-csr with policy-based access control: admins grant-all, authenticated users subject to identifier ownership (CN/SANs not held by another user's active cert) and optional policy overrides via ca/{mount}/id/{identifier} resources - Add PolicyChecker to engine.Request and policy.Match() method to distinguish matched rules from default deny - Update and expand CA engine tests for ownership, revocation freeing, and policy override scenarios Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-16 15:22:04 -07:00
Kyle Isom	fbaf79a8a0	Fix gosec, govet, and errorlint linter errors Co-authored-by: Junie <junie@jetbrains.com>	2026-03-15 10:16:28 -07:00
Kyle Isom	4ddd32b117	Implement Phase 1: core framework, operational tooling, and runbook Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-14 20:43:11 -07:00

Author

SHA1

Message

Date

Kyle Isom

ac4577f778

Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-16 15:22:04 -07:00

Kyle Isom

fbaf79a8a0

Fix gosec, govet, and errorlint linter errors

Co-authored-by: Junie <junie@jetbrains.com>

2026-03-15 10:16:28 -07:00

Kyle Isom

4ddd32b117

Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper),
db (SQLite/migrations), barrier (encrypted storage), seal (state machine
with rate-limited unseal), auth (MCIAS integration with token cache),
policy (priority-based ACL engine), engine (interface + registry).

Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI
(init, unseal, login, dashboard pages).

CLI: cobra/viper subcommands (server, init, status, snapshot) with env
var override support (METACRYPT_ prefix).

Operational tooling: Dockerfile (multi-stage, non-root), docker-compose,
hardened systemd units (service + daily backup timer), install script,
backup script with retention pruning, production config examples.

Runbook covering installation, configuration, daily operations,
backup/restore, monitoring, troubleshooting, and security procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-14 20:43:11 -07:00

3 Commits