metacrypt

mc/metacrypt

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Isom	0f1d58a9b8	Persist engine mounts across seal/unseal cycles - Add Registry.UnsealAll() that rediscovers mounted engines from the barrier on unseal, using stored metadata at engine/_mounts/ with a fallback discovery scan for pre-existing mounts (migration path) - Registry.Mount() now persists mount metadata to the barrier; Registry.Unmount() cleans it up - Call UnsealAll() from both REST and web unseal handlers - Change Unmount() signature to accept context.Context - Default CA key size changed from P-384 to P-521 - Add build-time version stamp via ldflags; display in dashboard status bar - Make metacrypt target .PHONY so make devserver always rebuilds - Redirect /pki to /dashboard when no CA engine is mounted Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-15 00:47:48 -07:00
Kyle Isom	658d067d78	Add architecture docs, fix gRPC/REST API parity, project conventions - Add ARCHITECTURE.md with full system specification - Add Project Structure and API Sync Rule to CLAUDE.md; ignore srv/ - Fix engine.proto MountRequest missing config field - Add pki.proto PKIService to match unauthenticated REST PKI routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-14 23:29:51 -07:00
Kyle Isom	4ddd32b117	Implement Phase 1: core framework, operational tooling, and runbook Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper), db (SQLite/migrations), barrier (encrypted storage), seal (state machine with rate-limited unseal), auth (MCIAS integration with token cache), policy (priority-based ACL engine), engine (interface + registry). Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI (init, unseal, login, dashboard pages). CLI: cobra/viper subcommands (server, init, status, snapshot) with env var override support (METACRYPT_ prefix). Operational tooling: Dockerfile (multi-stage, non-root), docker-compose, hardened systemd units (service + daily backup timer), install script, backup script with retention pruning, production config examples. Runbook covering installation, configuration, daily operations, backup/restore, monitoring, troubleshooting, and security procedures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-14 20:43:11 -07:00

Author

SHA1

Message

Date

Kyle Isom

0f1d58a9b8

Persist engine mounts across seal/unseal cycles

- Add Registry.UnsealAll() that rediscovers mounted engines from the
  barrier on unseal, using stored metadata at engine/_mounts/ with a
  fallback discovery scan for pre-existing mounts (migration path)
- Registry.Mount() now persists mount metadata to the barrier;
  Registry.Unmount() cleans it up
- Call UnsealAll() from both REST and web unseal handlers
- Change Unmount() signature to accept context.Context
- Default CA key size changed from P-384 to P-521
- Add build-time version stamp via ldflags; display in dashboard status bar
- Make metacrypt target .PHONY so make devserver always rebuilds
- Redirect /pki to /dashboard when no CA engine is mounted

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-15 00:47:48 -07:00

Kyle Isom

658d067d78

Add architecture docs, fix gRPC/REST API parity, project conventions

- Add ARCHITECTURE.md with full system specification
- Add Project Structure and API Sync Rule to CLAUDE.md; ignore srv/
- Fix engine.proto MountRequest missing config field
- Add pki.proto PKIService to match unauthenticated REST PKI routes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-14 23:29:51 -07:00

Kyle Isom

4ddd32b117

Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper),
db (SQLite/migrations), barrier (encrypted storage), seal (state machine
with rate-limited unseal), auth (MCIAS integration with token cache),
policy (priority-based ACL engine), engine (interface + registry).

Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI
(init, unseal, login, dashboard pages).

CLI: cobra/viper subcommands (server, init, status, snapshot) with env
var override support (METACRYPT_ prefix).

Operational tooling: Dockerfile (multi-stage, non-root), docker-compose,
hardened systemd units (service + daily backup timer), install script,
backup script with retention pruning, production config examples.

Runbook covering installation, configuration, daily operations,
backup/restore, monitoring, troubleshooting, and security procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-14 20:43:11 -07:00

3 Commits