Test coverage for the entire ACME server implementation:
- helpers_test.go: memBarrier, key generation, JWS/EAB signing, test fixtures
- nonce_test.go: issue/consume lifecycle, reuse rejection, concurrency
- jws_test.go: JWS parsing/verification (ES256, ES384, RS256), JWK parsing,
RFC 7638 thumbprints, EAB HMAC verification, key authorization
- eab_test.go: EAB credential CRUD, account/order listing
- validate_test.go: HTTP-01 challenge validation with httptest servers,
authorization/order state machine transitions
- handlers_test.go: full ACME protocol flow via chi router — directory,
nonce, account creation with EAB, order creation, authorization retrieval,
challenge triggering, finalize (order-not-ready), cert retrieval/revocation,
CSR identifier validation
One production change: extract dnsResolver variable in validate.go for
DNS-01 test injection (no behavior change).
All 60 tests pass with -race. Full project vet and test clean.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The web UI connects to the vault API via gRPC using the Docker
compose service name (e.g., "metacrypt:9443"), but the vault's TLS
certificate has SANs for "crypt.metacircular.net" and "localhost".
The new vault_sni config field overrides the TLS ServerName so
certificate verification succeeds despite the hostname mismatch.
Also updates metacrypt-rift.toml with vault_sni and temporarily
binds the web UI port to 0.0.0.0 for direct access until mc-proxy
is deployed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Run containers as user 0:0 (root inside container = kyle on host
via rootless podman UID mapping). This allows the container process
to read /srv/metacrypt/ files owned by kyle.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- db.Open: delegate to mcdsl/db.Open
- db.Migrate: convert to mcdsl/db.Migration format, delegate
- auth: type aliases for TokenInfo/Authenticator/Config from mcdsl,
re-export error sentinels, Logout helper
- cmd/server: construct auth.Authenticator from Config (not mcias.Client)
- server/routes.go logout: use auth.Logout(authenticator, token)
- grpcserver/auth.go: same logout pattern, fix Login return type
(time.Time not string)
- webserver: replace mcias.Client with mcdsl/auth for service token
validation; resolveUser degrades to raw UUID (TODO: restore when
mcias client library is properly tagged)
- Dockerfiles: bump to golang:1.25-alpine, remove gcc/musl-dev,
add VERSION build arg
- Deploy: add docker-compose-rift.yml with localhost-only port mapping
- Remove git.wntrmute.dev/kyle/mcias/clients/go dependency entirely
- All tests pass, net -185 lines
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
