Fix web UI download links for CA certs, SSH CA pubkey, and KRL

Templates linked to /v1/ API server routes which don't exist on the web server (separate binary). Add web server handlers that fetch data via gRPC and serve the downloads directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use mcdsl/terminal for all password prompts
2026-03-28 19:02:15 -07:00 · 2026-03-28 11:40:19 -07:00 · 2026-03-27 14:32:09 -07:00 · 2026-03-27 02:54:26 -07:00 · 2026-03-27 02:24:11 -07:00
50 changed files with 147 additions and 96 deletions
--- a/14
+++ b/14
@@ -1,6 +1,8 @@
-.PHONY: build test vet lint proto-lint clean docker all devserver metacrypt metacrypt-web proto binaries
+.PHONY: build test vet lint proto-lint clean docker push all devserver metacrypt metacrypt-web proto binaries
-LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(shell git describe --tags --always --dirty 2>/dev/null || echo dev)"
+MCR     := mcr.svc.mcp.metacircular.net:8443
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
 LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(VERSION)"
 binaries: metacrypt metacrypt-web
@@ -38,8 +40,12 @@ clean:
 	rm -f metacrypt metacrypt-web
 docker:
-	docker build -t metacrypt -f Dockerfile.api .
+	docker build --build-arg VERSION=$(VERSION) -t $(MCR)/metacrypt:$(VERSION) -f Dockerfile.api .
-	docker build -t metacrypt-web -f Dockerfile.web .
+	docker build --build-arg VERSION=$(VERSION) -t $(MCR)/metacrypt-web:$(VERSION) -f Dockerfile.web .
 push: docker
 	docker push $(MCR)/metacrypt:$(VERSION)
 	docker push $(MCR)/metacrypt-web:$(VERSION)
 docker-compose:
 	docker compose -f deploy/docker/docker-compose.yml up --build
--- a/cmd/metacrypt/init.go
+++ b/cmd/metacrypt/init.go
@@ -5,11 +5,10 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
 	"syscall"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	"git.wntrmute.dev/mc/mcdsl/terminal"
 	"git.wntrmute.dev/mc/metacrypt/internal/barrier"
 	"git.wntrmute.dev/mc/metacrypt/internal/config"
 	"git.wntrmute.dev/mc/metacrypt/internal/crypto"
@@ -59,16 +58,12 @@ func runInit(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("already initialized")
 	}
-	fmt.Print("Enter seal password: ")
+	pw1, err := terminal.ReadPasswordBytes("Enter seal password: ")
 	pw1, err := term.ReadPassword(int(syscall.Stdin))
 	fmt.Println()
 	if err != nil {
 		return fmt.Errorf("reading password: %w", err)
 	}
-	fmt.Print("Confirm seal password: ")
+	pw2, err := terminal.ReadPasswordBytes("Confirm seal password: ")
 	pw2, err := term.ReadPassword(int(syscall.Stdin))
 	fmt.Println()
 	if err != nil {
 		return fmt.Errorf("reading password: %w", err)
 	}
--- a/cmd/metacrypt/migrate_aad.go
+++ b/cmd/metacrypt/migrate_aad.go
@@ -4,12 +4,10 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
 	"os"
 	"syscall"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	"git.wntrmute.dev/mc/mcdsl/terminal"
 	"git.wntrmute.dev/mc/metacrypt/internal/config"
 	"git.wntrmute.dev/mc/metacrypt/internal/crypto"
 	"git.wntrmute.dev/mc/metacrypt/internal/db"
@@ -52,9 +50,7 @@ func runMigrateAAD(cmd *cobra.Command, args []string) error {
 	defer func() { _ = database.Close() }()
 	// Read unseal password.
-	fmt.Fprint(os.Stderr, "Unseal password: ")
+	passwordBytes, err := terminal.ReadPasswordBytes("Unseal password: ")
 	passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
 	fmt.Fprintln(os.Stderr)
 	if err != nil {
 		return fmt.Errorf("read password: %w", err)
 	}
--- a/cmd/metacrypt/migrate_barrier.go
+++ b/cmd/metacrypt/migrate_barrier.go
@@ -4,12 +4,10 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
 	"os"
 	"syscall"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	"git.wntrmute.dev/mc/mcdsl/terminal"
 	"git.wntrmute.dev/mc/metacrypt/internal/barrier"
 	"git.wntrmute.dev/mc/metacrypt/internal/config"
 	"git.wntrmute.dev/mc/metacrypt/internal/crypto"
@@ -62,9 +60,7 @@ func runMigrateBarrier(cmd *cobra.Command, args []string) error {
 	}
 	// Read unseal password.
-	fmt.Fprint(os.Stderr, "Unseal password: ")
+	passwordBytes, err := terminal.ReadPasswordBytes("Unseal password: ")
 	passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
 	fmt.Fprintln(os.Stderr)
 	if err != nil {
 		return fmt.Errorf("read password: %w", err)
 	}
--- a/cmd/metacrypt/unseal.go
+++ b/cmd/metacrypt/unseal.go
@@ -11,10 +11,10 @@ import (
 	"os"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"git.wntrmute.dev/mc/mcdsl/terminal"
 	metacryptv1 "git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1"
 )
@@ -43,17 +43,15 @@ func runUnseal(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("one of --grpc-addr or --addr is required")
 	}
-	fmt.Print("Unseal password: ")
+	password, err := terminal.ReadPassword("Unseal password: ")
 	passwordBytes, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec
 	fmt.Println()
 	if err != nil {
 		return fmt.Errorf("read password: %w", err)
 	}
 	if unsealGRPCAddr != "" {
-		return unsealViaGRPC(unsealGRPCAddr, unsealCACert, string(passwordBytes))
+		return unsealViaGRPC(unsealGRPCAddr, unsealCACert, password)
 	}
-	return unsealViaREST(unsealAddr, unsealCACert, string(passwordBytes))
+	return unsealViaREST(unsealAddr, unsealCACert, password)
 }
 func buildTLSConfig(caCertPath string) (*tls.Config, error) {
--- a/gen/metacrypt/v1/acme.pb.go
+++ b/gen/metacrypt/v1/acme.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/acme.proto
 package metacryptv1
@@ -600,7 +600,7 @@ const file_proto_metacrypt_v1_acme_proto_rawDesc = "" +
 	"\tSetConfig\x12\x1e.metacrypt.v1.SetConfigRequest\x1a\x1f.metacrypt.v1.SetConfigResponse\x12U\n" +
 	"\fListAccounts\x12!.metacrypt.v1.ListAccountsRequest\x1a\".metacrypt.v1.ListAccountsResponse\x12O\n" +
 	"\n" +
-	"ListOrders\x12\x1f.metacrypt.v1.ListOrdersRequest\x1a .metacrypt.v1.ListOrdersResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"ListOrders\x12\x1f.metacrypt.v1.ListOrdersRequest\x1a .metacrypt.v1.ListOrdersResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_acme_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/acme_grpc.pb.go
+++ b/gen/metacrypt/v1/acme_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/acme.proto
 package metacryptv1
--- a/gen/metacrypt/v1/auth.pb.go
+++ b/gen/metacrypt/v1/auth.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/auth.proto
 package metacryptv1
@@ -324,7 +324,7 @@ const file_proto_metacrypt_v1_auth_proto_rawDesc = "" +
 	"\vAuthService\x12@\n" +
 	"\x05Login\x12\x1a.metacrypt.v1.LoginRequest\x1a\x1b.metacrypt.v1.LoginResponse\x12C\n" +
 	"\x06Logout\x12\x1b.metacrypt.v1.LogoutRequest\x1a\x1c.metacrypt.v1.LogoutResponse\x12L\n" +
-	"\tTokenInfo\x12\x1e.metacrypt.v1.TokenInfoRequest\x1a\x1f.metacrypt.v1.TokenInfoResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\tTokenInfo\x12\x1e.metacrypt.v1.TokenInfoRequest\x1a\x1f.metacrypt.v1.TokenInfoResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_auth_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/auth_grpc.pb.go
+++ b/gen/metacrypt/v1/auth_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/auth.proto
 package metacryptv1
--- a/gen/metacrypt/v1/barrier.pb.go
+++ b/gen/metacrypt/v1/barrier.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/barrier.proto
 package metacryptv1
@@ -455,7 +455,7 @@ const file_proto_metacrypt_v1_barrier_proto_rawDesc = "" +
 	"\bListKeys\x12\x1d.metacrypt.v1.ListKeysRequest\x1a\x1e.metacrypt.v1.ListKeysResponse\x12L\n" +
 	"\tRotateMEK\x12\x1e.metacrypt.v1.RotateMEKRequest\x1a\x1f.metacrypt.v1.RotateMEKResponse\x12L\n" +
 	"\tRotateKey\x12\x1e.metacrypt.v1.RotateKeyRequest\x1a\x1f.metacrypt.v1.RotateKeyResponse\x12T\n" +
-	"\aMigrate\x12#.metacrypt.v1.MigrateBarrierRequest\x1a$.metacrypt.v1.MigrateBarrierResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\aMigrate\x12#.metacrypt.v1.MigrateBarrierRequest\x1a$.metacrypt.v1.MigrateBarrierResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_barrier_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/barrier_grpc.pb.go
+++ b/gen/metacrypt/v1/barrier_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/barrier.proto
 package metacryptv1
--- a/gen/metacrypt/v1/common.pb.go
+++ b/gen/metacrypt/v1/common.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/common.proto
 package metacryptv1
@@ -24,7 +24,7 @@ var File_proto_metacrypt_v1_common_proto protoreflect.FileDescriptor
 const file_proto_metacrypt_v1_common_proto_rawDesc = "" +
 	"\n" +
-	"\x1fproto/metacrypt/v1/common.proto\x12\fmetacrypt.v1B>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\x1fproto/metacrypt/v1/common.proto\x12\fmetacrypt.v1B<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var file_proto_metacrypt_v1_common_proto_goTypes = []any{}
 var file_proto_metacrypt_v1_common_proto_depIdxs = []int32{
--- a/gen/metacrypt/v1/engine.pb.go
+++ b/gen/metacrypt/v1/engine.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/engine.proto
 package metacryptv1
@@ -483,7 +483,7 @@ const file_proto_metacrypt_v1_engine_proto_rawDesc = "" +
 	"\aUnmount\x12\x1c.metacrypt.v1.UnmountRequest\x1a\x1d.metacrypt.v1.UnmountResponse\x12O\n" +
 	"\n" +
 	"ListMounts\x12\x1f.metacrypt.v1.ListMountsRequest\x1a .metacrypt.v1.ListMountsResponse\x12F\n" +
-	"\aExecute\x12\x1c.metacrypt.v1.ExecuteRequest\x1a\x1d.metacrypt.v1.ExecuteResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\aExecute\x12\x1c.metacrypt.v1.ExecuteRequest\x1a\x1d.metacrypt.v1.ExecuteResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_engine_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/engine_grpc.pb.go
+++ b/gen/metacrypt/v1/engine_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/engine.proto
 package metacryptv1
--- a/gen/metacrypt/v1/pki.pb.go
+++ b/gen/metacrypt/v1/pki.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/pki.proto
 package metacryptv1
@@ -324,7 +324,7 @@ const file_proto_metacrypt_v1_pki_proto_rawDesc = "" +
 	"PKIService\x12R\n" +
 	"\vGetRootCert\x12 .metacrypt.v1.GetRootCertRequest\x1a!.metacrypt.v1.GetRootCertResponse\x12I\n" +
 	"\bGetChain\x12\x1d.metacrypt.v1.GetChainRequest\x1a\x1e.metacrypt.v1.GetChainResponse\x12X\n" +
-	"\rGetIssuerCert\x12\".metacrypt.v1.GetIssuerCertRequest\x1a#.metacrypt.v1.GetIssuerCertResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\rGetIssuerCert\x12\".metacrypt.v1.GetIssuerCertRequest\x1a#.metacrypt.v1.GetIssuerCertResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_pki_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/pki_grpc.pb.go
+++ b/gen/metacrypt/v1/pki_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/pki.proto
 package metacryptv1
--- a/gen/metacrypt/v1/policy.pb.go
+++ b/gen/metacrypt/v1/policy.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/policy.proto
 package metacryptv1
@@ -481,7 +481,7 @@ const file_proto_metacrypt_v1_policy_proto_rawDesc = "" +
 	"\fCreatePolicy\x12!.metacrypt.v1.CreatePolicyRequest\x1a\".metacrypt.v1.CreatePolicyResponse\x12U\n" +
 	"\fListPolicies\x12!.metacrypt.v1.ListPoliciesRequest\x1a\".metacrypt.v1.ListPoliciesResponse\x12L\n" +
 	"\tGetPolicy\x12\x1e.metacrypt.v1.GetPolicyRequest\x1a\x1f.metacrypt.v1.GetPolicyResponse\x12U\n" +
-	"\fDeletePolicy\x12!.metacrypt.v1.DeletePolicyRequest\x1a\".metacrypt.v1.DeletePolicyResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\fDeletePolicy\x12!.metacrypt.v1.DeletePolicyRequest\x1a\".metacrypt.v1.DeletePolicyResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_policy_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/policy_grpc.pb.go
+++ b/gen/metacrypt/v1/policy_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/policy.proto
 package metacryptv1
--- a/gen/metacrypt/v1/system.pb.go
+++ b/gen/metacrypt/v1/system.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v1/system.proto
 package metacryptv1
@@ -380,7 +380,7 @@ const file_proto_metacrypt_v1_system_proto_rawDesc = "" +
 	"\x06Status\x12\x1b.metacrypt.v1.StatusRequest\x1a\x1c.metacrypt.v1.StatusResponse\x12=\n" +
 	"\x04Init\x12\x19.metacrypt.v1.InitRequest\x1a\x1a.metacrypt.v1.InitResponse\x12C\n" +
 	"\x06Unseal\x12\x1b.metacrypt.v1.UnsealRequest\x1a\x1c.metacrypt.v1.UnsealResponse\x12=\n" +
-	"\x04Seal\x12\x19.metacrypt.v1.SealRequest\x1a\x1a.metacrypt.v1.SealResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
+	"\x04Seal\x12\x19.metacrypt.v1.SealRequest\x1a\x1a.metacrypt.v1.SealResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v1;metacryptv1b\x06proto3"
 var (
 	file_proto_metacrypt_v1_system_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v1/system_grpc.pb.go
+++ b/gen/metacrypt/v1/system_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v1/system.proto
 package metacryptv1
--- a/gen/metacrypt/v2/acme.pb.go
+++ b/gen/metacrypt/v2/acme.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/acme.proto
 package metacryptv2
@@ -592,7 +592,7 @@ const file_proto_metacrypt_v2_acme_proto_rawDesc = "" +
 	"\tSetConfig\x12\x1e.metacrypt.v2.SetConfigRequest\x1a\x1f.metacrypt.v2.SetConfigResponse\x12U\n" +
 	"\fListAccounts\x12!.metacrypt.v2.ListAccountsRequest\x1a\".metacrypt.v2.ListAccountsResponse\x12O\n" +
 	"\n" +
-	"ListOrders\x12\x1f.metacrypt.v2.ListOrdersRequest\x1a .metacrypt.v2.ListOrdersResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"ListOrders\x12\x1f.metacrypt.v2.ListOrdersRequest\x1a .metacrypt.v2.ListOrdersResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_acme_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/acme_grpc.pb.go
+++ b/gen/metacrypt/v2/acme_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/acme.proto
 package metacryptv2
--- a/gen/metacrypt/v2/auth.pb.go
+++ b/gen/metacrypt/v2/auth.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/auth.proto
 package metacryptv2
@@ -325,7 +325,7 @@ const file_proto_metacrypt_v2_auth_proto_rawDesc = "" +
 	"\vAuthService\x12@\n" +
 	"\x05Login\x12\x1a.metacrypt.v2.LoginRequest\x1a\x1b.metacrypt.v2.LoginResponse\x12C\n" +
 	"\x06Logout\x12\x1b.metacrypt.v2.LogoutRequest\x1a\x1c.metacrypt.v2.LogoutResponse\x12L\n" +
-	"\tTokenInfo\x12\x1e.metacrypt.v2.TokenInfoRequest\x1a\x1f.metacrypt.v2.TokenInfoResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\tTokenInfo\x12\x1e.metacrypt.v2.TokenInfoRequest\x1a\x1f.metacrypt.v2.TokenInfoResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_auth_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/auth_grpc.pb.go
+++ b/gen/metacrypt/v2/auth_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/auth.proto
 package metacryptv2
--- a/gen/metacrypt/v2/barrier.pb.go
+++ b/gen/metacrypt/v2/barrier.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/barrier.proto
 package metacryptv2
@@ -455,7 +455,7 @@ const file_proto_metacrypt_v2_barrier_proto_rawDesc = "" +
 	"\bListKeys\x12\x1d.metacrypt.v2.ListKeysRequest\x1a\x1e.metacrypt.v2.ListKeysResponse\x12L\n" +
 	"\tRotateMEK\x12\x1e.metacrypt.v2.RotateMEKRequest\x1a\x1f.metacrypt.v2.RotateMEKResponse\x12L\n" +
 	"\tRotateKey\x12\x1e.metacrypt.v2.RotateKeyRequest\x1a\x1f.metacrypt.v2.RotateKeyResponse\x12T\n" +
-	"\aMigrate\x12#.metacrypt.v2.MigrateBarrierRequest\x1a$.metacrypt.v2.MigrateBarrierResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\aMigrate\x12#.metacrypt.v2.MigrateBarrierRequest\x1a$.metacrypt.v2.MigrateBarrierResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_barrier_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/barrier_grpc.pb.go
+++ b/gen/metacrypt/v2/barrier_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/barrier.proto
 package metacryptv2
--- a/gen/metacrypt/v2/ca.pb.go
+++ b/gen/metacrypt/v2/ca.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/ca.proto
 package metacryptv2
@@ -2075,7 +2075,7 @@ const file_proto_metacrypt_v2_ca_proto_rawDesc = "" +
 	"\n" +
 	"RevokeCert\x12\x1f.metacrypt.v2.RevokeCertRequest\x1a .metacrypt.v2.RevokeCertResponse\x12O\n" +
 	"\n" +
-	"DeleteCert\x12\x1f.metacrypt.v2.DeleteCertRequest\x1a .metacrypt.v2.DeleteCertResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"DeleteCert\x12\x1f.metacrypt.v2.DeleteCertRequest\x1a .metacrypt.v2.DeleteCertResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_ca_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/ca_grpc.pb.go
+++ b/gen/metacrypt/v2/ca_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/ca.proto
 package metacryptv2
--- a/gen/metacrypt/v2/common.pb.go
+++ b/gen/metacrypt/v2/common.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/common.proto
 package metacryptv2
@@ -24,7 +24,7 @@ var File_proto_metacrypt_v2_common_proto protoreflect.FileDescriptor
 const file_proto_metacrypt_v2_common_proto_rawDesc = "" +
 	"\n" +
-	"\x1fproto/metacrypt/v2/common.proto\x12\fmetacrypt.v2B>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\x1fproto/metacrypt/v2/common.proto\x12\fmetacrypt.v2B<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var file_proto_metacrypt_v2_common_proto_goTypes = []any{}
 var file_proto_metacrypt_v2_common_proto_depIdxs = []int32{
--- a/gen/metacrypt/v2/engine.pb.go
+++ b/gen/metacrypt/v2/engine.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/engine.proto
 package metacryptv2
@@ -366,7 +366,7 @@ const file_proto_metacrypt_v2_engine_proto_rawDesc = "" +
 	"\x05Mount\x12\x1a.metacrypt.v2.MountRequest\x1a\x1b.metacrypt.v2.MountResponse\x12F\n" +
 	"\aUnmount\x12\x1c.metacrypt.v2.UnmountRequest\x1a\x1d.metacrypt.v2.UnmountResponse\x12O\n" +
 	"\n" +
-	"ListMounts\x12\x1f.metacrypt.v2.ListMountsRequest\x1a .metacrypt.v2.ListMountsResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"ListMounts\x12\x1f.metacrypt.v2.ListMountsRequest\x1a .metacrypt.v2.ListMountsResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_engine_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/engine_grpc.pb.go
+++ b/gen/metacrypt/v2/engine_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/engine.proto
 package metacryptv2
--- a/gen/metacrypt/v2/pki.pb.go
+++ b/gen/metacrypt/v2/pki.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/pki.proto
 package metacryptv2
@@ -426,7 +426,7 @@ const file_proto_metacrypt_v2_pki_proto_rawDesc = "" +
 	"\vGetRootCert\x12 .metacrypt.v2.GetRootCertRequest\x1a!.metacrypt.v2.GetRootCertResponse\x12I\n" +
 	"\bGetChain\x12\x1d.metacrypt.v2.GetChainRequest\x1a\x1e.metacrypt.v2.GetChainResponse\x12X\n" +
 	"\rGetIssuerCert\x12\".metacrypt.v2.GetIssuerCertRequest\x1a#.metacrypt.v2.GetIssuerCertResponse\x12C\n" +
-	"\x06GetCRL\x12\x1b.metacrypt.v2.GetCRLRequest\x1a\x1c.metacrypt.v2.GetCRLResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\x06GetCRL\x12\x1b.metacrypt.v2.GetCRLRequest\x1a\x1c.metacrypt.v2.GetCRLResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_pki_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/pki_grpc.pb.go
+++ b/gen/metacrypt/v2/pki_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/pki.proto
 package metacryptv2
--- a/gen/metacrypt/v2/policy.pb.go
+++ b/gen/metacrypt/v2/policy.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/policy.proto
 package metacryptv2
@@ -481,7 +481,7 @@ const file_proto_metacrypt_v2_policy_proto_rawDesc = "" +
 	"\fCreatePolicy\x12!.metacrypt.v2.CreatePolicyRequest\x1a\".metacrypt.v2.CreatePolicyResponse\x12U\n" +
 	"\fListPolicies\x12!.metacrypt.v2.ListPoliciesRequest\x1a\".metacrypt.v2.ListPoliciesResponse\x12L\n" +
 	"\tGetPolicy\x12\x1e.metacrypt.v2.GetPolicyRequest\x1a\x1f.metacrypt.v2.GetPolicyResponse\x12U\n" +
-	"\fDeletePolicy\x12!.metacrypt.v2.DeletePolicyRequest\x1a\".metacrypt.v2.DeletePolicyResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\fDeletePolicy\x12!.metacrypt.v2.DeletePolicyRequest\x1a\".metacrypt.v2.DeletePolicyResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_policy_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/policy_grpc.pb.go
+++ b/gen/metacrypt/v2/policy_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/policy.proto
 package metacryptv2
--- a/gen/metacrypt/v2/sshca.pb.go
+++ b/gen/metacrypt/v2/sshca.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/sshca.proto
 package metacryptv2
@@ -1919,7 +1919,7 @@ const file_proto_metacrypt_v2_sshca_proto_rawDesc = "" +
 	"RevokeCert\x12\".metacrypt.v2.SSHRevokeCertRequest\x1a#.metacrypt.v2.SSHRevokeCertResponse\x12U\n" +
 	"\n" +
 	"DeleteCert\x12\".metacrypt.v2.SSHDeleteCertRequest\x1a#.metacrypt.v2.SSHDeleteCertResponse\x12I\n" +
-	"\x06GetKRL\x12\x1e.metacrypt.v2.SSHGetKRLRequest\x1a\x1f.metacrypt.v2.SSHGetKRLResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\x06GetKRL\x12\x1e.metacrypt.v2.SSHGetKRLRequest\x1a\x1f.metacrypt.v2.SSHGetKRLResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_sshca_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/sshca_grpc.pb.go
+++ b/gen/metacrypt/v2/sshca_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/sshca.proto
 package metacryptv2
--- a/gen/metacrypt/v2/system.pb.go
+++ b/gen/metacrypt/v2/system.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/system.proto
 package metacryptv2
@@ -380,7 +380,7 @@ const file_proto_metacrypt_v2_system_proto_rawDesc = "" +
 	"\x06Status\x12\x1b.metacrypt.v2.StatusRequest\x1a\x1c.metacrypt.v2.StatusResponse\x12=\n" +
 	"\x04Init\x12\x19.metacrypt.v2.InitRequest\x1a\x1a.metacrypt.v2.InitResponse\x12C\n" +
 	"\x06Unseal\x12\x1b.metacrypt.v2.UnsealRequest\x1a\x1c.metacrypt.v2.UnsealResponse\x12=\n" +
-	"\x04Seal\x12\x19.metacrypt.v2.SealRequest\x1a\x1a.metacrypt.v2.SealResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\x04Seal\x12\x19.metacrypt.v2.SealRequest\x1a\x1a.metacrypt.v2.SealResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_system_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/system_grpc.pb.go
+++ b/gen/metacrypt/v2/system_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/system.proto
 package metacryptv2
--- a/gen/metacrypt/v2/transit.pb.go
+++ b/gen/metacrypt/v2/transit.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/transit.proto
 package metacryptv2
@@ -2075,7 +2075,7 @@ const file_proto_metacrypt_v2_transit_proto_rawDesc = "" +
 	"\x04Sign\x12 .metacrypt.v2.TransitSignRequest\x1a!.metacrypt.v2.TransitSignResponse\x12Q\n" +
 	"\x06Verify\x12\".metacrypt.v2.TransitVerifyRequest\x1a#.metacrypt.v2.TransitVerifyResponse\x12K\n" +
 	"\x04Hmac\x12 .metacrypt.v2.TransitHmacRequest\x1a!.metacrypt.v2.TransitHmacResponse\x12c\n" +
-	"\fGetPublicKey\x12(.metacrypt.v2.GetTransitPublicKeyRequest\x1a).metacrypt.v2.GetTransitPublicKeyResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\fGetPublicKey\x12(.metacrypt.v2.GetTransitPublicKeyRequest\x1a).metacrypt.v2.GetTransitPublicKeyResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_transit_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/transit_grpc.pb.go
+++ b/gen/metacrypt/v2/transit_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/transit.proto
 package metacryptv2
--- a/gen/metacrypt/v2/user.pb.go
+++ b/gen/metacrypt/v2/user.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v3.20.3
+// 	protoc        v6.32.1
 // source: proto/metacrypt/v2/user.proto
 package metacryptv2
@@ -1023,7 +1023,7 @@ const file_proto_metacrypt_v2_user_proto_rawDesc = "" +
 	"\tReEncrypt\x12\".metacrypt.v2.UserReEncryptRequest\x1a#.metacrypt.v2.UserReEncryptResponse\x12T\n" +
 	"\tRotateKey\x12\".metacrypt.v2.UserRotateKeyRequest\x1a#.metacrypt.v2.UserRotateKeyResponse\x12W\n" +
 	"\n" +
-	"DeleteUser\x12#.metacrypt.v2.UserDeleteUserRequest\x1a$.metacrypt.v2.UserDeleteUserResponseB>Z<git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"DeleteUser\x12#.metacrypt.v2.UserDeleteUserRequest\x1a$.metacrypt.v2.UserDeleteUserResponseB<Z:git.wntrmute.dev/mc/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 var (
 	file_proto_metacrypt_v2_user_proto_rawDescOnce sync.Once
--- a/gen/metacrypt/v2/user_grpc.pb.go
+++ b/gen/metacrypt/v2/user_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v3.20.3
+// - protoc             v6.32.1
 // source: proto/metacrypt/v2/user.proto
 package metacryptv2
--- a/go.mod
+++ b/go.mod
@@ -4,12 +4,11 @@ go 1.25.7
 require (
 	git.wntrmute.dev/kyle/goutils v1.21.0
-	git.wntrmute.dev/mc/mcdsl v1.2.0
+	git.wntrmute.dev/mc/mcdsl v1.4.0
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	golang.org/x/crypto v0.49.0
 	golang.org/x/term v0.41.0
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 )
@@ -33,6 +32,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/term v0.41.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	modernc.org/libc v1.70.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 git.wntrmute.dev/kyle/goutils v1.21.0 h1:ZR7ovV400hsF09zc8tkdHs6vyen8TDJ7flong/dnFXM=
 git.wntrmute.dev/kyle/goutils v1.21.0/go.mod h1:JQ8NL5lHSEYl719UMf20p4G1ei70RVGma0hjjNXCR2c=
-git.wntrmute.dev/mc/mcdsl v1.2.0 h1:41hep7/PNZJfN0SN/nM+rQpyF1GSZcvNNjyVG81DI7U=
+git.wntrmute.dev/mc/mcdsl v1.4.0 h1:PsEIyskcjBduwHSRwNB/U/uSeU/cv3C8MVr0SRjBRLg=
-git.wntrmute.dev/mc/mcdsl v1.2.0/go.mod h1:lXYrAt74ZUix6rx9oVN8d2zH1YJoyp4uxPVKQ+SSxuM=
+git.wntrmute.dev/mc/mcdsl v1.4.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
--- a/internal/grpcserver/server.go
+++ b/internal/grpcserver/server.go
@@ -160,7 +160,6 @@ func publicMethods() map[string]bool {
 		// CA read-only — public certificates and chains.
 		"/metacrypt.v2.CAService/GetRoot":    true,
 		"/metacrypt.v2.CAService/GetIssuer":  true,
 		"/metacrypt.v2.CAService/ListIssuers": true,
 		"/metacrypt.v2.CAService/GetChain":   true,
 		// SSH CA — public key and key revocation list.
 		"/metacrypt.v2.SSHCAService/GetCAPublicKey": true,
@@ -175,6 +174,7 @@ func authRequiredMethods() map[string]bool {
 		"/metacrypt.v2.AuthService/Logout":    true,
 		"/metacrypt.v2.AuthService/TokenInfo": true,
 		"/metacrypt.v2.EngineService/ListMounts": true,
 		"/metacrypt.v2.CAService/ListIssuers": true,
 		"/metacrypt.v2.CAService/IssueCert":   true,
 		"/metacrypt.v2.CAService/GetCert":     true,
 		"/metacrypt.v2.CAService/ListCerts":   true,
--- a/internal/webserver/routes.go
+++ b/internal/webserver/routes.go
@@ -50,6 +50,8 @@ func (ws *WebServer) registerRoutes(r chi.Router) {
 	r.Route("/sshca", func(r chi.Router) {
 		r.Get("/", ws.requireAuth(ws.handleSSHCA))
 		r.Get("/ca", ws.requireAuth(ws.handleSSHCADownload))
 		r.Get("/krl", ws.requireAuth(ws.handleSSHCAKRLDownload))
 		r.Post("/sign-user", ws.requireAuth(ws.handleSSHCASignUser))
 		r.Post("/sign-host", ws.requireAuth(ws.handleSSHCASignHost))
 		r.Get("/cert/{serial}", ws.requireAuth(ws.handleSSHCACertDetail))
@@ -91,6 +93,7 @@ func (ws *WebServer) registerRoutes(r chi.Router) {
 	r.Route("/pki", func(r chi.Router) {
 		r.Get("/", ws.requireAuth(ws.handlePKI))
 		r.Get("/ca", ws.requireAuth(ws.handlePKIRootCA))
 		r.Post("/import-root", ws.requireAuth(ws.handleImportRoot))
 		r.Post("/create-issuer", ws.requireAuth(ws.handleCreateIssuer))
 		r.Post("/issue", ws.requireAuth(ws.handleIssueCert))
@@ -475,6 +478,25 @@ func (ws *WebServer) handleCreateIssuer(w http.ResponseWriter, r *http.Request)
 	http.Redirect(w, r, "/pki", http.StatusFound)
 }
 func (ws *WebServer) handlePKIRootCA(w http.ResponseWriter, r *http.Request) {
 	token := extractCookie(r)
 	mountName, err := ws.findCAMount(r, token)
 	if err != nil {
 		http.Error(w, "no CA engine mounted", http.StatusNotFound)
 		return
 	}
 	certPEM, err := ws.vault.GetRootCert(r.Context(), mountName)
 	if err != nil || len(certPEM) == 0 {
 		http.Error(w, "root CA not found", http.StatusNotFound)
 		return
 	}
 	w.Header().Set("Content-Type", "application/x-pem-file")
 	w.Header().Set("Content-Disposition", "attachment; filename=root-ca.pem")
 	_, _ = w.Write(certPEM) //nolint:gosec
 }
 func (ws *WebServer) handlePKIIssuer(w http.ResponseWriter, r *http.Request) {
 	token := extractCookie(r)
 	mountName, err := ws.findCAMount(r, token)
--- a/internal/webserver/sshca.go
+++ b/internal/webserver/sshca.go
@@ -40,6 +40,44 @@ func (ws *WebServer) handleSSHCA(w http.ResponseWriter, r *http.Request) {
 	ws.renderTemplate(w, "sshca.html", data)
 }
 func (ws *WebServer) handleSSHCADownload(w http.ResponseWriter, r *http.Request) {
 	token := extractCookie(r)
 	mountName, err := ws.findSSHCAMount(r, token)
 	if err != nil {
 		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
 		return
 	}
 	pubkey, err := ws.vault.GetSSHCAPublicKey(r.Context(), mountName)
 	if err != nil || pubkey == nil {
 		http.Error(w, "CA public key not found", http.StatusNotFound)
 		return
 	}
 	w.Header().Set("Content-Type", "text/plain")
 	w.Header().Set("Content-Disposition", "attachment; filename=ca.pub")
 	_, _ = w.Write([]byte(pubkey.PublicKey)) //nolint:gosec
 }
 func (ws *WebServer) handleSSHCAKRLDownload(w http.ResponseWriter, r *http.Request) {
 	token := extractCookie(r)
 	mountName, err := ws.findSSHCAMount(r, token)
 	if err != nil {
 		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
 		return
 	}
 	krl, err := ws.vault.GetSSHCAKRL(r.Context(), mountName)
 	if err != nil {
 		http.Error(w, "KRL not found", http.StatusNotFound)
 		return
 	}
 	w.Header().Set("Content-Type", "application/octet-stream")
 	w.Header().Set("Content-Disposition", "attachment; filename=krl.bin")
 	_, _ = w.Write(krl) //nolint:gosec
 }
 func (ws *WebServer) handleSSHCASignUser(w http.ResponseWriter, r *http.Request) {
 	info := tokenInfoFromContext(r.Context())
 	token := extractCookie(r)
--- a/web/templates/pki.html
+++ b/web/templates/pki.html
@@ -27,7 +27,7 @@
        </tbody>
    </table>
    <p style="margin-top: 1rem; margin-bottom: 0;">
-        <a href="/v1/pki/{{.MountName}}/ca" download="root-ca.pem">Download Root CA (PEM)</a>
+        <a href="/pki/ca" download="root-ca.pem">Download Root CA (PEM)</a>
    </p>
    {{else}}
    <p>No root CA configured.</p>
--- a/web/templates/sshca.html
+++ b/web/templates/sshca.html
@@ -14,7 +14,7 @@
    {{if .CAPublicKey}}
    <textarea rows="3" class="pem-input" readonly>{{.CAPublicKey}}</textarea>
    <p style="margin-top: 0.5rem; margin-bottom: 0;">
-        <a href="/v1/sshca/{{.MountName}}/ca" download="ca.pub">Download CA Public Key</a>
+        <a href="/sshca/ca" download="ca.pub">Download CA Public Key</a>
    </p>
    {{else}}
    <p>CA public key not available.</p>
@@ -210,7 +210,7 @@
 {{if .IsAdmin}}
 <div class="card">
    <div class="card-title">Key Revocation List</div>
-    <p><a href="/v1/sshca/{{.MountName}}/krl" download="krl.bin">Download KRL</a></p>
+    <p><a href="/sshca/krl" download="krl.bin">Download KRL</a></p>
 </div>
 {{end}}
 {{end}}
Author	SHA1	Message	Date
Kyle Isom	ae4cc8b420	Fix web UI download links for CA certs, SSH CA pubkey, and KRL Templates linked to /v1/ API server routes which don't exist on the web server (separate binary). Add web server handlers that fetch data via gRPC and serve the downloads directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 19:02:15 -07:00
Kyle Isom	131d3e778a	Use mcdsl/terminal for all password prompts Replace direct golang.org/x/term calls with mcdsl/terminal across init, unseal, migrate-aad, and migrate-barrier commands. Seal password prompts use ReadPasswordBytes to preserve zeroization capability. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-28 11:40:19 -07:00
Kyle Isom	b8dc39fd12	Standardize Makefile docker/push targets for MCR Add MCR and VERSION variables. Tag images with full MCR registry URL and version. Add push target. Pass --build-arg VERSION for both images. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 14:32:09 -07:00
Kyle Isom	26f397afc0	Regenerate proto files for mc/ module path Raw descriptor bytes in .pb.go files were corrupted by the sed-based module path rename (string length changed, breaking protobuf binary encoding). Regenerated with protoc to fix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 02:54:26 -07:00
Kyle Isom	28d6f9fa1f	Fix ListIssuers auth: move from public to auth-required methods ListIssuers was miscategorized as a public gRPC method, but the CA engine handler requires CallerInfo with user role. When called without auth (public path), the interceptor skipped token validation, so CallerInfo was nil and the handler returned ErrUnauthorized — which the web UI silently swallowed, showing "No issuers configured." Security: gRPC interceptor map correction (ListIssuers requires auth) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-27 02:24:11 -07:00