Go to file

Kyle Isom 310ed83f28 Migrate gRPC server to mcdsl grpcserver package

Replace metacrypt's hand-rolled gRPC interceptor chain with the mcdsl
grpcserver package, which provides TLS setup, logging, and method-map
auth (public/auth-required/admin-required) out of the box.

Metacrypt-specific interceptors are preserved as hooks:
- sealInterceptor runs as a PreInterceptor (before logging/auth)
- auditInterceptor runs as a PostInterceptor (after auth)

The three legacy method maps (seal/auth/admin) are restructured into
mcdsl's MethodMap (Public/AuthRequired/AdminRequired) plus a separate
seal-required map for the PreInterceptor. Token context is now stored
via mcdsl/auth.ContextWithTokenInfo instead of a package-local key.

Bumps mcdsl from v1.0.0 to v1.0.1 (adds PreInterceptors/PostInterceptors
to grpcserver.Options).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-26 14:42:41 -07:00

.claude

Add ACME (RFC 8555) server and Go client library

2026-03-15 08:09:12 -07:00

.junie

Add policy CRUD, cert management, and web UI updates

2026-03-15 19:41:11 -07:00

clients/go

Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6 , #22 )

2026-03-16 18:27:44 -07:00

cmd

Add /healthz endpoint via mcdsl/health

2026-03-26 14:18:09 -07:00

deploy

Add comprehensive ACME test suite (60 tests, 2100 lines)

2026-03-25 21:01:23 -07:00

docs

Update engine specs, audit doc, and server tests for SSH CA, transit, and user engines

2026-03-16 20:16:23 -07:00

engines

Fix ECDH zeroization, add audit logging, and remediate high findings

2026-03-17 14:04:39 -07:00

gen/metacrypt

Merge branch 'worktree-agent-a98b5183'

2026-03-16 20:01:04 -07:00

internal

Migrate gRPC server to mcdsl grpcserver package

2026-03-26 14:42:41 -07:00

proto/metacrypt

Merge branch 'worktree-agent-a98b5183'

2026-03-16 20:01:04 -07:00

web

Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

2026-03-16 22:02:06 -07:00

.gitignore

Checkpoint: auth, engine, seal, server, grpc updates

2026-03-15 10:15:47 -07:00

.golangci.yaml

Add golangci yaml.

2026-03-15 10:15:47 -07:00

AGENTS.md

Checkpoint: auth, engine, seal, server, grpc updates

2026-03-15 10:15:47 -07:00

ARCHITECTURE.md

Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6 , #22 )

2026-03-16 18:27:44 -07:00

AUDIT.md

Fix ECDH zeroization, add audit logging, and remediate high findings

2026-03-17 14:04:39 -07:00

buf.yaml

Add buf lint/breaking targets and fix proto naming violations

2026-03-15 10:27:52 -07:00

CLAUDE.md

Add architecture docs, fix gRPC/REST API parity, project conventions

2026-03-14 23:29:51 -07:00

Dockerfile

Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs

2026-03-15 11:39:13 -07:00

Dockerfile.api

Migrate db, auth to mcdsl; remove mcias client dependency

2026-03-25 18:42:43 -07:00

Dockerfile.web

Migrate db, auth to mcdsl; remove mcias client dependency

2026-03-25 18:42:43 -07:00

go.mod

Migrate gRPC server to mcdsl grpcserver package

2026-03-26 14:42:41 -07:00

go.sum

Migrate gRPC server to mcdsl grpcserver package

2026-03-26 14:42:41 -07:00

Makefile

Add certificate issuance, CSR signing, and cert listing to web UI

2026-03-15 13:21:13 -07:00

PKI-ENGINE-PLAN.md

Implement CA/PKI engine with two-tier X.509 certificate issuance

2026-03-14 21:57:52 -07:00

POLICY.md

Add policy CRUD, cert management, and web UI updates

2026-03-15 19:41:11 -07:00

PROJECT.md

Implement Phase 1: core framework, operational tooling, and runbook

2026-03-14 20:43:11 -07:00

README.md

Add README with quick-start and links to detailed docs

2026-03-15 10:33:47 -07:00

REMEDIATION.md

Fix ECDH zeroization, add audit logging, and remediate high findings

2026-03-17 14:04:39 -07:00

RUNBOOK.md

Implement CA/PKI engine with two-tier X.509 certificate issuance

2026-03-14 21:57:52 -07:00

README.md

Metacrypt

Metacrypt is a cryptographic service for the Metacircular platform. It provides an encrypted secrets barrier and pluggable cryptographic engines (CA/PKI, SSH CA, transit encryption, user-to-user encryption) over a gRPC and HTTPS API. Authentication is delegated to MCIAS.

It operates using a seal/unseal model similar to HashiCorp Vault: the service starts sealed on every boot and must be unlocked with a password before cryptographic operations are available.

Quick Start

Prerequisites

Go 1.23+
A running MCIAS instance
TLS certificate and key for the server

Build

make metacrypt metacrypt-web

Configure

cp deploy/examples/metacrypt.toml /srv/metacrypt/metacrypt.toml
# Edit to set listen_addr, tls_cert, tls_key, database.path, mcias.server_url

Initialize

./metacrypt init --config /srv/metacrypt/metacrypt.toml

This prompts for a seal password and generates the master encryption key. Store the seal password securely — it cannot be recovered if lost.

Run

./metacrypt server --config /srv/metacrypt/metacrypt.toml

The service starts sealed. Unseal it:

curl -sk -X POST https://localhost:8443/v1/unseal \
    -H 'Content-Type: application/json' \
    -d '{"password":"<seal-password>"}'

Or use the web UI: navigate to https://<host>:8443/.

Docker

make docker
docker compose -f deploy/docker/docker-compose.yml up -d

See RUNBOOK.md for volume setup instructions.

Document	Contents
ARCHITECTURE.md	Cryptographic design, key hierarchy, engine architecture, API reference, security model
RUNBOOK.md	Installation, daily operations, backup/restore, monitoring, troubleshooting
PKI-ENGINE-PLAN.md	CA engine implementation plan

Development

make build      # Build all packages
make test       # Run tests
make vet        # Static analysis
make lint       # golangci-lint
make proto      # Regenerate protobuf/gRPC stubs
make proto-lint # Lint and check proto breaking changes

Languages

Go 91%

HTML 7.4%

CSS 1.1%

Shell 0.3%

Makefile 0.2%

README.md

Metacrypt

Quick Start

Prerequisites

Build

Configure

Initialize

Run

Docker

Further Reading

Development