mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f77050a844d327d344d41b557a871ee4c740006
metacrypt/CLAUDE.md
Kyle Isom 8f77050a84 Implement CA/PKI engine with two-tier X.509 certificate issuance 
Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).

Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry

CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
  issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen

Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
  for unauthenticated TLS trust bootstrapping

Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 21:57:52 -07:00

2.4 KiB
Raw Blame History

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

Project Overview

Metacrypt is a cryptographic service for the Metacircular platform, written in Go. It provides cryptographic resources via an "engines" architecture (CA, SSH CA, transit encryption, user-to-user encryption). Authentication is handled by MCIAS (Metacircular Identity and Access Service) using the client library at git.wntrmute.dev/kyle/mcias/clients/go. MCIAS API docs: https://mcias.metacircular.net:8443/docs

Build & Test Commands

go build ./...    # Build all packages
go test ./...     # Run all tests
go vet ./...      # Static analysis

Architecture

  • Engines: Modular cryptographic service providers (CA, SSH CA, transit, user-to-user encryption)
  • Storage: SQLite database with an encrypted storage barrier (similar to HashiCorp Vault)
  • Seal/Unseal: Single password unseals the service; a master encryption key serves as a key-encryption key (KEK) to decrypt per-engine data encryption keys
  • Auth: MCIAS integration; MCIAS admin users get admin privileges on this service

Project Structure

.
├── cmd/metacrypt/          # CLI entry point (server, init, status, snapshot)
├── deploy/
│   ├── docker/             # Docker Compose configuration
│   ├── examples/           # Example config files
│   ├── scripts/            # Deployment scripts
│   └── systemd/            # systemd unit files
├── internal/
│   ├── auth/               # MCIAS token authentication & caching
│   ├── barrier/            # Encrypted key-value storage abstraction
│   ├── config/             # TOML configuration loading & validation
│   ├── crypto/             # Low-level cryptographic primitives
│   ├── db/                 # SQLite setup & schema migrations
│   ├── engine/             # Pluggable engine registry & interface
│   ├── policy/             # Priority-based ACL engine
│   ├── seal/               # Seal/unseal state machine
│   └── server/             # HTTP server, routes, middleware
├── proto/metacrypt/        # Protobuf/gRPC definitions
├── web/
│   ├── static/             # CSS, HTMX
│   └── templates/          # Go HTML templates
├── Dockerfile
├── Makefile
└── metacrypt.toml.example
Reference in New Issue View Git Blame Copy Permalink