mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f77050a844d327d344d41b557a871ee4c740006
metacrypt/CLAUDE.md
Kyle Isom 8f77050a84 Implement CA/PKI engine with two-tier X.509 certificate issuance 
Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).

Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry

CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
  issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen

Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
  for unauthenticated TLS trust bootstrapping

Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 21:57:52 -07:00

52 lines
2.4 KiB
Markdown
Raw Blame History

# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Project Overview
Metacrypt is a cryptographic service for the Metacircular platform, written in Go. It provides cryptographic resources via an "engines" architecture (CA, SSH CA, transit encryption, user-to-user encryption). Authentication is handled by MCIAS (Metacircular Identity and Access Service) using the client library at `git.wntrmute.dev/kyle/mcias/clients/go`. MCIAS API docs: https://mcias.metacircular.net:8443/docs
## Build & Test Commands
```bash
go build ./... # Build all packages
go test ./... # Run all tests
go vet ./... # Static analysis
```
## Architecture
- **Engines**: Modular cryptographic service providers (CA, SSH CA, transit, user-to-user encryption)
- **Storage**: SQLite database with an encrypted storage barrier (similar to HashiCorp Vault)
- **Seal/Unseal**: Single password unseals the service; a master encryption key serves as a key-encryption key (KEK) to decrypt per-engine data encryption keys
- **Auth**: MCIAS integration; MCIAS admin users get admin privileges on this service
## Project Structure
```
.
├── cmd/metacrypt/ # CLI entry point (server, init, status, snapshot)
├── deploy/
│ ├── docker/ # Docker Compose configuration
│ ├── examples/ # Example config files
│ ├── scripts/ # Deployment scripts
│ └── systemd/ # systemd unit files
├── internal/
│ ├── auth/ # MCIAS token authentication & caching
│ ├── barrier/ # Encrypted key-value storage abstraction
│ ├── config/ # TOML configuration loading & validation
│ ├── crypto/ # Low-level cryptographic primitives
│ ├── db/ # SQLite setup & schema migrations
│ ├── engine/ # Pluggable engine registry & interface
│ ├── policy/ # Priority-based ACL engine
│ ├── seal/ # Seal/unseal state machine
│ └── server/ # HTTP server, routes, middleware
├── proto/metacrypt/ # Protobuf/gRPC definitions
├── web/
│ ├── static/ # CSS, HTMX
│ └── templates/ # Go HTML templates
├── Dockerfile
├── Makefile
└── metacrypt.toml.example
```
Reference in New Issue View Git Blame Copy Permalink