Kyle Isom
a80323e320
Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Metacrypt
Metacrypt is a cryptographic service for the Metacircular platform. It provides an encrypted secrets barrier and pluggable cryptographic engines (CA/PKI, SSH CA, transit encryption, user-to-user encryption) over a gRPC and HTTPS API. Authentication is delegated to MCIAS.
It operates using a seal/unseal model similar to HashiCorp Vault: the service starts sealed on every boot and must be unlocked with a password before cryptographic operations are available.
Quick Start
Prerequisites
- Go 1.23+
- A running MCIAS instance
- TLS certificate and key for the server
Build
make metacrypt metacrypt-web
Configure
cp deploy/examples/metacrypt.toml /srv/metacrypt/metacrypt.toml
# Edit to set listen_addr, tls_cert, tls_key, database.path, mcias.server_url
Initialize
./metacrypt init --config /srv/metacrypt/metacrypt.toml
This prompts for a seal password and generates the master encryption key. Store the seal password securely — it cannot be recovered if lost.
Run
./metacrypt server --config /srv/metacrypt/metacrypt.toml
The service starts sealed. Unseal it:
curl -sk -X POST https://localhost:8443/v1/unseal \
-H 'Content-Type: application/json' \
-d '{"password":"<seal-password>"}'
Or use the web UI: navigate to https://<host>:8443/.
Docker
make docker
docker compose -f deploy/docker/docker-compose.yml up -d
See RUNBOOK.md for volume setup instructions.
Further Reading
| Document | Contents |
|---|---|
| ARCHITECTURE.md | Cryptographic design, key hierarchy, engine architecture, API reference, security model |
| RUNBOOK.md | Installation, daily operations, backup/restore, monitoring, troubleshooting |
| PKI-ENGINE-PLAN.md | CA engine implementation plan |
Development
make build # Build all packages
make test # Run tests
make vet # Static analysis
make lint # golangci-lint
make proto # Regenerate protobuf/gRPC stubs
make proto-lint # Lint and check proto breaking changes