mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
52 Commits 1 Branch 2 Tags
c5dcb63165f60df53fd6d003edb359631436f8a6
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Kyle Isom c5dcb63165 Migrate HTTP server to mcdsl/httpserver 
Replace manual chi/TLS/http.Server setup with httpserver.New which
provides TLS 1.3, config-driven timeouts, and the chi router. Replace
local loggingMiddleware and statusWriter with mcdsl equivalents.

Seal-aware middleware (requireUnseal, requireAuth, requireAdmin) and
token extraction remain metacrypt-specific.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:16:16 -07:00
.claude
Add ACME (RFC 8555) server and Go client library
2026-03-15 08:09:12 -07:00
.junie
Add policy CRUD, cert management, and web UI updates
2026-03-15 19:41:11 -07:00
clients/go
Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)
2026-03-16 18:27:44 -07:00
cmd
Migrate CSRF, web templates, session cookies, and snapshot to mcdsl
2026-03-26 14:14:11 -07:00
deploy
Add comprehensive ACME test suite (60 tests, 2100 lines)
2026-03-25 21:01:23 -07:00
docs
Update engine specs, audit doc, and server tests for SSH CA, transit, and user engines
2026-03-16 20:16:23 -07:00
engines
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
gen/metacrypt
Merge branch 'worktree-agent-a98b5183'
2026-03-16 20:01:04 -07:00
internal
Migrate HTTP server to mcdsl/httpserver
2026-03-26 14:16:16 -07:00
proto/metacrypt
Merge branch 'worktree-agent-a98b5183'
2026-03-16 20:01:04 -07:00
web
Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
2026-03-16 22:02:06 -07:00
.gitignore
Checkpoint: auth, engine, seal, server, grpc updates
2026-03-15 10:15:47 -07:00
.golangci.yaml
Add golangci yaml.
2026-03-15 10:15:47 -07:00
AGENTS.md
Checkpoint: auth, engine, seal, server, grpc updates
2026-03-15 10:15:47 -07:00
ARCHITECTURE.md
Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)
2026-03-16 18:27:44 -07:00
AUDIT.md
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
buf.yaml
Add buf lint/breaking targets and fix proto naming violations
2026-03-15 10:27:52 -07:00
CLAUDE.md
Add architecture docs, fix gRPC/REST API parity, project conventions
2026-03-14 23:29:51 -07:00
Dockerfile
Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs
2026-03-15 11:39:13 -07:00
Dockerfile.api
Migrate db, auth to mcdsl; remove mcias client dependency
2026-03-25 18:42:43 -07:00
Dockerfile.web
Migrate db, auth to mcdsl; remove mcias client dependency
2026-03-25 18:42:43 -07:00
go.mod
Migrate config to mcdsl: Load[T], env overrides, embedded types
2026-03-26 14:09:58 -07:00
go.sum
Bump mcdsl from v0.1.0 to v1.0.0
2026-03-26 14:06:02 -07:00
Makefile
Add certificate issuance, CSR signing, and cert listing to web UI
2026-03-15 13:21:13 -07:00
PKI-ENGINE-PLAN.md
Implement CA/PKI engine with two-tier X.509 certificate issuance
2026-03-14 21:57:52 -07:00
POLICY.md
Add policy CRUD, cert management, and web UI updates
2026-03-15 19:41:11 -07:00
PROJECT.md
Implement Phase 1: core framework, operational tooling, and runbook
2026-03-14 20:43:11 -07:00
README.md
Add README with quick-start and links to detailed docs
2026-03-15 10:33:47 -07:00
REMEDIATION.md
Fix ECDH zeroization, add audit logging, and remediate high findings
2026-03-17 14:04:39 -07:00
RUNBOOK.md
Implement CA/PKI engine with two-tier X.509 certificate issuance
2026-03-14 21:57:52 -07:00

README.md

Metacrypt

Metacrypt is a cryptographic service for the Metacircular platform. It provides an encrypted secrets barrier and pluggable cryptographic engines (CA/PKI, SSH CA, transit encryption, user-to-user encryption) over a gRPC and HTTPS API. Authentication is delegated to MCIAS.

It operates using a seal/unseal model similar to HashiCorp Vault: the service starts sealed on every boot and must be unlocked with a password before cryptographic operations are available.

Quick Start

Prerequisites

  • Go 1.23+
  • A running MCIAS instance
  • TLS certificate and key for the server

Build

make metacrypt metacrypt-web

Configure

cp deploy/examples/metacrypt.toml /srv/metacrypt/metacrypt.toml
# Edit to set listen_addr, tls_cert, tls_key, database.path, mcias.server_url

Initialize

./metacrypt init --config /srv/metacrypt/metacrypt.toml

This prompts for a seal password and generates the master encryption key. Store the seal password securely — it cannot be recovered if lost.

Run

./metacrypt server --config /srv/metacrypt/metacrypt.toml

The service starts sealed. Unseal it:

curl -sk -X POST https://localhost:8443/v1/unseal \
    -H 'Content-Type: application/json' \
    -d '{"password":"<seal-password>"}'

Or use the web UI: navigate to https://<host>:8443/.

Docker

make docker
docker compose -f deploy/docker/docker-compose.yml up -d

See RUNBOOK.md for volume setup instructions.

Further Reading

Document Contents
ARCHITECTURE.md Cryptographic design, key hierarchy, engine architecture, API reference, security model
RUNBOOK.md Installation, daily operations, backup/restore, monitoring, troubleshooting
PKI-ENGINE-PLAN.md CA engine implementation plan

Development

make build      # Build all packages
make test       # Run tests
make vet        # Static analysis
make lint       # golangci-lint
make proto      # Regenerate protobuf/gRPC stubs
make proto-lint # Lint and check proto breaking changes
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 3.1 MiB
Languages
Go 91%
HTML 7.4%
CSS 1.1%
Shell 0.3%
Makefile 0.2%