diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ad4b1b1..44144c7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -65,7 +65,7 @@ jobs: VERSION=$(git describe --tags --always 2>/dev/null || echo "dev") fi echo "version=${VERSION}" >> "$GITHUB_OUTPUT" - echo "archive=runevault_${VERSION}_${{ matrix.os }}_${{ matrix.arch }}.tar.gz" >> "$GITHUB_OUTPUT" + echo "archive=runeconsole_${VERSION}_${{ matrix.os }}_${{ matrix.arch }}.tar.gz" >> "$GITHUB_OUTPUT" - name: Build binary env: @@ -73,7 +73,7 @@ jobs: GOARCH: ${{ matrix.arch }} VERSION: ${{ steps.meta.outputs.version }} run: | - PKG="github.com/CryptoLabInc/rune-admin/vault/internal/commands" + PKG="github.com/CryptoLabInc/rune-console/runeconsole/internal/commands" COMMIT=$(git rev-parse --short HEAD) DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) if [ "${{ matrix.os }}" = "darwin" ] && [ "${{ matrix.arch }}" = "amd64" ]; then @@ -82,24 +82,24 @@ jobs: export CGO_CFLAGS="-arch x86_64 -I/usr/local/opt/openssl@3/include" export CGO_LDFLAGS="-arch x86_64 -L/usr/local/opt/openssl@3/lib" fi - cd vault && go build \ + cd runeconsole && go build \ -trimpath \ -ldflags "-s -w -X '${PKG}.buildVersion=${VERSION}' -X '${PKG}.buildCommit=${COMMIT}' -X '${PKG}.buildDate=${DATE}'" \ - -o bin/runevault \ + -o bin/runeconsole \ ./cmd - name: Smoke test run: | if [ "${{ matrix.os }}" = "darwin" ] && [ "${{ matrix.arch }}" = "amd64" ]; then - arch -x86_64 ./vault/bin/runevault version + arch -x86_64 ./runeconsole/bin/runeconsole version else - ./vault/bin/runevault version + ./runeconsole/bin/runeconsole version fi - name: Package run: | mkdir -p _dist - cp vault/bin/runevault _dist/ + cp runeconsole/bin/runeconsole _dist/ cp LICENSE _dist/ tar -czf "${{ steps.meta.outputs.archive }}" -C _dist . diff --git a/.github/workflows/sync-to-public.yml b/.github/workflows/sync-to-public.yml index a1544c4..5ac3cea 100644 --- a/.github/workflows/sync-to-public.yml +++ b/.github/workflows/sync-to-public.yml @@ -1,5 +1,5 @@ # Mirrors the latest state of this repository's main branch to the public -# CryptoLabInc/rune-admin repository as a single squashed commit. Commit +# CryptoLabInc/rune-console repository as a single squashed commit. Commit # history, messages, and author details from this repository are not # transferred — only the resulting file tree is published. name: Sync to public repository @@ -16,7 +16,7 @@ jobs: sync: # Only run in the private development repository, never in the public # mirror or forks. - if: github.repository == 'geuna0204/rune-admin-private' + if: github.repository == 'geuna0204/rune-console-private' runs-on: ubuntu-latest steps: - name: Check deploy key availability @@ -51,7 +51,7 @@ jobs: if: steps.guard.outputs.enabled == 'true' run: | set -euo pipefail - git remote add public git@github.com:CryptoLabInc/rune-admin.git + git remote add public git@github.com:CryptoLabInc/rune-console.git git fetch public main PARENT=$(git rev-parse FETCH_HEAD) # Build the published tree from HEAD with internal-only paths @@ -72,6 +72,6 @@ jobs: export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL" COMMIT=$(git commit-tree "$TREE" -p "$PARENT" \ -m "chore: sync from development repository" \ - -m "Source: rune-admin-private@$(git rev-parse --short HEAD)") + -m "Source: rune-console-private@$(git rev-parse --short HEAD)") git push public "$COMMIT:refs/heads/main" - echo "Pushed $COMMIT to CryptoLabInc/rune-admin main." + echo "Pushed $COMMIT to CryptoLabInc/rune-console main." diff --git a/.gitignore b/.gitignore index 11762c3..e096ab1 100644 --- a/.gitignore +++ b/.gitignore @@ -51,7 +51,7 @@ htmlcov/ *.sec *.pub *_token -vault_token.txt +runeconsole-token.txt certs/ # Logs @@ -97,9 +97,9 @@ Thumbs.db *.dylib # Go build artifacts -vault/bin/ -vault/**/*.test -vault/**/*.out +runeconsole/bin/ +runeconsole/**/*.test +runeconsole/**/*.out # Database *.db @@ -109,9 +109,9 @@ vault/**/*.out # Credentials credentials.json service-account.json -vault-credentials/ +runeconsole-credentials/ team_keys/ -vault_keys/ +runeconsole-keys/ # Test artifacts test-results/ @@ -121,4 +121,4 @@ test-results/ tests/fixtures/ # Local dev runtime files (config, socket, keys, pid) -vault/dev/ +runeconsole/dev/ diff --git a/.mise.toml b/.mise.toml index 683c6b2..87c0345 100644 --- a/.mise.toml +++ b/.mise.toml @@ -1,4 +1,4 @@ -# Rune-Vault Development Environment +# Rune-console Development Environment # Run `mise install` to set up all tools, then `mise run setup` to bootstrap. # Prerequisites: mise (https://mise.jdx.dev) @@ -25,10 +25,10 @@ run = """ set -euo pipefail echo "==> Resolving Go modules..." -cd vault && go mod download && cd .. +cd runeconsole && go mod download && cd .. echo "==> Generating Go proto stubs..." -cd vault && buf generate && cd .. +cd runeconsole && buf generate && cd .. echo "==> Configuring git hooks..." git config core.hooksPath .githooks @@ -43,7 +43,7 @@ description = "Run all quality checks (gofmt + go vet + unit tests)" run = """ #!/usr/bin/env bash set -euo pipefail -cd vault +cd runeconsole echo "==> Checking Go format..." diff=$(gofmt -l .) if [ -n "$diff" ]; then @@ -60,60 +60,60 @@ echo "All checks passed." """ [tasks."proto:go"] -description = "Regenerate Go protobuf/gRPC stubs into vault/pkg/vaultpb" -run = "cd vault && buf generate" +description = "Regenerate Go protobuf/gRPC stubs into runeconsole/pkg/consolepb" +run = "cd runeconsole && buf generate" [tasks."go:build"] -description = "Build runevault binary to vault/bin/runevault" +description = "Build runeconsole binary to runeconsole/bin/runeconsole" run = """ #!/usr/bin/env bash set -euo pipefail VERSION="${VERSION:-dev}" COMMIT=$(git rev-parse --short HEAD 2>/dev/null || echo "none") DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) -PKG="github.com/CryptoLabInc/rune-admin/vault/internal/commands" -cd vault && go build \ - -o bin/runevault \ +PKG="github.com/CryptoLabInc/rune-console/runeconsole/internal/commands" +cd runeconsole && go build \ + -o bin/runeconsole \ -ldflags "-X '${PKG}.buildVersion=${VERSION}' -X '${PKG}.buildCommit=${COMMIT}' -X '${PKG}.buildDate=${DATE}'" \ ./cmd """ [tasks."go:test"] -description = "Run all tests including E2E (requires pre-built binary via RUNEVAULT_TEST_BINARY)" -run = "cd vault && go test -race -tags e2e ./..." +description = "Run all tests including E2E (requires pre-built binary via RUNECONSOLE_TEST_BINARY)" +run = "cd runeconsole && go test -race -tags e2e ./..." [tasks."go:test:unit"] description = "Run unit tests only (E2E excluded by build tag)" -run = "cd vault && go test -race ./..." +run = "cd runeconsole && go test -race ./..." [tasks."go:test:e2e"] -description = "Run E2E tests against the pre-built runevault binary (run go:build first)" +description = "Run E2E tests against the pre-built runeconsole binary (run go:build first)" run = """ #!/usr/bin/env bash set -euo pipefail -BINARY="${RUNEVAULT_TEST_BINARY:-$(pwd)/vault/bin/runevault}" +BINARY="${RUNECONSOLE_TEST_BINARY:-$(pwd)/runeconsole/bin/runeconsole}" if [ ! -x "$BINARY" ]; then - echo "runevault binary not found at $BINARY — run 'mise run go:build' first" >&2 + echo "runeconsole binary not found at $BINARY — run 'mise run go:build' first" >&2 exit 1 fi -export RUNEVAULT_TEST_BINARY="$BINARY" -cd vault && go test -race -tags e2e ./internal/tests/... +export RUNECONSOLE_TEST_BINARY="$BINARY" +cd runeconsole && go test -race -tags e2e ./internal/tests/... """ [tasks."go:vet"] description = "Run go vet on all Go packages" -run = "cd vault && go vet ./..." +run = "cd runeconsole && go vet ./..." [tasks."go:fmt"] description = "Format Go source files" -run = "cd vault && gofmt -w ." +run = "cd runeconsole && gofmt -w ." [tasks."go:fmt:check"] description = "Check Go formatting without modifying" run = """ #!/usr/bin/env bash set -euo pipefail -cd vault +cd runeconsole diff=$(gofmt -l .) if [ -n "$diff" ]; then echo "gofmt found unformatted files:" >&2 @@ -123,8 +123,8 @@ fi """ [tasks.dev] -description = "Run runevault daemon in foreground for development" -run = "cd vault && go run ./cmd/runevault --config dev/runevault.conf daemon start" +description = "Run runeconsole daemon in foreground for development" +run = "cd runeconsole && go run ./cmd/runeconsole --config dev/runeconsole.conf daemon start" [tasks."fixtures:decrypt"] description = "Decrypt test fixtures from GPG archive" diff --git a/AGENTS.md b/AGENTS.md index cc04a80..de3e271 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,7 +1,7 @@ -# Rune-Vault (rune-admin) +# Rune-console (rune-console) -Single-binary Go gRPC server (`runevault`) for FHE-encrypted organizational -memory. Built on `github.com/CryptoLabInc/envector-go-sdk`. The secret key +Single-binary Go gRPC server (`runeconsole`) for FHE-encrypted organizational +memory. Built on `github.com/CryptoLabInc/runespace-sdk`. The secret key never leaves this server. ## Setup @@ -17,15 +17,15 @@ Do NOT run go, gofmt, or buf directly. |---------|-------------| | `mise run setup` | Bootstrap (Go modules + proto stubs) | | `mise run check` | All checks: gofmt + go vet + unit tests (race) | -| `mise run go:build` | Build the runevault binary to `vault/bin/runevault` | -| `mise run go:test` | Run all tests including E2E (requires `RUNEVAULT_TEST_BINARY`) | +| `mise run go:build` | Build the runeconsole binary to `runeconsole/bin/runeconsole` | +| `mise run go:test` | Run all tests including E2E (requires `RUNECONSOLE_TEST_BINARY`) | | `mise run go:test:unit` | Run unit tests only (E2E excluded by build tag) | | `mise run go:test:e2e` | Run E2E tests against pre-built binary (run `go:build` first) | | `mise run go:vet` | Run go vet on all Go packages | | `mise run go:fmt` | Format Go source files | | `mise run go:fmt:check` | Check Go formatting without modifying | -| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `vault/pkg/vaultpb` | -| `mise run dev` | Run runevault daemon in foreground (uses `vault/dev/runevault.conf`) | +| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `runeconsole/pkg/consolepb` | +| `mise run dev` | Run runeconsole daemon in foreground (uses `runeconsole/dev/runeconsole.conf`) | | `mise run certs` | Generate self-signed TLS certificates | | `mise run fixtures:decrypt` | Decrypt test fixtures (requires `FIXTURES_GPG_PASSPHRASE`) | | `mise run fixtures:encrypt` | Re-encrypt test fixtures | @@ -35,15 +35,15 @@ Do NOT run go, gofmt, or buf directly. - English only in code, commit messages, PR descriptions, and issue bodies - Do not amend commits or force-push unless explicitly instructed - All exported Go identifiers need a doc comment -- New gRPC methods need corresponding unit tests in `vault/internal/server/grpc_test.go` -- Token/auth changes must update `vault/internal/tokens/store_test.go` +- New gRPC methods need corresponding unit tests in `runeconsole/internal/server/grpc_test.go` +- Token/auth changes must update `runeconsole/internal/tokens/store_test.go` - Run `mise run check` before committing ## Security invariants -- Secret key (`vault-keys//SecKey.json`) must never be logged, returned in API responses, or leave the server process -- Admin transport is a Unix domain socket (mode 0600, vault-user owned) — never expose externally -- Token secrets and FHE keys live in `runevault.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments +- Secret key (`runeconsole-keys//SecKey.json`) must never be logged, returned in API responses, or leave the server process +- Admin transport is a Unix domain socket (mode 0600, runeconsole-user owned) — never expose externally +- Token secrets and FHE keys live in `runeconsole.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments - TLS is required for all cloud deployments (`server.grpc.tls.disable: true` is dev-only) ## Worktree setup diff --git a/CLAUDE.md b/CLAUDE.md index d562d4a..6e395c8 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,7 +1,7 @@ -# Rune-Vault (rune-admin) +# Rune-console (rune-console) -Single-binary Go gRPC server (`runevault`) for FHE-encrypted organizational -memory. Built on `github.com/CryptoLabInc/envector-go-sdk`. The secret key +Single-binary Go gRPC server (`runeconsole`) for FHE-encrypted organizational +memory. Built on `github.com/CryptoLabInc/runespace-sdk`. The secret key never leaves this server. ## Setup @@ -17,15 +17,15 @@ Do NOT run go, gofmt, or buf directly. |---------|-------------| | `mise run setup` | Bootstrap (Go modules + proto stubs) | | `mise run check` | All checks: gofmt + go vet + unit tests (race) | -| `mise run go:build` | Build the runevault binary to `vault/bin/runevault` | -| `mise run go:test` | Run all tests including E2E (requires `RUNEVAULT_TEST_BINARY`) | +| `mise run go:build` | Build the runeconsole binary to `runeconsole/bin/runeconsole` | +| `mise run go:test` | Run all tests including E2E (requires `RUNECONSOLE_TEST_BINARY`) | | `mise run go:test:unit` | Run unit tests only (E2E excluded by build tag) | | `mise run go:test:e2e` | Run E2E tests against pre-built binary (run `go:build` first) | | `mise run go:vet` | Run go vet on all Go packages | | `mise run go:fmt` | Format Go source files | | `mise run go:fmt:check` | Check Go formatting without modifying | -| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `vault/pkg/vaultpb` | -| `mise run dev` | Run runevault daemon in foreground (uses `vault/dev/runevault.conf`) | +| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `runeconsole/pkg/consolepb` | +| `mise run dev` | Run runeconsole daemon in foreground (uses `runeconsole/dev/runeconsole.conf`) | | `mise run certs` | Generate self-signed TLS certificates | | `mise run fixtures:decrypt` | Decrypt test fixtures (requires `FIXTURES_GPG_PASSPHRASE`) | | `mise run fixtures:encrypt` | Re-encrypt test fixtures | @@ -35,8 +35,8 @@ Do NOT run go, gofmt, or buf directly. - English only in code, commit messages, PR descriptions, and issue bodies - Do not amend commits or force-push unless explicitly instructed - All exported Go identifiers need a doc comment -- New gRPC methods need corresponding unit tests in `vault/internal/server/grpc_test.go` -- Token/auth changes must update `vault/internal/tokens/store_test.go` +- New gRPC methods need corresponding unit tests in `runeconsole/internal/server/grpc_test.go` +- Token/auth changes must update `runeconsole/internal/tokens/store_test.go` - Run `mise run check` before committing ## Documentation @@ -52,9 +52,9 @@ Do NOT run go, gofmt, or buf directly. ## Security invariants -- Secret key (`vault-keys//SecKey.json`) must never be logged, returned in API responses, or leave the server process -- Admin transport is a Unix domain socket (mode 0600, vault-user owned) — never expose externally -- Token secrets and FHE keys live in `runevault.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments +- Secret key (`runeconsole-keys//SecKey.json`) must never be logged, returned in API responses, or leave the server process +- Admin transport is a Unix domain socket (mode 0600, runeconsole-user owned) — never expose externally +- Token secrets and FHE keys live in `runeconsole.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments - TLS is required for all cloud deployments (`server.grpc.tls.disable: true` is dev-only) ## Worktree setup diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 40f82c3..4bf3d81 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,7 +19,7 @@ Before creating an issue: - Error messages and logs - Steps to reproduce -Create issue at: https://github.com/CryptoLabInc/rune-admin/issues +Create issue at: https://github.com/CryptoLabInc/rune-console/issues ### Suggesting Features @@ -43,8 +43,8 @@ Feature requests should include: 1. **Clone repository** ```bash - git clone https://github.com/CryptoLabInc/rune-admin.git - cd rune-admin + git clone https://github.com/CryptoLabInc/rune-console.git + cd rune-console ``` 2. **Install tools and bootstrap** @@ -76,9 +76,9 @@ See [CLAUDE.md](CLAUDE.md#commands) (or [AGENTS.md](AGENTS.md#commands)) for the ### Test Structure ``` -vault/internal/ +runeconsole/internal/ ├── tokens/ # Token store + role/rate-limit unit tests -├── crypto/ # HKDF + AES-CTR + envector-go-sdk wrappers +├── crypto/ # HKDF + AES-CTR + runespace-sdk wrappers ├── server/ # gRPC handlers, interceptors, audit, admin UDS, config ├── commands/ # CLI subcommands + admin client └── tests/ # E2E (build tag `e2e`): decrypt pipeline (fixture-based) + CLI smoke @@ -88,14 +88,14 @@ vault/internal/ ```bash mise run go:test:unit # Unit tests only (E2E excluded by build tag) -mise run go:build # Build vault/bin/runevault first… +mise run go:build # Build runeconsole/bin/runeconsole first… mise run go:test:e2e # …then run E2E against the built binary -mise run go:test # All tests including E2E (requires RUNEVAULT_TEST_BINARY) +mise run go:test # All tests including E2E (requires RUNECONSOLE_TEST_BINARY) ``` ### Test Fixtures -Integration tests use GPG-encrypted fixtures containing FHE keys and ciphertext blobs. See [tests/FIXTURES.md](tests/FIXTURES.md) for the full update procedure, including passphrase rotation and re-encryption steps. The fixture-based decrypt-pipeline test under `vault/internal/tests/` skips automatically when `tests/fixtures/` is not decrypted. +Integration tests use GPG-encrypted fixtures containing FHE keys and ciphertext blobs. See [tests/FIXTURES.md](tests/FIXTURES.md) for the full update procedure, including passphrase rotation and re-encryption steps. The fixture-based decrypt-pipeline test under `runeconsole/internal/tests/` skips automatically when `tests/fixtures/` is not decrypted. ### Test Requirements @@ -103,8 +103,8 @@ Integration tests use GPG-encrypted fixtures containing FHE keys and ciphertext - Use fixtures for crypto setup to avoid repeated key generation - Mock external dependencies - Test both success and error paths -- New gRPC methods need corresponding unit tests in `vault/internal/server/grpc_test.go` -- Token/auth changes must update `vault/internal/tokens/store_test.go` +- New gRPC methods need corresponding unit tests in `runeconsole/internal/server/grpc_test.go` +- Token/auth changes must update `runeconsole/internal/tokens/store_test.go` ## Code Style @@ -146,8 +146,8 @@ Integration tests use GPG-encrypted fixtures containing FHE keys and ciphertext ### Local Testing ```bash -mise run dev # Run runevault daemon in foreground (uses vault/dev/runevault.conf) -mise run go:build # Build runevault binary to vault/bin/runevault +mise run dev # Run runeconsole daemon in foreground (uses runeconsole/dev/runeconsole.conf) +mise run go:build # Build runeconsole binary to runeconsole/bin/runeconsole ``` ### Testing the Installer Locally @@ -158,12 +158,12 @@ of a published GitHub release. ```bash # Local install into a rootless prefix (no service registration) -RUNEVAULT_SKIP_SERVICE=1 \ - bash scripts/install-dev.sh --target local --prefix "$HOME/runevault-test" +RUNECONSOLE_SKIP_SERVICE=1 \ + bash scripts/install-dev.sh --target local --prefix "$HOME/runeconsole-test" # Cloud install: cross-compiles linux/amd64 in golang:1.26-bookworm, # uploads via SCP, and runs install.sh on the remote VM. -bash scripts/install-dev.sh --target oci --install-dir "$HOME/rune-vault-oci" +bash scripts/install-dev.sh --target oci --install-dir "$HOME/runeconsole-oci" ``` Flags mirror `install.sh`: `--target`, `--install-dir`, `--prefix`, @@ -222,7 +222,7 @@ Flags mirror `install.sh`: `--target`, `--install-dir`, `--prefix`, ``` feat: Add Kubernetes deployment support -- Add k8s manifests for Vault deployment +- Add k8s manifests for Rune console deployment - Update install scripts to detect k8s - Add documentation for k8s deployment @@ -240,17 +240,17 @@ Closes #123 ## Repository Structure ``` -rune-admin/ -├── vault/ -│ ├── cmd/ # runevault binary entry point +rune-console/ +├── runeconsole/ +│ ├── cmd/ # runeconsole binary entry point │ ├── internal/ # commands, server, tokens, crypto, tests -│ ├── pkg/vaultpb/ # generated gRPC stubs +│ ├── pkg/consolepb/ # generated gRPC stubs │ ├── proto/ # .proto source │ └── dev/ # local dev config (gitignored) ├── deployment/ │ ├── aws/ gcp/ oci/ # Terraform per CSP -│ ├── systemd/runevault.service # Linux service unit -│ └── launchd/com.cryptolabinc.runevault.plist # macOS service +│ ├── systemd/runeconsole.service # Linux service unit +│ └── launchd/com.cryptolabinc.runeconsole.plist # macOS service ├── scripts/ │ ├── install-dev.sh # Dev sibling of install.sh │ ├── generate-certs.sh # Self-signed TLS certs for dev @@ -260,16 +260,16 @@ rune-admin/ └── install.sh # Production installer (SHA256SUMS-verified) ``` -## Vault Architecture +## Rune Console Architecture -Core server code is in `vault/`. See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for details. +Core server code is in `runeconsole/`. See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for details. ## Security Considerations -- Secret key (`vault-keys//SecKey.json`) must never be logged, returned in API responses, or leave the server process -- Admin transport is a Unix domain socket (mode 0600, vault-user owned) — never expose externally -- Never commit private keys (`SecKey.json`) or filled-in `runevault.conf` files -- Token secrets and FHE keys live in `runevault.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments +- Secret key (`runeconsole-keys//SecKey.json`) must never be logged, returned in API responses, or leave the server process +- Admin transport is a Unix domain socket (mode 0600, runeconsole-user owned) — never expose externally +- Never commit private keys (`SecKey.json`) or filled-in `runeconsole.conf` files +- Token secrets and FHE keys live in `runeconsole.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments - TLS is required for all cloud deployments (`server.grpc.tls.disable: true` is dev-only) - Review security implications of changes - Test authentication and authorization diff --git a/README.md b/README.md index 8300597..966748c 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,14 @@ # Rune-Admin -**Infrastructure & Team Management for Rune-Vault** +**Infrastructure & Team Management for Rune-console** -Deploy and manage Rune-Vault infrastructure for your team. This repository contains deployment automation and team onboarding tools for administrators. +Deploy and manage Rune-console infrastructure for your team. This repository contains deployment automation and team onboarding tools for administrators. ## What is Rune-Admin? -Rune-Admin provides **infrastructure management** for Rune-Vault: +Rune-Admin provides **infrastructure management** for Rune-console: -- **Deployment**: Automated Vault deployment to OCI, AWS, or GCP +- **Deployment**: Automated Rune console deployment to OCI, AWS, or GCP - **Key Management**: FHE encryption key generation and secure storage - **Team Onboarding**: Per-user token issuance and credential distribution - **Audit Logging**: Structured JSON audit logs for all gRPC operations @@ -19,11 +19,11 @@ For system architecture and data flow details, see [docs/ARCHITECTURE.md](docs/A ### Platform -- **macOS** or **Linux** (Windows is not supported — `runevault` registers a systemd or launchd service) +- **macOS** or **Linux** (Windows is not supported — `runeconsole` registers a systemd or launchd service) ### For Administrators -1. **enVector Cloud account** at [https://envector.io](https://envector.io) — Cluster Endpoint and API Key +1. **Runespace account** at [https://runespace.example.com](https://runespace.example.com) — Cluster Endpoint and API Key 2. **Cloud provider account** (AWS, GCP, or OCI) — only needed for cloud deployment The [installer](#quick-start) auto-checks for the tools it needs (`terraform` and the relevant cloud CLI when targeting a CSP). @@ -31,32 +31,30 @@ The [installer](#quick-start) auto-checks for the tools it needs (`terraform` an ### For Team Members Team members install [Rune](https://github.com/CryptoLabInc/rune) from Claude Marketplace and configure it with: -- Vault Endpoint (provided by admin) -- Vault Token (provided by admin) -- enVector Cluster Endpoint (provided by admin) -- enVector API Key (provided by admin) +- Rune console Endpoint (provided by admin) +- Rune console Token (provided by admin) ## Quick Start -### 1. Install Rune-Vault +### 1. Install Rune-console -The interactive installer downloads the `runevault` binary, verifies its -`SHA256SUMS` checksum, renders `runevault.conf`, generates TLS certs, -and registers a `runevault` service (systemd on Linux, launchd on macOS): +The interactive installer downloads the `runeconsole` binary, verifies its +`SHA256SUMS` checksum, renders `runeconsole.conf`, generates TLS certs, +and registers a `runeconsole` service (systemd on Linux, launchd on macOS): ```bash # Local install -curl -fsSL https://raw.githubusercontent.com/CryptoLabInc/rune-admin/main/install.sh \ +curl -fsSL https://raw.githubusercontent.com/CryptoLabInc/rune-console/main/install.sh \ | sudo bash -s -- --target local # Cloud install (provisions a VM + bootstraps it via Terraform) -curl -fsSL https://raw.githubusercontent.com/CryptoLabInc/rune-admin/main/install.sh \ +curl -fsSL https://raw.githubusercontent.com/CryptoLabInc/rune-console/main/install.sh \ | sudo bash -s -- --target aws # or gcp, oci ``` -The installer prompts for team name, enVector endpoint, and CSP-specific +The installer prompts for team name, Runespace endpoint, and CSP-specific inputs (region, GCP project ID, OCI compartment OCID). Use `--non-interactive` -plus the `RUNEVAULT_*` env vars listed in [`install.sh`](install.sh) for CI. +plus the `RUNECONSOLE_*` env vars listed in [`install.sh`](install.sh) for CI. If you'd rather inspect the script before running it, download `install.sh` and the `SHA256SUMS` file from the release page first, then run `install.sh` @@ -66,93 +64,91 @@ with the binary it pulls down — see [Release Checksum Verification](#release-c ```bash # gRPC health check (requires grpcurl: brew install grpcurl) -grpcurl -cacert /opt/runevault/certs/ca.pem :50051 grpc.health.v1.Health/Check +grpcurl -cacert /opt/runeconsole/certs/ca.pem :50051 grpc.health.v1.Health/Check # Expected: { "status": "SERVING" } -# Or use the runevault CLI to query daemon status via the admin socket -runevault status +# Or use the runeconsole CLI to query daemon status via the admin socket +runeconsole status ``` ### 3. Onboard Team Members ```bash # Issue a per-user token (90-day expiry) -sudo runevault token issue --user alice --role member --expires 90d +sudo runeconsole token issue --user alice --role member --expires 90d # Share via secure channel (1Password, Signal, etc.): -# - Vault Endpoint -# - Vault Token -# - enVector Cluster Endpoint -# - enVector API Key +# - Rune console Endpoint +# - Rune console Token ``` -Members of the `runevault` group can run the CLI without `sudo`. +Members of the `runeconsole` group can run the CLI without `sudo`. Team members install [Rune](https://github.com/CryptoLabInc/rune) and configure with the provided credentials. ### From Source (development) ```bash -git clone https://github.com/CryptoLabInc/rune-admin.git -cd rune-admin +git clone https://github.com/CryptoLabInc/rune-console.git +cd rune-console mise install # Go 1.26, buf, terraform, cloud CLIs mise run setup # Resolve Go modules + generate proto stubs -mise run go:build # Builds vault/bin/runevault -# Copy + edit a dev config (the vault/dev/ tree is gitignored): -cp vault/internal/server/testdata/runevault.conf.example vault/dev/runevault.conf -mise run dev # Run the daemon in the foreground (uses vault/dev/runevault.conf) +mise run go:build # Builds runeconsole/bin/runeconsole +# Copy + edit a dev config (the runeconsole/dev/ tree is gitignored): +cp runeconsole/internal/server/testdata/runeconsole.conf.example runeconsole/dev/runeconsole.conf +mise run dev # Run the daemon in the foreground (uses runeconsole/dev/runeconsole.conf) ``` ## Admin Workflows All admin commands talk to the daemon over a Unix domain socket -(`/opt/runevault/admin.sock`). Members of the `runevault` group can run +(`/opt/runeconsole/admin.sock`). Members of the `runeconsole` group can run them without `sudo`. ### Manage Tokens ```bash -runevault token issue --user alice --role member --expires 90d -runevault token list -runevault token rotate --user alice # or --all -runevault token revoke --user alice +runeconsole token issue --user alice --role member --expires 90d +runeconsole token list +runeconsole token rotate --user alice # or --all +runeconsole token revoke --user alice ``` ### Manage Roles ```bash -runevault role list -runevault role create --name --scope a,b,c --top-k 10 --rate-limit 30/60s -runevault role update --name [--scope ...] [--top-k ...] [--rate-limit ...] -runevault role delete --name +runeconsole role list +runeconsole role create --name --scope a,b,c --top-k 10 --rate-limit 30/60s +runeconsole role update --name [--scope ...] [--top-k ...] [--rate-limit ...] +runeconsole role delete --name ``` ### Daemon Health & Logs ```bash -runevault status # health + socket liveness -runevault logs # tail audit log -sudo systemctl restart runevault # Linux -sudo launchctl kickstart -k system/com.cryptolabinc.runevault # macOS +runeconsole status # health + socket liveness +runeconsole logs # tail audit log +sudo systemctl restart runeconsole # Linux +sudo launchctl kickstart -k system/com.cryptolabinc.runeconsole # macOS ``` ## Security ### Token Management -- Issue per-user tokens via `runevault token issue` +- Issue per-user tokens via `runeconsole token issue` - Share tokens only via encrypted channels (1Password, Signal) - Never hardcode tokens in code or commit to git -- Rotate periodically via `runevault token rotate` +- Rotate periodically via `runeconsole token rotate` ### TLS Requirement -Vault communications MUST use TLS. The installer automatically configures TLS certificates. Without TLS, tokens are exposed to MITM attacks. +Rune console communications MUST use TLS. The installer automatically configures TLS certificates. Without TLS, tokens are exposed to MITM attacks. ### Key Isolation -- **Secret key**: Never leaves Vault VM (architectural constraint) +- **Secret key**: Never leaves Rune console VM (architectural constraint) - **EncKey/EvalKey**: Safe to distribute (public keys) - Per-agent metadata encryption uses HKDF-derived DEKs (no separate key file) @@ -172,7 +168,7 @@ of the release page. ## Deployment Targets `install.sh --target ` provisions a VM via Terraform and -bootstraps `runevault` on it end-to-end. Each target lives under +bootstraps `runeconsole` on it end-to-end. Each target lives under `deployment/`: - **AWS** (Amazon Web Services): `deployment/aws/` @@ -185,12 +181,12 @@ Service files for native installs are under `deployment/systemd/` and ## Uninstall ```bash -# Local: stops the service and removes /opt/runevault (prompts to keep data) +# Local: stops the service and removes /opt/runeconsole (prompts to keep data) sudo bash install.sh --uninstall --target local # Cloud: runs `terraform destroy` against the install dir created earlier sudo bash install.sh --uninstall --target aws \ - --install-dir "$HOME/rune-vault-aws" + --install-dir "$HOME/runeconsole-aws" ``` ## Development @@ -202,11 +198,11 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, commands, and guid ### Issue: Team member can't connect ```bash -# Check Vault is reachable -grpcurl -cacert /opt/runevault/certs/ca.pem :50051 grpc.health.v1.Health/Check +# Check Rune console is reachable +grpcurl -cacert /opt/runeconsole/certs/ca.pem :50051 grpc.health.v1.Health/Check # Inspect the security group / firewall rule (port 50051 must be open) -cd "$HOME/rune-vault-" +cd "$HOME/runeconsole-" terraform show | grep -A5 -E 'security_(group|list)' # Verify the token — have the team member re-enter it carefully @@ -215,29 +211,29 @@ terraform show | grep -A5 -E 'security_(group|list)' ### Issue: Slow decryption ```bash -# Check Vault CPU usage — re-provision with a larger VM if >80% -ssh ubuntu@ # or ec2-user@... / opc@... depending on CSP +# Check Rune console CPU usage — re-provision with a larger VM if >80% +ssh ubuntu@ # or ec2-user@... / opc@... depending on CSP top # Tail audit log for latency -sudo tail -20 /opt/runevault/logs/audit.log +sudo tail -20 /opt/runeconsole/logs/audit.log # Or via the CLI: -runevault logs +runeconsole logs ``` -### Issue: Vault crashed +### Issue: Rune console crashed ```bash # Inspect logs -sudo journalctl -u runevault -n 100 # Linux -sudo log show --predicate 'process == "runevault"' --last 10m # macOS +sudo journalctl -u runeconsole -n 100 # Linux +sudo log show --predicate 'process == "runeconsole"' --last 10m # macOS # Restart -sudo systemctl restart runevault # Linux -sudo launchctl kickstart -k system/com.cryptolabinc.runevault # macOS +sudo systemctl restart runeconsole # Linux +sudo launchctl kickstart -k system/com.cryptolabinc.runeconsole # macOS # If persistent, re-provision the VM: -sudo bash install.sh --uninstall --target --install-dir "$HOME/rune-vault-" +sudo bash install.sh --uninstall --target --install-dir "$HOME/runeconsole-" sudo bash install.sh --target ``` @@ -249,8 +245,8 @@ sudo bash install.sh --target ## Support -- **Issues**: https://github.com/CryptoLabInc/rune-admin/issues -- **Discussions**: https://github.com/CryptoLabInc/rune-admin/discussions +- **Issues**: https://github.com/CryptoLabInc/rune-console/issues +- **Discussions**: https://github.com/CryptoLabInc/rune-console/discussions - **Email**: zotanika@cryptolab.co.kr ## Related Repositories diff --git a/ci/oci/main.tf b/ci/oci/main.tf index 97b3f9d..591d52f 100644 --- a/ci/oci/main.tf +++ b/ci/oci/main.tf @@ -1,7 +1,7 @@ # Terraform Deployment for CI Runner (OCI) # -# Provisions a self-hosted GitHub Actions runner for Rune-Vault CI. -# Runner labels: self-hosted, vault-ci +# Provisions a self-hosted GitHub Actions runner for Rune-console CI. +# Runner labels: self-hosted, runeconsole-ci # # Usage: # cd deployment/ci/oci @@ -44,7 +44,7 @@ variable "compartment_id" { variable "github_repo" { description = "GitHub repository (owner/name)" type = string - default = "CryptoLabInc/rune-admin" + default = "CryptoLabInc/rune-console" } variable "github_runner_token" { @@ -56,14 +56,14 @@ variable "github_runner_token" { variable "runner_labels" { description = "Comma-separated runner labels" type = string - default = "vault-ci" + default = "runeconsole-ci" } # VCN for CI Runner resource "oci_core_vcn" "ci_vcn" { compartment_id = var.compartment_id - display_name = "vault-ci-vcn" + display_name = "runeconsole-ci-vcn" cidr_block = "10.1.0.0/16" dns_label = "civcn" } @@ -72,7 +72,7 @@ resource "oci_core_vcn" "ci_vcn" { resource "oci_core_subnet" "ci_subnet" { compartment_id = var.compartment_id vcn_id = oci_core_vcn.ci_vcn.id - display_name = "vault-ci-subnet" + display_name = "runeconsole-ci-subnet" cidr_block = "10.1.1.0/24" dns_label = "cisub" security_list_ids = [oci_core_security_list.ci_security_list.id] @@ -83,14 +83,14 @@ resource "oci_core_subnet" "ci_subnet" { resource "oci_core_internet_gateway" "ci_ig" { compartment_id = var.compartment_id vcn_id = oci_core_vcn.ci_vcn.id - display_name = "vault-ci-ig" + display_name = "runeconsole-ci-ig" } # Route Table resource "oci_core_route_table" "ci_route_table" { compartment_id = var.compartment_id vcn_id = oci_core_vcn.ci_vcn.id - display_name = "vault-ci-rt" + display_name = "runeconsole-ci-rt" route_rules { destination = "0.0.0.0/0" @@ -102,7 +102,7 @@ resource "oci_core_route_table" "ci_route_table" { resource "oci_core_security_list" "ci_security_list" { compartment_id = var.compartment_id vcn_id = oci_core_vcn.ci_vcn.id - display_name = "vault-ci-sl" + display_name = "runeconsole-ci-sl" egress_security_rules { destination = "0.0.0.0/0" @@ -114,7 +114,7 @@ resource "oci_core_security_list" "ci_security_list" { resource "oci_core_instance" "ci_runner" { compartment_id = var.compartment_id availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name - display_name = "vault-ci-runner" + display_name = "runeconsole-ci-runner" shape = "VM.Standard.E5.Flex" shape_config { @@ -124,7 +124,7 @@ resource "oci_core_instance" "ci_runner" { create_vnic_details { subnet_id = oci_core_subnet.ci_subnet.id - display_name = "vault-ci-vnic" + display_name = "runeconsole-ci-vnic" assign_public_ip = true } diff --git a/ci/oci/startup-script.sh b/ci/oci/startup-script.sh index 54ce587..ab91c77 100755 --- a/ci/oci/startup-script.sh +++ b/ci/oci/startup-script.sh @@ -56,7 +56,7 @@ su - "$RUNNER_USER" -c "cd $RUNNER_HOME && ./config.sh \ --url https://github.com/${github_repo} \ --token ${github_runner_token} \ --labels self-hosted,${runner_labels} \ - --name vault-ci-runner \ + --name runeconsole-ci-runner \ --work _work \ --unattended \ --replace" diff --git a/deployment/aws/cloud-init-dev.yaml b/deployment/aws/cloud-init-dev.yaml index d6424ae..295de0d 100644 --- a/deployment/aws/cloud-init-dev.yaml +++ b/deployment/aws/cloud-init-dev.yaml @@ -4,4 +4,4 @@ package_update: true packages: [ca-certificates, curl, openssl] runcmd: - - touch /var/run/runevault-dev-ready + - touch /var/run/runeconsole-dev-ready diff --git a/deployment/aws/cloud-init.yaml b/deployment/aws/cloud-init.yaml index 54bdacd..bfe515f 100644 --- a/deployment/aws/cloud-init.yaml +++ b/deployment/aws/cloud-init.yaml @@ -3,22 +3,22 @@ package_update: true packages: [ca-certificates, curl, openssl] write_files: - - path: /etc/profile.d/runevault-installer-env.sh + - path: /etc/profile.d/runeconsole-installer-env.sh content: | - export RUNEVAULT_TEAM_NAME='${team_name}' - export RUNEVAULT_ENVECTOR_ENDPOINT='${envector_endpoint}' - export RUNEVAULT_ENVECTOR_API_KEY='${envector_api_key}' + export RUNECONSOLE_TEAM_NAME='${team_name}' + export RUNECONSOLE_RUNESPACE_ENDPOINT='${runespace_endpoint}' + export RUNECONSOLE_RUNESPACE_TOKEN='${runespace_token}' permissions: '0600' runcmd: - - exec > /var/log/runevault-install.log 2>&1 - - set -a; . /etc/profile.d/runevault-installer-env.sh; set +a + - exec > /var/log/runeconsole-install.log 2>&1 + - set -a; . /etc/profile.d/runeconsole-installer-env.sh; set +a - | - INSTALL_URL="https://raw.githubusercontent.com/CryptoLabInc/rune-admin/${runevault_version}/install.sh" + INSTALL_URL="https://raw.githubusercontent.com/CryptoLabInc/rune-console/${runeconsole_version}/install.sh" for i in 1 2 3 4 5; do curl -fsSL --retry 5 --retry-delay 10 --connect-timeout 15 "$${INSTALL_URL}" -o /tmp/install.sh && break sleep $((i*10)) done - bash /tmp/install.sh --target local --non-interactive --version "${runevault_version}" - - usermod -aG runevault ubuntu - - rm -f /etc/profile.d/runevault-installer-env.sh + bash /tmp/install.sh --target local --non-interactive --version "${runeconsole_version}" + - usermod -aG runeconsole ubuntu + - rm -f /etc/profile.d/runeconsole-installer-env.sh diff --git a/deployment/aws/main.tf b/deployment/aws/main.tf index f9e3ef5..cd27e27 100644 --- a/deployment/aws/main.tf +++ b/deployment/aws/main.tf @@ -32,13 +32,13 @@ variable "tls_mode" { default = "self-signed" } -variable "envector_endpoint" { - description = "enVector Cloud endpoint" +variable "runespace_endpoint" { + description = "Runespace endpoint" type = string } -variable "envector_api_key" { - description = "enVector Cloud API key" +variable "runespace_token" { + description = "Runespace API key" type = string sensitive = true } @@ -49,8 +49,8 @@ variable "instance_type" { default = "t3.medium" # 2 vCPU, 4GB RAM } -variable "runevault_version" { - description = "Pinned runevault release tag — drives the install.sh URL and binary version on the VM." +variable "runeconsole_version" { + description = "Pinned runeconsole release tag — drives the install.sh URL and binary version on the VM." type = string } @@ -77,37 +77,37 @@ data "aws_ami" "ubuntu" { } # VPC -resource "aws_vpc" "vault_vpc" { +resource "aws_vpc" "runeconsole_vpc" { cidr_block = "10.0.0.0/16" enable_dns_hostnames = true enable_dns_support = true tags = { - Name = "rune-vault-${var.team_name}" + Name = "runeconsole-${var.team_name}" Project = "Rune" Team = var.team_name } } # Internet Gateway -resource "aws_internet_gateway" "vault_igw" { - vpc_id = aws_vpc.vault_vpc.id +resource "aws_internet_gateway" "runeconsole_igw" { + vpc_id = aws_vpc.runeconsole_vpc.id tags = { - Name = "rune-vault-igw-${var.team_name}" + Name = "runeconsole-igw-${var.team_name}" Project = "Rune" } } # Public Subnet -resource "aws_subnet" "vault_subnet" { - vpc_id = aws_vpc.vault_vpc.id +resource "aws_subnet" "runeconsole_subnet" { + vpc_id = aws_vpc.runeconsole_vpc.id cidr_block = "10.0.1.0/24" availability_zone = data.aws_availability_zones.available.names[0] map_public_ip_on_launch = true tags = { - Name = "rune-vault-subnet-${var.team_name}" + Name = "runeconsole-subnet-${var.team_name}" Project = "Rune" } } @@ -117,30 +117,30 @@ data "aws_availability_zones" "available" { } # Route Table -resource "aws_route_table" "vault_rt" { - vpc_id = aws_vpc.vault_vpc.id +resource "aws_route_table" "runeconsole_rt" { + vpc_id = aws_vpc.runeconsole_vpc.id route { cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.vault_igw.id + gateway_id = aws_internet_gateway.runeconsole_igw.id } tags = { - Name = "rune-vault-rt-${var.team_name}" + Name = "runeconsole-rt-${var.team_name}" Project = "Rune" } } -resource "aws_route_table_association" "vault_rta" { - subnet_id = aws_subnet.vault_subnet.id - route_table_id = aws_route_table.vault_rt.id +resource "aws_route_table_association" "runeconsole_rta" { + subnet_id = aws_subnet.runeconsole_subnet.id + route_table_id = aws_route_table.runeconsole_rt.id } # Security Group -resource "aws_security_group" "vault_sg" { - name = "rune-vault-sg-${var.team_name}" - description = "Security group for Rune-Vault" - vpc_id = aws_vpc.vault_vpc.id +resource "aws_security_group" "runeconsole_sg" { + name = "runeconsole-sg-${var.team_name}" + description = "Security group for Rune-console" + vpc_id = aws_vpc.runeconsole_vpc.id # gRPC ingress { @@ -170,36 +170,36 @@ resource "aws_security_group" "vault_sg" { } tags = { - Name = "rune-vault-sg-${var.team_name}" + Name = "runeconsole-sg-${var.team_name}" Project = "Rune" } } # SSH Key Pair (auto-generated by install.sh) -resource "aws_key_pair" "vault_key" { +resource "aws_key_pair" "runeconsole_key" { count = var.public_key != "" ? 1 : 0 - key_name = "rune-vault-${var.team_name}" + key_name = "runeconsole-${var.team_name}" public_key = var.public_key tags = { - Name = "rune-vault-${var.team_name}" + Name = "runeconsole-${var.team_name}" Project = "Rune" } } # EC2 Instance -resource "aws_instance" "vault" { +resource "aws_instance" "runeconsole" { ami = data.aws_ami.ubuntu.id instance_type = var.instance_type - subnet_id = aws_subnet.vault_subnet.id - vpc_security_group_ids = [aws_security_group.vault_sg.id] - key_name = var.public_key != "" ? aws_key_pair.vault_key[0].key_name : null + subnet_id = aws_subnet.runeconsole_subnet.id + vpc_security_group_ids = [aws_security_group.runeconsole_sg.id] + key_name = var.public_key != "" ? aws_key_pair.runeconsole_key[0].key_name : null user_data = templatefile("${path.module}/cloud-init.yaml", { team_name = var.team_name - envector_endpoint = var.envector_endpoint - envector_api_key = var.envector_api_key - runevault_version = var.runevault_version + runespace_endpoint = var.runespace_endpoint + runespace_token = var.runespace_token + runeconsole_version = var.runeconsole_version }) root_block_device { @@ -216,45 +216,45 @@ resource "aws_instance" "vault" { } tags = { - Name = "rune-vault-${var.team_name}" + Name = "runeconsole-${var.team_name}" Project = "Rune" Team = var.team_name } } # Elastic IP (optional, for stable endpoint) -resource "aws_eip" "vault_eip" { - instance = aws_instance.vault.id +resource "aws_eip" "runeconsole_eip" { + instance = aws_instance.runeconsole.id domain = "vpc" tags = { - Name = "rune-vault-eip-${var.team_name}" + Name = "runeconsole-eip-${var.team_name}" Project = "Rune" } } # Outputs -output "vault_url" { - description = "Rune-Vault gRPC endpoint" - value = "${aws_eip.vault_eip.public_ip}:50051" +output "runeconsole_url" { + description = "Rune console gRPC endpoint" + value = "${aws_eip.runeconsole_eip.public_ip}:50051" } -output "vault_public_ip" { +output "runeconsole_public_ip" { description = "Public IP address" - value = aws_eip.vault_eip.public_ip + value = aws_eip.runeconsole_eip.public_ip } -output "vault_private_ip" { +output "runeconsole_private_ip" { description = "Private IP address" - value = aws_instance.vault.private_ip + value = aws_instance.runeconsole.private_ip } output "ssh_command" { - description = "SSH command to connect to Vault instance" - value = var.public_key != "" ? "ssh ubuntu@${aws_eip.vault_eip.public_ip}" : "SSH key not configured" + description = "SSH command to connect to Rune console instance" + value = var.public_key != "" ? "ssh ubuntu@${aws_eip.runeconsole_eip.public_ip}" : "SSH key not configured" } output "instance_id" { description = "EC2 instance ID" - value = aws_instance.vault.id + value = aws_instance.runeconsole.id } diff --git a/deployment/gcp/main.tf b/deployment/gcp/main.tf index 3a5d9f0..225ad50 100644 --- a/deployment/gcp/main.tf +++ b/deployment/gcp/main.tf @@ -47,13 +47,13 @@ variable "tls_mode" { default = "self-signed" } -variable "envector_endpoint" { - description = "enVector Cloud endpoint" +variable "runespace_endpoint" { + description = "Runespace endpoint" type = string } -variable "envector_api_key" { - description = "enVector Cloud API key" +variable "runespace_token" { + description = "Runespace API key" type = string sensitive = true } @@ -64,8 +64,8 @@ variable "machine_type" { default = "e2-medium" # 2 vCPU, 4GB RAM } -variable "runevault_version" { - description = "Pinned runevault release tag — drives the install.sh URL and binary version on the VM." +variable "runeconsole_version" { + description = "Pinned runeconsole release tag — drives the install.sh URL and binary version on the VM." type = string } @@ -76,23 +76,23 @@ variable "public_key" { } # VPC Network -resource "google_compute_network" "vault_network" { - name = "rune-vault-${var.team_name}" +resource "google_compute_network" "runeconsole_network" { + name = "runeconsole-${var.team_name}" auto_create_subnetworks = false } # Subnet -resource "google_compute_subnetwork" "vault_subnet" { - name = "rune-vault-subnet-${var.team_name}" +resource "google_compute_subnetwork" "runeconsole_subnet" { + name = "runeconsole-subnet-${var.team_name}" ip_cidr_range = "10.0.1.0/24" region = var.region - network = google_compute_network.vault_network.id + network = google_compute_network.runeconsole_network.id } # Firewall Rules -resource "google_compute_firewall" "vault_grpc" { - name = "rune-vault-grpc-${var.team_name}" - network = google_compute_network.vault_network.name +resource "google_compute_firewall" "runeconsole_grpc" { + name = "runeconsole-grpc-${var.team_name}" + network = google_compute_network.runeconsole_network.name allow { protocol = "tcp" @@ -100,12 +100,12 @@ resource "google_compute_firewall" "vault_grpc" { } source_ranges = ["0.0.0.0/0"] - target_tags = ["rune-vault"] + target_tags = ["runeconsole"] } -resource "google_compute_firewall" "vault_ssh" { - name = "rune-vault-ssh-${var.team_name}" - network = google_compute_network.vault_network.name +resource "google_compute_firewall" "runeconsole_ssh" { + name = "runeconsole-ssh-${var.team_name}" + network = google_compute_network.runeconsole_network.name allow { protocol = "tcp" @@ -113,22 +113,22 @@ resource "google_compute_firewall" "vault_ssh" { } source_ranges = ["0.0.0.0/0"] - target_tags = ["rune-vault"] + target_tags = ["runeconsole"] } # Static IP -resource "google_compute_address" "vault_ip" { - name = "rune-vault-ip-${var.team_name}" +resource "google_compute_address" "runeconsole_ip" { + name = "runeconsole-ip-${var.team_name}" region = var.region } # Compute Instance -resource "google_compute_instance" "vault" { - name = "rune-vault-${var.team_name}" +resource "google_compute_instance" "runeconsole" { + name = "runeconsole-${var.team_name}" machine_type = var.machine_type zone = local.zone - tags = ["rune-vault"] + tags = ["runeconsole"] boot_disk { initialize_params { @@ -139,10 +139,10 @@ resource "google_compute_instance" "vault" { } network_interface { - subnetwork = google_compute_subnetwork.vault_subnet.name + subnetwork = google_compute_subnetwork.runeconsole_subnet.name access_config { - nat_ip = google_compute_address.vault_ip.address + nat_ip = google_compute_address.runeconsole_ip.address } } @@ -152,9 +152,9 @@ resource "google_compute_instance" "vault" { metadata_startup_script = templatefile("${path.module}/startup-script.sh", { team_name = var.team_name - envector_endpoint = var.envector_endpoint - envector_api_key = var.envector_api_key - runevault_version = var.runevault_version + runespace_endpoint = var.runespace_endpoint + runespace_token = var.runespace_token + runeconsole_version = var.runeconsole_version }) service_account { @@ -172,27 +172,27 @@ resource "google_compute_instance" "vault" { } # Outputs -output "vault_url" { - description = "Rune-Vault gRPC endpoint" - value = "${google_compute_address.vault_ip.address}:50051" +output "runeconsole_url" { + description = "Rune-console gRPC endpoint" + value = "${google_compute_address.runeconsole_ip.address}:50051" } -output "vault_public_ip" { +output "runeconsole_public_ip" { description = "Public IP address" - value = google_compute_address.vault_ip.address + value = google_compute_address.runeconsole_ip.address } -output "vault_private_ip" { +output "runeconsole_private_ip" { description = "Private IP address" - value = google_compute_instance.vault.network_interface[0].network_ip + value = google_compute_instance.runeconsole.network_interface[0].network_ip } output "ssh_command" { - description = "SSH command to connect to Vault instance" - value = "gcloud compute ssh ${google_compute_instance.vault.name} --zone=${local.zone}" + description = "SSH command to connect to Rune console instance" + value = "gcloud compute ssh ${google_compute_instance.runeconsole.name} --zone=${local.zone}" } output "instance_name" { description = "Compute Engine instance name" - value = google_compute_instance.vault.name + value = google_compute_instance.runeconsole.name } diff --git a/deployment/gcp/startup-script-dev.sh b/deployment/gcp/startup-script-dev.sh index 55dea6f..7bf9a87 100755 --- a/deployment/gcp/startup-script-dev.sh +++ b/deployment/gcp/startup-script-dev.sh @@ -1,13 +1,13 @@ #!/bin/bash # Dev mode: installs prereqs only. install.sh + binary injected via SCP by install-dev.sh. set -euo pipefail -exec > /var/log/runevault-install.log 2>&1 -echo "=== runevault dev startup at $(date) ===" +exec > /var/log/runeconsole-install.log 2>&1 +echo "=== runeconsole dev startup at $(date) ===" for i in $(seq 1 30); do apt-get update -q && apt-get install -y ca-certificates curl openssl && break echo "apt retry $i..." && sleep 10 done -touch /var/run/runevault-dev-ready +touch /var/run/runeconsole-dev-ready echo "=== prereqs ready at $(date), waiting for install-dev.sh injection ===" diff --git a/deployment/gcp/startup-script.sh b/deployment/gcp/startup-script.sh index 217f7a6..44d9c15 100644 --- a/deployment/gcp/startup-script.sh +++ b/deployment/gcp/startup-script.sh @@ -1,30 +1,30 @@ #!/bin/bash set -euo pipefail -exec > /var/log/runevault-install.log 2>&1 -echo "=== runevault startup at $(date) ===" +exec > /var/log/runeconsole-install.log 2>&1 +echo "=== runeconsole startup at $(date) ===" for i in $(seq 1 30); do apt-get update -q && apt-get install -y ca-certificates curl openssl && break echo "apt retry $i..." && sleep 10 done -cat > /etc/profile.d/runevault-installer-env.sh <<'ENVFILE' -export RUNEVAULT_TEAM_NAME='${team_name}' -export RUNEVAULT_ENVECTOR_ENDPOINT='${envector_endpoint}' -export RUNEVAULT_ENVECTOR_API_KEY='${envector_api_key}' +cat > /etc/profile.d/runeconsole-installer-env.sh <<'ENVFILE' +export RUNECONSOLE_TEAM_NAME='${team_name}' +export RUNECONSOLE_RUNESPACE_ENDPOINT='${runespace_endpoint}' +export RUNECONSOLE_RUNESPACE_TOKEN='${runespace_token}' ENVFILE -chmod 600 /etc/profile.d/runevault-installer-env.sh -set -a; . /etc/profile.d/runevault-installer-env.sh; set +a +chmod 600 /etc/profile.d/runeconsole-installer-env.sh +set -a; . /etc/profile.d/runeconsole-installer-env.sh; set +a -INSTALL_URL="https://raw.githubusercontent.com/CryptoLabInc/rune-admin/${runevault_version}/install.sh" +INSTALL_URL="https://raw.githubusercontent.com/CryptoLabInc/rune-console/${runeconsole_version}/install.sh" for i in 1 2 3 4 5; do curl -fsSL --retry 5 --retry-delay 10 --connect-timeout 15 "$${INSTALL_URL}" -o /tmp/install.sh && break sleep $((i*10)) done -bash /tmp/install.sh --target local --non-interactive --version "${runevault_version}" +bash /tmp/install.sh --target local --non-interactive --version "${runeconsole_version}" -usermod -aG runevault ubuntu +usermod -aG runeconsole ubuntu -rm -f /etc/profile.d/runevault-installer-env.sh +rm -f /etc/profile.d/runeconsole-installer-env.sh echo "=== completed at $(date) ===" diff --git a/deployment/launchd/com.cryptolabinc.runevault.plist b/deployment/launchd/com.cryptolabinc.runeconsole.plist similarity index 70% rename from deployment/launchd/com.cryptolabinc.runevault.plist rename to deployment/launchd/com.cryptolabinc.runeconsole.plist index 7b1bfb3..bb7f1a8 100644 --- a/deployment/launchd/com.cryptolabinc.runevault.plist +++ b/deployment/launchd/com.cryptolabinc.runeconsole.plist @@ -4,19 +4,19 @@ Label - com.cryptolabinc.runevault + com.cryptolabinc.runeconsole ProgramArguments - /usr/local/bin/runevault + /usr/local/bin/runeconsole daemon start --config - /opt/runevault/configs/runevault.conf + /opt/runeconsole/configs/runeconsole.conf UserName - runevault + runeconsole RunAtLoad @@ -28,10 +28,10 @@ 10 StandardOutPath - /opt/runevault/logs/runevault.stdout.log + /opt/runeconsole/logs/runeconsole.stdout.log StandardErrorPath - /opt/runevault/logs/runevault.stderr.log + /opt/runeconsole/logs/runeconsole.stderr.log EnvironmentVariables diff --git a/deployment/oci/main.tf b/deployment/oci/main.tf index 39febaa..b440f6f 100644 --- a/deployment/oci/main.tf +++ b/deployment/oci/main.tf @@ -33,7 +33,7 @@ variable "compartment_id" { } variable "team_name" { - description = "Team name for Vault instance" + description = "Team name for Rune console instance" type = string } @@ -43,19 +43,19 @@ variable "tls_mode" { default = "self-signed" } -variable "envector_endpoint" { - description = "enVector Cloud endpoint" +variable "runespace_endpoint" { + description = "Runespace endpoint" type = string } -variable "envector_api_key" { - description = "enVector Cloud API key" +variable "runespace_token" { + description = "Runespace API key" type = string sensitive = true } -variable "runevault_version" { - description = "Pinned runevault release tag — drives the install.sh URL and binary version on the VM." +variable "runeconsole_version" { + description = "Pinned runeconsole release tag — drives the install.sh URL and binary version on the VM." type = string } @@ -65,49 +65,49 @@ variable "public_key" { default = "" } -# VCN for Vault -resource "oci_core_vcn" "vault_vcn" { +# VCN for Rune console +resource "oci_core_vcn" "runeconsole_vcn" { compartment_id = var.compartment_id - display_name = "vault-${var.team_name}-vcn" + display_name = "runeconsole-${var.team_name}-vcn" cidr_block = "10.0.0.0/16" - dns_label = "vaultvcn" + dns_label = "runeconsolevcn" } # Public subnet -resource "oci_core_subnet" "vault_subnet" { +resource "oci_core_subnet" "runeconsole_subnet" { compartment_id = var.compartment_id - vcn_id = oci_core_vcn.vault_vcn.id - display_name = "vault-${var.team_name}-subnet" + vcn_id = oci_core_vcn.runeconsole_vcn.id + display_name = "runeconsole-${var.team_name}-subnet" cidr_block = "10.0.1.0/24" - dns_label = "vaultsub" - security_list_ids = [oci_core_security_list.vault_security_list.id] - route_table_id = oci_core_route_table.vault_route_table.id + dns_label = "runeconsolesub" + security_list_ids = [oci_core_security_list.runeconsole_security_list.id] + route_table_id = oci_core_route_table.runeconsole_route_table.id } # Internet Gateway -resource "oci_core_internet_gateway" "vault_ig" { +resource "oci_core_internet_gateway" "runeconsole_ig" { compartment_id = var.compartment_id - vcn_id = oci_core_vcn.vault_vcn.id - display_name = "vault-${var.team_name}-ig" + vcn_id = oci_core_vcn.runeconsole_vcn.id + display_name = "runeconsole-${var.team_name}-ig" } # Route Table -resource "oci_core_route_table" "vault_route_table" { +resource "oci_core_route_table" "runeconsole_route_table" { compartment_id = var.compartment_id - vcn_id = oci_core_vcn.vault_vcn.id - display_name = "vault-${var.team_name}-rt" + vcn_id = oci_core_vcn.runeconsole_vcn.id + display_name = "runeconsole-${var.team_name}-rt" route_rules { destination = "0.0.0.0/0" - network_entity_id = oci_core_internet_gateway.vault_ig.id + network_entity_id = oci_core_internet_gateway.runeconsole_ig.id } } # Security List -resource "oci_core_security_list" "vault_security_list" { +resource "oci_core_security_list" "runeconsole_security_list" { compartment_id = var.compartment_id - vcn_id = oci_core_vcn.vault_vcn.id - display_name = "vault-${var.team_name}-sl" + vcn_id = oci_core_vcn.runeconsole_vcn.id + display_name = "runeconsole-${var.team_name}-sl" egress_security_rules { destination = "0.0.0.0/0" @@ -137,11 +137,11 @@ resource "oci_core_security_list" "vault_security_list" { } } -# Compute Instance for Vault -resource "oci_core_instance" "vault_instance" { +# Compute Instance for Rune console +resource "oci_core_instance" "runeconsole_instance" { compartment_id = var.compartment_id availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name - display_name = "vault-${var.team_name}" + display_name = "runeconsole-${var.team_name}" shape = "VM.Standard.E5.Flex" shape_config { @@ -150,8 +150,8 @@ resource "oci_core_instance" "vault_instance" { } create_vnic_details { - subnet_id = oci_core_subnet.vault_subnet.id - display_name = "vault-${var.team_name}-vnic" + subnet_id = oci_core_subnet.runeconsole_subnet.id + display_name = "runeconsole-${var.team_name}-vnic" assign_public_ip = true } @@ -164,9 +164,9 @@ resource "oci_core_instance" "vault_instance" { ssh_authorized_keys = var.public_key user_data = base64encode(templatefile("${path.module}/startup-script.sh", { team_name = var.team_name - envector_endpoint = var.envector_endpoint - envector_api_key = var.envector_api_key - runevault_version = var.runevault_version + runespace_endpoint = var.runespace_endpoint + runespace_token = var.runespace_token + runeconsole_version = var.runeconsole_version })) } } @@ -192,17 +192,17 @@ data "oci_core_images" "ubuntu_image" { } # Outputs -output "vault_url" { - description = "Rune-Vault gRPC endpoint" - value = "${oci_core_instance.vault_instance.public_ip}:50051" +output "runeconsole_url" { + description = "Rune console gRPC endpoint" + value = "${oci_core_instance.runeconsole_instance.public_ip}:50051" } -output "vault_public_ip" { - value = oci_core_instance.vault_instance.public_ip - description = "Public IP of Vault instance" +output "runeconsole_public_ip" { + value = oci_core_instance.runeconsole_instance.public_ip + description = "Public IP of Rune console instance" } output "ssh_command" { - value = "ssh ubuntu@${oci_core_instance.vault_instance.public_ip}" - description = "SSH command to connect to Vault instance" + value = "ssh ubuntu@${oci_core_instance.runeconsole_instance.public_ip}" + description = "SSH command to connect to Rune console instance" } diff --git a/deployment/oci/startup-script-dev.sh b/deployment/oci/startup-script-dev.sh index ea13143..4b37f48 100755 --- a/deployment/oci/startup-script-dev.sh +++ b/deployment/oci/startup-script-dev.sh @@ -1,8 +1,8 @@ #!/bin/bash # Dev mode: installs prereqs only. install.sh + binary injected via SCP by install-dev.sh. set -euo pipefail -exec > /var/log/runevault-install.log 2>&1 -echo "=== runevault dev startup at $(date) ===" +exec > /var/log/runeconsole-install.log 2>&1 +echo "=== runeconsole dev startup at $(date) ===" for i in $(seq 1 30); do apt-get update -q \ @@ -12,5 +12,5 @@ for i in $(seq 1 30); do echo "apt retry $i..." && sleep 10 done -touch /var/run/runevault-dev-ready +touch /var/run/runeconsole-dev-ready echo "=== prereqs ready at $(date), waiting for install-dev.sh injection ===" diff --git a/deployment/oci/startup-script.sh b/deployment/oci/startup-script.sh index 6ecfaea..d940c98 100644 --- a/deployment/oci/startup-script.sh +++ b/deployment/oci/startup-script.sh @@ -1,7 +1,7 @@ #!/bin/bash set -euo pipefail -exec > /var/log/runevault-install.log 2>&1 -echo "=== runevault startup at $(date) ===" +exec > /var/log/runeconsole-install.log 2>&1 +echo "=== runeconsole startup at $(date) ===" for i in $(seq 1 30); do apt-get update -q \ @@ -11,23 +11,23 @@ for i in $(seq 1 30); do echo "apt retry $i..." && sleep 10 done -cat > /etc/profile.d/runevault-installer-env.sh <<'ENVFILE' -export RUNEVAULT_TEAM_NAME='${team_name}' -export RUNEVAULT_ENVECTOR_ENDPOINT='${envector_endpoint}' -export RUNEVAULT_ENVECTOR_API_KEY='${envector_api_key}' +cat > /etc/profile.d/runeconsole-installer-env.sh <<'ENVFILE' +export RUNECONSOLE_TEAM_NAME='${team_name}' +export RUNECONSOLE_RUNESPACE_ENDPOINT='${runespace_endpoint}' +export RUNECONSOLE_RUNESPACE_TOKEN='${runespace_token}' ENVFILE -chmod 600 /etc/profile.d/runevault-installer-env.sh -set -a; . /etc/profile.d/runevault-installer-env.sh; set +a +chmod 600 /etc/profile.d/runeconsole-installer-env.sh +set -a; . /etc/profile.d/runeconsole-installer-env.sh; set +a -INSTALL_URL="https://raw.githubusercontent.com/CryptoLabInc/rune-admin/${runevault_version}/install.sh" +INSTALL_URL="https://raw.githubusercontent.com/CryptoLabInc/rune-console/${runeconsole_version}/install.sh" for i in 1 2 3 4 5; do curl -fsSL --retry 5 --retry-delay 10 --connect-timeout 15 "$${INSTALL_URL}" -o /tmp/install.sh && break sleep $((i*10)) done -bash /tmp/install.sh --target local --non-interactive --version "${runevault_version}" +bash /tmp/install.sh --target local --non-interactive --version "${runeconsole_version}" -usermod -aG runevault ubuntu +usermod -aG runeconsole ubuntu -rm -f /etc/profile.d/runevault-installer-env.sh +rm -f /etc/profile.d/runeconsole-installer-env.sh echo "=== completed at $(date) ===" diff --git a/deployment/systemd/runevault.service b/deployment/systemd/runeconsole.service similarity index 66% rename from deployment/systemd/runevault.service rename to deployment/systemd/runeconsole.service index 72dfe74..40143ce 100644 --- a/deployment/systemd/runevault.service +++ b/deployment/systemd/runeconsole.service @@ -1,27 +1,27 @@ [Unit] -Description=Rune-Vault FHE gRPC Server -Documentation=https://github.com/CryptoLabInc/rune-admin +Description=Rune-console FHE gRPC Server +Documentation=https://github.com/CryptoLabInc/rune-console After=network-online.target Wants=network-online.target [Service] Type=simple -User=runevault -Group=runevault -ExecStart=/usr/local/bin/runevault daemon start --config /opt/runevault/configs/runevault.conf +User=runeconsole +Group=runeconsole +ExecStart=/usr/local/bin/runeconsole daemon start --config /opt/runeconsole/configs/runeconsole.conf Restart=on-failure RestartSec=5s TimeoutStopSec=30s StandardOutput=journal StandardError=journal -SyslogIdentifier=runevault +SyslogIdentifier=runeconsole # Security hardening NoNewPrivileges=true PrivateTmp=true ProtectSystem=strict ProtectHome=true -ReadWritePaths=/opt/runevault +ReadWritePaths=/opt/runeconsole ProtectKernelTunables=true ProtectKernelModules=true ProtectControlGroups=true diff --git a/docs-public/ARCHITECTURE.md b/docs-public/ARCHITECTURE.md index 355be82..c38649e 100644 --- a/docs-public/ARCHITECTURE.md +++ b/docs-public/ARCHITECTURE.md @@ -1,13 +1,13 @@ -# Rune-Vault Architecture +# Rune-console Architecture ## System Overview -Rune-Vault is the **infrastructure backbone** for team-shared FHE-encrypted organizational memory. It manages cryptographic keys, authenticates team members, and provides decryption services for encrypted search results. +Rune-console is the **infrastructure backbone** for team-shared FHE-encrypted organizational memory. It manages cryptographic keys, authenticates team members, and provides decryption services for encrypted search results. ### Core Responsibilities 1. **Key Management**: Generate, store, and protect FHE keys (secret key isolation) -2. **Decryption Service**: Decrypt search results from enVector Cloud +2. **Decryption Service**: Decrypt search results from Runespace 3. **Authentication**: Validate team member access via tokens 4. **Access Control**: Per-user RBAC with role-based top_k limits, scope enforcement, and rate limiting 5. **Audit Logging**: Structured JSON logs for compliance and debugging @@ -28,59 +28,59 @@ Rune-Vault is the **infrastructure backbone** for team-shared FHE-encrypted orga └───────────────┴───────────────┘ │ MCP tool calls ▼ - ┌────────────────────────────┐ - │ envector-mcp-server(s) │ ← Scalable - │ (Public Keys only) │ - │ │ - │ Tools: │ - │ - insert, search (direct) │ - │ - remember (Vault pipeline│ - │ search → decrypt → meta)│ - └──────┬──────────────┬──────┘ + ┌───────────────────────────────┐ + │ runespace-mcp-server(s) │ ← Scalable + │ (Public Keys only) │ + │ │ + │ Tools: │ + │ - insert, search (direct) │ + │ - remember (Console pipeline)│ + │ search → decrypt → meta) │ + └──────┬──────────────┬─────────┘ │ │ search/insert │ │ decrypt_scores() │ │ (called by remember) ▼ ▼ - ┌──────────────────────┐ ┌────────────────────────────┐ - │ enVector Cloud(SaaS) │ │ Rune-Vault │ - │ https://envector.io │ │ (Your Infrastructure) │ - │ │ │ │ - │ - Encrypted vectors │ │ ┌──────────────────────┐ │ - │ - Encrypted │ │ │ FHE Key Manager │ │ - │ similarity search │ │ │ │ │ - │ - Team isolation │ │ │ - secret key (isolated)│ │ - │ - Scalable storage │ │ │ - EncKey (public) │ │ - └──────────────────────┘ │ └──────────────────────┘ │ - │ │ - │ ┌──────────────────────┐ │ - │ │ gRPC Service (:50051)│ │ - │ │ - GetPublicKey() │ │ - │ │ - DecryptScores() │ │ - │ │ - DecryptMetadata() │ │ - │ └──────────────────────┘ │ - │ │ - │ ┌──────────────────────┐ │ - │ │ Auth & Audit │ │ - │ │ - Token validation │ │ - │ │ - Audit logging │ │ - │ └──────────────────────┘ │ - └────────────────────────────┘ + ┌─────────────────────────┐ ┌──────────────────────────────┐ + │ Runespace(SaaS) │ │ Rune-console │ + │ https://runespace.team │ │ (Your Infrastructure) │ + │ │ │ │ + │ - Encrypted vectors │ │ ┌─────────────────────────┐ │ + │ - Encrypted │ │ │ FHE Key Manager │ │ + │ similarity search │ │ │ │ │ + │ - Team isolation │ │ │ - secret key (isolated)│ │ + │ - Scalable storage │ │ │ - EncKey (public) │ │ + └─────────────────────────┘ │ └─────────────────────────┘ │ + │ │ + │ ┌─────────────────────────┐ │ + │ │ gRPC Service (:50051) │ │ + │ │ - GetPublicKey() │ │ + │ │ - DecryptScores() │ │ + │ │ - DecryptMetadata() │ │ + │ └─────────────────────────┘ │ + │ │ + │ ┌─────────────────────────┐ │ + │ │ Auth & Audit │ │ + │ │ - Token validation │ │ + │ │ - Audit logging │ │ + │ └─────────────────────────┘ │ + └──────────────────────────────┘ ``` -**Key**: Agents never contact Vault directly. The envector-mcp-server's -`remember` tool orchestrates the Vault decryption call as part of its -3-step pipeline. Secret key never leaves Vault. +**Key**: Agents never contact Rune console directly. The runespace-mcp-server's +`remember` tool orchestrates the Rune console decryption call as part of its +3-step pipeline. Secret key never leaves Rune console. ## Port Summary | Endpoint | Protocol | Purpose | Exposure | |----------|----------|---------|----------| -| `:50051` | gRPC + TLS | Vault service, health check, reflection | Public (team members) | -| `/opt/runevault/admin.sock` | Unix domain socket (mode 0600) | Admin token/role CRUD + status | Local only — `runevault` CLI | +| `:50051` | gRPC + TLS | Rune console service, health check, reflection | Public (team members) | +| `/opt/runeconsole/admin.sock` | Unix domain socket (mode 0600) | Admin token/role CRUD + status | Local only — `runeconsole` CLI | ## Component Details -### 1. Rune-Vault Server +### 1. Rune-console Server **Purpose**: Centralized key management and decryption service for a team @@ -91,21 +91,21 @@ Rune-Vault is the **infrastructure backbone** for team-shared FHE-encrypted orga - **On-Premise** (Self-hosted) **Runtime**: -- Single-binary Go gRPC daemon (`runevault`) — no runtime dependencies beyond TLS -- gRPC server on port 50051 (used by envector-mcp-server) +- Single-binary Go gRPC daemon (`runeconsole`) — no runtime dependencies beyond TLS +- gRPC server on port 50051 (used by runespace-mcp-server) - gRPC health check via `grpc.health.v1` protocol -- Admin Unix domain socket at `/opt/runevault/admin.sock` (mode 0600, vault-user owned) -- Registered as a native systemd unit (`runevault.service`) on Linux or a launchd job (`com.cryptolabinc.runevault`) on macOS +- Admin Unix domain socket at `/opt/runeconsole/admin.sock` (mode 0600, runeconsole-user owned) +- Registered as a native systemd unit (`runeconsole.service`) on Linux or a launchd job (`com.cryptolabinc.runeconsole`) on macOS -**Key Storage** (`/opt/runevault/vault-keys//`, default `` = `vault-key`): +**Key Storage** (`/opt/runeconsole/runeconsole-keys//`, default `` = `runeconsole-key`): ``` -/opt/runevault/vault-keys/vault-key/ +/opt/runeconsole/runeconsole-keys/runeconsole-key/ ├── EncKey.json # Public encryption key (distributed to agents) ├── EvalKey.json # Public evaluation key (for FHE operations) -└── SecKey.json # Secret decryption key (NEVER leaves Vault) +└── SecKey.json # Secret decryption key (NEVER leaves Rune console) ``` -Keys are auto-generated on first startup by `EnsureVault` (in `vault/internal/server/ensure_vault.go`). +Keys are auto-generated on first startup by `EnsureKeys` (in `runeconsole/internal/server/ensure.go`). **Security Properties**: - Secret key stored encrypted at rest (filesystem encryption) @@ -116,7 +116,7 @@ Keys are auto-generated on first startup by `EnsureVault` (in `vault/internal/se ### 2. gRPC Service (API) -Defined in `proto/vault_service.proto` (`rune.vault.v1.VaultService`). +Defined in `proto/service.proto` (`rune.console.v1.ConsoleService`). **Server Configuration**: - Max message size: 256 MB (for EvalKey transfer) @@ -127,22 +127,22 @@ Defined in `proto/vault_service.proto` (`rune.vault.v1.VaultService`). **`GetPublicKey()`** - Returns: JSON bundle containing EncKey, EvalKey, index_name, key_id, agent_id, agent_dek (per-user derived encryption key) -- Used by: envector-mcp-server at startup +- Used by: runespace-mcp-server at startup - Auth: Required (validates token + scope check) **`DecryptScores()`** - Input: Result ciphertext from encrypted similarity search (base64-serialized) - Returns: Top-K typed `ScoreEntry` messages (shard_idx, row_idx, score) -- Used by: envector-mcp-server's `remember` pipeline (per search query) +- Used by: runespace-mcp-server's `remember` pipeline (per search query) - Auth: Required (validates token + scope check) - Policy: Per-role top_k limit (admin: 50, member: 10). Proto constraint: 1-300 range. **`DecryptMetadata()`** - Input: List of AES-encrypted metadata blobs. Each blob is JSON `{"a": "", "c": ""}`. - Returns: Decrypted metadata (JSON strings) -- Used by: envector-mcp-server's `remember` pipeline +- Used by: runespace-mcp-server's `remember` pipeline - Auth: Required (validates token + scope check) -- Vault derives the agent's DEK via HKDF-SHA256 from team secret + agent_id. +- Rune console derives the agent's DEK via HKDF-SHA256 from team secret + agent_id. ### 3. Authentication & Access Control @@ -163,47 +163,47 @@ Defined in `proto/vault_service.proto` (`rune.vault.v1.VaultService`). | admin | get_public_key, decrypt_scores, decrypt_metadata, manage_tokens | 50 | 150/60s | | member | get_public_key, decrypt_scores, decrypt_metadata | 10 | 30/60s | -Custom roles can be created via `runevault role create`. +Custom roles can be created via `runeconsole role create`. **Token Lifecycle:** -- Issue: `runevault token issue --user alice --role member --expires 90d` -- Rotate: `runevault token rotate --user alice` (atomic revoke + reissue) or `--all` -- Revoke: `runevault token revoke --user alice` -- Persistence: atomic YAML writes to the files referenced by `tokens.tokens_file` and `tokens.roles_file` in `runevault.conf` (defaults: `/opt/runevault/configs/{tokens,roles}.yml`). +- Issue: `runeconsole token issue --user alice --role member --expires 90d` +- Rotate: `runeconsole token rotate --user alice` (atomic revoke + reissue) or `--all` +- Revoke: `runeconsole token revoke --user alice` +- Persistence: atomic YAML writes to the files referenced by `tokens.tokens_file` and `tokens.roles_file` in `runeconsole.conf` (defaults: `/opt/runeconsole/configs/{tokens,roles}.yml`). -**Configuration Source**: `runevault.conf` (YAML) is the single source of truth — no env-var fallback or migration helper. Lookup order: +**Configuration Source**: `runeconsole.conf` (YAML) is the single source of truth — no env-var fallback or migration helper. Lookup order: 1. `--config ` CLI flag -2. `/opt/runevault/configs/runevault.conf` -3. `./runevault.conf` (cwd, dev only) +2. `/opt/runeconsole/configs/runeconsole.conf` +3. `./runeconsole.conf` (cwd, dev only) -Secret YAML fields (`tokens.team_secret`, `envector.api_key`) accept a sibling `*_file` key for KMS-backed deployments. +Secret YAML fields (`tokens.team_secret`, `runespace.token`) accept a sibling `*_file` key for KMS-backed deployments. ### 4. Admin Socket & CLI -**Admin Socket** (`vault/internal/server/admin.go`): -- Unix domain socket at `/opt/runevault/admin.sock` (mode 0600, vault-user owned) +**Admin Socket** (`runeconsole/internal/server/admin.go`): +- Unix domain socket at `/opt/runeconsole/admin.sock` (mode 0600, runeconsole-user owned) - Filesystem permissions are the only authorization gate; never expose externally -- Used by the `runevault` CLI and by the daemon's lifecycle hooks (e.g. `ErrRestartRequested` after token rotation) +- Used by the `runeconsole` CLI and by the daemon's lifecycle hooks (e.g. `ErrRestartRequested` after token rotation) -**CLI** (`runevault`): +**CLI** (`runeconsole`): | Command | Purpose | |---------|---------| -| `runevault status` | Daemon health and socket liveness | -| `runevault logs` | Tail audit log output | -| `runevault token issue --user --role [--expires 90d]` | Issue a new per-user token | -| `runevault token list` | List issued tokens | -| `runevault token rotate --user ` / `--all` | Atomic revoke + reissue | -| `runevault token revoke --user ` | Revoke a token | -| `runevault role list` | List configured roles | -| `runevault role create --name --scope a,b,c --top-k N --rate-limit N/Ts` | Create a custom role | -| `runevault role update --name [--scope] [--top-k] [--rate-limit]` | Update an existing role | -| `runevault role delete --name ` | Delete a role | -| `runevault version` | Print build version (works without daemon or socket) | +| `runeconsole status` | Daemon health and socket liveness | +| `runeconsole logs` | Tail audit log output | +| `runeconsole token issue --user --role [--expires 90d]` | Issue a new per-user token | +| `runeconsole token list` | List issued tokens | +| `runeconsole token rotate --user ` / `--all` | Atomic revoke + reissue | +| `runeconsole token revoke --user ` | Revoke a token | +| `runeconsole role list` | List configured roles | +| `runeconsole role create --name --scope a,b,c --top-k N --rate-limit N/Ts` | Create a custom role | +| `runeconsole role update --name [--scope] [--top-k] [--rate-limit]` | Update an existing role | +| `runeconsole role delete --name ` | Delete a role | +| `runeconsole version` | Print build version (works without daemon or socket) | The `daemon start` subcommand is invoked by systemd / launchd; operators -control lifecycle via `systemctl … runevault` (Linux) or -`launchctl … system/com.cryptolabinc.runevault` (macOS) rather than directly. +control lifecycle via `systemctl … runeconsole` (Linux) or +`launchctl … system/com.cryptolabinc.runeconsole` (macOS) rather than directly. ### 5. Input Validation @@ -212,7 +212,7 @@ Two-layer validation runs as a gRPC interceptor before requests reach business l - **Layer 1: protovalidate** -- Enforces `.proto` annotation constraints (field length, int range, repeated item rules) - **Layer 2: Runtime checks** -- Control character rejection, whitespace validation (not expressible in proto annotations) -Non-Vault methods (health check, reflection) pass through untouched. +Non Rune console methods (health check, reflection) pass through untouched. ### 6. Per-Agent Metadata Encryption @@ -225,23 +225,23 @@ agent_id = SHA256(token)[:32] - DEK is distributed to the agent via the `GetPublicKey()` response (`agent_dek` field) - Metadata is encrypted client-side with the agent-specific DEK -- Vault re-derives the DEK from team secret + agent_id to decrypt +- Rune console re-derives the DEK from team secret + agent_id to decrypt - Ensures one agent cannot decrypt another agent's metadata even if both are on the same team ### 7. Audit Logging -Structured JSON logging for all gRPC operations (`vault/internal/server/audit.go`): +Structured JSON logging for all gRPC operations (`runeconsole/internal/server/audit.go`): - One JSON line per request: timestamp, user_id, method, top_k, result_count, status, source_ip, latency_ms, error - Source IP extracted from the gRPC peer context - File output uses `lumberjack` for size-based rotation -**Configuration** in `runevault.conf`: +**Configuration** in `runeconsole.conf`: ```yaml audit: mode: file+stdout # one of: "" (disabled), file, stdout, file+stdout - path: /opt/runevault/logs/audit.log + path: /opt/runeconsole/logs/audit.log ``` ## Data Flow @@ -252,15 +252,15 @@ audit: Team Member's Laptop │ ├── 1. Install Rune from Claude Marketplace (github.com/CryptoLabInc/rune) - ├── 2. Configure Vault Endpoint + Token + ├── 2. Configure Rune console Endpoint + Token │ ▼ Rune Startup │ - ├── 3. Call GetPublicKey() → Vault (gRPC :50051) + ├── 3. Call GetPublicKey() → Rune console (gRPC :50051) │ ▼ -Vault (gRPC) +Rune console (gRPC) │ ├── 4. Validate token (returns username + role) ├── 5. Read EncKey.json, EvalKey.json @@ -281,19 +281,19 @@ User: "What decisions did we make about database?" ▼ AI Agent (Claude/Gemini/Codex) │ - ├── 1. Call envector-mcp-server `remember` tool + ├── 1. Call runespace-mcp-server `remember` tool │ ▼ -envector-mcp-server (`remember` orchestration) +runespace-mcp-server (`remember` orchestration) │ ├── 2. Embed query (auto-embedded if text, or accepts vector/JSON) - ├── 3. Encrypted similarity scoring on enVector Cloud + ├── 3. Encrypted similarity scoring on Runespace │ → Returns result ciphertext (base64) │ - ├── 4. Call Vault: DecryptScores(token, ciphertext, top_k) via gRPC + ├── 4. Call Rune console: DecryptScores(token, ciphertext, top_k) via gRPC │ ▼ -Vault (gRPC — secret key holder) +Rune console (gRPC — secret key holder) │ ├── 5. Validate token (returns username + role) ├── 6. Decrypt result ciphertext with secret key → similarity values @@ -301,23 +301,23 @@ Vault (gRPC — secret key holder) ├── 8. Return [{index: 42, score: 0.95}, ...] │ ▼ -envector-mcp-server (continued) +runespace-mcp-server (continued) │ - ├── 9. Retrieve metadata for top-k indices from enVector Cloud + ├── 9. Retrieve metadata for top-k indices from Runespace ├── 10. Return results to Agent │ ▼ AI Agent → User: "In Q2 2024, team chose PostgreSQL for JSON support..." ``` -**Key**: The Agent never contacts Vault directly. The `remember` tool -in envector-mcp-server orchestrates the entire 3-step pipeline. -Secret key never leaves Vault. +**Key**: The Agent never contacts Rune console directly. The `remember` tool +in runespace-mcp-server orchestrates the entire 3-step pipeline. +Secret key never leaves Rune console. **`search` vs `remember`**: The `search` tool is for the operator's own encrypted data where secret key is held locally by the MCP server runtime. The `remember` tool accesses shared team memory where secret key is held -exclusively by Rune-Vault, preventing agent tampering attacks from +exclusively by Rune-console, preventing agent tampering attacks from indiscriminately decrypting shared vectors. ## Security Model @@ -325,32 +325,32 @@ indiscriminately decrypting shared vectors. ### Threat Model **Assumptions**: -- enVector Cloud is **untrusted** (sees only ciphertext) +- Runespace is **untrusted** (sees only ciphertext) - Network is **untrusted** (TLS required) - Team members' laptops are **trusted** (Rune runs locally) -- Vault VM is **trusted** (admin controls infrastructure) +- Rune console VM is **trusted** (admin controls infrastructure) **Threats Mitigated**: -1. **Cloud Provider Breach**: enVector Cloud compromise → no plaintext leak (FHE) +1. **Cloud Provider Breach**: Runespace compromise → no plaintext leak (FHE) 2. **Network Eavesdropping**: MITM attacks → TLS encryption 3. **Unauthorized Access**: Non-team members → token authentication 4. **Key Theft**: secret key extraction → architectural isolation (no export API) **Threats Not Mitigated** (out of scope): -- Vault VM compromise (admin responsibility: use secure cloud, enable disk encryption) +- Rune console VM compromise (admin responsibility: use secure cloud, enable disk encryption) - Team member laptop compromise (user responsibility: secure devices) - Token leakage (admin responsibility: rotate tokens, use secure distribution) ### Key Isolation Strategy -**Why Secret Key Never Leaves Vault**: +**Why Secret Key Never Leaves Rune console**: - **Principle**: Decryption capability = highest privilege -- **Constraint**: Only Vault has secret key, no export API +- **Constraint**: Only Rune console has secret key, no export API - **Benefit**: Even if client compromised, attacker cannot decrypt historical data **Key Distribution**: ``` -Secret key: Vault only (generated on deployment, never exported) +Secret key: Rune console only (generated on deployment, never exported) EncKey: Distributed to all team members (safe to share, encryption-only) EvalKey: Distributed to all team members (safe to share, FHE operations) ``` @@ -358,7 +358,7 @@ EvalKey: Distributed to all team members (safe to share, FHE operations) ### Defense in Depth **Layer 1: Network** -- TLS 1.3 for all Vault communications +- TLS 1.3 for all Rune console communications - Firewall rules (allow gRPC 50051) - Optional: VPN for extra isolation @@ -398,25 +398,25 @@ Cloud Resources Created ├── Compute Instance (VM) │ ├── OS: Ubuntu 24.04 LTS │ └── Software (installed via cloud-init startup script): - │ ├── runevault binary (SHA256SUMS-verified) - │ └── runevault.service (systemd) registered + │ ├── runeconsole binary (SHA256SUMS-verified) + │ └── runeconsole.service (systemd) registered │ ├── Networking │ ├── Public IP address │ └── Security group / list / firewall rule (allow 50051/gRPC) │ ├── Storage - │ └── /opt/runevault/vault-keys// (FHE keys) + │ └── /opt/runeconsole/runeconsole-keys// (FHE keys) │ └── Audit Logging - └── /opt/runevault/logs/audit.log + └── /opt/runeconsole/logs/audit.log ``` Common Terraform variables across all CSPs: `team_name`, `tls_mode`, -`envector_endpoint`, `envector_api_key`, `runevault_version`, +`runespace_endpoint`, `runespace_token`, `runeconsole_version`, `public_key`, `region`. CSP-specific: `instance_type` (AWS), `project_id` / `zone` / `machine_type` (GCP), `oci_profile` / -`compartment_id` (OCI). Output: `vault_public_ip`. +`compartment_id` (OCI). Output: `runeconsole_public_ip`. Horizontal scaling and multi-instance HA are not currently supported. For higher capacity, re-provision with a larger VM shape via your cloud @@ -427,16 +427,16 @@ provider. ### Backup & Recovery **Critical Assets**: -- `/opt/runevault/vault-keys//SecKey.json` — **MUST backup** (cannot regenerate) -- `tokens.team_secret` from `runevault.conf` — **MUST backup** (needed for DEK re-derivation) -- Per-user tokens — rotatable via `runevault token rotate` +- `/opt/runeconsole/runeconsole-keys//SecKey.json` — **MUST backup** (cannot regenerate) +- `tokens.team_secret` from `runeconsole.conf` — **MUST backup** (needed for DEK re-derivation) +- Per-user tokens — rotatable via `runeconsole token rotate` **Backup Strategy**: ```bash -# Manually back up vault keys (run on the VM) -sudo tar czf vault-keys_backup_$(date +%Y-%m-%d).tar.gz -C /opt/runevault vault-keys/ +# Manually back up runeconsole keys (run on the VM) +sudo tar czf runeconsole-keys_backup_$(date +%Y-%m-%d).tar.gz -C /opt/runeconsole runeconsole-keys/ -# Also archive runevault.conf or at minimum the tokens.team_secret value +# Also archive runeconsole.conf or at minimum the tokens.team_secret value # Store in: offline media, a different cloud provider, or a password manager ``` @@ -446,14 +446,14 @@ sudo tar czf vault-keys_backup_$(date +%Y-%m-%d).tar.gz -C /opt/runevault vault- sudo bash install.sh --target # 2. Stop the daemon before restoring keys -sudo systemctl stop runevault +sudo systemctl stop runeconsole -# 3. Restore vault-keys and team_secret -sudo tar xzf vault-keys_backup_YYYY-MM-DD.tar.gz -C /opt/runevault -# Edit /opt/runevault/configs/runevault.conf and restore tokens.team_secret +# 3. Restore runeconsole-keys and team_secret +sudo tar xzf runeconsole-keys_backup_YYYY-MM-DD.tar.gz -C /opt/runeconsole +# Edit /opt/runeconsole/configs/runeconsole.conf and restore tokens.team_secret # 4. Bring the daemon back up -sudo systemctl start runevault +sudo systemctl start runeconsole # Team members continue without reconfiguration. ``` @@ -461,17 +461,17 @@ sudo systemctl start runevault ```bash # Rotate a single user's token -runevault token rotate --user alice +runeconsole token rotate --user alice # Rotate all tokens -runevault token rotate --all +runeconsole token rotate --all # Distribute new tokens to team members via a secure channel ``` ### Scaling Strategy -Re-provision with a larger VM shape via your cloud provider's console or +Re-provision with a larger VM shape via your cloud provider's runeconsole or by editing the relevant `instance_type` (AWS) / `machine_type` (GCP) / shape configuration (OCI) and re-running `terraform apply` from your install directory. @@ -485,13 +485,13 @@ When to scale: | Package | Purpose | |---------|---------| -| `vault/cmd` | Binary entry point — wires Cobra root command and runs `Execute()` | -| `vault/internal/commands` | CLI subcommands (`daemon`, `token`, `role`, `status`, `logs`, `version`) and admin-socket client | -| `vault/internal/server` | gRPC server, config loader, audit logger, admin UDS, `EnsureVault` startup hook, interceptors | -| `vault/internal/tokens` | Per-user RBAC store: tokens, roles, validation, rate limiting, YAML persistence | -| `vault/internal/crypto` | FHE key management + HKDF/AES wrappers around `envector-go-sdk` | -| `vault/internal/tests` | E2E tests gated by build tag `e2e` (decrypt pipeline + CLI smoke) | -| `vault/pkg/vaultpb` | Generated gRPC stubs from `vault/proto/*.proto` | +| `runeconsole/cmd` | Binary entry point — wires Cobra root command and runs `Execute()` | +| `runeconsole/internal/commands` | CLI subcommands (`daemon`, `token`, `role`, `status`, `logs`, `version`) and admin-socket client | +| `runeconsole/internal/server` | gRPC server, config loader, audit logger, admin UDS, `EnsureKeys` startup hook, interceptors | +| `runeconsole/internal/tokens` | Per-user RBAC store: tokens, roles, validation, rate limiting, YAML persistence | +| `runeconsole/internal/crypto` | FHE key management + HKDF/AES wrappers around `runespace-sdk` | +| `runeconsole/internal/tests` | E2E tests gated by build tag `e2e` (decrypt pipeline + CLI smoke) | +| `runeconsole/pkg/consolepb` | Generated gRPC stubs from `runeconsole/proto/*.proto` | ## Troubleshooting @@ -501,14 +501,14 @@ When to scale: **Diagnosis**: ```bash -# Check Vault CPU on the server -ssh ubuntu@ # or ec2-user@... / opc@... depending on CSP +# Check Rune console CPU on the server +ssh ubuntu@ # or ec2-user@... / opc@... depending on CSP top # Tail the audit log for latency -sudo tail -20 /opt/runevault/logs/audit.log +sudo tail -20 /opt/runeconsole/logs/audit.log # Or use the CLI from the host: -runevault logs +runeconsole logs ``` **Solutions**: @@ -523,41 +523,41 @@ runevault logs **Diagnosis**: ```bash # Verify the daemon is up -runevault status +runeconsole status # Inspect server logs for denied requests -sudo journalctl -u runevault | grep -i "denied\|unauthenticated" +sudo journalctl -u runeconsole | grep -i "denied\|unauthenticated" ``` **Solutions**: - Wrong token → Re-share the correct token - Token rotated → Distribute the new token to all team members -- Token expired → Issue a fresh token via `runevault token issue` +- Token expired → Issue a fresh token via `runeconsole token issue` - Rate limited → Wait for the window to reset, or adjust the role's `rate_limit` - Firewall → Check the security group allows 50051 from team IPs -### Issue: Vault Crashed +### Issue: Rune console Crashed **Symptoms**: Health check fails, daemon not responsive **Diagnosis**: ```bash # Linux -sudo systemctl status runevault -sudo journalctl -u runevault -n 100 +sudo systemctl status runeconsole +sudo journalctl -u runeconsole -n 100 # macOS -sudo launchctl print system/com.cryptolabinc.runevault -sudo log show --predicate 'process == "runevault"' --last 10m +sudo launchctl print system/com.cryptolabinc.runeconsole +sudo log show --predicate 'process == "runeconsole"' --last 10m ``` **Solutions**: - OOM killer → Increase VM memory - Disk full → Rotate logs (`lumberjack` handles size-based rotation, but free disk first) -- Crashed process → `sudo systemctl restart runevault` (Linux) / `sudo launchctl kickstart -k system/com.cryptolabinc.runevault` (macOS) -- Persistent crash → Re-provision with `install.sh --uninstall` then `install.sh --target `, restoring `vault-keys/` from backup before first start +- Crashed process → `sudo systemctl restart runeconsole` (Linux) / `sudo launchctl kickstart -k system/com.cryptolabinc.runeconsole` (macOS) +- Persistent crash → Re-provision with `install.sh --uninstall` then `install.sh --target `, restoring `runeconsole-keys/` from backup before first start ## Next Steps -- Deploy your first Vault: [Quick Start](../README.md#quick-start) +- Deploy your first Rune console: [Quick Start](../README.md#quick-start) - Contributing: [CONTRIBUTING.md](../CONTRIBUTING.md) diff --git a/install.sh b/install.sh index 4833620..b6a8437 100755 --- a/install.sh +++ b/install.sh @@ -1,8 +1,8 @@ #!/usr/bin/env bash # -# Rune-Vault installer. +# Rune-console installer. # -# Downloads, verifies, and installs the runevault daemon with systemd (Linux) +# Downloads, verifies, and installs the runeconsole daemon with systemd (Linux) # or launchd (macOS) service registration. # # Usage: @@ -11,7 +11,7 @@ # Options: # --version Install a specific release tag (default: latest) # --target Deploy locally or to a cloud provider (default: local) -# --install-dir CSP install directory (default: $HOME/rune-vault-) +# --install-dir CSP install directory (default: $HOME/runeconsole-) # --force Overwrite existing config and TLS certificates # --non-interactive Skip all prompts; supply secrets via env vars # --uninstall Tear down the install. Local: stop service + remove files @@ -19,49 +19,49 @@ # optionally remove the install directory. # # Non-interactive env vars (local install): -# RUNEVAULT_TEAM_NAME keys.index_name (required) -# RUNEVAULT_ENVECTOR_ENDPOINT envector.endpoint (required) -# RUNEVAULT_ENVECTOR_API_KEY envector.api_key -# RUNEVAULT_ENVECTOR_API_KEY_FILE envector.api_key_file (alternative) -# RUNEVAULT_TLS_CERT_PATH Path to existing TLS cert (skips auto-gen) -# RUNEVAULT_TLS_KEY_PATH Path to existing TLS key (skips auto-gen) +# RUNECONSOLE_TEAM_NAME keys.index_name (required) +# RUNECONSOLE_RUNESPACE_ENDPOINT runespace.endpoint (required) +# RUNECONSOLE_RUNESPACE_TOKEN runespace.token +# RUNECONSOLE_RUNESPACE_TOKEN_FILE runespace.token_file (alternative) +# RUNECONSOLE_TLS_CERT_PATH Path to existing TLS cert (skips auto-gen) +# RUNECONSOLE_TLS_KEY_PATH Path to existing TLS key (skips auto-gen) # # Non-interactive env vars (CSP install — operator workstation): -# RUNEVAULT_ENVECTOR_ENDPOINT enVector endpoint URL (required) -# RUNEVAULT_ENVECTOR_API_KEY enVector API key (required) -# RUNEVAULT_TEAM_NAME Team name — used for resource naming and vault index (required) -# RUNEVAULT_TARGET Pre-select target without interactive menu -# RUNEVAULT_INSTALL_DIR Pre-set CSP install directory -# RUNEVAULT_CSP_REGION Cloud region -# RUNEVAULT_GCP_PROJECT_ID GCP: project ID (required for GCP) -# RUNEVAULT_OCI_COMPARTMENT_ID OCI: compartment OCID (required for OCI) +# RUNECONSOLE_RUNESPACE_ENDPOINT Runespace endpoint URL (required) +# RUNECONSOLE_RUNESPACE_TOKEN Runespace API key (required) +# RUNECONSOLE_TEAM_NAME Team name — used for resource naming and console index (required) +# RUNECONSOLE_TARGET Pre-select target without interactive menu +# RUNECONSOLE_INSTALL_DIR Pre-set CSP install directory +# RUNECONSOLE_CSP_REGION Cloud region +# RUNECONSOLE_GCP_PROJECT_ID GCP: project ID (required for GCP) +# RUNECONSOLE_OCI_COMPARTMENT_ID OCI: compartment OCID (required for OCI) # # Dev/testing env vars (set by scripts/install-dev.sh): -# RUNEVAULT_LOCAL_BINARY Path to local binary; skips download + checksum verify -# RUNEVAULT_SKIP_VERIFY Set to 1 to skip checksum verification (dev only) -# RUNEVAULT_INSTALL_PREFIX Override /opt/runevault (default) -# RUNEVAULT_BINARY_PATH Override /usr/local/bin/runevault (default) -# RUNEVAULT_SKIP_SERVICE Set to 1 to skip systemd/launchd installation +# RUNECONSOLE_LOCAL_BINARY Path to local binary; skips download + checksum verify +# RUNECONSOLE_SKIP_VERIFY Set to 1 to skip checksum verification (dev only) +# RUNECONSOLE_INSTALL_PREFIX Override /opt/runeconsole (default) +# RUNECONSOLE_BINARY_PATH Override /usr/local/bin/runeconsole (default) +# RUNECONSOLE_SKIP_SERVICE Set to 1 to skip systemd/launchd installation set -euo pipefail # ── Constants ────────────────────────────────────────────────────────────────── -REPO=CryptoLabInc/rune-admin -SERVICE_USER=runevault +REPO=CryptoLabInc/rune-console +SERVICE_USER=runeconsole GRPC_PORT=50051 RAW_BASE="https://raw.githubusercontent.com/${REPO}" -DEFAULT_INSTALL_DIR_CSP_FMT="%s/rune-vault-%s" +DEFAULT_INSTALL_DIR_CSP_FMT="%s/runeconsole-%s" # Overridable by env (used by scripts/install-dev.sh) -INSTALL_PREFIX="${RUNEVAULT_INSTALL_PREFIX:-/opt/runevault}" -BINARY_DEST="${RUNEVAULT_BINARY_PATH:-/usr/local/bin/runevault}" -SKIP_VERIFY="${RUNEVAULT_SKIP_VERIFY:-0}" -LOCAL_BINARY="${RUNEVAULT_LOCAL_BINARY:-}" -SKIP_SERVICE="${RUNEVAULT_SKIP_SERVICE:-0}" - -TARGET="${RUNEVAULT_TARGET:-}" -INSTALL_DIR_CSP="${RUNEVAULT_INSTALL_DIR:-}" +INSTALL_PREFIX="${RUNECONSOLE_INSTALL_PREFIX:-/opt/runeconsole}" +BINARY_DEST="${RUNECONSOLE_BINARY_PATH:-/usr/local/bin/runeconsole}" +SKIP_VERIFY="${RUNECONSOLE_SKIP_VERIFY:-0}" +LOCAL_BINARY="${RUNECONSOLE_LOCAL_BINARY:-}" +SKIP_SERVICE="${RUNECONSOLE_SKIP_SERVICE:-0}" + +TARGET="${RUNECONSOLE_TARGET:-}" +INSTALL_DIR_CSP="${RUNECONSOLE_INSTALL_DIR:-}" CSP_PUBLIC_IP="" # ── Color helpers ────────────────────────────────────────────────────────────── @@ -110,7 +110,7 @@ esac # ── Uninstall flow ───────────────────────────────────────────────────────────── run_uninstall() { - info "Uninstalling Rune-Vault..." + info "Uninstalling Rune-console..." if [[ "$TARGET" != "local" ]]; then csp_uninstall "$TARGET" @@ -120,18 +120,18 @@ run_uninstall() { [[ "$(id -u)" -eq 0 ]] || die "Local uninstall must be run as root (use sudo)." if [[ "$OS_SLUG" = linux ]]; then - if systemctl is-active --quiet runevault.service 2>/dev/null; then - info "Stopping runevault.service..." - systemctl stop runevault.service + if systemctl is-active --quiet runeconsole.service 2>/dev/null; then + info "Stopping runeconsole.service..." + systemctl stop runeconsole.service fi - systemctl disable runevault.service 2>/dev/null || true - rm -f /etc/systemd/system/runevault.service + systemctl disable runeconsole.service 2>/dev/null || true + rm -f /etc/systemd/system/runeconsole.service systemctl daemon-reload success "systemd service removed." else - local plist=/Library/LaunchDaemons/com.cryptolabinc.runevault.plist + local plist=/Library/LaunchDaemons/com.cryptolabinc.runeconsole.plist if [[ -f "$plist" ]]; then - launchctl bootout system/com.cryptolabinc.runevault 2>/dev/null || true + launchctl bootout system/com.cryptolabinc.runeconsole 2>/dev/null || true rm -f "$plist" success "launchd service removed." fi @@ -141,7 +141,7 @@ run_uninstall() { success "Binary removed: ${BINARY_DEST}" printf '\n' - warn "The following directory contains Rune-Vault Keys and configuration:" + warn "The following directory contains Rune-console Keys and configuration:" warn " ${INSTALL_PREFIX}/" warn "This data CANNOT be recovered if deleted." printf '\n' @@ -150,13 +150,13 @@ run_uninstall() { if [[ "$NON_INTERACTIVE" -eq 1 ]]; then warn "Non-interactive mode: data preserved. Remove manually: rm -rf ${INSTALL_PREFIX}" else - read -r -p "Delete all vault data including Rune-Vault Keys? [y/N] " answer + read -r -p "Delete all Rune console data including Rune-console Keys? [y/N] " answer fi case "$answer" in [Yy]*) rm -rf "${INSTALL_PREFIX}" - success "Vault data deleted." + success "Rune console data deleted." ;; *) info "Data preserved at ${INSTALL_PREFIX}" @@ -183,7 +183,7 @@ run_uninstall() { fi fi - success "Rune-Vault uninstalled." + success "Rune-console uninstalled." } # ── CSP helpers ─────────────────────────────────────────────────────────────── @@ -301,14 +301,14 @@ csp_prompt_config() { printf ' Cloud deployment configuration\n' printf '══════════════════════════════════════════════════════════\n' printf '\n' - printf ' Create your enVector cluster at https://envector.io\n' + printf ' Create your Runespace cluster at https://runespace.example.com\n' printf ' before proceeding. You will need the endpoint URL and\n' printf ' API key from the dashboard.\n' printf '\n' _prompt TEAM_NAME "Team name" "" - _prompt ENVECTOR_ENDPOINT "enVector endpoint" "" - _prompt ENVECTOR_API_KEY "enVector API key" "" + _prompt RUNESPACE_ENDPOINT "Runespace endpoint" "" + _prompt RUNESPACE_TOKEN "Runespace API key" "" case "$csp" in aws) _prompt CSP_REGION "AWS region" "us-east-1" ;; @@ -323,19 +323,19 @@ csp_prompt_config() { esac printf '\n' else - TEAM_NAME="${RUNEVAULT_TEAM_NAME:-}" - ENVECTOR_ENDPOINT="${RUNEVAULT_ENVECTOR_ENDPOINT:-}" - ENVECTOR_API_KEY="${RUNEVAULT_ENVECTOR_API_KEY:-}" - CSP_REGION="${RUNEVAULT_CSP_REGION:-}" - GCP_PROJECT_ID="${RUNEVAULT_GCP_PROJECT_ID:-}" - OCI_COMPARTMENT_ID="${RUNEVAULT_OCI_COMPARTMENT_ID:-}" + TEAM_NAME="${RUNECONSOLE_TEAM_NAME:-}" + RUNESPACE_ENDPOINT="${RUNECONSOLE_RUNESPACE_ENDPOINT:-}" + RUNESPACE_TOKEN="${RUNECONSOLE_RUNESPACE_TOKEN:-}" + CSP_REGION="${RUNECONSOLE_CSP_REGION:-}" + GCP_PROJECT_ID="${RUNECONSOLE_GCP_PROJECT_ID:-}" + OCI_COMPARTMENT_ID="${RUNECONSOLE_OCI_COMPARTMENT_ID:-}" local missing=() - [[ -z "$TEAM_NAME" ]] && missing+=("RUNEVAULT_TEAM_NAME") - [[ -z "$ENVECTOR_ENDPOINT" ]] && missing+=("RUNEVAULT_ENVECTOR_ENDPOINT") - [[ -z "$ENVECTOR_API_KEY" ]] && missing+=("RUNEVAULT_ENVECTOR_API_KEY") - [[ "$csp" = gcp && -z "$GCP_PROJECT_ID" ]] && missing+=("RUNEVAULT_GCP_PROJECT_ID") - [[ "$csp" = oci && -z "$OCI_COMPARTMENT_ID" ]] && missing+=("RUNEVAULT_OCI_COMPARTMENT_ID") + [[ -z "$TEAM_NAME" ]] && missing+=("RUNECONSOLE_TEAM_NAME") + [[ -z "$RUNESPACE_ENDPOINT" ]] && missing+=("RUNECONSOLE_RUNESPACE_ENDPOINT") + [[ -z "$RUNESPACE_TOKEN" ]] && missing+=("RUNECONSOLE_RUNESPACE_TOKEN") + [[ "$csp" = gcp && -z "$GCP_PROJECT_ID" ]] && missing+=("RUNECONSOLE_GCP_PROJECT_ID") + [[ "$csp" = oci && -z "$OCI_COMPARTMENT_ID" ]] && missing+=("RUNECONSOLE_OCI_COMPARTMENT_ID") if [[ ${#missing[@]} -gt 0 ]]; then printf 'ERROR: Missing required env vars:\n' >&2 for v in "${missing[@]}"; do printf ' %s\n' "$v" >&2; done @@ -344,8 +344,8 @@ csp_prompt_config() { fi [[ -n "$TEAM_NAME" ]] || die "Team name is required." - [[ -n "$ENVECTOR_ENDPOINT" ]] || die "enVector endpoint is required." - [[ -n "$ENVECTOR_API_KEY" ]] || die "enVector API key is required." + [[ -n "$RUNESPACE_ENDPOINT" ]] || die "Runespace endpoint is required." + [[ -n "$RUNESPACE_TOKEN" ]] || die "Runespace API key is required." if [[ "$csp" = gcp ]]; then [[ -n "$GCP_PROJECT_ID" ]] || die "GCP project ID is required." fi @@ -430,9 +430,9 @@ csp_render_tfvars() { { printf 'team_name = "%s"\n' "$(escape_tf "${TEAM_NAME:-default}")" printf 'tls_mode = "self-signed"\n' - printf 'envector_endpoint = "%s"\n' "$(escape_tf "${ENVECTOR_ENDPOINT}")" - printf 'envector_api_key = "%s"\n' "$(escape_tf "${ENVECTOR_API_KEY}")" - printf 'runevault_version = "%s"\n' "$(escape_tf "${VERSION}")" + printf 'runespace_endpoint = "%s"\n' "$(escape_tf "${RUNESPACE_ENDPOINT}")" + printf 'runespace_token = "%s"\n' "$(escape_tf "${RUNESPACE_TOKEN}")" + printf 'runeconsole_version = "%s"\n' "$(escape_tf "${VERSION}")" printf 'public_key = "%s"\n' "$(escape_tf "${public_key}")" printf 'region = "%s"\n' "$(escape_tf "${CSP_REGION}")" case "$csp" in @@ -467,8 +467,8 @@ csp_post_deploy() { local key_path="${INSTALL_DIR_CSP}/ssh_key" local public_ip - public_ip=$(cd "$tf_dir" && sudo -u "$tf_user" terraform output -raw vault_public_ip 2>/dev/null) \ - || die "Could not read vault_public_ip from terraform output." + public_ip=$(cd "$tf_dir" && sudo -u "$tf_user" terraform output -raw runeconsole_public_ip 2>/dev/null) \ + || die "Could not read runeconsole_public_ip from terraform output." CSP_PUBLIC_IP="$public_ip" local ssh_user=ubuntu @@ -485,7 +485,7 @@ csp_post_deploy() { while [[ $(date +%s) -lt $deadline ]]; do # shellcheck disable=SC2086 if $scp_prefix scp $scp_opts -i "$key_path" \ - "${ssh_user}@${public_ip}:/opt/runevault/certs/ca.pem" \ + "${ssh_user}@${public_ip}:/opt/runeconsole/certs/ca.pem" \ "${INSTALL_DIR_CSP}/certs/ca.pem" 2>/dev/null; then success "CA certificate saved: ${INSTALL_DIR_CSP}/certs/ca.pem" return 0 @@ -493,7 +493,7 @@ csp_post_deploy() { sleep 15 done - die "Timed out waiting for VM-side install. SSH in and check /var/log/runevault-install.log: ssh -i ${key_path} ${ssh_user}@${public_ip}" + die "Timed out waiting for VM-side install. SSH in and check /var/log/runeconsole-install.log: ssh -i ${key_path} ${ssh_user}@${public_ip}" } csp_summary() { @@ -503,7 +503,7 @@ csp_summary() { local public_ip="${CSP_PUBLIC_IP:-}" printf '\n' - success "Rune-Vault deployed to $(printf '%s' "$csp" | tr 'a-z' 'A-Z')." + success "Rune-console deployed to $(printf '%s' "$csp" | tr 'a-z' 'A-Z')." printf '\n' printf ' Endpoint: %s:50051\n' "$public_ip" printf ' CA cert: %s\n' "${INSTALL_DIR_CSP}/certs/ca.pem" @@ -516,10 +516,10 @@ csp_summary() { printf 'Next steps (SSH into the VM, then run on the VM):\n' printf ' ssh -i %s ubuntu@%s\n' "$key_path" "$public_ip" printf '\n' - printf ' Issue a token: runevault token issue --user --role member\n' - printf ' Check status: runevault status\n' - printf ' View logs: runevault logs\n' - printf ' Manage daemon: sudo systemctl start|stop|restart runevault\n' + printf ' Issue a token: runeconsole token issue --user --role member\n' + printf ' Check status: runeconsole status\n' + printf ' View logs: runeconsole logs\n' + printf ' Manage daemon: sudo systemctl start|stop|restart runeconsole\n' printf '\n' warn "BACKUP: Keep this safe — it cannot be recovered if lost:" warn " Terraform state: ${tf_dir}/terraform.tfstate" @@ -529,7 +529,7 @@ csp_uninstall() { local csp=$1 local user_home="${SUDO_USER:+$(eval echo ~"${SUDO_USER}")}" user_home="${user_home:-$HOME}" - INSTALL_DIR_CSP="${INSTALL_DIR_CSP:-${user_home}/rune-vault-${csp}}" + INSTALL_DIR_CSP="${INSTALL_DIR_CSP:-${user_home}/runeconsole-${csp}}" local tf_dir="${INSTALL_DIR_CSP}/deployment" if [[ ! -f "${tf_dir}/terraform.tfstate" ]]; then @@ -578,14 +578,14 @@ csp_uninstall() { esac fi - success "Rune-Vault ${csp} infrastructure uninstalled." + success "Rune-console ${csp} infrastructure uninstalled." } csp_dispatch() { local csp="$TARGET" local user_home="${SUDO_USER:+$(eval echo ~"${SUDO_USER}")}" user_home="${user_home:-$HOME}" - INSTALL_DIR_CSP="${INSTALL_DIR_CSP:-${user_home}/rune-vault-${csp}}" + INSTALL_DIR_CSP="${INSTALL_DIR_CSP:-${user_home}/runeconsole-${csp}}" mkdir -p "$INSTALL_DIR_CSP" [[ -n "${SUDO_USER:-}" ]] && chown "${SUDO_USER}" "$INSTALL_DIR_CSP" @@ -602,7 +602,7 @@ csp_dispatch() { fi csp_prompt_config "$csp" - [[ -n "$VERSION" ]] || die "runevault version is required (use --version )." + [[ -n "$VERSION" ]] || die "runeconsole version is required (use --version )." csp_generate_ssh_key csp_copy_terraform_files "$csp" csp_render_tfvars "$csp" @@ -679,7 +679,7 @@ preflight() { tools+=(shasum) fi # openssl only needed when auto-generating TLS certs - if [[ -z "${RUNEVAULT_TLS_CERT_PATH:-}" || -z "${RUNEVAULT_TLS_KEY_PATH:-}" ]]; then + if [[ -z "${RUNECONSOLE_TLS_CERT_PATH:-}" || -z "${RUNECONSOLE_TLS_KEY_PATH:-}" ]]; then tools+=(openssl) fi @@ -736,10 +736,10 @@ preflight() { if [[ "$port_occupied" -eq 1 ]]; then if [[ "$OS_SLUG" = linux ]]; then die "Port ${GRPC_PORT} is already in use. Stop the existing daemon first: - sudo systemctl stop runevault" + sudo systemctl stop runeconsole" else die "Port ${GRPC_PORT} is already in use. Stop the existing daemon first: - sudo launchctl bootout system/com.cryptolabinc.runevault" + sudo launchctl bootout system/com.cryptolabinc.runeconsole" fi fi @@ -760,7 +760,7 @@ preflight() { local installed_ver installed_ver=$("$BINARY_DEST" version 2>/dev/null | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+[^ ]*' | head -1 || true) if [[ -n "$installed_ver" && "$installed_ver" = "$VERSION" ]]; then - warn "runevault ${VERSION} is already installed. Use --force to reinstall." + warn "runeconsole ${VERSION} is already installed. Use --force to reinstall." exit 0 fi fi @@ -803,11 +803,11 @@ download_and_verify() { if [[ -n "$LOCAL_BINARY" ]]; then info "Using local binary: ${LOCAL_BINARY}" [[ -x "$LOCAL_BINARY" ]] || die "Local binary not executable: ${LOCAL_BINARY}" - cp "$LOCAL_BINARY" "$SCRATCH/runevault" + cp "$LOCAL_BINARY" "$SCRATCH/runeconsole" return 0 fi - local archive="runevault_${VERSION}_${OS_SLUG}_${ARCH_SLUG}.tar.gz" + local archive="runeconsole_${VERSION}_${OS_SLUG}_${ARCH_SLUG}.tar.gz" local base_url="https://github.com/${REPO}/releases/download/${VERSION}" info "Downloading ${archive}..." @@ -823,8 +823,8 @@ download_and_verify() { fi info "Extracting binary..." - tar -xzf "$SCRATCH/${archive}" -C "$SCRATCH" ./runevault - "$SCRATCH/runevault" version >/dev/null 2>&1 \ + tar -xzf "$SCRATCH/${archive}" -C "$SCRATCH" ./runeconsole + "$SCRATCH/runeconsole" version >/dev/null 2>&1 \ || die "Extracted binary failed smoke test." } @@ -846,7 +846,7 @@ _create_system_group() { done dscl . -create /Groups/"$SERVICE_USER" dscl . -create /Groups/"$SERVICE_USER" PrimaryGroupID "$gid" - dscl . -create /Groups/"$SERVICE_USER" RealName "Rune Vault Admin Group" + dscl . -create /Groups/"$SERVICE_USER" RealName "Rune console Admin Group" success "System group '${SERVICE_USER}' created (GID=${gid})." else info "System group '${SERVICE_USER}' already exists." @@ -875,7 +875,7 @@ _create_system_user() { | awk '{print $2}') dscl . -create /Users/"$SERVICE_USER" dscl . -create /Users/"$SERVICE_USER" UserShell /usr/bin/false - dscl . -create /Users/"$SERVICE_USER" RealName "Rune Vault Service" + dscl . -create /Users/"$SERVICE_USER" RealName "Rune console Service" dscl . -create /Users/"$SERVICE_USER" UniqueID "$uid" dscl . -create /Users/"$SERVICE_USER" PrimaryGroupID "$gid" dscl . -create /Users/"$SERVICE_USER" NFSHomeDirectory /var/empty @@ -920,14 +920,14 @@ setup_system() { chmod 0750 "$dir" [[ "$SKIP_SERVICE" -eq 0 ]] && chown "${SERVICE_USER}:${SERVICE_USER}" "$dir" done - # vault-keys stays 0700: secret FHE key material must never be group-readable. - mkdir -p "${INSTALL_PREFIX}/vault-keys" - chmod 0700 "${INSTALL_PREFIX}/vault-keys" - [[ "$SKIP_SERVICE" -eq 0 ]] && chown "${SERVICE_USER}:${SERVICE_USER}" "${INSTALL_PREFIX}/vault-keys" + # runeconsole-keys stays 0700: secret FHE key material must never be group-readable. + mkdir -p "${INSTALL_PREFIX}/runeconsole-keys" + chmod 0700 "${INSTALL_PREFIX}/runeconsole-keys" + [[ "$SKIP_SERVICE" -eq 0 ]] && chown "${SERVICE_USER}:${SERVICE_USER}" "${INSTALL_PREFIX}/runeconsole-keys" success "Directories created under ${INSTALL_PREFIX}/" - install -m 0755 "$SCRATCH/runevault" "$BINARY_DEST" + install -m 0755 "$SCRATCH/runeconsole" "$BINARY_DEST" success "Binary installed: ${BINARY_DEST}" if [[ "$SKIP_SERVICE" -eq 0 ]]; then @@ -940,9 +940,9 @@ generate_tls_certs() { local cert_dir="${INSTALL_PREFIX}/certs" # BYO cert: copy provided files and skip generation - if [[ -n "${RUNEVAULT_TLS_CERT_PATH:-}" && -n "${RUNEVAULT_TLS_KEY_PATH:-}" ]]; then - cp "${RUNEVAULT_TLS_CERT_PATH}" "${cert_dir}/server.pem" - cp "${RUNEVAULT_TLS_KEY_PATH}" "${cert_dir}/server.key" + if [[ -n "${RUNECONSOLE_TLS_CERT_PATH:-}" && -n "${RUNECONSOLE_TLS_KEY_PATH:-}" ]]; then + cp "${RUNECONSOLE_TLS_CERT_PATH}" "${cert_dir}/server.pem" + cp "${RUNECONSOLE_TLS_KEY_PATH}" "${cert_dir}/server.key" chmod 0644 "${cert_dir}/server.pem" chmod 0600 "${cert_dir}/server.key" [[ "$SKIP_SERVICE" -eq 0 ]] \ @@ -967,12 +967,11 @@ generate_tls_certs() { tmpconf=$(mktemp) printf '[req]\ndistinguished_name = req_dn\nreq_extensions = v3_req\nprompt = no\n\n' \ > "$tmpconf" - printf '[req_dn]\nCN = runevault\n\n' >> "$tmpconf" + printf '[req_dn]\nCN = runeconsole\n\n' >> "$tmpconf" printf '[v3_req]\nsubjectAltName = @alt_names\n\n' >> "$tmpconf" printf '[alt_names]\n' >> "$tmpconf" printf 'DNS.1 = localhost\n' >> "$tmpconf" - printf 'DNS.2 = vault\n' >> "$tmpconf" - printf 'DNS.3 = runevault\n' >> "$tmpconf" + printf 'DNS.2 = runeconsole\n' >> "$tmpconf" printf 'IP.1 = 127.0.0.1\n' >> "$tmpconf" [[ -n "$public_ip" ]] && printf 'IP.2 = %s\n' "$public_ip" >> "$tmpconf" @@ -980,7 +979,7 @@ generate_tls_certs() { openssl req -new -x509 \ -key "${cert_dir}/ca.key" \ -out "${cert_dir}/ca.pem" \ - -days 3650 -subj "/CN=Rune-Vault CA" -sha256 2>/dev/null + -days 3650 -subj "/CN=Rune-console CA" -sha256 2>/dev/null openssl genrsa -out "${cert_dir}/server.key" 2048 2>/dev/null local csr="${cert_dir}/server.csr" @@ -1007,37 +1006,37 @@ generate_tls_certs() { # ── Phase 6: Configuration ───────────────────────────────────────────────────── collect_and_write_config() { - local conf_file="${INSTALL_PREFIX}/configs/runevault.conf" + local conf_file="${INSTALL_PREFIX}/configs/runeconsole.conf" if [[ -f "$conf_file" && "$FORCE" -eq 0 ]]; then info "Config already exists (use --force to overwrite): ${conf_file}" else - local team_name="${RUNEVAULT_TEAM_NAME:-}" - local envector_endpoint="${RUNEVAULT_ENVECTOR_ENDPOINT:-}" - local envector_api_key="${RUNEVAULT_ENVECTOR_API_KEY:-}" - local envector_api_key_file="${RUNEVAULT_ENVECTOR_API_KEY_FILE:-}" - local team_secret="${RUNEVAULT_TEAM_SECRET:-}" + local team_name="${RUNECONSOLE_TEAM_NAME:-}" + local runespace_endpoint="${RUNECONSOLE_RUNESPACE_ENDPOINT:-}" + local runespace_token="${RUNECONSOLE_RUNESPACE_TOKEN:-}" + local runespace_token_file="${RUNECONSOLE_RUNESPACE_TOKEN_FILE:-}" + local team_secret="${RUNECONSOLE_TEAM_SECRET:-}" if [[ "$NON_INTERACTIVE" -eq 0 ]]; then printf '\n' printf '══════════════════════════════════════════════════════════\n' - printf ' Vault configuration\n' + printf ' Rune console configuration\n' printf '══════════════════════════════════════════════════════════\n' printf '\n' [[ -z "$team_name" ]] \ - && read -r -p "Team name (vault index identifier): " team_name - [[ -z "$envector_endpoint" ]] \ - && read -r -p "enVector endpoint URL: " envector_endpoint - if [[ -z "$envector_api_key" && -z "$envector_api_key_file" ]]; then - read -r -p "enVector API key: " envector_api_key + && read -r -p "Team name (Rune console index identifier): " team_name + [[ -z "$runespace_endpoint" ]] \ + && read -r -p "Runespace endpoint URL: " runespace_endpoint + if [[ -z "$runespace_token" && -z "$runespace_token_file" ]]; then + read -r -p "Runespace API key: " runespace_token fi printf '\n' else local missing=() - [[ -z "$team_name" ]] && missing+=("RUNEVAULT_TEAM_NAME") - [[ -z "$envector_endpoint" ]] && missing+=("RUNEVAULT_ENVECTOR_ENDPOINT") - [[ -z "$envector_api_key" && -z "$envector_api_key_file" ]] \ - && missing+=("RUNEVAULT_ENVECTOR_API_KEY or RUNEVAULT_ENVECTOR_API_KEY_FILE") + [[ -z "$team_name" ]] && missing+=("RUNECONSOLE_TEAM_NAME") + [[ -z "$runespace_endpoint" ]] && missing+=("RUNECONSOLE_RUNESPACE_ENDPOINT") + [[ -z "$runespace_token" && -z "$runespace_token_file" ]] \ + && missing+=("RUNECONSOLE_RUNESPACE_TOKEN or RUNECONSOLE_RUNESPACE_TOKEN_FILE") if [[ ${#missing[@]} -gt 0 ]]; then printf 'ERROR: Missing required env vars for non-interactive install:\n' >&2 for v in "${missing[@]}"; do printf ' %s\n' "$v" >&2; done @@ -1050,15 +1049,15 @@ collect_and_write_config() { fi [[ -n "$team_name" ]] || die "team_name is required." - [[ -n "$envector_endpoint" ]] || die "envector_endpoint is required." - [[ -n "$envector_api_key" || -n "$envector_api_key_file" ]] \ - || die "enVector API key or key file is required." + [[ -n "$runespace_endpoint" ]] || die "runespace_endpoint is required." + [[ -n "$runespace_token" || -n "$runespace_token_file" ]] \ + || die "Runespace API key or key file is required." - local api_key_line - if [[ -n "$envector_api_key_file" ]]; then - api_key_line=" api_key_file: ${envector_api_key_file}" + local token_line + if [[ -n "$runespace_token_file" ]]; then + token_line=" token_file: ${runespace_token_file}" else - api_key_line=" api_key: ${envector_api_key}" + token_line=" token: ${runespace_token}" fi info "Writing ${conf_file}..." @@ -1075,13 +1074,13 @@ collect_and_write_config() { " socket: ${INSTALL_PREFIX}/admin.sock" \ "" \ "keys:" \ - " path: ${INSTALL_PREFIX}/vault-keys" \ + " path: ${INSTALL_PREFIX}/runeconsole-keys" \ " index_name: ${team_name}" \ " embedding_dim: 1024" \ "" \ - "envector:" \ - " endpoint: ${envector_endpoint}" \ - "${api_key_line}" \ + "runespace:" \ + " endpoint: ${runespace_endpoint}" \ + "${token_line}" \ "" \ "tokens:" \ " team_secret: ${team_secret}" \ @@ -1136,23 +1135,23 @@ collect_and_write_config() { # ── Phase 7: Service installation ───────────────────────────────────────────── install_service() { if [[ "$SKIP_SERVICE" -eq 1 ]]; then - info "Skipping service installation (RUNEVAULT_SKIP_SERVICE=1)." + info "Skipping service installation (RUNECONSOLE_SKIP_SERVICE=1)." return 0 fi - local config_path="${INSTALL_PREFIX}/configs/runevault.conf" + local config_path="${INSTALL_PREFIX}/configs/runeconsole.conf" if [[ "$OS_SLUG" = linux ]]; then - if systemctl is-active --quiet runevault.service 2>/dev/null; then - info "Stopping running runevault service..." - systemctl stop runevault.service - info "Tip: manage the service with: sudo systemctl start|stop|restart runevault" + if systemctl is-active --quiet runeconsole.service 2>/dev/null; then + info "Stopping running runeconsole service..." + systemctl stop runeconsole.service + info "Tip: manage the service with: sudo systemctl start|stop|restart runeconsole" fi info "Installing systemd service..." - local unit=/etc/systemd/system/runevault.service + local unit=/etc/systemd/system/runeconsole.service printf '%s\n' \ "[Unit]" \ - "Description=Rune-Vault FHE gRPC Server" \ + "Description=Rune-console FHE gRPC Server" \ "Documentation=https://github.com/${REPO}" \ "After=network-online.target" \ "Wants=network-online.target" \ @@ -1167,7 +1166,7 @@ install_service() { "TimeoutStopSec=30s" \ "StandardOutput=journal" \ "StandardError=journal" \ - "SyslogIdentifier=runevault" \ + "SyslogIdentifier=runeconsole" \ "NoNewPrivileges=true" \ "PrivateTmp=true" \ "ProtectSystem=strict" \ @@ -1190,13 +1189,13 @@ install_service() { > "$unit" chmod 0644 "$unit" systemctl daemon-reload - systemctl enable runevault.service - systemctl start runevault.service + systemctl enable runeconsole.service + systemctl start runeconsole.service success "systemd service enabled and started." else info "Installing launchd service..." - local plist=/Library/LaunchDaemons/com.cryptolabinc.runevault.plist + local plist=/Library/LaunchDaemons/com.cryptolabinc.runeconsole.plist printf '%s\n' \ '' \ '' \ '' \ ' Label' \ - ' com.cryptolabinc.runevault' \ + ' com.cryptolabinc.runeconsole' \ '' \ ' ProgramArguments' \ ' ' \ @@ -1228,10 +1227,10 @@ install_service() { ' 10' \ '' \ ' StandardOutPath' \ - " ${INSTALL_PREFIX}/logs/runevault.stdout.log" \ + " ${INSTALL_PREFIX}/logs/runeconsole.stdout.log" \ '' \ ' StandardErrorPath' \ - " ${INSTALL_PREFIX}/logs/runevault.stderr.log" \ + " ${INSTALL_PREFIX}/logs/runeconsole.stderr.log" \ '' \ ' EnvironmentVariables' \ ' ' \ @@ -1246,7 +1245,7 @@ install_service() { > "$plist" chmod 0644 "$plist" chown root "$plist" - launchctl bootout system/com.cryptolabinc.runevault 2>/dev/null || true + launchctl bootout system/com.cryptolabinc.runeconsole 2>/dev/null || true launchctl bootstrap system "$plist" success "launchd service loaded." fi @@ -1255,12 +1254,12 @@ install_service() { # ── Phase 8: Post-install summary ───────────────────────────────────────────── post_install() { if [[ "$SKIP_SERVICE" -eq 0 ]]; then - info "Waiting for vault to start..." + info "Waiting for runeconsole to start..." local i for i in $(seq 1 15); do "$BINARY_DEST" status \ - --config "${INSTALL_PREFIX}/configs/runevault.conf" \ - >/dev/null 2>&1 && { success "Vault is up."; break; } || true + --config "${INSTALL_PREFIX}/configs/runeconsole.conf" \ + >/dev/null 2>&1 && { success "Rune console is up."; break; } || true sleep 1 done fi @@ -1269,22 +1268,22 @@ post_install() { public_ip=$(curl -4 -sf --connect-timeout 5 ifconfig.me 2>/dev/null || true) printf '\n' - success "Rune-Vault ${VERSION:-local} installed successfully." + success "Rune-console ${VERSION:-local} installed successfully." printf '\n' printf ' Binary: %s\n' "$BINARY_DEST" - printf ' Config: %s\n' "${INSTALL_PREFIX}/configs/runevault.conf" + printf ' Config: %s\n' "${INSTALL_PREFIX}/configs/runeconsole.conf" printf ' CA cert: %s\n' "${INSTALL_PREFIX}/certs/ca.pem" [[ -n "$public_ip" ]] && printf ' Endpoint: %s:%s\n' "$public_ip" "$GRPC_PORT" printf '\n' printf 'Next steps:\n' - printf ' Issue a token: runevault token issue --user --role member\n' - printf ' Check status: runevault status\n' - printf ' View logs: runevault logs\n' + printf ' Issue a token: runeconsole token issue --user --role member\n' + printf ' Check status: runeconsole status\n' + printf ' View logs: runeconsole logs\n' if [[ "$OS_SLUG" = linux ]]; then - printf ' Manage daemon: sudo systemctl start|stop|restart runevault\n' + printf ' Manage daemon: sudo systemctl start|stop|restart runeconsole\n' else - printf ' Manage daemon: sudo launchctl bootout system/com.cryptolabinc.runevault\n' - printf ' sudo launchctl bootstrap system /Library/LaunchDaemons/com.cryptolabinc.runevault.plist\n' + printf ' Manage daemon: sudo launchctl bootout system/com.cryptolabinc.runeconsole\n' + printf ' sudo launchctl bootstrap system /Library/LaunchDaemons/com.cryptolabinc.runeconsole.plist\n' fi if [[ -n "${SUDO_USER:-}" ]]; then printf '\n' @@ -1293,8 +1292,8 @@ post_install() { fi printf '\n' warn "BACKUP: Keep these safe — they cannot be recovered if lost:" - warn " Rune-Vault Keys: ${INSTALL_PREFIX}/vault-keys/" - warn " Config: ${INSTALL_PREFIX}/configs/runevault.conf" + warn " Rune-console Keys: ${INSTALL_PREFIX}/runeconsole-keys/" + warn " Config: ${INSTALL_PREFIX}/configs/runeconsole.conf" } # ── Main ─────────────────────────────────────────────────────────────────────── diff --git a/vault/.gitignore b/runeconsole/.gitignore similarity index 100% rename from vault/.gitignore rename to runeconsole/.gitignore diff --git a/runeconsole/buf.gen.yaml b/runeconsole/buf.gen.yaml new file mode 100644 index 0000000..8e30901 --- /dev/null +++ b/runeconsole/buf.gen.yaml @@ -0,0 +1,13 @@ +version: v2 +clean: true +plugins: + - remote: buf.build/protocolbuffers/go + out: pkg/consolepb + opt: + - module=github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb + - Mservice.proto=github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb;consolepb + - remote: buf.build/grpc/go + out: pkg/consolepb + opt: + - module=github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb + - Mservice.proto=github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb;consolepb diff --git a/vault/buf.lock b/runeconsole/buf.lock similarity index 100% rename from vault/buf.lock rename to runeconsole/buf.lock diff --git a/vault/buf.yaml b/runeconsole/buf.yaml similarity index 100% rename from vault/buf.yaml rename to runeconsole/buf.yaml diff --git a/vault/cmd/main.go b/runeconsole/cmd/main.go similarity index 67% rename from vault/cmd/main.go rename to runeconsole/cmd/main.go index 0850431..28e2bb9 100644 --- a/vault/cmd/main.go +++ b/runeconsole/cmd/main.go @@ -4,7 +4,7 @@ import ( "fmt" "os" - "github.com/CryptoLabInc/rune-admin/vault/internal/commands" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/commands" ) func main() { diff --git a/vault/go.mod b/runeconsole/go.mod similarity index 94% rename from vault/go.mod rename to runeconsole/go.mod index 32afd48..c150f79 100644 --- a/vault/go.mod +++ b/runeconsole/go.mod @@ -1,4 +1,4 @@ -module github.com/CryptoLabInc/rune-admin/vault +module github.com/CryptoLabInc/rune-console/runeconsole go 1.26.4 diff --git a/vault/go.sum b/runeconsole/go.sum similarity index 100% rename from vault/go.sum rename to runeconsole/go.sum diff --git a/vault/internal/commands/adminclient.go b/runeconsole/internal/commands/adminclient.go similarity index 95% rename from vault/internal/commands/adminclient.go rename to runeconsole/internal/commands/adminclient.go index eca2dfd..00e9625 100644 --- a/vault/internal/commands/adminclient.go +++ b/runeconsole/internal/commands/adminclient.go @@ -13,10 +13,10 @@ import ( "strings" "time" - "github.com/CryptoLabInc/rune-admin/vault/internal/server" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/server" ) -// AdminClient talks to the Vault admin UDS server. +// AdminClient talks to the Console admin UDS server. type AdminClient struct { socket string hc *http.Client @@ -102,7 +102,7 @@ func (a *AdminClient) Do(method, path string, body, dst any) error { } // resolveAdminClient returns an AdminClient using either the explicit -// --admin-socket flag or the socket field from the resolved runevault.conf. +// --admin-socket flag or the socket field from the resolved runeconsole.conf. func resolveAdminClient() (*AdminClient, error) { socket := globals.adminSocket if socket == "" { diff --git a/vault/internal/commands/adminclient_test.go b/runeconsole/internal/commands/adminclient_test.go similarity index 94% rename from vault/internal/commands/adminclient_test.go rename to runeconsole/internal/commands/adminclient_test.go index 461747b..b247c9e 100644 --- a/vault/internal/commands/adminclient_test.go +++ b/runeconsole/internal/commands/adminclient_test.go @@ -9,8 +9,8 @@ import ( "strings" "testing" - "github.com/CryptoLabInc/rune-admin/vault/internal/server" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/server" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" ) // adminUDSFixture spins up a real UDS-backed admin server with a demo @@ -35,7 +35,7 @@ func adminUDSFixture(t *testing.T) (socket string, store *tokens.Store, shutdown Keys: server.KeysConfig{Path: t.TempDir(), EmbeddingDim: 1024}, } audit, _ := server.NewAuditLogger(server.AuditConfig{Mode: ""}) - v := server.NewVault(cfg, store, nil, audit) + v := server.NewConsole(cfg, store, nil, audit) stop, err := server.AdminFromConfig(context.Background(), v) if err != nil { diff --git a/vault/internal/commands/daemon.go b/runeconsole/internal/commands/daemon.go similarity index 75% rename from vault/internal/commands/daemon.go rename to runeconsole/internal/commands/daemon.go index 6aceff7..a16c01a 100644 --- a/vault/internal/commands/daemon.go +++ b/runeconsole/internal/commands/daemon.go @@ -8,15 +8,15 @@ import ( "github.com/spf13/cobra" - "github.com/CryptoLabInc/rune-admin/vault/internal/crypto" - "github.com/CryptoLabInc/rune-admin/vault/internal/server" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/crypto" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/server" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" ) func newDaemonCmd() *cobra.Command { cmd := &cobra.Command{ Use: "daemon", - Short: "Manage the runevault daemon process", + Short: "Manage the runeconsole daemon process", Hidden: true, } cmd.AddCommand(newDaemonStartCmd()) @@ -53,7 +53,7 @@ func runDaemonStart(ctx context.Context) error { keyParams := crypto.KeysParams{ Root: cfg.Keys.Path, - KeyID: "vault-key", + KeyID: "runeconsole-key", Dim: cfg.Keys.EmbeddingDim, } if err := crypto.EnsureKeys(keyParams); err != nil { @@ -62,9 +62,9 @@ func runDaemonStart(ctx context.Context) error { // Open the full key set, dial runespace, and register the eval key. eng, err := crypto.OpenEngine(ctx, crypto.EngineParams{ Keys: keyParams, - Endpoint: cfg.Envector.Endpoint, - Token: cfg.Envector.APIKey, - Insecure: true, // integration test: runespace served plaintext on localhost + Endpoint: cfg.Runespace.Endpoint, + Token: cfg.Runespace.Token, + Insecure: cfg.Runespace.Insecure, // TLS by default; set runespace.insecure=true only for a localhost runespace }) if err != nil { return fmt.Errorf("daemon: open runespace engine: %w", err) @@ -77,10 +77,10 @@ func runDaemonStart(ctx context.Context) error { } defer audit.Close() - v := server.NewVault(cfg, store, eng, audit) + v := server.NewConsole(cfg, store, eng, audit) defer v.Close() - slog.Info("vault: starting daemon", + slog.Info("console: starting daemon", "pid", os.Getpid(), "config", cfg.Source, "grpc_addr", fmt.Sprintf("%s:%d", cfg.Server.GRPC.Host, cfg.Server.GRPC.Port), diff --git a/vault/internal/commands/duration.go b/runeconsole/internal/commands/duration.go similarity index 87% rename from vault/internal/commands/duration.go rename to runeconsole/internal/commands/duration.go index 200181e..7b2a84c 100644 --- a/vault/internal/commands/duration.go +++ b/runeconsole/internal/commands/duration.go @@ -9,7 +9,7 @@ import ( var durationRE = regexp.MustCompile(`^(\d+)([dwm])$`) // parseDuration converts strings like "90d", "12w", "6m" into days. -// Mirrors vault_admin_cli.py:_parse_duration (m = 30 days approximation). +// _parse_duration (m = 30 days approximation) func parseDuration(value string) (int, error) { m := durationRE.FindStringSubmatch(value) if m == nil { diff --git a/vault/internal/commands/logs.go b/runeconsole/internal/commands/logs.go similarity index 78% rename from vault/internal/commands/logs.go rename to runeconsole/internal/commands/logs.go index 138c958..eef0817 100644 --- a/vault/internal/commands/logs.go +++ b/runeconsole/internal/commands/logs.go @@ -8,7 +8,7 @@ import ( "github.com/spf13/cobra" - "github.com/CryptoLabInc/rune-admin/vault/internal/server" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/server" ) // newLogsCmd returns the "logs" subcommand which tails the daemon log output. @@ -28,7 +28,7 @@ func newLogsCmd() *cobra.Command { func runLogs(follow bool) error { if runtime.GOOS == "linux" { - args := []string{"-u", "runevault", "--no-pager"} + args := []string{"-u", "runeconsole", "--no-pager"} if follow { args = append(args, "-f") } @@ -56,11 +56,11 @@ func runLogs(follow bool) error { } // daemonStderrLogPath derives the launchd stderr log path from the config -// source location: /opt/runevault/configs/runevault.conf → /opt/runevault/logs/runevault.stderr.log +// source location: /opt/runeconsole/configs/runeconsole.conf → /opt/runeconsole/logs/runeconsole.stderr.log func daemonStderrLogPath(cfg *server.Config) string { if cfg.Source != "" { prefix := filepath.Dir(filepath.Dir(cfg.Source)) - return filepath.Join(prefix, "logs", "runevault.stderr.log") + return filepath.Join(prefix, "logs", "runeconsole.stderr.log") } - return "/opt/runevault/logs/runevault.stderr.log" + return "/opt/runeconsole/logs/runeconsole.stderr.log" } diff --git a/vault/internal/commands/role.go b/runeconsole/internal/commands/role.go similarity index 98% rename from vault/internal/commands/role.go rename to runeconsole/internal/commands/role.go index bb6df14..c6d09c1 100644 --- a/vault/internal/commands/role.go +++ b/runeconsole/internal/commands/role.go @@ -48,7 +48,7 @@ func newRoleListCmd() *cobra.Command { fmt.Fprintln(out, "No roles defined.") return nil } - // "{:<12} {:<50} {:>6} {:>10}" — match vault_admin_cli.py + // "{:<12} {:<50} {:>6} {:>10}" fmt.Fprintf(out, "%-12s %-50s %6s %10s\n", "ROLE", "SCOPE", "TOP_K", "RATE") for _, r := range result.Roles { fmt.Fprintf(out, "%-12s %-50s %6d %10s\n", diff --git a/vault/internal/commands/root.go b/runeconsole/internal/commands/root.go similarity index 78% rename from vault/internal/commands/root.go rename to runeconsole/internal/commands/root.go index 7a22b11..d7998d4 100644 --- a/vault/internal/commands/root.go +++ b/runeconsole/internal/commands/root.go @@ -13,8 +13,8 @@ var globals globalFlags func newRootCmd() *cobra.Command { cmd := &cobra.Command{ - Use: "runevault", - Short: "Rune Vault daemon server with admin CLI", + Use: "runeconsole", + Short: "Rune Console daemon server with admin CLI", SilenceUsage: true, SilenceErrors: true, CompletionOptions: cobra.CompletionOptions{ @@ -23,7 +23,7 @@ func newRootCmd() *cobra.Command { } cmd.PersistentFlags().StringVar(&globals.configPath, "config", "", - "Path to runevault.conf (default: /opt/runevault/configs/runevault.conf, then ./runevault.conf)") + "Path to runeconsole.conf (default: /opt/runeconsole/configs/runeconsole.conf, then ./runeconsole.conf)") cmd.PersistentFlags().StringVar(&globals.adminSocket, "admin-socket", "", "Override server.admin.socket from config") diff --git a/vault/internal/commands/status.go b/runeconsole/internal/commands/status.go similarity index 97% rename from vault/internal/commands/status.go rename to runeconsole/internal/commands/status.go index 3125ba9..fc15749 100644 --- a/vault/internal/commands/status.go +++ b/runeconsole/internal/commands/status.go @@ -15,7 +15,7 @@ import ( "google.golang.org/grpc/credentials/insecure" healthpb "google.golang.org/grpc/health/grpc_health_v1" - "github.com/CryptoLabInc/rune-admin/vault/internal/server" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/server" ) func newStatusCmd() *cobra.Command { diff --git a/vault/internal/commands/token.go b/runeconsole/internal/commands/token.go similarity index 98% rename from vault/internal/commands/token.go rename to runeconsole/internal/commands/token.go index 2be54a1..4c40065 100644 --- a/vault/internal/commands/token.go +++ b/runeconsole/internal/commands/token.go @@ -177,7 +177,7 @@ func newTokenListCmd() *cobra.Command { fmt.Fprintln(out, "No tokens issued.") return nil } - // "{:<16} {:<10} {:>6} {:>10} {:<12}" — match vault_admin_cli.py + // "{:<16} {:<10} {:>6} {:>10} {:<12}" fmt.Fprintf(out, "%-16s %-10s %6s %10s %-12s\n", "USER", "ROLE", "TOP_K", "RATE", "EXPIRES") for _, t := range result.Tokens { fmt.Fprintf(out, "%-16s %-10s %6s %10s %-12s\n", diff --git a/vault/internal/commands/version.go b/runeconsole/internal/commands/version.go similarity index 77% rename from vault/internal/commands/version.go rename to runeconsole/internal/commands/version.go index 93ab188..e938232 100644 --- a/vault/internal/commands/version.go +++ b/runeconsole/internal/commands/version.go @@ -16,10 +16,10 @@ var ( func newVersionCmd() *cobra.Command { return &cobra.Command{ Use: "version", - Short: "Print runevault version (works without daemon or socket)", + Short: "Print runeconsole version (works without daemon or socket)", RunE: func(cmd *cobra.Command, args []string) error { fmt.Fprintf(cmd.OutOrStdout(), - "runevault %s (commit %s, built %s, %s/%s, %s)\n", + "runeconsole %s (commit %s, built %s, %s/%s, %s)\n", buildVersion, buildCommit, buildDate, runtime.GOOS, runtime.GOARCH, runtime.Version()) return nil diff --git a/vault/internal/crypto/engine_smoke_test.go b/runeconsole/internal/crypto/engine_smoke_test.go similarity index 95% rename from vault/internal/crypto/engine_smoke_test.go rename to runeconsole/internal/crypto/engine_smoke_test.go index f6b9d31..9d5e3f1 100644 --- a/vault/internal/crypto/engine_smoke_test.go +++ b/runeconsole/internal/crypto/engine_smoke_test.go @@ -9,7 +9,7 @@ import ( "time" ) -// TestEngineSmoke exercises the full vault crypto path against a LIVE runespace +// TestEngineSmoke exercises the full console crypto path against a LIVE runespace // engine: generate keys → register eval key → Insert (encrypt) → Search // (decrypt) round-trip. Gated on RUNESPACE_ADDR so normal unit runs skip it. // diff --git a/vault/internal/crypto/keys.go b/runeconsole/internal/crypto/keys.go similarity index 94% rename from vault/internal/crypto/keys.go rename to runeconsole/internal/crypto/keys.go index f897e93..0860e9c 100644 --- a/vault/internal/crypto/keys.go +++ b/runeconsole/internal/crypto/keys.go @@ -13,8 +13,8 @@ import ( // KeysParams names the on-disk key bundle and FHE dimension. type KeysParams struct { // Root is the parent directory containing /. - // E.g., "/opt/runevault/vault-keys" with KeyID "vault-key" reads from - // "/opt/runevault/vault-keys/vault-key/{Enc,Sec,Eval}Key(.json|.bin)". + // E.g., "/opt/runeconsole/runeconsole-keys" with KeyID "runeconsole-key" reads from + // "/opt/runeconsole/runeconsole-keys/runeconsole-key/{Enc,Sec,Eval}Key(.json|.bin)". Root string KeyID string Dim int @@ -50,7 +50,7 @@ func EnsureKeys(p KeysParams) error { return nil } -// EngineParams configures the vault's runespace client. +// EngineParams configures the console's runespace client. type EngineParams struct { Keys KeysParams Endpoint string // runespace gRPC address @@ -58,7 +58,7 @@ type EngineParams struct { Insecure bool // true for local plaintext dev } -// Engine is the vault's runespace client. It owns the full FHE key set +// Engine is the console's runespace client. It owns the full FHE key set // (Enc+Eval+Sec) and the gRPC connection, and is the SOLE talker to the // runespace engine: Insert encrypts locally then appends; Search sends the // plaintext query, decrypts the score blobs, and returns ranked hits. @@ -109,7 +109,7 @@ func OpenEngine(ctx context.Context, p EngineParams) (*Engine, error) { func (e *Engine) Dim() int { return e.keys.Dim() } // ForwardInsert appends an item that rune-mcp already encrypted (EncKey) and -// sealed (agent_dek), verbatim. The vault performs no crypto here — it is a +// sealed (agent_dek), verbatim. The console performs no crypto here — it is a // pure forward; idempotency rides on the client-generated it.ID. // // A centroid-version mismatch is the one error acted on locally: it proves the @@ -133,7 +133,7 @@ func (e *Engine) Centroids(ctx context.Context) (*runespace.CentroidSet, error) // encKeyFiles are the PUBLIC encryption-key artifacts GenerateKeys writes, // relative to the key directory. They are safe to hand to clients: EncKey -// can only encrypt; decryption needs SecKey, which never leaves the vault. +// can only encrypt; decryption needs SecKey, which never leaves the console. const ( rmpEncKeyFile = "EncKey.json" // RMP envelope (JSON) mmEncKeyFile = "mm/EncKey.bin" // MM raw key bytes diff --git a/vault/internal/crypto/keys_test.go b/runeconsole/internal/crypto/keys_test.go similarity index 92% rename from vault/internal/crypto/keys_test.go rename to runeconsole/internal/crypto/keys_test.go index c3d203c..e5d4913 100644 --- a/vault/internal/crypto/keys_test.go +++ b/runeconsole/internal/crypto/keys_test.go @@ -6,7 +6,7 @@ import ( ) func TestKeysExistFalseForMissingDir(t *testing.T) { - p := KeysParams{Root: filepath.Join(t.TempDir(), "no-such"), KeyID: "vault-key", Dim: 1024} + p := KeysParams{Root: filepath.Join(t.TempDir(), "no-such"), KeyID: "runeconsole-key", Dim: 1024} if KeysExist(p) { t.Error("KeysExist = true for missing dir") } diff --git a/vault/internal/crypto/metadata.go b/runeconsole/internal/crypto/metadata.go similarity index 91% rename from vault/internal/crypto/metadata.go rename to runeconsole/internal/crypto/metadata.go index b7bb685..ad38818 100644 --- a/vault/internal/crypto/metadata.go +++ b/runeconsole/internal/crypto/metadata.go @@ -1,5 +1,5 @@ // Package crypto provides metadata key derivation, AES-256-CTR metadata -// encryption, and FHE key lifecycle wrappers around envector-go-sdk. +// encryption, and FHE key lifecycle wrappers around runespace-sdk. // // Wire format for metadata ciphertext: // @@ -9,7 +9,7 @@ // envelopes and HKDF-derived per-agent keys. // // TODO: migrate to AES-256-GCM (AEAD) — keys are issued directly between -// rune and rune-vault so there is no external wire-format compatibility +// rune and rune-console so there is no external wire-format compatibility // constraint. Requires coordinated update of the rune-side encryption path. package crypto @@ -38,8 +38,7 @@ var ( ) // DeriveAgentKey returns a 32-byte AES-256 DEK derived from the team-wide -// secret and a per-agent identifier via HKDF-SHA256. Mirrors -// vault.vault_core.derive_agent_key (HKDF salt=None, info=agent_id utf-8). +// secret and a per-agent identifier via HKDF-SHA256. (HKDF salt=None, info=agent_id utf-8). func DeriveAgentKey(teamSecret, agentID string) ([]byte, error) { if teamSecret == "" { return nil, errors.New("crypto: team_secret is empty") diff --git a/vault/internal/crypto/metadata_test.go b/runeconsole/internal/crypto/metadata_test.go similarity index 100% rename from vault/internal/crypto/metadata_test.go rename to runeconsole/internal/crypto/metadata_test.go diff --git a/vault/internal/server/admin.go b/runeconsole/internal/server/admin.go similarity index 95% rename from vault/internal/server/admin.go rename to runeconsole/internal/server/admin.go index ca74b78..9e70c97 100644 --- a/vault/internal/server/admin.go +++ b/runeconsole/internal/server/admin.go @@ -14,18 +14,18 @@ import ( "syscall" "time" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" ) -// adminSocketMode is 0660: owner (runevault) + group (runevault) can connect; -// other users cannot. Installers add trusted operators to the runevault group. +// adminSocketMode is 0660: owner (runeconsole) + group (runeconsole) can connect; +// other users cannot. Installers add trusted operators to the runeconsole group. const adminSocketMode = 0o660 // AdminFromConfig is an AdminFactory suitable for production: it binds the // UDS at v.cfg.Server.Admin.Socket with mode 0660 (umask + chmod // belt+suspenders), serves the route table, and returns a closer that // gracefully stops the http.Server and unlinks the socket. -func AdminFromConfig(ctx context.Context, v *Vault) (func(context.Context) error, error) { +func AdminFromConfig(ctx context.Context, v *Console) (func(context.Context) error, error) { cfg := v.Config() socket := cfg.Server.Admin.Socket if socket == "" { @@ -65,7 +65,7 @@ func AdminFromConfig(ctx context.Context, v *Vault) (func(context.Context) error slog.Error("admin: server error", "err", err) } }() - slog.Info("vault: admin UDS listening", "socket", socket, "mode", "0660") + slog.Info("console: admin UDS listening", "socket", socket, "mode", "0660") shutdown := func(ctx context.Context) error { err := srv.Shutdown(ctx) @@ -79,7 +79,7 @@ func AdminFromConfig(ctx context.Context, v *Vault) (func(context.Context) error // buildAdminMux wires the admin route table. Exposed for tests. // Daemon lifecycle (start/stop/restart) is owned by the OS service manager // (systemd / launchd) and is intentionally not exposed over the admin socket. -func buildAdminMux(v *Vault) http.Handler { +func buildAdminMux(v *Console) http.Handler { mux := http.NewServeMux() mux.HandleFunc("GET /health", func(w http.ResponseWriter, r *http.Request) { diff --git a/vault/internal/server/admin_test.go b/runeconsole/internal/server/admin_test.go similarity index 95% rename from vault/internal/server/admin_test.go rename to runeconsole/internal/server/admin_test.go index a1a7726..a594132 100644 --- a/vault/internal/server/admin_test.go +++ b/runeconsole/internal/server/admin_test.go @@ -14,10 +14,10 @@ import ( "testing" "time" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" ) -func newAdminTestVault(t *testing.T) *Vault { +func newAdminTestConsole(t *testing.T) *Console { t.Helper() cfg := &Config{ Tokens: TokensConfig{TeamSecret: "test-secret"}, @@ -26,12 +26,12 @@ func newAdminTestVault(t *testing.T) *Vault { store := tokens.NewStore() store.LoadDefaultsWithDemoToken() audit, _ := NewAuditLogger(AuditConfig{Mode: ""}) - return NewVault(cfg, store, nil, audit) + return NewConsole(cfg, store, nil, audit) } -func adminTestServer(t *testing.T) (*httptest.Server, *Vault) { +func adminTestServer(t *testing.T) (*httptest.Server, *Console) { t.Helper() - v := newAdminTestVault(t) + v := newAdminTestConsole(t) ts := httptest.NewServer(buildAdminMux(v)) t.Cleanup(ts.Close) return ts, v @@ -201,7 +201,7 @@ func TestAdminUDSBindMode0660(t *testing.T) { if runtime.GOOS == "windows" { t.Skip("UDS not supported on Windows") } - v := newAdminTestVault(t) + v := newAdminTestConsole(t) // Darwin's sockaddr_un caps sun_path at ~104 bytes; t.TempDir() with a // long test name plus the framework-injected sequence dir overruns. Use // a shorter MkdirTemp at /tmp to stay safely under the limit. @@ -238,7 +238,7 @@ func TestAdminUDSStaleSocketRecovered(t *testing.T) { if runtime.GOOS == "windows" { t.Skip("UDS not supported on Windows") } - v := newAdminTestVault(t) + v := newAdminTestConsole(t) // Darwin's sockaddr_un caps sun_path at ~104 bytes; t.TempDir() with a // long test name plus the framework-injected sequence dir overruns. Use // a shorter MkdirTemp at /tmp to stay safely under the limit. @@ -270,7 +270,7 @@ func TestAdminUDSShutdownUnlinks(t *testing.T) { if runtime.GOOS == "windows" { t.Skip("UDS not supported on Windows") } - v := newAdminTestVault(t) + v := newAdminTestConsole(t) // Darwin's sockaddr_un caps sun_path at ~104 bytes; t.TempDir() with a // long test name plus the framework-injected sequence dir overruns. Use // a shorter MkdirTemp at /tmp to stay safely under the limit. diff --git a/vault/internal/server/audit.go b/runeconsole/internal/server/audit.go similarity index 92% rename from vault/internal/server/audit.go rename to runeconsole/internal/server/audit.go index d5ce3b2..ac7dbbb 100644 --- a/vault/internal/server/audit.go +++ b/runeconsole/internal/server/audit.go @@ -38,8 +38,7 @@ func ParseAuditMode(mode string) AuditMode { return out } -// AuditEntry is the JSON structure written per request. Fields and order -// must match vault/audit.py:118-145 to keep golden compat tests aligned. +// AuditEntry is the JSON structure written per request. type AuditEntry struct { Timestamp string `json:"timestamp"` UserID string `json:"user_id"` @@ -68,7 +67,7 @@ func NewAuditLogger(cfg AuditConfig) (*AuditLogger, error) { if mode.File { path := cfg.Path if path == "" { - path = "/var/log/runevault/audit.log" + path = "/var/log/runeconsole/audit.log" } if err := os.MkdirAll(filepath.Dir(path), 0o750); err != nil { return nil, fmt.Errorf("audit: mkdir log dir: %w", err) @@ -154,8 +153,7 @@ func roundTo(v float64, decimals int) float64 { return float64(int64(v*mult-0.5)) / mult } -// ExtractSourceIP mirrors vault/audit.py:55-78 — peer addresses come in -// gRPC's "ipv4:H:P", "ipv6:[::1]:P", or "unix:/path" form. +// Peer addresses come in gRPC's "ipv4:H:P", "ipv6:[::1]:P", or "unix:/path" form. func ExtractSourceIP(p *peer.Peer) string { if p == nil || p.Addr == nil { return "unknown" diff --git a/vault/internal/server/audit_test.go b/runeconsole/internal/server/audit_test.go similarity index 100% rename from vault/internal/server/audit_test.go rename to runeconsole/internal/server/audit_test.go diff --git a/vault/internal/server/config.go b/runeconsole/internal/server/config.go similarity index 84% rename from vault/internal/server/config.go rename to runeconsole/internal/server/config.go index 8f0d036..d6ffb0b 100644 --- a/vault/internal/server/config.go +++ b/runeconsole/internal/server/config.go @@ -17,21 +17,21 @@ import ( // ConfigLookupPaths lists, in priority order, the on-disk locations that // LoadConfig probes when the caller doesn't pass an explicit path. var ConfigLookupPaths = []string{ - "/opt/runevault/configs/runevault.conf", - "./runevault.conf", + "/opt/runeconsole/configs/runeconsole.conf", + "./runeconsole.conf", } -// 0640: group-readable so runevault group members can run CLI commands without sudo. +// 0640: group-readable so runeconsole group members can run CLI commands without sudo. const expectedSecretMode fs.FileMode = 0o640 -// Config is the in-memory shape of runevault.conf. Field names follow the +// Config is the in-memory shape of runeconsole.conf. Field names follow the // YAML schema exactly so the loader can decode without an intermediate type. type Config struct { - Server ServerConfig `yaml:"server"` - Keys KeysConfig `yaml:"keys"` - Envector EnvectorConfig `yaml:"envector"` - Tokens TokensConfig `yaml:"tokens"` - Audit AuditConfig `yaml:"audit"` + Server ServerConfig `yaml:"server"` + Keys KeysConfig `yaml:"keys"` + Runespace RunespaceConfig `yaml:"runespace"` + Tokens TokensConfig `yaml:"tokens"` + Audit AuditConfig `yaml:"audit"` // Source records where this Config was loaded from (resolved absolute // path), populated by LoadConfig. Empty for in-memory test configs. @@ -65,14 +65,11 @@ type KeysConfig struct { EmbeddingDim int `yaml:"embedding_dim"` } -// EnvectorConfig accepts either an inline api_key or an api_key_file -// pointing at a 0600-mode file containing the same value. If both are -// set, api_key_file wins. Resolve() materialises the final string into -// APIKey and clears APIKeyFile. -type EnvectorConfig struct { - Endpoint string `yaml:"endpoint"` - APIKey string `yaml:"api_key"` - APIKeyFile string `yaml:"api_key_file"` +type RunespaceConfig struct { + Endpoint string `yaml:"endpoint"` + Token string `yaml:"token"` + TokenFile string `yaml:"token_file"` + Insecure bool `yaml:"insecure"` // default: false (true only for development; runespace on localhost) } type TokensConfig struct { @@ -115,7 +112,7 @@ func LoadConfig(override string) (*Config, error) { } cfg.Source = path - if err := checkSecretMode(path, "runevault.conf"); err != nil { + if err := checkSecretMode(path, "runeconsole.conf"); err != nil { return nil, err } @@ -150,13 +147,13 @@ func resolveConfigPath(override string) (path string, searched []string, err err // Returns an error if any referenced secret file has a permissive mode // (anything looser than 0o640). Idempotent. func (c *Config) Resolve() error { - if c.Envector.APIKeyFile != "" { - val, err := readSecretFile(c.Envector.APIKeyFile, "envector.api_key_file") + if c.Runespace.TokenFile != "" { + val, err := readSecretFile(c.Runespace.TokenFile, "runespace.token_file") if err != nil { return err } - c.Envector.APIKey = val - c.Envector.APIKeyFile = "" + c.Runespace.Token = val + c.Runespace.TokenFile = "" } if c.Tokens.TeamSecretFile != "" { val, err := readSecretFile(c.Tokens.TeamSecretFile, "tokens.team_secret_file") @@ -201,11 +198,11 @@ func checkSecretMode(path, label string) error { // admin endpoints that surface configuration to operators. func (c *Config) Redact() Config { out := *c - if out.Envector.APIKey != "" { - out.Envector.APIKey = "[REDACTED]" + if out.Runespace.Token != "" { + out.Runespace.Token = "[REDACTED]" } - if out.Envector.APIKeyFile != "" { - out.Envector.APIKeyFile = "[REDACTED]" + if out.Runespace.TokenFile != "" { + out.Runespace.TokenFile = "[REDACTED]" } if out.Tokens.TeamSecret != "" { out.Tokens.TeamSecret = "[REDACTED]" diff --git a/vault/internal/server/config_test.go b/runeconsole/internal/server/config_test.go similarity index 86% rename from vault/internal/server/config_test.go rename to runeconsole/internal/server/config_test.go index 85d8f60..31c4186 100644 --- a/vault/internal/server/config_test.go +++ b/runeconsole/internal/server/config_test.go @@ -19,11 +19,11 @@ func minimalValidConfig(t *testing.T) string { admin: socket: /tmp/admin.sock keys: - path: /tmp/vault-keys + path: /tmp/runeconsole-keys embedding_dim: 1024 -envector: +runespace: endpoint: https://example.com - api_key: inline-api-key + token: inline-api-key tokens: team_secret: inline-team-secret-deadbeef roles_file: /tmp/roles.yml @@ -36,7 +36,7 @@ audit: func writeConfig(t *testing.T, body string) string { t.Helper() dir := t.TempDir() - path := filepath.Join(dir, "runevault.conf") + path := filepath.Join(dir, "runeconsole.conf") if err := os.WriteFile(path, []byte(body), 0o600); err != nil { t.Fatal(err) } @@ -68,11 +68,11 @@ func TestLoadConfigMinimalValid(t *testing.T) { } func TestLoadConfigMissingNamesAllPaths(t *testing.T) { - _, err := LoadConfig("/tmp/this/path/does/not/exist/runevault.conf") + _, err := LoadConfig("/tmp/this/path/does/not/exist/runeconsole.conf") if err == nil { t.Fatal("expected error for missing config") } - if !strings.Contains(err.Error(), "/tmp/this/path/does/not/exist/runevault.conf") { + if !strings.Contains(err.Error(), "/tmp/this/path/does/not/exist/runeconsole.conf") { t.Errorf("err missing override path: %v", err) } } @@ -103,16 +103,16 @@ func TestLoadConfigUnknownFieldsRejected(t *testing.T) { } } -func TestLoadConfigAPIKeyFileIndirection(t *testing.T) { +func TestLoadConfigTokenFileIndirection(t *testing.T) { dir := t.TempDir() - keyFile := filepath.Join(dir, "envector.key") + keyFile := filepath.Join(dir, "runespace.key") if err := os.WriteFile(keyFile, []byte("file-api-key\n"), 0o600); err != nil { t.Fatal(err) } body := strings.Replace( minimalValidConfig(t), - " api_key: inline-api-key", - " api_key_file: "+keyFile, + " token: inline-api-key", + " token_file: "+keyFile, 1, ) path := writeConfig(t, body) @@ -120,11 +120,11 @@ func TestLoadConfigAPIKeyFileIndirection(t *testing.T) { if err != nil { t.Fatal(err) } - if cfg.Envector.APIKey != "file-api-key" { - t.Errorf("api_key = %q, want file-api-key", cfg.Envector.APIKey) + if cfg.Runespace.Token != "file-api-key" { + t.Errorf("token = %q, want file-api-key", cfg.Runespace.Token) } - if cfg.Envector.APIKeyFile != "" { - t.Errorf("api_key_file should be cleared after Resolve, got %q", cfg.Envector.APIKeyFile) + if cfg.Runespace.TokenFile != "" { + t.Errorf("token_file should be cleared after Resolve, got %q", cfg.Runespace.TokenFile) } } @@ -205,15 +205,15 @@ func TestLoadConfigSecretFileMissing(t *testing.T) { func TestRedactMasksSecrets(t *testing.T) { cfg := &Config{ - Envector: EnvectorConfig{APIKey: "deadbeef", APIKeyFile: "/x"}, - Tokens: TokensConfig{TeamSecret: "supersecret", TeamSecretFile: "/y"}, + Runespace: RunespaceConfig{Token: "deadbeef", TokenFile: "/x"}, + Tokens: TokensConfig{TeamSecret: "supersecret", TeamSecretFile: "/y"}, } r := cfg.Redact() - if r.Envector.APIKey != "[REDACTED]" { - t.Errorf("api_key not redacted: %q", r.Envector.APIKey) + if r.Runespace.Token != "[REDACTED]" { + t.Errorf("token not redacted: %q", r.Runespace.Token) } - if r.Envector.APIKeyFile != "[REDACTED]" { - t.Errorf("api_key_file not redacted: %q", r.Envector.APIKeyFile) + if r.Runespace.TokenFile != "[REDACTED]" { + t.Errorf("token_file not redacted: %q", r.Runespace.TokenFile) } if r.Tokens.TeamSecret != "[REDACTED]" { t.Errorf("team_secret not redacted: %q", r.Tokens.TeamSecret) @@ -222,7 +222,7 @@ func TestRedactMasksSecrets(t *testing.T) { t.Errorf("team_secret_file not redacted: %q", r.Tokens.TeamSecretFile) } // Original must be untouched. - if cfg.Envector.APIKey != "deadbeef" { + if cfg.Runespace.Token != "deadbeef" { t.Errorf("Redact mutated original") } } @@ -274,7 +274,7 @@ func TestValidateRejectsTLSWithoutCertKey(t *testing.T) { func TestExampleConfigParsesCleanly(t *testing.T) { // The committed example file should at least parse — operators copy it. - data, err := os.ReadFile("testdata/runevault.conf.example") + data, err := os.ReadFile("testdata/runeconsole.conf.example") if err != nil { t.Fatal(err) } diff --git a/vault/internal/server/grpc.go b/runeconsole/internal/server/grpc.go similarity index 85% rename from vault/internal/server/grpc.go rename to runeconsole/internal/server/grpc.go index b935842..9fc3ec3 100644 --- a/vault/internal/server/grpc.go +++ b/runeconsole/internal/server/grpc.go @@ -15,18 +15,18 @@ import ( runespace "github.com/CryptoLabInc/runespace-sdk" - "github.com/CryptoLabInc/rune-admin/vault/internal/crypto" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" - pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/crypto" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" + pb "github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb" ) // MaxMessageSize bounds gRPC frames. const MaxMessageSize = 256 * 1024 * 1024 -// Vault is the runtime container shared by all RPC handlers and the admin UDS +// Console is the runtime container shared by all RPC handlers and the admin UDS // server. It owns the token store, the runespace engine (all FHE keys + the -// sole runespace client), and the audit logger. Construct via NewVault. -type Vault struct { +// sole runespace client), and the audit logger. Construct via NewConsole. +type Console struct { cfg *Config tokens *tokens.Store engine *crypto.Engine @@ -35,9 +35,9 @@ type Vault struct { bundleParams crypto.KeysParams } -// NewVault wires all subsystems together. Caller is responsible for Close. -func NewVault(cfg *Config, tokenStore *tokens.Store, engine *crypto.Engine, audit *AuditLogger) *Vault { - return &Vault{ +// NewConsole wires all subsystems together. Caller is responsible for Close. +func NewConsole(cfg *Config, tokenStore *tokens.Store, engine *crypto.Engine, audit *AuditLogger) *Console { + return &Console{ cfg: cfg, tokens: tokenStore, engine: engine, @@ -50,42 +50,42 @@ func NewVault(cfg *Config, tokenStore *tokens.Store, engine *crypto.Engine, audi } } -func defaultKeyID(_ *Config) string { return "vault-key" } +func defaultKeyID(_ *Config) string { return "runeconsole-key" } // Tokens exposes the token store for the admin UDS server. -func (v *Vault) Tokens() *tokens.Store { return v.tokens } +func (v *Console) Tokens() *tokens.Store { return v.tokens } // Config exposes the resolved config. -func (v *Vault) Config() *Config { return v.cfg } +func (v *Console) Config() *Config { return v.cfg } // Close releases the runespace engine (gRPC conn + cgo key handles). -func (v *Vault) Close() error { +func (v *Console) Close() error { if v.engine != nil { _ = v.engine.Close() } return nil } -// VaultGRPC is the gRPC service wrapper. Exposed for grpc.RegisterService. -type VaultGRPC struct { - pb.UnimplementedVaultServiceServer - v *Vault +// ConsoleGRPC is the gRPC service wrapper. Exposed for grpc.RegisterService. +type ConsoleGRPC struct { + pb.UnimplementedConsoleServiceServer + v *Console } -func NewVaultGRPC(v *Vault) *VaultGRPC { return &VaultGRPC{v: v} } +func NewConsoleGRPC(v *Console) *ConsoleGRPC { return &ConsoleGRPC{v: v} } // envelope is the sealed-metadata shape stored verbatim in runespace: // {"a": "", "c": ""}. The agent_id lets -// any vault request derive the right per-agent DEK, so team memory captured by +// any console request derive the right per-agent DEK, so team memory captured by // one agent can be recalled (and metadata-decrypted) by another. type envelope struct { AgentID string `json:"a"` Cipher string `json:"c"` } -// ── GetAgentManifest (config only — no keys ever leave the vault) ── +// ── GetAgentManifest (config only — no keys ever leave the console) ── -func (s *VaultGRPC) GetAgentManifest(ctx context.Context, req *pb.GetAgentManifestRequest) (*pb.GetAgentManifestResponse, error) { +func (s *ConsoleGRPC) GetAgentManifest(ctx context.Context, req *pb.GetAgentManifestRequest) (*pb.GetAgentManifestResponse, error) { start := time.Now() user := s.v.tokens.GetUsername(req.GetToken()) if user == "" { @@ -131,10 +131,10 @@ func (s *VaultGRPC) GetAgentManifest(ctx context.Context, req *pb.GetAgentManife } // buildBundle assembles the agent manifest. The PUBLIC EncKey pair and the -// caller's derived agent_dek leave the vault here — by design: capture-side +// caller's derived agent_dek leave the console here — by design: capture-side // encryption/sealing happens on the developer machine. SecKey/EvalKey/ // team_secret are never included. -func (v *Vault) buildBundle(ctx context.Context, token string) (map[string]any, error) { +func (v *Console) buildBundle(ctx context.Context, token string) (map[string]any, error) { rmpJSON, mmKey, err := crypto.ReadEncKeys(v.bundleParams) if err != nil { return nil, err @@ -151,7 +151,7 @@ func (v *Vault) buildBundle(ctx context.Context, token string) (map[string]any, "agent_dek": base64.StdEncoding.EncodeToString(dek), "key_id": v.bundleParams.KeyID, "dim": v.cfg.Keys.EmbeddingDim, - // Capability flag: this vault expects client-encrypted inserts. + // Capability flag: this console expects client-encrypted inserts. "insert": "pre_encrypted", } if v.cfg.Keys.IndexName != "" { @@ -170,7 +170,7 @@ func (v *Vault) buildBundle(ctx context.Context, token string) (map[string]any, // ── Insert (capture write) ──────────────────────────────────────── -func (s *VaultGRPC) Insert(ctx context.Context, req *pb.InsertRequest) (*pb.InsertResponse, error) { +func (s *ConsoleGRPC) Insert(ctx context.Context, req *pb.InsertRequest) (*pb.InsertResponse, error) { start := time.Now() user := s.v.tokens.GetUsername(req.GetToken()) if user == "" { @@ -231,7 +231,7 @@ func (s *VaultGRPC) Insert(ctx context.Context, req *pb.InsertRequest) (*pb.Inse // ── Search (recall + novelty) ───────────────────────────────────── -func (s *VaultGRPC) Search(ctx context.Context, req *pb.SearchRequest) (*pb.SearchResponse, error) { +func (s *ConsoleGRPC) Search(ctx context.Context, req *pb.SearchRequest) (*pb.SearchResponse, error) { start := time.Now() topK := req.GetTopK() user := s.v.tokens.GetUsername(req.GetToken()) @@ -289,7 +289,7 @@ func (s *VaultGRPC) Search(ctx context.Context, req *pb.SearchRequest) (*pb.Sear // openMeta best-effort opens a sealed {a,c} envelope to plaintext JSON. On any // failure it returns the stored string unchanged (plaintext/legacy tolerated). -func (s *VaultGRPC) openMeta(stored string) string { +func (s *ConsoleGRPC) openMeta(stored string) string { if stored == "" { return "" } @@ -311,7 +311,7 @@ func (s *VaultGRPC) openMeta(stored string) string { // whole Search response at the gRPC layer, so fall back to the sealed // envelope instead. Proper fix is AEAD (AES-GCM) — see crypto/metadata.go. if !utf8.Valid(pt) { - slog.Warn("vault: sealed metadata decrypted to non-UTF-8 bytes — returning envelope unopened (different team_secret or corrupted record)", + slog.Warn("console: sealed metadata decrypted to non-UTF-8 bytes — returning envelope unopened (different team_secret or corrupted record)", "agent_id", env.AgentID) return stored } @@ -359,7 +359,7 @@ func errStatus(err error) (string, *string) { return "error", &msg } -func (s *VaultGRPC) emit(ctx context.Context, method, user string, topK *int32, resultCount int, statusStr string, errDetail *string, duration time.Duration) { +func (s *ConsoleGRPC) emit(ctx context.Context, method, user string, topK *int32, resultCount int, statusStr string, errDetail *string, duration time.Duration) { if s.v.audit == nil || !s.v.audit.Enabled() { return } @@ -386,7 +386,7 @@ const centroidBatchSize = 64 // GetCentroids relays the engine's IVF centroid set to rune-mcp so it can // push the set down to runed. Same wire shape as runespace's GetCentroids: // one header frame, then id-ordered batches. -func (s *VaultGRPC) GetCentroids(req *pb.GetCentroidsRequest, stream pb.VaultService_GetCentroidsServer) error { +func (s *ConsoleGRPC) GetCentroids(req *pb.GetCentroidsRequest, stream pb.ConsoleService_GetCentroidsServer) error { ctx := stream.Context() start := time.Now() user := s.v.tokens.GetUsername(req.GetToken()) diff --git a/vault/internal/server/grpc_test.go b/runeconsole/internal/server/grpc_test.go similarity index 88% rename from vault/internal/server/grpc_test.go rename to runeconsole/internal/server/grpc_test.go index 2bec0ea..210ee33 100644 --- a/vault/internal/server/grpc_test.go +++ b/runeconsole/internal/server/grpc_test.go @@ -9,8 +9,8 @@ import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" - pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" + pb "github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb" ) // ── error mapping ───────────────────────────────────────────────── @@ -37,7 +37,7 @@ func TestMapTokenErrorCodes(t *testing.T) { // ── handler — token error paths (no engine needed; auth runs first) ── -func newTestVault(t *testing.T) *Vault { +func newTestConsole(t *testing.T) *Console { t.Helper() cfg := &Config{ Tokens: TokensConfig{TeamSecret: "test-secret"}, @@ -46,11 +46,11 @@ func newTestVault(t *testing.T) *Vault { store := tokens.NewStore() store.LoadDefaultsWithDemoToken() audit, _ := NewAuditLogger(AuditConfig{Mode: ""}) - return NewVault(cfg, store, nil, audit) + return NewConsole(cfg, store, nil, audit) } func TestGetAgentManifestInvalidToken(t *testing.T) { - srv := NewVaultGRPC(newTestVault(t)) + srv := NewConsoleGRPC(newTestConsole(t)) resp, err := srv.GetAgentManifest(context.Background(), &pb.GetAgentManifestRequest{ Token: "evt_ffffffffffffffffffffffffffffffff", }) @@ -63,7 +63,7 @@ func TestGetAgentManifestInvalidToken(t *testing.T) { } func TestInsertInvalidToken(t *testing.T) { - srv := NewVaultGRPC(newTestVault(t)) + srv := NewConsoleGRPC(newTestConsole(t)) _, err := srv.Insert(context.Background(), &pb.InsertRequest{ Token: "evt_ffffffffffffffffffffffffffffffff", Id: "test-id-1", @@ -79,7 +79,7 @@ func TestInsertInvalidToken(t *testing.T) { } func TestSearchInvalidToken(t *testing.T) { - srv := NewVaultGRPC(newTestVault(t)) + srv := NewConsoleGRPC(newTestConsole(t)) _, err := srv.Search(context.Background(), &pb.SearchRequest{ Token: "evt_ffffffffffffffffffffffffffffffff", Vector: []float32{0.1, 0.2}, @@ -91,7 +91,7 @@ func TestSearchInvalidToken(t *testing.T) { } func TestSearchTopKExceeded(t *testing.T) { - srv := NewVaultGRPC(newTestVault(t)) + srv := NewConsoleGRPC(newTestConsole(t)) // Demo token has admin role with top_k=50; request 51 → rejected before engine. _, err := srv.Search(context.Background(), &pb.SearchRequest{ Token: tokens.DemoToken, diff --git a/vault/internal/server/helpers_test.go b/runeconsole/internal/server/helpers_test.go similarity index 84% rename from vault/internal/server/helpers_test.go rename to runeconsole/internal/server/helpers_test.go index 2cfbc7a..bbf5a80 100644 --- a/vault/internal/server/helpers_test.go +++ b/runeconsole/internal/server/helpers_test.go @@ -3,7 +3,7 @@ package server import ( "testing" - "github.com/CryptoLabInc/rune-admin/vault/internal/crypto" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/crypto" ) func mustDEK(t *testing.T, secret, agentID string) []byte { diff --git a/vault/internal/server/interceptors.go b/runeconsole/internal/server/interceptors.go similarity index 79% rename from vault/internal/server/interceptors.go rename to runeconsole/internal/server/interceptors.go index 8b8eadc..df9ac90 100644 --- a/vault/internal/server/interceptors.go +++ b/runeconsole/internal/server/interceptors.go @@ -13,22 +13,20 @@ import ( "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" - pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb" + pb "github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb" ) -// vaultMethods enumerates the gRPC method paths owned by VaultService. +// consoleMethods enumerates the gRPC method paths owned by ConsoleService. // Other services routed through the same gRPC server bypass runtime checks. -var vaultMethods = map[string]bool{ - "/rune.vault.v1.VaultService/GetAgentManifest": true, - "/rune.vault.v1.VaultService/Insert": true, - "/rune.vault.v1.VaultService/Search": true, +var consoleMethods = map[string]bool{ + "/rune.console.v1.ConsoleService/GetAgentManifest": true, + "/rune.console.v1.ConsoleService/Insert": true, + "/rune.console.v1.ConsoleService/Search": true, } // NewValidationInterceptor returns a unary server interceptor that runs // protovalidate against the request, then a runtime safety check on the // token field. Validation errors are returned as InvalidArgument. -// -// Mirrors vault/validation_interceptor.py and vault/request_validator.py. func NewValidationInterceptor() (grpc.UnaryServerInterceptor, error) { v, err := protovalidate.New() if err != nil { @@ -41,7 +39,7 @@ func NewValidationInterceptor() (grpc.UnaryServerInterceptor, error) { return nil, status.Error(codes.InvalidArgument, err.Error()) } } - if vaultMethods[info.FullMethod] { + if consoleMethods[info.FullMethod] { if err := runtimeCheckToken(req); err != nil { return nil, status.Error(codes.InvalidArgument, err.Error()) } @@ -50,7 +48,7 @@ func NewValidationInterceptor() (grpc.UnaryServerInterceptor, error) { }, nil } -// runtimeCheckToken pulls the token field from a Vault request and runs +// runtimeCheckToken pulls the token field from a Console request and runs // the supplementary checks the .proto annotations cannot express. func runtimeCheckToken(req any) error { var token string diff --git a/vault/internal/server/interceptors_test.go b/runeconsole/internal/server/interceptors_test.go similarity index 81% rename from vault/internal/server/interceptors_test.go rename to runeconsole/internal/server/interceptors_test.go index f30021a..b4bd007 100644 --- a/vault/internal/server/interceptors_test.go +++ b/runeconsole/internal/server/interceptors_test.go @@ -9,7 +9,7 @@ import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" - pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb" + pb "github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb" ) func TestCheckTokenSafetyAccepts(t *testing.T) { @@ -46,14 +46,14 @@ func mustInterceptor(t *testing.T) grpc.UnaryServerInterceptor { return ic } -func vaultMethodInfo(name string) *grpc.UnaryServerInfo { - return &grpc.UnaryServerInfo{FullMethod: "/rune.vault.v1.VaultService/" + name} +func consoleMethodInfo(name string) *grpc.UnaryServerInfo { + return &grpc.UnaryServerInfo{FullMethod: "/rune.console.v1.ConsoleService/" + name} } func TestInterceptorPassesValidRequest(t *testing.T) { ic := mustInterceptor(t) req := &pb.GetAgentManifestRequest{Token: "evt_0123456789abcdef0123456789abcdef"} - out, err := ic(context.Background(), req, vaultMethodInfo("GetAgentManifest"), noopHandler) + out, err := ic(context.Background(), req, consoleMethodInfo("GetAgentManifest"), noopHandler) if err != nil { t.Fatalf("err = %v, want nil", err) } @@ -66,7 +66,7 @@ func TestInterceptorRejectsBadProtovalidate(t *testing.T) { ic := mustInterceptor(t) // Token shorter than 36 fails the proto-level constraint. req := &pb.GetAgentManifestRequest{Token: "too_short"} - _, err := ic(context.Background(), req, vaultMethodInfo("GetAgentManifest"), noopHandler) + _, err := ic(context.Background(), req, consoleMethodInfo("GetAgentManifest"), noopHandler) if err == nil { t.Fatal("err = nil, want validation error") } @@ -83,7 +83,7 @@ func TestInterceptorRejectsControlCharToken(t *testing.T) { if len(req.Token) != 36 { t.Fatalf("test setup: token length = %d, want 36", len(req.Token)) } - _, err := ic(context.Background(), req, vaultMethodInfo("GetAgentManifest"), noopHandler) + _, err := ic(context.Background(), req, consoleMethodInfo("GetAgentManifest"), noopHandler) if err == nil { t.Fatal("err = nil, want runtime error") } @@ -92,14 +92,14 @@ func TestInterceptorRejectsControlCharToken(t *testing.T) { } } -func TestInterceptorAllowsNonVaultMethod(t *testing.T) { +func TestInterceptorAllowsNonConsoleMethod(t *testing.T) { ic := mustInterceptor(t) // Whitespace-around token would normally fail runtime check, but - // non-Vault methods skip runtime checks (and the proto for this + // non-Console methods skip runtime checks (and the proto for this // dummy message doesn't apply). req := &pb.GetAgentManifestRequest{Token: "evt_0123456789abcdef0123456789abcdef"} info := &grpc.UnaryServerInfo{FullMethod: "/grpc.health.v1.Health/Check"} if _, err := ic(context.Background(), req, info, noopHandler); err != nil { - t.Errorf("non-vault method blocked: %v", err) + t.Errorf("non-console method blocked: %v", err) } } diff --git a/vault/internal/server/vault_l2_test.go b/runeconsole/internal/server/l2_test.go similarity index 89% rename from vault/internal/server/vault_l2_test.go rename to runeconsole/internal/server/l2_test.go index f5ab039..e5e60e5 100644 --- a/vault/internal/server/vault_l2_test.go +++ b/runeconsole/internal/server/l2_test.go @@ -18,12 +18,12 @@ import ( runespace "github.com/CryptoLabInc/runespace-sdk" - "github.com/CryptoLabInc/rune-admin/vault/internal/crypto" - "github.com/CryptoLabInc/rune-admin/vault/internal/tokens" - pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/crypto" + "github.com/CryptoLabInc/rune-console/runeconsole/internal/tokens" + pb "github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb" ) -// TestVaultServiceL2 brings up the VaultService gRPC server in-process against +// TestConsoleServiceL2 brings up the ConsoleService gRPC server in-process against // a LIVE runespace and plays the rune-mcp role end to end under the // client-side-crypto contract: // @@ -35,11 +35,11 @@ import ( // Gated on RUNESPACE_ADDR. Reuses the smoke-test key dir so it matches // whatever eval key runespace already has registered. // -// RUNESPACE_ADDR=127.0.0.1:51024 go test ./internal/server -run VaultServiceL2 -v -func TestVaultServiceL2(t *testing.T) { +// RUNESPACE_ADDR=127.0.0.1:51024 go test ./internal/server -run ConsoleServiceL2 -v +func TestConsoleServiceL2(t *testing.T) { addr := os.Getenv("RUNESPACE_ADDR") if addr == "" { - t.Skip("set RUNESPACE_ADDR to run the live VaultService L2 test") + t.Skip("set RUNESPACE_ADDR to run the live ConsoleService L2 test") } const dim = 1024 @@ -74,7 +74,7 @@ func TestVaultServiceL2(t *testing.T) { store := tokens.NewStore() store.LoadDefaultsWithDemoToken() audit, _ := NewAuditLogger(AuditConfig{Mode: ""}) - v := NewVault(cfg, store, eng, audit) + v := NewConsole(cfg, store, eng, audit) v.bundleParams.KeyID = kp.KeyID // manifest must read the smoke key dir // In-process gRPC server on a random port. @@ -83,7 +83,7 @@ func TestVaultServiceL2(t *testing.T) { t.Fatal(err) } gs := grpc.NewServer(grpc.MaxRecvMsgSize(MaxMessageSize), grpc.MaxSendMsgSize(MaxMessageSize)) - pb.RegisterVaultServiceServer(gs, NewVaultGRPC(v)) + pb.RegisterConsoleServiceServer(gs, NewConsoleGRPC(v)) go gs.Serve(lis) defer gs.Stop() @@ -93,7 +93,7 @@ func TestVaultServiceL2(t *testing.T) { t.Fatal(err) } defer conn.Close() - client := pb.NewVaultServiceClient(conn) + client := pb.NewConsoleServiceClient(conn) // ── mcp step 1: manifest → EncKey pair + agent_dek ────────────── mf, err := client.GetAgentManifest(ctx, &pb.GetAgentManifestRequest{Token: tokens.DemoToken}) @@ -205,7 +205,7 @@ func TestVaultServiceL2(t *testing.T) { t.Fatalf("EncryptClustered: %v", err) } - const meta = `{"title":"L2 vault test","n":7}` + const meta = `{"title":"L2 console test","n":7}` ct, err := crypto.EncryptMetadata([]byte(meta), dek) if err != nil { t.Fatalf("client seal: %v", err) @@ -230,7 +230,7 @@ func TestVaultServiceL2(t *testing.T) { } t.Logf("Insert ok id=%s (client-encrypted forward)", ins.GetId()) - // ── recall: vault decrypts scores + opens metadata ────────────── + // ── recall: console decrypts scores + opens metadata ────────────── sr, err := client.Search(ctx, &pb.SearchRequest{Token: tokens.DemoToken, Vector: vec, TopK: 5}) if err != nil { t.Fatalf("Search RPC: %v", err) @@ -249,8 +249,8 @@ func TestVaultServiceL2(t *testing.T) { if top.GetId() != id { t.Fatalf("top id %s != inserted %s", top.GetId(), id) } - // Client-sealed metadata must come back OPENED by the vault — proving the - // seal(client)/open(vault) split of the target architecture. + // Client-sealed metadata must come back OPENED by the console — proving the + // seal(client)/open(console) split of the target architecture. if top.GetMetadata() != meta { t.Fatalf("metadata round-trip mismatch: got %q want %q", top.GetMetadata(), meta) } diff --git a/vault/internal/server/serve.go b/runeconsole/internal/server/serve.go similarity index 80% rename from vault/internal/server/serve.go rename to runeconsole/internal/server/serve.go index 0f11e04..a6828e4 100644 --- a/vault/internal/server/serve.go +++ b/runeconsole/internal/server/serve.go @@ -18,17 +18,17 @@ import ( healthpb "google.golang.org/grpc/health/grpc_health_v1" "google.golang.org/grpc/reflection" - pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb" + pb "github.com/CryptoLabInc/rune-console/runeconsole/pkg/consolepb" ) -// Serve starts the gRPC + admin UDS listeners with the given Vault and +// Serve starts the gRPC + admin UDS listeners with the given Console and // blocks until ctx is cancelled or a SIGTERM/SIGINT is received. The // admin listener is constructed by AdminFactory; passing nil disables the // admin UDS surface (useful for unit tests that exercise gRPC alone). // // Returns nil on graceful shutdown. Listener bind errors and server runtime // errors are returned eagerly. -func Serve(ctx context.Context, v *Vault, adminFactory AdminFactory) error { +func Serve(ctx context.Context, v *Console, adminFactory AdminFactory) error { cfg := v.Config() // runespace eval-key registration is handled by crypto.OpenEngine at daemon // startup; no separate cloud-setup step is needed. @@ -60,12 +60,11 @@ func Serve(ctx context.Context, v *Vault, adminFactory AdminFactory) error { opts = append(opts, grpc.Creds(tlsCreds)) } gs := grpc.NewServer(opts...) - pb.RegisterVaultServiceServer(gs, NewVaultGRPC(v)) + pb.RegisterConsoleServiceServer(gs, NewConsoleGRPC(v)) - // Health + reflection (matches Python registration sites: - // vault_grpc_server.py:317-331). + // Health + reflection healthSvc := health.NewServer() - healthSvc.SetServingStatus("rune.vault.v1.VaultService", healthpb.HealthCheckResponse_SERVING) + healthSvc.SetServingStatus("rune.console.v1.ConsoleService", healthpb.HealthCheckResponse_SERVING) healthSvc.SetServingStatus("", healthpb.HealthCheckResponse_SERVING) healthpb.RegisterHealthServer(gs, healthSvc) reflection.Register(gs) @@ -83,7 +82,7 @@ func Serve(ctx context.Context, v *Vault, adminFactory AdminFactory) error { if tlsCreds != nil { scheme = "tls" } - slog.Info("vault: gRPC listening", "addr", grpcAddr, "scheme", scheme) + slog.Info("console: gRPC listening", "addr", grpcAddr, "scheme", scheme) // Run gRPC in a goroutine; wait for shutdown signal or ctx cancellation. errCh := make(chan error, 1) @@ -97,9 +96,9 @@ func Serve(ctx context.Context, v *Vault, adminFactory AdminFactory) error { select { case <-ctx.Done(): - slog.Info("vault: context cancelled, shutting down") + slog.Info("console: context cancelled, shutting down") case sig := <-sigCh: - slog.Info("vault: signal received, shutting down", "signal", sig.String()) + slog.Info("console: signal received, shutting down", "signal", sig.String()) case err := <-errCh: if err != nil && !errors.Is(err, grpc.ErrServerStopped) { return fmt.Errorf("server: grpc serve: %w", err) @@ -128,7 +127,7 @@ func stopGracefullyOrForce(gs *grpc.Server, grace time.Duration) { select { case <-done: case <-time.After(grace): - slog.Warn("vault: graceful stop timed out, forcing", "grace", grace) + slog.Warn("console: graceful stop timed out, forcing", "grace", grace) gs.Stop() <-done } @@ -136,7 +135,7 @@ func stopGracefullyOrForce(gs *grpc.Server, grace time.Duration) { // AdminFactory builds the admin UDS server and returns a shutdown closer. // internal/server/admin.go (added in step 6) supplies the production impl. -type AdminFactory func(ctx context.Context, v *Vault) (shutdown func(context.Context) error, err error) +type AdminFactory func(ctx context.Context, v *Console) (shutdown func(context.Context) error, err error) func grpcHost(cfg *Config) string { if cfg.Server.GRPC.Host == "" { @@ -147,7 +146,7 @@ func grpcHost(cfg *Config) string { func loadTLSCredentials(t TLSConfig) (credentials.TransportCredentials, error) { if t.Disable { - slog.Warn("vault: TLS disabled — gRPC traffic is unencrypted (dev mode only)") + slog.Warn("console: TLS disabled — gRPC traffic is unencrypted (dev mode only)") return nil, nil } if t.Cert == "" || t.Key == "" { diff --git a/runeconsole/internal/server/testdata/runeconsole.conf.example b/runeconsole/internal/server/testdata/runeconsole.conf.example new file mode 100644 index 0000000..53e9776 --- /dev/null +++ b/runeconsole/internal/server/testdata/runeconsole.conf.example @@ -0,0 +1,40 @@ +# runeconsole.conf — example deployment configuration. +# +# Lookup order: +# 1. --config CLI flag +# 2. /opt/runeconsole/configs/runeconsole.conf +# 3. ./runeconsole.conf (cwd, dev only) +# +# This file should be mode 0600, owned by the runeconsole-user. +# Replace placeholder values before use. + +server: + grpc: + host: 0.0.0.0 + port: 50051 + tls: + cert: /opt/runeconsole/certs/server.pem + key: /opt/runeconsole/certs/server.key + disable: false # true for dev only — never in production + admin: + socket: /opt/runeconsole/admin.sock + +keys: + path: /opt/runeconsole/runeconsole-keys + index_name: my-team + embedding_dim: 1024 + +runespace: + endpoint: https://runespace.example.com + token: REPLACE_WITH_TOKEN + # Alternative: token_file: /run/secrets/runespace_token + +tokens: + team_secret: REPLACE_WITH_RANDOM_HEX_32 + # Alternative: team_secret_file: /run/secrets/team_secret + roles_file: /opt/runeconsole/configs/roles.yml + tokens_file: /opt/runeconsole/configs/tokens.yml + +audit: + mode: file+stdout # one of: "", file, stdout, file+stdout + path: /opt/runeconsole/logs/audit.log diff --git a/vault/internal/tests/e2e_test.go b/runeconsole/internal/tests/e2e_test.go similarity index 91% rename from vault/internal/tests/e2e_test.go rename to runeconsole/internal/tests/e2e_test.go index 33d3ddf..67f826e 100644 --- a/vault/internal/tests/e2e_test.go +++ b/runeconsole/internal/tests/e2e_test.go @@ -13,11 +13,11 @@ import ( "time" ) -// TestE2EDaemonLifecycle boots runevault as a daemon against a tmp config +// TestE2EDaemonLifecycle boots runeconsole as a daemon against a tmp config // (TLS disabled), exercises token/role CLI operations through the admin UDS, // then verifies daemon stop. // -// Set RUNEVAULT_TEST_BINARY to a pre-built binary path to skip the in-test +// Set RUNECONSOLE_TEST_BINARY to a pre-built binary path to skip the in-test // build step (required in CI — run `mise run go:build` first). func TestE2EDaemonLifecycle(t *testing.T) { repoRoot := RepoRoot() @@ -29,7 +29,7 @@ func TestE2EDaemonLifecycle(t *testing.T) { binary := resolveBinary(t, repoRoot, tmp) - confPath := filepath.Join(tmp, "runevault.conf") + confPath := filepath.Join(tmp, "runeconsole.conf") conf := fmt.Sprintf(`server: grpc: host: 127.0.0.1 @@ -41,9 +41,9 @@ func TestE2EDaemonLifecycle(t *testing.T) { keys: path: %[1]s/keys embedding_dim: 1024 -envector: +runespace: endpoint: "" - api_key: "" + token: "" tokens: team_secret: smoke-secret roles_file: %[1]s/roles.yml @@ -156,20 +156,20 @@ audit: } } -// resolveBinary returns the runevault binary path. If RUNEVAULT_TEST_BINARY +// resolveBinary returns the runeconsole binary path. If RUNECONSOLE_TEST_BINARY // is set it is used as-is (relative paths are resolved from repoRoot). // Otherwise the binary is built from source into tmp. func resolveBinary(t *testing.T, repoRoot, tmp string) string { t.Helper() - if p := os.Getenv("RUNEVAULT_TEST_BINARY"); p != "" { + if p := os.Getenv("RUNECONSOLE_TEST_BINARY"); p != "" { if !filepath.IsAbs(p) { p = filepath.Join(repoRoot, p) } return p } - binary := filepath.Join(tmp, "runevault") + binary := filepath.Join(tmp, "runeconsole") build := exec.Command("go", "build", "-o", binary, "./cmd") - build.Dir = filepath.Join(repoRoot, "vault") + build.Dir = filepath.Join(repoRoot, "console") if out, err := build.CombinedOutput(); err != nil { t.Fatalf("build: %v\n%s", err, out) } diff --git a/vault/internal/tests/fixtures.go b/runeconsole/internal/tests/fixtures.go similarity index 88% rename from vault/internal/tests/fixtures.go rename to runeconsole/internal/tests/fixtures.go index f23574d..4dcf5f6 100644 --- a/vault/internal/tests/fixtures.go +++ b/runeconsole/internal/tests/fixtures.go @@ -9,12 +9,12 @@ import ( "runtime" ) -// RepoRoot returns the absolute path to the rune-admin repository root, +// RepoRoot returns the absolute path to the rune-console repository root, // resolved relative to this source file. Works regardless of the test's // cwd, so tests can locate tests/fixtures/ from any subpackage. func RepoRoot() string { _, thisFile, _, _ := runtime.Caller(0) - // thisFile = .../vault/internal/tests/fixtures.go → repo root is 3 levels up. + // thisFile = .../runeconsole/internal/tests/fixtures.go → repo root is 3 levels up. return filepath.Clean(filepath.Join(filepath.Dir(thisFile), "..", "..", "..")) } diff --git a/vault/internal/tokens/errors.go b/runeconsole/internal/tokens/errors.go similarity index 100% rename from vault/internal/tokens/errors.go rename to runeconsole/internal/tokens/errors.go diff --git a/vault/internal/tokens/ratelimit.go b/runeconsole/internal/tokens/ratelimit.go similarity index 100% rename from vault/internal/tokens/ratelimit.go rename to runeconsole/internal/tokens/ratelimit.go diff --git a/vault/internal/tokens/ratelimit_test.go b/runeconsole/internal/tokens/ratelimit_test.go similarity index 100% rename from vault/internal/tokens/ratelimit_test.go rename to runeconsole/internal/tokens/ratelimit_test.go diff --git a/vault/internal/tokens/role.go b/runeconsole/internal/tokens/role.go similarity index 100% rename from vault/internal/tokens/role.go rename to runeconsole/internal/tokens/role.go diff --git a/vault/internal/tokens/store.go b/runeconsole/internal/tokens/store.go similarity index 100% rename from vault/internal/tokens/store.go rename to runeconsole/internal/tokens/store.go diff --git a/vault/internal/tokens/store_test.go b/runeconsole/internal/tokens/store_test.go similarity index 100% rename from vault/internal/tokens/store_test.go rename to runeconsole/internal/tokens/store_test.go diff --git a/vault/internal/tokens/token.go b/runeconsole/internal/tokens/token.go similarity index 100% rename from vault/internal/tokens/token.go rename to runeconsole/internal/tokens/token.go diff --git a/vault/pkg/vaultpb/vault_service.pb.go b/runeconsole/pkg/consolepb/service.pb.go similarity index 76% rename from vault/pkg/vaultpb/vault_service.pb.go rename to runeconsole/pkg/consolepb/service.pb.go index 7528bd8..f422ccf 100644 --- a/vault/pkg/vaultpb/vault_service.pb.go +++ b/runeconsole/pkg/consolepb/service.pb.go @@ -2,9 +2,9 @@ // versions: // protoc-gen-go v1.36.11 // protoc (unknown) -// source: vault_service.proto +// source: service.proto -package vaultpb +package consolepb import ( _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate" @@ -32,7 +32,7 @@ type GetAgentManifestRequest struct { func (x *GetAgentManifestRequest) Reset() { *x = GetAgentManifestRequest{} - mi := &file_vault_service_proto_msgTypes[0] + mi := &file_service_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -44,7 +44,7 @@ func (x *GetAgentManifestRequest) String() string { func (*GetAgentManifestRequest) ProtoMessage() {} func (x *GetAgentManifestRequest) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[0] + mi := &file_service_proto_msgTypes[0] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -57,7 +57,7 @@ func (x *GetAgentManifestRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetAgentManifestRequest.ProtoReflect.Descriptor instead. func (*GetAgentManifestRequest) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{0} + return file_service_proto_rawDescGZIP(), []int{0} } func (x *GetAgentManifestRequest) GetToken() string { @@ -85,7 +85,7 @@ type GetAgentManifestResponse struct { func (x *GetAgentManifestResponse) Reset() { *x = GetAgentManifestResponse{} - mi := &file_vault_service_proto_msgTypes[1] + mi := &file_service_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -97,7 +97,7 @@ func (x *GetAgentManifestResponse) String() string { func (*GetAgentManifestResponse) ProtoMessage() {} func (x *GetAgentManifestResponse) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[1] + mi := &file_service_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -110,7 +110,7 @@ func (x *GetAgentManifestResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use GetAgentManifestResponse.ProtoReflect.Descriptor instead. func (*GetAgentManifestResponse) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{1} + return file_service_proto_rawDescGZIP(), []int{1} } func (x *GetAgentManifestResponse) GetManifestJson() string { @@ -132,7 +132,7 @@ type InsertRequest struct { // Auth token. Required, fixed 36 chars. Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` // Sealed metadata envelope ({"a","c"}), client-sealed with agent_dek. - // Stored verbatim; the vault does not open or re-seal it on insert. + // Stored verbatim; the console does not open or re-seal it on insert. Metadata string `protobuf:"bytes,3,opt,name=metadata,proto3" json:"metadata,omitempty"` // Client-generated opaque UUID. Required: retries at any hop reuse it so // a re-insert is an idempotent no-op. @@ -151,7 +151,7 @@ type InsertRequest struct { func (x *InsertRequest) Reset() { *x = InsertRequest{} - mi := &file_vault_service_proto_msgTypes[2] + mi := &file_service_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -163,7 +163,7 @@ func (x *InsertRequest) String() string { func (*InsertRequest) ProtoMessage() {} func (x *InsertRequest) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[2] + mi := &file_service_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -176,7 +176,7 @@ func (x *InsertRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use InsertRequest.ProtoReflect.Descriptor instead. func (*InsertRequest) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{2} + return file_service_proto_rawDescGZIP(), []int{2} } func (x *InsertRequest) GetToken() string { @@ -238,7 +238,7 @@ type InsertResponse struct { func (x *InsertResponse) Reset() { *x = InsertResponse{} - mi := &file_vault_service_proto_msgTypes[3] + mi := &file_service_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -250,7 +250,7 @@ func (x *InsertResponse) String() string { func (*InsertResponse) ProtoMessage() {} func (x *InsertResponse) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[3] + mi := &file_service_proto_msgTypes[3] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -263,7 +263,7 @@ func (x *InsertResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use InsertResponse.ProtoReflect.Descriptor instead. func (*InsertResponse) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{3} + return file_service_proto_rawDescGZIP(), []int{3} } func (x *InsertResponse) GetId() string { @@ -294,7 +294,7 @@ type SearchRequest struct { func (x *SearchRequest) Reset() { *x = SearchRequest{} - mi := &file_vault_service_proto_msgTypes[4] + mi := &file_service_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -306,7 +306,7 @@ func (x *SearchRequest) String() string { func (*SearchRequest) ProtoMessage() {} func (x *SearchRequest) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[4] + mi := &file_service_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -319,7 +319,7 @@ func (x *SearchRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use SearchRequest.ProtoReflect.Descriptor instead. func (*SearchRequest) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{4} + return file_service_proto_rawDescGZIP(), []int{4} } func (x *SearchRequest) GetToken() string { @@ -347,14 +347,14 @@ type SearchHit struct { state protoimpl.MessageState `protogen:"open.v1"` Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` Score float64 `protobuf:"fixed64,2,opt,name=score,proto3" json:"score,omitempty"` - Metadata string `protobuf:"bytes,3,opt,name=metadata,proto3" json:"metadata,omitempty"` // plaintext JSON (vault opened the agent_dek envelope) + Metadata string `protobuf:"bytes,3,opt,name=metadata,proto3" json:"metadata,omitempty"` // plaintext JSON (console opened the agent_dek envelope) unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *SearchHit) Reset() { *x = SearchHit{} - mi := &file_vault_service_proto_msgTypes[5] + mi := &file_service_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -366,7 +366,7 @@ func (x *SearchHit) String() string { func (*SearchHit) ProtoMessage() {} func (x *SearchHit) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[5] + mi := &file_service_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -379,7 +379,7 @@ func (x *SearchHit) ProtoReflect() protoreflect.Message { // Deprecated: Use SearchHit.ProtoReflect.Descriptor instead. func (*SearchHit) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{5} + return file_service_proto_rawDescGZIP(), []int{5} } func (x *SearchHit) GetId() string { @@ -413,7 +413,7 @@ type SearchResponse struct { func (x *SearchResponse) Reset() { *x = SearchResponse{} - mi := &file_vault_service_proto_msgTypes[6] + mi := &file_service_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -425,7 +425,7 @@ func (x *SearchResponse) String() string { func (*SearchResponse) ProtoMessage() {} func (x *SearchResponse) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[6] + mi := &file_service_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -438,7 +438,7 @@ func (x *SearchResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use SearchResponse.ProtoReflect.Descriptor instead. func (*SearchResponse) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{6} + return file_service_proto_rawDescGZIP(), []int{6} } func (x *SearchResponse) GetHits() []*SearchHit { @@ -465,7 +465,7 @@ type GetCentroidsRequest struct { func (x *GetCentroidsRequest) Reset() { *x = GetCentroidsRequest{} - mi := &file_vault_service_proto_msgTypes[7] + mi := &file_service_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -477,7 +477,7 @@ func (x *GetCentroidsRequest) String() string { func (*GetCentroidsRequest) ProtoMessage() {} func (x *GetCentroidsRequest) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[7] + mi := &file_service_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -490,7 +490,7 @@ func (x *GetCentroidsRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetCentroidsRequest.ProtoReflect.Descriptor instead. func (*GetCentroidsRequest) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{7} + return file_service_proto_rawDescGZIP(), []int{7} } func (x *GetCentroidsRequest) GetToken() string { @@ -513,7 +513,7 @@ type CentroidChunk struct { func (x *CentroidChunk) Reset() { *x = CentroidChunk{} - mi := &file_vault_service_proto_msgTypes[8] + mi := &file_service_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -525,7 +525,7 @@ func (x *CentroidChunk) String() string { func (*CentroidChunk) ProtoMessage() {} func (x *CentroidChunk) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[8] + mi := &file_service_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -538,7 +538,7 @@ func (x *CentroidChunk) ProtoReflect() protoreflect.Message { // Deprecated: Use CentroidChunk.ProtoReflect.Descriptor instead. func (*CentroidChunk) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{8} + return file_service_proto_rawDescGZIP(), []int{8} } func (x *CentroidChunk) GetPayload() isCentroidChunk_Payload { @@ -597,7 +597,7 @@ type CentroidSetHeader struct { func (x *CentroidSetHeader) Reset() { *x = CentroidSetHeader{} - mi := &file_vault_service_proto_msgTypes[9] + mi := &file_service_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -609,7 +609,7 @@ func (x *CentroidSetHeader) String() string { func (*CentroidSetHeader) ProtoMessage() {} func (x *CentroidSetHeader) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[9] + mi := &file_service_proto_msgTypes[9] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -622,7 +622,7 @@ func (x *CentroidSetHeader) ProtoReflect() protoreflect.Message { // Deprecated: Use CentroidSetHeader.ProtoReflect.Descriptor instead. func (*CentroidSetHeader) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{9} + return file_service_proto_rawDescGZIP(), []int{9} } func (x *CentroidSetHeader) GetVersion() string { @@ -662,7 +662,7 @@ type CentroidBatch struct { func (x *CentroidBatch) Reset() { *x = CentroidBatch{} - mi := &file_vault_service_proto_msgTypes[10] + mi := &file_service_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -674,7 +674,7 @@ func (x *CentroidBatch) String() string { func (*CentroidBatch) ProtoMessage() {} func (x *CentroidBatch) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[10] + mi := &file_service_proto_msgTypes[10] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -687,7 +687,7 @@ func (x *CentroidBatch) ProtoReflect() protoreflect.Message { // Deprecated: Use CentroidBatch.ProtoReflect.Descriptor instead. func (*CentroidBatch) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{10} + return file_service_proto_rawDescGZIP(), []int{10} } func (x *CentroidBatch) GetCentroids() []*Centroid { @@ -707,7 +707,7 @@ type Centroid struct { func (x *Centroid) Reset() { *x = Centroid{} - mi := &file_vault_service_proto_msgTypes[11] + mi := &file_service_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -719,7 +719,7 @@ func (x *Centroid) String() string { func (*Centroid) ProtoMessage() {} func (x *Centroid) ProtoReflect() protoreflect.Message { - mi := &file_vault_service_proto_msgTypes[11] + mi := &file_service_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -732,7 +732,7 @@ func (x *Centroid) ProtoReflect() protoreflect.Message { // Deprecated: Use Centroid.ProtoReflect.Descriptor instead. func (*Centroid) Descriptor() ([]byte, []int) { - return file_vault_service_proto_rawDescGZIP(), []int{11} + return file_service_proto_rawDescGZIP(), []int{11} } func (x *Centroid) GetId() uint32 { @@ -749,11 +749,11 @@ func (x *Centroid) GetVec() []float32 { return nil } -var File_vault_service_proto protoreflect.FileDescriptor +var File_service_proto protoreflect.FileDescriptor -const file_vault_service_proto_rawDesc = "" + +const file_service_proto_rawDesc = "" + "\n" + - "\x13vault_service.proto\x12\rrune.vault.v1\x1a\x1bbuf/validate/validate.proto\":\n" + + "\rservice.proto\x12\x0frune.console.v1\x1a\x1bbuf/validate/validate.proto\":\n" + "\x17GetAgentManifestRequest\x12\x1f\n" + "\x05token\x18\x01 \x01(\tB\t\xbaH\x06r\x04\x10$\x18$R\x05token\"U\n" + "\x18GetAgentManifestResponse\x12#\n" + @@ -779,72 +779,72 @@ const file_vault_service_proto_rawDesc = "" + "\tSearchHit\x12\x0e\n" + "\x02id\x18\x01 \x01(\tR\x02id\x12\x14\n" + "\x05score\x18\x02 \x01(\x01R\x05score\x12\x1a\n" + - "\bmetadata\x18\x03 \x01(\tR\bmetadata\"T\n" + - "\x0eSearchResponse\x12,\n" + - "\x04hits\x18\x01 \x03(\v2\x18.rune.vault.v1.SearchHitR\x04hits\x12\x14\n" + + "\bmetadata\x18\x03 \x01(\tR\bmetadata\"V\n" + + "\x0eSearchResponse\x12.\n" + + "\x04hits\x18\x01 \x03(\v2\x1a.rune.console.v1.SearchHitR\x04hits\x12\x14\n" + "\x05error\x18\x02 \x01(\tR\x05error\"6\n" + "\x13GetCentroidsRequest\x12\x1f\n" + - "\x05token\x18\x01 \x01(\tB\t\xbaH\x06r\x04\x10$\x18$R\x05token\"\x8c\x01\n" + - "\rCentroidChunk\x12:\n" + - "\x06header\x18\x01 \x01(\v2 .rune.vault.v1.CentroidSetHeaderH\x00R\x06header\x124\n" + - "\x05batch\x18\x02 \x01(\v2\x1c.rune.vault.v1.CentroidBatchH\x00R\x05batchB\t\n" + + "\x05token\x18\x01 \x01(\tB\t\xbaH\x06r\x04\x10$\x18$R\x05token\"\x90\x01\n" + + "\rCentroidChunk\x12<\n" + + "\x06header\x18\x01 \x01(\v2\".rune.console.v1.CentroidSetHeaderH\x00R\x06header\x126\n" + + "\x05batch\x18\x02 \x01(\v2\x1e.rune.console.v1.CentroidBatchH\x00R\x05batchB\t\n" + "\apayload\"m\n" + "\x11CentroidSetHeader\x12\x18\n" + "\aversion\x18\x01 \x01(\tR\aversion\x12\x10\n" + "\x03dim\x18\x02 \x01(\rR\x03dim\x12\x14\n" + "\x05nlist\x18\x03 \x01(\rR\x05nlist\x12\x16\n" + - "\x06preset\x18\x04 \x01(\tR\x06preset\"F\n" + - "\rCentroidBatch\x125\n" + - "\tcentroids\x18\x01 \x03(\v2\x17.rune.vault.v1.CentroidR\tcentroids\"0\n" + + "\x06preset\x18\x04 \x01(\tR\x06preset\"H\n" + + "\rCentroidBatch\x127\n" + + "\tcentroids\x18\x01 \x03(\v2\x19.rune.console.v1.CentroidR\tcentroids\"0\n" + "\bCentroid\x12\x0e\n" + "\x02id\x18\x01 \x01(\rR\x02id\x12\x14\n" + - "\x03vec\x18\x02 \x03(\x02B\x02\x10\x01R\x03vec2\xd5\x02\n" + - "\fVaultService\x12c\n" + - "\x10GetAgentManifest\x12&.rune.vault.v1.GetAgentManifestRequest\x1a'.rune.vault.v1.GetAgentManifestResponse\x12E\n" + - "\x06Insert\x12\x1c.rune.vault.v1.InsertRequest\x1a\x1d.rune.vault.v1.InsertResponse\x12E\n" + - "\x06Search\x12\x1c.rune.vault.v1.SearchRequest\x1a\x1d.rune.vault.v1.SearchResponse\x12R\n" + - "\fGetCentroids\x12\".rune.vault.v1.GetCentroidsRequest\x1a\x1c.rune.vault.v1.CentroidChunk0\x01b\x06proto3" + "\x03vec\x18\x02 \x03(\x02B\x02\x10\x01R\x03vec2\xe7\x02\n" + + "\x0eConsoleService\x12g\n" + + "\x10GetAgentManifest\x12(.rune.console.v1.GetAgentManifestRequest\x1a).rune.console.v1.GetAgentManifestResponse\x12I\n" + + "\x06Insert\x12\x1e.rune.console.v1.InsertRequest\x1a\x1f.rune.console.v1.InsertResponse\x12I\n" + + "\x06Search\x12\x1e.rune.console.v1.SearchRequest\x1a\x1f.rune.console.v1.SearchResponse\x12V\n" + + "\fGetCentroids\x12$.rune.console.v1.GetCentroidsRequest\x1a\x1e.rune.console.v1.CentroidChunk0\x01b\x06proto3" var ( - file_vault_service_proto_rawDescOnce sync.Once - file_vault_service_proto_rawDescData []byte + file_service_proto_rawDescOnce sync.Once + file_service_proto_rawDescData []byte ) -func file_vault_service_proto_rawDescGZIP() []byte { - file_vault_service_proto_rawDescOnce.Do(func() { - file_vault_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_vault_service_proto_rawDesc), len(file_vault_service_proto_rawDesc))) +func file_service_proto_rawDescGZIP() []byte { + file_service_proto_rawDescOnce.Do(func() { + file_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_service_proto_rawDesc), len(file_service_proto_rawDesc))) }) - return file_vault_service_proto_rawDescData -} - -var file_vault_service_proto_msgTypes = make([]protoimpl.MessageInfo, 12) -var file_vault_service_proto_goTypes = []any{ - (*GetAgentManifestRequest)(nil), // 0: rune.vault.v1.GetAgentManifestRequest - (*GetAgentManifestResponse)(nil), // 1: rune.vault.v1.GetAgentManifestResponse - (*InsertRequest)(nil), // 2: rune.vault.v1.InsertRequest - (*InsertResponse)(nil), // 3: rune.vault.v1.InsertResponse - (*SearchRequest)(nil), // 4: rune.vault.v1.SearchRequest - (*SearchHit)(nil), // 5: rune.vault.v1.SearchHit - (*SearchResponse)(nil), // 6: rune.vault.v1.SearchResponse - (*GetCentroidsRequest)(nil), // 7: rune.vault.v1.GetCentroidsRequest - (*CentroidChunk)(nil), // 8: rune.vault.v1.CentroidChunk - (*CentroidSetHeader)(nil), // 9: rune.vault.v1.CentroidSetHeader - (*CentroidBatch)(nil), // 10: rune.vault.v1.CentroidBatch - (*Centroid)(nil), // 11: rune.vault.v1.Centroid -} -var file_vault_service_proto_depIdxs = []int32{ - 5, // 0: rune.vault.v1.SearchResponse.hits:type_name -> rune.vault.v1.SearchHit - 9, // 1: rune.vault.v1.CentroidChunk.header:type_name -> rune.vault.v1.CentroidSetHeader - 10, // 2: rune.vault.v1.CentroidChunk.batch:type_name -> rune.vault.v1.CentroidBatch - 11, // 3: rune.vault.v1.CentroidBatch.centroids:type_name -> rune.vault.v1.Centroid - 0, // 4: rune.vault.v1.VaultService.GetAgentManifest:input_type -> rune.vault.v1.GetAgentManifestRequest - 2, // 5: rune.vault.v1.VaultService.Insert:input_type -> rune.vault.v1.InsertRequest - 4, // 6: rune.vault.v1.VaultService.Search:input_type -> rune.vault.v1.SearchRequest - 7, // 7: rune.vault.v1.VaultService.GetCentroids:input_type -> rune.vault.v1.GetCentroidsRequest - 1, // 8: rune.vault.v1.VaultService.GetAgentManifest:output_type -> rune.vault.v1.GetAgentManifestResponse - 3, // 9: rune.vault.v1.VaultService.Insert:output_type -> rune.vault.v1.InsertResponse - 6, // 10: rune.vault.v1.VaultService.Search:output_type -> rune.vault.v1.SearchResponse - 8, // 11: rune.vault.v1.VaultService.GetCentroids:output_type -> rune.vault.v1.CentroidChunk + return file_service_proto_rawDescData +} + +var file_service_proto_msgTypes = make([]protoimpl.MessageInfo, 12) +var file_service_proto_goTypes = []any{ + (*GetAgentManifestRequest)(nil), // 0: rune.console.v1.GetAgentManifestRequest + (*GetAgentManifestResponse)(nil), // 1: rune.console.v1.GetAgentManifestResponse + (*InsertRequest)(nil), // 2: rune.console.v1.InsertRequest + (*InsertResponse)(nil), // 3: rune.console.v1.InsertResponse + (*SearchRequest)(nil), // 4: rune.console.v1.SearchRequest + (*SearchHit)(nil), // 5: rune.console.v1.SearchHit + (*SearchResponse)(nil), // 6: rune.console.v1.SearchResponse + (*GetCentroidsRequest)(nil), // 7: rune.console.v1.GetCentroidsRequest + (*CentroidChunk)(nil), // 8: rune.console.v1.CentroidChunk + (*CentroidSetHeader)(nil), // 9: rune.console.v1.CentroidSetHeader + (*CentroidBatch)(nil), // 10: rune.console.v1.CentroidBatch + (*Centroid)(nil), // 11: rune.console.v1.Centroid +} +var file_service_proto_depIdxs = []int32{ + 5, // 0: rune.console.v1.SearchResponse.hits:type_name -> rune.console.v1.SearchHit + 9, // 1: rune.console.v1.CentroidChunk.header:type_name -> rune.console.v1.CentroidSetHeader + 10, // 2: rune.console.v1.CentroidChunk.batch:type_name -> rune.console.v1.CentroidBatch + 11, // 3: rune.console.v1.CentroidBatch.centroids:type_name -> rune.console.v1.Centroid + 0, // 4: rune.console.v1.ConsoleService.GetAgentManifest:input_type -> rune.console.v1.GetAgentManifestRequest + 2, // 5: rune.console.v1.ConsoleService.Insert:input_type -> rune.console.v1.InsertRequest + 4, // 6: rune.console.v1.ConsoleService.Search:input_type -> rune.console.v1.SearchRequest + 7, // 7: rune.console.v1.ConsoleService.GetCentroids:input_type -> rune.console.v1.GetCentroidsRequest + 1, // 8: rune.console.v1.ConsoleService.GetAgentManifest:output_type -> rune.console.v1.GetAgentManifestResponse + 3, // 9: rune.console.v1.ConsoleService.Insert:output_type -> rune.console.v1.InsertResponse + 6, // 10: rune.console.v1.ConsoleService.Search:output_type -> rune.console.v1.SearchResponse + 8, // 11: rune.console.v1.ConsoleService.GetCentroids:output_type -> rune.console.v1.CentroidChunk 8, // [8:12] is the sub-list for method output_type 4, // [4:8] is the sub-list for method input_type 4, // [4:4] is the sub-list for extension type_name @@ -852,12 +852,12 @@ var file_vault_service_proto_depIdxs = []int32{ 0, // [0:4] is the sub-list for field type_name } -func init() { file_vault_service_proto_init() } -func file_vault_service_proto_init() { - if File_vault_service_proto != nil { +func init() { file_service_proto_init() } +func file_service_proto_init() { + if File_service_proto != nil { return } - file_vault_service_proto_msgTypes[8].OneofWrappers = []any{ + file_service_proto_msgTypes[8].OneofWrappers = []any{ (*CentroidChunk_Header)(nil), (*CentroidChunk_Batch)(nil), } @@ -865,17 +865,17 @@ func file_vault_service_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: unsafe.Slice(unsafe.StringData(file_vault_service_proto_rawDesc), len(file_vault_service_proto_rawDesc)), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_service_proto_rawDesc), len(file_service_proto_rawDesc)), NumEnums: 0, NumMessages: 12, NumExtensions: 0, NumServices: 1, }, - GoTypes: file_vault_service_proto_goTypes, - DependencyIndexes: file_vault_service_proto_depIdxs, - MessageInfos: file_vault_service_proto_msgTypes, + GoTypes: file_service_proto_goTypes, + DependencyIndexes: file_service_proto_depIdxs, + MessageInfos: file_service_proto_msgTypes, }.Build() - File_vault_service_proto = out.File - file_vault_service_proto_goTypes = nil - file_vault_service_proto_depIdxs = nil + File_service_proto = out.File + file_service_proto_goTypes = nil + file_service_proto_depIdxs = nil } diff --git a/vault/pkg/vaultpb/vault_service_grpc.pb.go b/runeconsole/pkg/consolepb/service_grpc.pb.go similarity index 54% rename from vault/pkg/vaultpb/vault_service_grpc.pb.go rename to runeconsole/pkg/consolepb/service_grpc.pb.go index b807d09..586baa4 100644 --- a/vault/pkg/vaultpb/vault_service_grpc.pb.go +++ b/runeconsole/pkg/consolepb/service_grpc.pb.go @@ -2,9 +2,9 @@ // versions: // - protoc-gen-go-grpc v1.6.2 // - protoc (unknown) -// source: vault_service.proto +// source: service.proto -package vaultpb +package consolepb import ( context "context" @@ -19,33 +19,33 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - VaultService_GetAgentManifest_FullMethodName = "/rune.vault.v1.VaultService/GetAgentManifest" - VaultService_Insert_FullMethodName = "/rune.vault.v1.VaultService/Insert" - VaultService_Search_FullMethodName = "/rune.vault.v1.VaultService/Search" - VaultService_GetCentroids_FullMethodName = "/rune.vault.v1.VaultService/GetCentroids" + ConsoleService_GetAgentManifest_FullMethodName = "/rune.console.v1.ConsoleService/GetAgentManifest" + ConsoleService_Insert_FullMethodName = "/rune.console.v1.ConsoleService/Insert" + ConsoleService_Search_FullMethodName = "/rune.console.v1.ConsoleService/Search" + ConsoleService_GetCentroids_FullMethodName = "/rune.console.v1.ConsoleService/GetCentroids" ) -// VaultServiceClient is the client API for VaultService service. +// ConsoleServiceClient is the client API for ConsoleService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. // -// Rune-Vault gRPC service. -// The vault generates and custodies the FHE key set. The PUBLIC EncKey and +// Rune-console gRPC service. +// The console generates and custodies the FHE key set. The PUBLIC EncKey and // the caller's derived agent_dek are handed to rune-mcp via GetAgentManifest // so capture encryption/sealing happens on the developer machine; SecKey, -// EvalKey, and team_secret never leave this server. The vault is the SOLE +// EvalKey, and team_secret never leave this server. The console is the SOLE // runespace client — rune-mcp talks only to this service and forwards // ciphertext through it. -type VaultServiceClient interface { +type ConsoleServiceClient interface { // Returns the agent manifest: EncKey (RMP+MM, public), the caller's // agent_dek, index config, centroid_set_version, and capability flags. GetAgentManifest(ctx context.Context, in *GetAgentManifestRequest, opts ...grpc.CallOption) (*GetAgentManifestResponse, error) // Capture write: forward a client-encrypted item (EncryptFlat + // EncryptClustered blobs, plaintext cluster routing, sealed metadata) - // verbatim to runespace. The vault sees no plaintext content. + // verbatim to runespace. The console sees no plaintext content. Insert(ctx context.Context, in *InsertRequest, opts ...grpc.CallOption) (*InsertResponse, error) // Blind vector search over runespace (recall + capture-time novelty check). - // The plaintext query is sent to runespace (PCMM); the vault decrypts the + // The plaintext query is sent to runespace (PCMM); the console decrypts the // score blobs (SecKey), ranks, resolves and opens metadata (agent_dek), and // returns ranked plaintext hits. Search(ctx context.Context, in *SearchRequest, opts ...grpc.CallOption) (*SearchResponse, error) @@ -55,47 +55,47 @@ type VaultServiceClient interface { GetCentroids(ctx context.Context, in *GetCentroidsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[CentroidChunk], error) } -type vaultServiceClient struct { +type consoleServiceClient struct { cc grpc.ClientConnInterface } -func NewVaultServiceClient(cc grpc.ClientConnInterface) VaultServiceClient { - return &vaultServiceClient{cc} +func NewConsoleServiceClient(cc grpc.ClientConnInterface) ConsoleServiceClient { + return &consoleServiceClient{cc} } -func (c *vaultServiceClient) GetAgentManifest(ctx context.Context, in *GetAgentManifestRequest, opts ...grpc.CallOption) (*GetAgentManifestResponse, error) { +func (c *consoleServiceClient) GetAgentManifest(ctx context.Context, in *GetAgentManifestRequest, opts ...grpc.CallOption) (*GetAgentManifestResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(GetAgentManifestResponse) - err := c.cc.Invoke(ctx, VaultService_GetAgentManifest_FullMethodName, in, out, cOpts...) + err := c.cc.Invoke(ctx, ConsoleService_GetAgentManifest_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *vaultServiceClient) Insert(ctx context.Context, in *InsertRequest, opts ...grpc.CallOption) (*InsertResponse, error) { +func (c *consoleServiceClient) Insert(ctx context.Context, in *InsertRequest, opts ...grpc.CallOption) (*InsertResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(InsertResponse) - err := c.cc.Invoke(ctx, VaultService_Insert_FullMethodName, in, out, cOpts...) + err := c.cc.Invoke(ctx, ConsoleService_Insert_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *vaultServiceClient) Search(ctx context.Context, in *SearchRequest, opts ...grpc.CallOption) (*SearchResponse, error) { +func (c *consoleServiceClient) Search(ctx context.Context, in *SearchRequest, opts ...grpc.CallOption) (*SearchResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(SearchResponse) - err := c.cc.Invoke(ctx, VaultService_Search_FullMethodName, in, out, cOpts...) + err := c.cc.Invoke(ctx, ConsoleService_Search_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } return out, nil } -func (c *vaultServiceClient) GetCentroids(ctx context.Context, in *GetCentroidsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[CentroidChunk], error) { +func (c *consoleServiceClient) GetCentroids(ctx context.Context, in *GetCentroidsRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[CentroidChunk], error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - stream, err := c.cc.NewStream(ctx, &VaultService_ServiceDesc.Streams[0], VaultService_GetCentroids_FullMethodName, cOpts...) + stream, err := c.cc.NewStream(ctx, &ConsoleService_ServiceDesc.Streams[0], ConsoleService_GetCentroids_FullMethodName, cOpts...) if err != nil { return nil, err } @@ -110,29 +110,29 @@ func (c *vaultServiceClient) GetCentroids(ctx context.Context, in *GetCentroidsR } // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. -type VaultService_GetCentroidsClient = grpc.ServerStreamingClient[CentroidChunk] +type ConsoleService_GetCentroidsClient = grpc.ServerStreamingClient[CentroidChunk] -// VaultServiceServer is the server API for VaultService service. -// All implementations must embed UnimplementedVaultServiceServer +// ConsoleServiceServer is the server API for ConsoleService service. +// All implementations must embed UnimplementedConsoleServiceServer // for forward compatibility. // -// Rune-Vault gRPC service. -// The vault generates and custodies the FHE key set. The PUBLIC EncKey and +// Rune-console gRPC service. +// The console generates and custodies the FHE key set. The PUBLIC EncKey and // the caller's derived agent_dek are handed to rune-mcp via GetAgentManifest // so capture encryption/sealing happens on the developer machine; SecKey, -// EvalKey, and team_secret never leave this server. The vault is the SOLE +// EvalKey, and team_secret never leave this server. The console is the SOLE // runespace client — rune-mcp talks only to this service and forwards // ciphertext through it. -type VaultServiceServer interface { +type ConsoleServiceServer interface { // Returns the agent manifest: EncKey (RMP+MM, public), the caller's // agent_dek, index config, centroid_set_version, and capability flags. GetAgentManifest(context.Context, *GetAgentManifestRequest) (*GetAgentManifestResponse, error) // Capture write: forward a client-encrypted item (EncryptFlat + // EncryptClustered blobs, plaintext cluster routing, sealed metadata) - // verbatim to runespace. The vault sees no plaintext content. + // verbatim to runespace. The console sees no plaintext content. Insert(context.Context, *InsertRequest) (*InsertResponse, error) // Blind vector search over runespace (recall + capture-time novelty check). - // The plaintext query is sent to runespace (PCMM); the vault decrypts the + // The plaintext query is sent to runespace (PCMM); the console decrypts the // score blobs (SecKey), ranks, resolves and opens metadata (agent_dek), and // returns ranked plaintext hits. Search(context.Context, *SearchRequest) (*SearchResponse, error) @@ -140,140 +140,140 @@ type VaultServiceServer interface { // so rune-mcp can push it down to runed for insert routing. Public // structural data — same wire shape as runespace's GetCentroids. GetCentroids(*GetCentroidsRequest, grpc.ServerStreamingServer[CentroidChunk]) error - mustEmbedUnimplementedVaultServiceServer() + mustEmbedUnimplementedConsoleServiceServer() } -// UnimplementedVaultServiceServer must be embedded to have +// UnimplementedConsoleServiceServer must be embedded to have // forward compatible implementations. // // NOTE: this should be embedded by value instead of pointer to avoid a nil // pointer dereference when methods are called. -type UnimplementedVaultServiceServer struct{} +type UnimplementedConsoleServiceServer struct{} -func (UnimplementedVaultServiceServer) GetAgentManifest(context.Context, *GetAgentManifestRequest) (*GetAgentManifestResponse, error) { +func (UnimplementedConsoleServiceServer) GetAgentManifest(context.Context, *GetAgentManifestRequest) (*GetAgentManifestResponse, error) { return nil, status.Error(codes.Unimplemented, "method GetAgentManifest not implemented") } -func (UnimplementedVaultServiceServer) Insert(context.Context, *InsertRequest) (*InsertResponse, error) { +func (UnimplementedConsoleServiceServer) Insert(context.Context, *InsertRequest) (*InsertResponse, error) { return nil, status.Error(codes.Unimplemented, "method Insert not implemented") } -func (UnimplementedVaultServiceServer) Search(context.Context, *SearchRequest) (*SearchResponse, error) { +func (UnimplementedConsoleServiceServer) Search(context.Context, *SearchRequest) (*SearchResponse, error) { return nil, status.Error(codes.Unimplemented, "method Search not implemented") } -func (UnimplementedVaultServiceServer) GetCentroids(*GetCentroidsRequest, grpc.ServerStreamingServer[CentroidChunk]) error { +func (UnimplementedConsoleServiceServer) GetCentroids(*GetCentroidsRequest, grpc.ServerStreamingServer[CentroidChunk]) error { return status.Error(codes.Unimplemented, "method GetCentroids not implemented") } -func (UnimplementedVaultServiceServer) mustEmbedUnimplementedVaultServiceServer() {} -func (UnimplementedVaultServiceServer) testEmbeddedByValue() {} +func (UnimplementedConsoleServiceServer) mustEmbedUnimplementedConsoleServiceServer() {} +func (UnimplementedConsoleServiceServer) testEmbeddedByValue() {} -// UnsafeVaultServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to VaultServiceServer will +// UnsafeConsoleServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to ConsoleServiceServer will // result in compilation errors. -type UnsafeVaultServiceServer interface { - mustEmbedUnimplementedVaultServiceServer() +type UnsafeConsoleServiceServer interface { + mustEmbedUnimplementedConsoleServiceServer() } -func RegisterVaultServiceServer(s grpc.ServiceRegistrar, srv VaultServiceServer) { - // If the following call panics, it indicates UnimplementedVaultServiceServer was +func RegisterConsoleServiceServer(s grpc.ServiceRegistrar, srv ConsoleServiceServer) { + // If the following call panics, it indicates UnimplementedConsoleServiceServer was // embedded by pointer and is nil. This will cause panics if an // unimplemented method is ever invoked, so we test this at initialization // time to prevent it from happening at runtime later due to I/O. if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { t.testEmbeddedByValue() } - s.RegisterService(&VaultService_ServiceDesc, srv) + s.RegisterService(&ConsoleService_ServiceDesc, srv) } -func _VaultService_GetAgentManifest_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { +func _ConsoleService_GetAgentManifest_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(GetAgentManifestRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(VaultServiceServer).GetAgentManifest(ctx, in) + return srv.(ConsoleServiceServer).GetAgentManifest(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: VaultService_GetAgentManifest_FullMethodName, + FullMethod: ConsoleService_GetAgentManifest_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(VaultServiceServer).GetAgentManifest(ctx, req.(*GetAgentManifestRequest)) + return srv.(ConsoleServiceServer).GetAgentManifest(ctx, req.(*GetAgentManifestRequest)) } return interceptor(ctx, in, info, handler) } -func _VaultService_Insert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { +func _ConsoleService_Insert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(InsertRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(VaultServiceServer).Insert(ctx, in) + return srv.(ConsoleServiceServer).Insert(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: VaultService_Insert_FullMethodName, + FullMethod: ConsoleService_Insert_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(VaultServiceServer).Insert(ctx, req.(*InsertRequest)) + return srv.(ConsoleServiceServer).Insert(ctx, req.(*InsertRequest)) } return interceptor(ctx, in, info, handler) } -func _VaultService_Search_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { +func _ConsoleService_Search_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(SearchRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(VaultServiceServer).Search(ctx, in) + return srv.(ConsoleServiceServer).Search(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: VaultService_Search_FullMethodName, + FullMethod: ConsoleService_Search_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(VaultServiceServer).Search(ctx, req.(*SearchRequest)) + return srv.(ConsoleServiceServer).Search(ctx, req.(*SearchRequest)) } return interceptor(ctx, in, info, handler) } -func _VaultService_GetCentroids_Handler(srv interface{}, stream grpc.ServerStream) error { +func _ConsoleService_GetCentroids_Handler(srv interface{}, stream grpc.ServerStream) error { m := new(GetCentroidsRequest) if err := stream.RecvMsg(m); err != nil { return err } - return srv.(VaultServiceServer).GetCentroids(m, &grpc.GenericServerStream[GetCentroidsRequest, CentroidChunk]{ServerStream: stream}) + return srv.(ConsoleServiceServer).GetCentroids(m, &grpc.GenericServerStream[GetCentroidsRequest, CentroidChunk]{ServerStream: stream}) } // This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name. -type VaultService_GetCentroidsServer = grpc.ServerStreamingServer[CentroidChunk] +type ConsoleService_GetCentroidsServer = grpc.ServerStreamingServer[CentroidChunk] -// VaultService_ServiceDesc is the grpc.ServiceDesc for VaultService service. +// ConsoleService_ServiceDesc is the grpc.ServiceDesc for ConsoleService service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) -var VaultService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "rune.vault.v1.VaultService", - HandlerType: (*VaultServiceServer)(nil), +var ConsoleService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "rune.console.v1.ConsoleService", + HandlerType: (*ConsoleServiceServer)(nil), Methods: []grpc.MethodDesc{ { MethodName: "GetAgentManifest", - Handler: _VaultService_GetAgentManifest_Handler, + Handler: _ConsoleService_GetAgentManifest_Handler, }, { MethodName: "Insert", - Handler: _VaultService_Insert_Handler, + Handler: _ConsoleService_Insert_Handler, }, { MethodName: "Search", - Handler: _VaultService_Search_Handler, + Handler: _ConsoleService_Search_Handler, }, }, Streams: []grpc.StreamDesc{ { StreamName: "GetCentroids", - Handler: _VaultService_GetCentroids_Handler, + Handler: _ConsoleService_GetCentroids_Handler, ServerStreams: true, }, }, - Metadata: "vault_service.proto", + Metadata: "service.proto", } diff --git a/vault/proto/vault_service.proto b/runeconsole/proto/service.proto similarity index 89% rename from vault/proto/vault_service.proto rename to runeconsole/proto/service.proto index d892803..2fa7663 100644 --- a/vault/proto/vault_service.proto +++ b/runeconsole/proto/service.proto @@ -1,28 +1,28 @@ syntax = "proto3"; -package rune.vault.v1; +package rune.console.v1; import "buf/validate/validate.proto"; -// Rune-Vault gRPC service. -// The vault generates and custodies the FHE key set. The PUBLIC EncKey and +// Rune-console gRPC service. +// The console generates and custodies the FHE key set. The PUBLIC EncKey and // the caller's derived agent_dek are handed to rune-mcp via GetAgentManifest // so capture encryption/sealing happens on the developer machine; SecKey, -// EvalKey, and team_secret never leave this server. The vault is the SOLE +// EvalKey, and team_secret never leave this server. The console is the SOLE // runespace client — rune-mcp talks only to this service and forwards // ciphertext through it. -service VaultService { +service ConsoleService { // Returns the agent manifest: EncKey (RMP+MM, public), the caller's // agent_dek, index config, centroid_set_version, and capability flags. rpc GetAgentManifest(GetAgentManifestRequest) returns (GetAgentManifestResponse); // Capture write: forward a client-encrypted item (EncryptFlat + // EncryptClustered blobs, plaintext cluster routing, sealed metadata) - // verbatim to runespace. The vault sees no plaintext content. + // verbatim to runespace. The console sees no plaintext content. rpc Insert(InsertRequest) returns (InsertResponse); // Blind vector search over runespace (recall + capture-time novelty check). - // The plaintext query is sent to runespace (PCMM); the vault decrypts the + // The plaintext query is sent to runespace (PCMM); the console decrypts the // score blobs (SecKey), ranks, resolves and opens metadata (agent_dek), and // returns ranked plaintext hits. rpc Search(SearchRequest) returns (SearchResponse); @@ -58,11 +58,11 @@ message InsertRequest { // Auth token. Required, fixed 36 chars. string token = 1 [(buf.validate.field).string = {min_len: 36, max_len: 36}]; // Field 2 was the plaintext embedding of the integration experiment. - // The vault never receives plaintext content anymore. + // The console never receives plaintext content anymore. reserved 2; reserved "vector"; // Sealed metadata envelope ({"a","c"}), client-sealed with agent_dek. - // Stored verbatim; the vault does not open or re-seal it on insert. + // Stored verbatim; the console does not open or re-seal it on insert. string metadata = 3; // Client-generated opaque UUID. Required: retries at any hop reuse it so // a re-insert is an idempotent no-op. @@ -96,7 +96,7 @@ message SearchRequest { message SearchHit { string id = 1; double score = 2; - string metadata = 3; // plaintext JSON (vault opened the agent_dek envelope) + string metadata = 3; // plaintext JSON (console opened the agent_dek envelope) } message SearchResponse { diff --git a/scripts/generate-certs.sh b/scripts/generate-certs.sh index ed98101..2d2ec6c 100755 --- a/scripts/generate-certs.sh +++ b/scripts/generate-certs.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # -# Generate self-signed CA + server certificate for Rune-Vault TLS. +# Generate self-signed CA + server certificate for Rune-console TLS. # # Usage: # ./scripts/generate-certs.sh [output-dir] [hostname] @@ -12,13 +12,13 @@ # /server.key — Server private key # # The certificate SAN automatically includes: -# - localhost, vault, rune-vault, 127.0.0.1 (always) +# - localhost, runeconsole, 127.0.0.1 (always) # - argument (if provided) # - Public IP via ifconfig.me (auto-detected) set -euo pipefail -OUTPUT_DIR="${1:-vault/certs}" +OUTPUT_DIR="${1:-runeconsole/certs}" HOSTNAME="${2:-localhost}" CA_DAYS=3650 # 10 years @@ -43,7 +43,7 @@ openssl req -new -x509 \ -key "$OUTPUT_DIR/ca.key" \ -out "$OUTPUT_DIR/ca.pem" \ -days "$CA_DAYS" \ - -subj "/CN=Rune-Vault CA" \ + -subj "/CN=Rune-console CA" \ -sha256 echo "==> Generating server key (2048-bit)..." @@ -66,9 +66,8 @@ subjectAltName = @alt_names [alt_names] DNS.1 = localhost -DNS.2 = vault -DNS.3 = rune-vault -DNS.4 = ${HOSTNAME} +DNS.2 = runeconsole +DNS.3 = ${HOSTNAME} IP.1 = 127.0.0.1 $([ -n "$PUBLIC_IP" ] && echo "IP.2 = $PUBLIC_IP") EOF @@ -104,6 +103,6 @@ echo " ca.key — CA private key (keep secret)" echo " server.pem — Server certificate" echo " server.key — Server private key" echo "" -SAN_SUMMARY="localhost, vault, rune-vault, ${HOSTNAME}, 127.0.0.1" +SAN_SUMMARY="localhost, runeconsole, ${HOSTNAME}, 127.0.0.1" [ -n "$PUBLIC_IP" ] && SAN_SUMMARY="${SAN_SUMMARY}, ${PUBLIC_IP}" echo "Server cert SANs: ${SAN_SUMMARY}" diff --git a/scripts/generate-test-fixtures.py b/scripts/generate-test-fixtures.py index d09ba69..7cbe409 100644 --- a/scripts/generate-test-fixtures.py +++ b/scripts/generate-test-fixtures.py @@ -7,7 +7,7 @@ to tests/fixtures/ for use in CI without cloud access. Usage: - ENVECTOR_ENDPOINT=... ENVECTOR_API_KEY=... python scripts/generate-test-fixtures.py + RUNESPACE_ENDPOINT=... RUNESPACE_TOKEN=... python scripts/generate-test-fixtures.py """ import base64 @@ -30,10 +30,10 @@ def main(): - endpoint = os.getenv("ENVECTOR_ENDPOINT") - api_key = os.getenv("ENVECTOR_API_KEY") - if not endpoint or not api_key: - print("Error: ENVECTOR_ENDPOINT and ENVECTOR_API_KEY must be set.") + endpoint = os.getenv("RUNESPACE_ENDPOINT") + token = os.getenv("RUNESPACE_TOKEN") + if not endpoint or not token: + print("Error: RUNESPACE_ENDPOINT and RUNESPACE_TOKEN must be set.") sys.exit(1) import pyenvector as ev @@ -68,7 +68,7 @@ def main(): dim=DIM, eval_mode="rmp", auto_key_setup=False, - access_token=api_key, + access_token=token, query_encryption="plain", ) try: @@ -90,7 +90,7 @@ def main(): dim=DIM, eval_mode="rmp", auto_key_setup=True, - access_token=api_key, + access_token=token, query_encryption="plain", ) print(" Connected with fresh keys.") diff --git a/scripts/install-dev.sh b/scripts/install-dev.sh index ef0d58a..098a060 100755 --- a/scripts/install-dev.sh +++ b/scripts/install-dev.sh @@ -1,8 +1,8 @@ #!/usr/bin/env bash # -# Rune-Vault dev installer (sibling of install.sh). +# Rune-console dev installer (sibling of install.sh). # -# Installs the runevault daemon from your local working tree — never from a +# Installs the runeconsole daemon from your local working tree — never from a # published release. Use this to verify in-progress source code on your local # machine or on a CSP VM (AWS, GCP, OCI) before cutting a release. # @@ -11,7 +11,7 @@ # # Options: # --target Install/uninstall target (default: prompt if TTY, else local) -# --install-dir CSP install dir (default: $HOME/rune-vault-) +# --install-dir CSP install dir (default: $HOME/runeconsole-) # --prefix Local-only: rootless test prefix # --non-interactive Skip all prompts; supply secrets via env vars # --uninstall Forward uninstall to install.sh (local or CSP target) @@ -25,36 +25,36 @@ # over SSH after cloud-init finishes. # # Non-interactive env vars (CSP install — operator workstation): -# RUNEVAULT_ENVECTOR_ENDPOINT enVector endpoint URL (required) -# RUNEVAULT_ENVECTOR_API_KEY enVector API key (required) -# RUNEVAULT_TEAM_NAME Team name (required) -# RUNEVAULT_TARGET Pre-select target without interactive menu -# RUNEVAULT_INSTALL_DIR Pre-set CSP install directory -# RUNEVAULT_CSP_REGION Cloud region -# RUNEVAULT_GCP_PROJECT_ID GCP: project ID (required for GCP) -# RUNEVAULT_OCI_COMPARTMENT_ID OCI: compartment OCID (required for OCI) +# RUNECONSOLE_RUNESPACE_ENDPOINT Runespace endpoint URL (required) +# RUNECONSOLE_RUNESPACE_TOKEN Runespace API key (required) +# RUNECONSOLE_TEAM_NAME Team name (required) +# RUNECONSOLE_TARGET Pre-select target without interactive menu +# RUNECONSOLE_INSTALL_DIR Pre-set CSP install directory +# RUNECONSOLE_CSP_REGION Cloud region +# RUNECONSOLE_GCP_PROJECT_ID GCP: project ID (required for GCP) +# RUNECONSOLE_OCI_COMPARTMENT_ID OCI: compartment OCID (required for OCI) set -euo pipefail # ── Constants ────────────────────────────────────────────────────────────────── SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd) REPO_ROOT=$(cd "${SCRIPT_DIR}/.." && pwd) -LOCAL_BINARY_HOST="${REPO_ROOT}/vault/bin/runevault" +LOCAL_BINARY_HOST="${REPO_ROOT}/runeconsole/bin/runeconsole" TARGET_OS=linux TARGET_ARCH=amd64 -LINUX_BINARY="${REPO_ROOT}/vault/bin/runevault-${TARGET_OS}-${TARGET_ARCH}" +LINUX_BINARY="${REPO_ROOT}/runeconsole/bin/runeconsole-${TARGET_OS}-${TARGET_ARCH}" BUILDER_IMAGE="golang:1.26-bookworm" GRPC_PORT=50051 # Overridable by env (mirrors install.sh) -TARGET="${RUNEVAULT_TARGET:-}" -INSTALL_DIR_CSP="${RUNEVAULT_INSTALL_DIR:-}" +TARGET="${RUNECONSOLE_TARGET:-}" +INSTALL_DIR_CSP="${RUNECONSOLE_INSTALL_DIR:-}" CSP_PUBLIC_IP="" # CSP config (populated by dev_csp_prompt_config) TEAM_NAME="" -ENVECTOR_ENDPOINT="" -ENVECTOR_API_KEY="" +RUNESPACE_ENDPOINT="" +RUNESPACE_TOKEN="" CSP_REGION="" GCP_PROJECT_ID="" OCI_COMPARTMENT_ID="" @@ -109,7 +109,7 @@ print_banner() { commit=$(cd "$REPO_ROOT" && git rev-parse --short HEAD 2>/dev/null || echo unknown) printf '\n' printf ' ╭───────────────────────────────────────────────────────────────────╮\n' - printf ' │ Rune-Vault dev installer │\n' + printf ' │ Rune-console dev installer │\n' printf ' │ Source: local working tree (not a published release) │\n' printf ' │ Commit: %-56s │\n' "$commit" printf ' ╰───────────────────────────────────────────────────────────────────╯\n' @@ -181,8 +181,8 @@ dev_preflight() { [[ "$(id -u)" -eq 0 ]] || die "This installer must be run as root (use sudo)." fi - [[ -d "${REPO_ROOT}/vault" ]] \ - || die "vault/ directory not found under ${REPO_ROOT}. Run from a clone of rune-admin." + [[ -d "${REPO_ROOT}/runeconsole" ]] \ + || die "runeconsole/ directory not found under ${REPO_ROOT}. Run from a clone of Rune-console." local missing=() for tool in git mise; do @@ -217,7 +217,7 @@ dev_check_docker() { # ── Build ────────────────────────────────────────────────────────────────────── dev_build_local_binary() { - info "Building runevault for host (${HOST_OS}/${HOST_ARCH})..." + info "Building runeconsole for host (${HOST_OS}/${HOST_ARCH})..." local build_user="${SUDO_USER:-$(id -un)}" (cd "$REPO_ROOT" && sudo -u "$build_user" -H bash -lc 'mise run go:build') [[ -x "$LOCAL_BINARY_HOST" ]] || die "Build did not produce ${LOCAL_BINARY_HOST}." @@ -225,7 +225,7 @@ dev_build_local_binary() { } dev_build_linux_binary() { - info "Building runevault for ${TARGET_OS}/${TARGET_ARCH} via Docker (${BUILDER_IMAGE})..." + info "Building runeconsole for ${TARGET_OS}/${TARGET_ARCH} via Docker (${BUILDER_IMAGE})..." local build_user="${SUDO_USER:-$(id -un)}" local user_home commit version date pkg user_home="${SUDO_USER:+$(eval echo ~"${SUDO_USER}")}" @@ -233,20 +233,20 @@ dev_build_linux_binary() { commit=$(cd "$REPO_ROOT" && git rev-parse --short HEAD 2>/dev/null || echo none) version=dev date=$(date -u +%Y-%m-%dT%H:%M:%SZ) - pkg="github.com/CryptoLabInc/rune-admin/vault/internal/commands" + pkg="github.com/CryptoLabInc/rune-console/runeconsole/internal/commands" local ldflags="-X '${pkg}.buildVersion=${version}' -X '${pkg}.buildCommit=${commit}' -X '${pkg}.buildDate=${date}'" - local out_rel="bin/runevault-${TARGET_OS}-${TARGET_ARCH}" + local out_rel="bin/runeconsole-${TARGET_OS}-${TARGET_ARCH}" mkdir -p "${user_home}/go/pkg/mod" - mkdir -p "${REPO_ROOT}/vault/bin" - [[ -n "${SUDO_USER:-}" ]] && chown "${SUDO_USER}" "${REPO_ROOT}/vault/bin" + mkdir -p "${REPO_ROOT}/runeconsole/bin" + [[ -n "${SUDO_USER:-}" ]] && chown "${SUDO_USER}" "${REPO_ROOT}/runeconsole/bin" # Run docker as the invoking user so written files are owned correctly and # the user's go module cache is reused for speed. sudo -u "$build_user" -H docker run --rm \ --platform "${TARGET_OS}/${TARGET_ARCH}" \ - -v "${REPO_ROOT}/vault:/src" \ + -v "${REPO_ROOT}/runeconsole:/src" \ -v "${user_home}/go/pkg/mod:/go/pkg/mod" \ -w /src \ -e CGO_ENABLED=1 \ @@ -272,17 +272,17 @@ dev_local_prompt_config() { printf '══════════════════════════════════════════════════════════\n' printf '\n' - _prompt RUNEVAULT_TEAM_NAME "Team name" "devteam" - _prompt RUNEVAULT_ENVECTOR_ENDPOINT "enVector endpoint" "" - _prompt RUNEVAULT_ENVECTOR_API_KEY "enVector API key" "" + _prompt RUNECONSOLE_TEAM_NAME "Team name" "devteam" + _prompt RUNECONSOLE_RUNESPACE_ENDPOINT "Runespace endpoint" "" + _prompt RUNECONSOLE_RUNESPACE_TOKEN "Runespace API key" "" printf '\n' - [[ -n "${RUNEVAULT_ENVECTOR_ENDPOINT:-}" ]] || die "enVector endpoint is required." - [[ -n "${RUNEVAULT_ENVECTOR_API_KEY:-}" ]] || die "enVector API key is required." + [[ -n "${RUNECONSOLE_RUNESPACE_ENDPOINT:-}" ]] || die "Runespace endpoint is required." + [[ -n "${RUNECONSOLE_RUNESPACE_TOKEN:-}" ]] || die "Runespace API key is required." else - RUNEVAULT_TEAM_NAME="${RUNEVAULT_TEAM_NAME:-devteam}" - RUNEVAULT_ENVECTOR_ENDPOINT="${RUNEVAULT_ENVECTOR_ENDPOINT:-https://envector.example.com}" - RUNEVAULT_ENVECTOR_API_KEY="${RUNEVAULT_ENVECTOR_API_KEY:-dev-api-key-placeholder}" + RUNECONSOLE_TEAM_NAME="${RUNECONSOLE_TEAM_NAME:-devteam}" + RUNECONSOLE_RUNESPACE_ENDPOINT="${RUNECONSOLE_RUNESPACE_ENDPOINT:-https://runespace.example.com}" + RUNECONSOLE_RUNESPACE_TOKEN="${RUNECONSOLE_RUNESPACE_TOKEN:-dev-api-key-placeholder}" fi } @@ -291,15 +291,15 @@ dev_local_install() { dev_build_local_binary dev_local_prompt_config - export RUNEVAULT_LOCAL_BINARY="$LOCAL_BINARY_HOST" - export RUNEVAULT_TEAM_NAME - export RUNEVAULT_ENVECTOR_ENDPOINT - export RUNEVAULT_ENVECTOR_API_KEY + export RUNECONSOLE_LOCAL_BINARY="$LOCAL_BINARY_HOST" + export RUNECONSOLE_TEAM_NAME + export RUNECONSOLE_RUNESPACE_ENDPOINT + export RUNECONSOLE_RUNESPACE_TOKEN if [[ -n "$PREFIX" ]]; then - export RUNEVAULT_INSTALL_PREFIX="$PREFIX" - export RUNEVAULT_BINARY_PATH="${PREFIX}/runevault" - export RUNEVAULT_SKIP_SERVICE=1 + export RUNECONSOLE_INSTALL_PREFIX="$PREFIX" + export RUNECONSOLE_BINARY_PATH="${PREFIX}/runeconsole" + export RUNECONSOLE_SKIP_SERVICE=1 fi exec bash "${REPO_ROOT}/install.sh" --target local "${PASSTHROUGH_ARGS[@]+"${PASSTHROUGH_ARGS[@]}"}" @@ -315,8 +315,8 @@ dev_forward_uninstall() { [[ "$NON_INTERACTIVE" -eq 1 ]] && args+=(--non-interactive) if [[ "$TARGET" = "local" && -n "$PREFIX" ]]; then - export RUNEVAULT_INSTALL_PREFIX="$PREFIX" - export RUNEVAULT_BINARY_PATH="${PREFIX}/runevault" + export RUNECONSOLE_INSTALL_PREFIX="$PREFIX" + export RUNECONSOLE_BINARY_PATH="${PREFIX}/runeconsole" fi exec bash "${REPO_ROOT}/install.sh" "${args[@]}" @@ -374,8 +374,8 @@ dev_csp_prompt_config() { printf '\n' _prompt TEAM_NAME "Team name" "devteam" - _prompt ENVECTOR_ENDPOINT "enVector endpoint" "" - _prompt ENVECTOR_API_KEY "enVector API key" "" + _prompt RUNESPACE_ENDPOINT "Runespace endpoint" "" + _prompt RUNESPACE_TOKEN "Runespace API key" "" case "$csp" in aws) _prompt CSP_REGION "AWS region" "us-east-1" ;; @@ -390,19 +390,19 @@ dev_csp_prompt_config() { esac printf '\n' else - TEAM_NAME="${RUNEVAULT_TEAM_NAME:-}" - ENVECTOR_ENDPOINT="${RUNEVAULT_ENVECTOR_ENDPOINT:-}" - ENVECTOR_API_KEY="${RUNEVAULT_ENVECTOR_API_KEY:-}" - CSP_REGION="${RUNEVAULT_CSP_REGION:-}" - GCP_PROJECT_ID="${RUNEVAULT_GCP_PROJECT_ID:-}" - OCI_COMPARTMENT_ID="${RUNEVAULT_OCI_COMPARTMENT_ID:-}" + TEAM_NAME="${RUNECONSOLE_TEAM_NAME:-}" + RUNESPACE_ENDPOINT="${RUNECONSOLE_RUNESPACE_ENDPOINT:-}" + RUNESPACE_TOKEN="${RUNECONSOLE_RUNESPACE_TOKEN:-}" + CSP_REGION="${RUNECONSOLE_CSP_REGION:-}" + GCP_PROJECT_ID="${RUNECONSOLE_GCP_PROJECT_ID:-}" + OCI_COMPARTMENT_ID="${RUNECONSOLE_OCI_COMPARTMENT_ID:-}" local missing=() - [[ -z "$TEAM_NAME" ]] && missing+=("RUNEVAULT_TEAM_NAME") - [[ -z "$ENVECTOR_ENDPOINT" ]] && missing+=("RUNEVAULT_ENVECTOR_ENDPOINT") - [[ -z "$ENVECTOR_API_KEY" ]] && missing+=("RUNEVAULT_ENVECTOR_API_KEY") - [[ "$csp" = gcp && -z "$GCP_PROJECT_ID" ]] && missing+=("RUNEVAULT_GCP_PROJECT_ID") - [[ "$csp" = oci && -z "$OCI_COMPARTMENT_ID" ]] && missing+=("RUNEVAULT_OCI_COMPARTMENT_ID") + [[ -z "$TEAM_NAME" ]] && missing+=("RUNECONSOLE_TEAM_NAME") + [[ -z "$RUNESPACE_ENDPOINT" ]] && missing+=("RUNECONSOLE_RUNESPACE_ENDPOINT") + [[ -z "$RUNESPACE_TOKEN" ]] && missing+=("RUNECONSOLE_RUNESPACE_TOKEN") + [[ "$csp" = gcp && -z "$GCP_PROJECT_ID" ]] && missing+=("RUNECONSOLE_GCP_PROJECT_ID") + [[ "$csp" = oci && -z "$OCI_COMPARTMENT_ID" ]] && missing+=("RUNECONSOLE_OCI_COMPARTMENT_ID") if [[ ${#missing[@]} -gt 0 ]]; then printf 'ERROR: Missing required env vars:\n' >&2 for v in "${missing[@]}"; do printf ' %s\n' "$v" >&2; done @@ -411,8 +411,8 @@ dev_csp_prompt_config() { fi [[ -n "$TEAM_NAME" ]] || die "Team name is required." - [[ -n "$ENVECTOR_ENDPOINT" ]] || die "enVector endpoint is required." - [[ -n "$ENVECTOR_API_KEY" ]] || die "enVector API key is required." + [[ -n "$RUNESPACE_ENDPOINT" ]] || die "Runespace endpoint is required." + [[ -n "$RUNESPACE_TOKEN" ]] || die "Runespace API key is required." if [[ "$csp" = gcp ]]; then [[ -n "$GCP_PROJECT_ID" ]] || die "GCP project ID is required." fi @@ -489,9 +489,9 @@ dev_csp_render_tfvars() { { printf 'team_name = "%s"\n' "$(escape_tf "${TEAM_NAME:-default}")" printf 'tls_mode = "self-signed"\n' - printf 'envector_endpoint = "%s"\n' "$(escape_tf "${ENVECTOR_ENDPOINT}")" - printf 'envector_api_key = "%s"\n' "$(escape_tf "${ENVECTOR_API_KEY}")" - printf 'runevault_version = "dev"\n' + printf 'runespace_endpoint = "%s"\n' "$(escape_tf "${RUNESPACE_ENDPOINT}")" + printf 'runespace_token = "%s"\n' "$(escape_tf "${RUNESPACE_TOKEN}")" + printf 'runeconsole_version = "dev"\n' printf 'public_key = "%s"\n' "$(escape_tf "${public_key}")" printf 'region = "%s"\n' "$(escape_tf "${CSP_REGION}")" case "$csp" in @@ -529,8 +529,8 @@ dev_csp_upload_and_install() { local ssh_user=ubuntu local public_ip - public_ip=$(cd "$tf_dir" && sudo -u "$tf_user" terraform output -raw vault_public_ip 2>/dev/null) \ - || die "Could not read vault_public_ip from terraform output." + public_ip=$(cd "$tf_dir" && sudo -u "$tf_user" terraform output -raw runeconsole_public_ip 2>/dev/null) \ + || die "Could not read runeconsole_public_ip from terraform output." CSP_PUBLIC_IP="$public_ip" local ssh_opts="-o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=15" @@ -560,7 +560,7 @@ dev_csp_upload_and_install() { while [[ $(date +%s) -lt $deadline ]]; do # shellcheck disable=SC2086 if $ssh_prefix ssh $ssh_opts -i "$key_path" "${ssh_user}@${public_ip}" \ - "test -e /var/run/runevault-dev-ready" 2>/dev/null; then + "test -e /var/run/runeconsole-dev-ready" 2>/dev/null; then prereqs_ready=1 break fi @@ -571,7 +571,7 @@ dev_csp_upload_and_install() { success "Cloud-init-dev complete." # 3. SCP install.sh + linux/amd64 binary to /tmp. - info "Uploading install.sh and runevault binary to ${public_ip}..." + info "Uploading install.sh and runeconsole binary to ${public_ip}..." # shellcheck disable=SC2086 $ssh_prefix scp $ssh_opts -i "$key_path" \ "${REPO_ROOT}/install.sh" \ @@ -584,14 +584,14 @@ dev_csp_upload_and_install() { info "Running install.sh on the VM..." local tn ee ek tn=$(escape_single "$TEAM_NAME") - ee=$(escape_single "$ENVECTOR_ENDPOINT") - ek=$(escape_single "$ENVECTOR_API_KEY") + ee=$(escape_single "$RUNESPACE_ENDPOINT") + ek=$(escape_single "$RUNESPACE_TOKEN") local remote_cmd remote_cmd="sudo \ - RUNEVAULT_LOCAL_BINARY=/tmp/runevault-${TARGET_OS}-${TARGET_ARCH} \ - RUNEVAULT_TEAM_NAME='${tn}' \ - RUNEVAULT_ENVECTOR_ENDPOINT='${ee}' \ - RUNEVAULT_ENVECTOR_API_KEY='${ek}' \ + RUNECONSOLE_LOCAL_BINARY=/tmp/runeconsole-${TARGET_OS}-${TARGET_ARCH} \ + RUNECONSOLE_TEAM_NAME='${tn}' \ + RUNECONSOLE_RUNESPACE_ENDPOINT='${ee}' \ + RUNECONSOLE_RUNESPACE_TOKEN='${ek}' \ bash /tmp/install.sh --target local --non-interactive --version dev" # shellcheck disable=SC2086 @@ -605,7 +605,7 @@ dev_csp_upload_and_install() { [[ -n "${SUDO_USER:-}" ]] && chown "${SUDO_USER}" "${INSTALL_DIR_CSP}/certs" # shellcheck disable=SC2086 $ssh_prefix scp $ssh_opts -i "$key_path" \ - "${ssh_user}@${public_ip}:/opt/runevault/certs/ca.pem" \ + "${ssh_user}@${public_ip}:/opt/runeconsole/certs/ca.pem" \ "${INSTALL_DIR_CSP}/certs/ca.pem" \ || die "CA cert fetch failed." success "CA certificate saved: ${INSTALL_DIR_CSP}/certs/ca.pem" @@ -621,7 +621,7 @@ dev_csp_summary() { commit=$(cd "$REPO_ROOT" && git rev-parse --short HEAD 2>/dev/null || echo unknown) printf '\n' - success "Rune-Vault deployed to $(printf '%s' "$csp" | tr 'a-z' 'A-Z') (dev mode)." + success "Rune-console deployed to $(printf '%s' "$csp" | tr 'a-z' 'A-Z') (dev mode)." printf '\n' printf ' Endpoint: %s:%s\n' "$public_ip" "$GRPC_PORT" printf ' CA cert: %s\n' "${INSTALL_DIR_CSP}/certs/ca.pem" @@ -635,10 +635,10 @@ dev_csp_summary() { printf 'Next steps (SSH into the VM, then run on the VM):\n' printf ' ssh -i %s ubuntu@%s\n' "$key_path" "$public_ip" printf '\n' - printf ' Issue a token: runevault token issue --user --role member\n' - printf ' Check status: runevault status\n' - printf ' View logs: runevault logs\n' - printf ' Manage daemon: sudo systemctl start|stop|restart runevault\n' + printf ' Issue a token: runeconsole token issue --user --role member\n' + printf ' Check status: runeconsole status\n' + printf ' View logs: runeconsole logs\n' + printf ' Manage daemon: sudo systemctl start|stop|restart runeconsole\n' printf '\n' warn "BACKUP: Keep this safe — it cannot be recovered if lost:" warn " Terraform state: ${tf_dir}/terraform.tfstate" @@ -649,7 +649,7 @@ dev_csp_dispatch() { local csp="$TARGET" local user_home="${SUDO_USER:+$(eval echo ~"${SUDO_USER}")}" user_home="${user_home:-$HOME}" - INSTALL_DIR_CSP="${INSTALL_DIR_CSP:-${user_home}/rune-vault-${csp}}" + INSTALL_DIR_CSP="${INSTALL_DIR_CSP:-${user_home}/runeconsole-${csp}}" mkdir -p "$INSTALL_DIR_CSP" [[ -n "${SUDO_USER:-}" ]] && chown "${SUDO_USER}" "$INSTALL_DIR_CSP" diff --git a/tests/FIXTURES.md b/tests/FIXTURES.md index 7549fe1..2466d82 100644 --- a/tests/FIXTURES.md +++ b/tests/FIXTURES.md @@ -17,7 +17,7 @@ The CI workflow (`ci.yml`) always references one of these by name. A fixture upd ### Prerequisites -- enVector Cloud access (`ENVECTOR_ENDPOINT`, `ENVECTOR_API_KEY`) +- Runespace access (`RUNESPACE_ENDPOINT`, `RUNESPACE_TOKEN`) - GitHub repo admin access (to update Secrets) - `mise run setup` completed @@ -54,10 +54,10 @@ gh secret set FIXTURES_GPG_PASSPHRASE_ALT #### 4. Generate new fixtures ```bash -ENVECTOR_ENDPOINT=... ENVECTOR_API_KEY=... python scripts/generate-test-fixtures.py +RUNESPACE_ENDPOINT=... RUNESPACE_TOKEN=... python scripts/generate-test-fixtures.py ``` -This connects to enVector Cloud and writes plaintext fixtures to `tests/fixtures/`. +This connects to Runespace and writes plaintext fixtures to `tests/fixtures/`. #### 5. Encrypt fixtures with the new passphrase diff --git a/vault/buf.gen.yaml b/vault/buf.gen.yaml deleted file mode 100644 index 0497bba..0000000 --- a/vault/buf.gen.yaml +++ /dev/null @@ -1,13 +0,0 @@ -version: v2 -clean: true -plugins: - - remote: buf.build/protocolbuffers/go - out: pkg/vaultpb - opt: - - module=github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb - - Mvault_service.proto=github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb;vaultpb - - remote: buf.build/grpc/go - out: pkg/vaultpb - opt: - - module=github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb - - Mvault_service.proto=github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb;vaultpb diff --git a/vault/internal/server/ensure_vault.go b/vault/internal/server/ensure_vault.go deleted file mode 100644 index aa283b7..0000000 --- a/vault/internal/server/ensure_vault.go +++ /dev/null @@ -1,7 +0,0 @@ -package server - -// runespace integration: the former EnsureVault (enVector cloud key -// registration + index creation) is obsolete. Under the runespace model the -// vault registers its eval key directly with the runespace engine via -// crypto.OpenEngine (RegisterKeys) at daemon startup, so there is no separate -// cloud-setup step here. diff --git a/vault/internal/server/testdata/runevault.conf.example b/vault/internal/server/testdata/runevault.conf.example deleted file mode 100644 index 70243e9..0000000 --- a/vault/internal/server/testdata/runevault.conf.example +++ /dev/null @@ -1,40 +0,0 @@ -# runevault.conf — example deployment configuration. -# -# Lookup order: -# 1. --config CLI flag -# 2. /opt/rune-vault/configs/runevault.conf -# 3. ./runevault.conf (cwd, dev only) -# -# This file should be mode 0600, owned by the vault-user. -# Replace placeholder values before use. - -server: - grpc: - host: 0.0.0.0 - port: 50051 - tls: - cert: /opt/rune-vault/certs/server.pem - key: /opt/rune-vault/certs/server.key - disable: false # true for dev only — never in production - admin: - socket: /opt/rune-vault/admin.sock - -keys: - path: /opt/rune-vault/vault-keys - index_name: my-team - embedding_dim: 1024 - -envector: - endpoint: https://envector.example.com - api_key: REPLACE_WITH_API_KEY - # Alternative: api_key_file: /run/secrets/envector_api_key - -tokens: - team_secret: REPLACE_WITH_RANDOM_HEX_32 - # Alternative: team_secret_file: /run/secrets/team_secret - roles_file: /opt/rune-vault/configs/roles.yml - tokens_file: /opt/rune-vault/configs/tokens.yml - -audit: - mode: file+stdout # one of: "", file, stdout, file+stdout - path: /opt/rune-vault/logs/audit.log