Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,15 +65,15 @@ jobs:
VERSION=$(git describe --tags --always 2>/dev/null || echo "dev")
fi
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "archive=runevault_${VERSION}_${{ matrix.os }}_${{ matrix.arch }}.tar.gz" >> "$GITHUB_OUTPUT"
echo "archive=runeconsole_${VERSION}_${{ matrix.os }}_${{ matrix.arch }}.tar.gz" >> "$GITHUB_OUTPUT"
- name: Build binary
env:
GOOS: ${{ matrix.os }}
GOARCH: ${{ matrix.arch }}
VERSION: ${{ steps.meta.outputs.version }}
run: |
PKG="github.com/CryptoLabInc/rune-admin/vault/internal/commands"
PKG="github.com/CryptoLabInc/rune-console/runeconsole/internal/commands"
COMMIT=$(git rev-parse --short HEAD)
DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
if [ "${{ matrix.os }}" = "darwin" ] && [ "${{ matrix.arch }}" = "amd64" ]; then
Expand All @@ -82,24 +82,24 @@ jobs:
export CGO_CFLAGS="-arch x86_64 -I/usr/local/opt/openssl@3/include"
export CGO_LDFLAGS="-arch x86_64 -L/usr/local/opt/openssl@3/lib"
fi
cd vault && go build \
cd runeconsole && go build \
-trimpath \
-ldflags "-s -w -X '${PKG}.buildVersion=${VERSION}' -X '${PKG}.buildCommit=${COMMIT}' -X '${PKG}.buildDate=${DATE}'" \
-o bin/runevault \
-o bin/runeconsole \
./cmd
- name: Smoke test
run: |
if [ "${{ matrix.os }}" = "darwin" ] && [ "${{ matrix.arch }}" = "amd64" ]; then
arch -x86_64 ./vault/bin/runevault version
arch -x86_64 ./runeconsole/bin/runeconsole version
else
./vault/bin/runevault version
./runeconsole/bin/runeconsole version
fi
- name: Package
run: |
mkdir -p _dist
cp vault/bin/runevault _dist/
cp runeconsole/bin/runeconsole _dist/
cp LICENSE _dist/
tar -czf "${{ steps.meta.outputs.archive }}" -C _dist .
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/sync-to-public.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Mirrors the latest state of this repository's main branch to the public
# CryptoLabInc/rune-admin repository as a single squashed commit. Commit
# CryptoLabInc/rune-console repository as a single squashed commit. Commit
# history, messages, and author details from this repository are not
# transferred — only the resulting file tree is published.
name: Sync to public repository
Expand All @@ -16,7 +16,7 @@ jobs:
sync:
# Only run in the private development repository, never in the public
# mirror or forks.
if: github.repository == 'geuna0204/rune-admin-private'
if: github.repository == 'geuna0204/rune-console-private'
runs-on: ubuntu-latest
steps:
- name: Check deploy key availability
Expand Down Expand Up @@ -51,7 +51,7 @@ jobs:
if: steps.guard.outputs.enabled == 'true'
run: |
set -euo pipefail
git remote add public git@github.com:CryptoLabInc/rune-admin.git
git remote add public git@github.com:CryptoLabInc/rune-console.git
git fetch public main
PARENT=$(git rev-parse FETCH_HEAD)
# Build the published tree from HEAD with internal-only paths
Expand All @@ -72,6 +72,6 @@ jobs:
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
COMMIT=$(git commit-tree "$TREE" -p "$PARENT" \
-m "chore: sync from development repository" \
-m "Source: rune-admin-private@$(git rev-parse --short HEAD)")
-m "Source: rune-console-private@$(git rev-parse --short HEAD)")
git push public "$COMMIT:refs/heads/main"
echo "Pushed $COMMIT to CryptoLabInc/rune-admin main."
echo "Pushed $COMMIT to CryptoLabInc/rune-console main."
14 changes: 7 additions & 7 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ htmlcov/
*.sec
*.pub
*_token
vault_token.txt
runeconsole-token.txt
certs/

# Logs
Expand Down Expand Up @@ -97,9 +97,9 @@ Thumbs.db
*.dylib

# Go build artifacts
vault/bin/
vault/**/*.test
vault/**/*.out
runeconsole/bin/
runeconsole/**/*.test
runeconsole/**/*.out

# Database
*.db
Expand All @@ -109,9 +109,9 @@ vault/**/*.out
# Credentials
credentials.json
service-account.json
vault-credentials/
runeconsole-credentials/
team_keys/
vault_keys/
runeconsole-keys/

# Test artifacts
test-results/
Expand All @@ -121,4 +121,4 @@ test-results/
tests/fixtures/

# Local dev runtime files (config, socket, keys, pid)
vault/dev/
runeconsole/dev/
46 changes: 23 additions & 23 deletions .mise.toml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Rune-Vault Development Environment
# Rune-console Development Environment
# Run `mise install` to set up all tools, then `mise run setup` to bootstrap.
# Prerequisites: mise (https://mise.jdx.dev)

Expand All @@ -25,10 +25,10 @@ run = """
set -euo pipefail

echo "==> Resolving Go modules..."
cd vault && go mod download && cd ..
cd runeconsole && go mod download && cd ..

echo "==> Generating Go proto stubs..."
cd vault && buf generate && cd ..
cd runeconsole && buf generate && cd ..

echo "==> Configuring git hooks..."
git config core.hooksPath .githooks
Expand All @@ -43,7 +43,7 @@ description = "Run all quality checks (gofmt + go vet + unit tests)"
run = """
#!/usr/bin/env bash
set -euo pipefail
cd vault
cd runeconsole
echo "==> Checking Go format..."
diff=$(gofmt -l .)
if [ -n "$diff" ]; then
Expand All @@ -60,60 +60,60 @@ echo "All checks passed."
"""

[tasks."proto:go"]
description = "Regenerate Go protobuf/gRPC stubs into vault/pkg/vaultpb"
run = "cd vault && buf generate"
description = "Regenerate Go protobuf/gRPC stubs into runeconsole/pkg/consolepb"
run = "cd runeconsole && buf generate"

[tasks."go:build"]
description = "Build runevault binary to vault/bin/runevault"
description = "Build runeconsole binary to runeconsole/bin/runeconsole"
run = """
#!/usr/bin/env bash
set -euo pipefail
VERSION="${VERSION:-dev}"
COMMIT=$(git rev-parse --short HEAD 2>/dev/null || echo "none")
DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
PKG="github.com/CryptoLabInc/rune-admin/vault/internal/commands"
cd vault && go build \
-o bin/runevault \
PKG="github.com/CryptoLabInc/rune-console/runeconsole/internal/commands"
cd runeconsole && go build \
-o bin/runeconsole \
-ldflags "-X '${PKG}.buildVersion=${VERSION}' -X '${PKG}.buildCommit=${COMMIT}' -X '${PKG}.buildDate=${DATE}'" \
./cmd
"""

[tasks."go:test"]
description = "Run all tests including E2E (requires pre-built binary via RUNEVAULT_TEST_BINARY)"
run = "cd vault && go test -race -tags e2e ./..."
description = "Run all tests including E2E (requires pre-built binary via RUNECONSOLE_TEST_BINARY)"
run = "cd runeconsole && go test -race -tags e2e ./..."

[tasks."go:test:unit"]
description = "Run unit tests only (E2E excluded by build tag)"
run = "cd vault && go test -race ./..."
run = "cd runeconsole && go test -race ./..."

[tasks."go:test:e2e"]
description = "Run E2E tests against the pre-built runevault binary (run go:build first)"
description = "Run E2E tests against the pre-built runeconsole binary (run go:build first)"
run = """
#!/usr/bin/env bash
set -euo pipefail
BINARY="${RUNEVAULT_TEST_BINARY:-$(pwd)/vault/bin/runevault}"
BINARY="${RUNECONSOLE_TEST_BINARY:-$(pwd)/runeconsole/bin/runeconsole}"
if [ ! -x "$BINARY" ]; then
echo "runevault binary not found at $BINARY — run 'mise run go:build' first" >&2
echo "runeconsole binary not found at $BINARY — run 'mise run go:build' first" >&2
exit 1
fi
export RUNEVAULT_TEST_BINARY="$BINARY"
cd vault && go test -race -tags e2e ./internal/tests/...
export RUNECONSOLE_TEST_BINARY="$BINARY"
cd runeconsole && go test -race -tags e2e ./internal/tests/...
"""

[tasks."go:vet"]
description = "Run go vet on all Go packages"
run = "cd vault && go vet ./..."
run = "cd runeconsole && go vet ./..."

[tasks."go:fmt"]
description = "Format Go source files"
run = "cd vault && gofmt -w ."
run = "cd runeconsole && gofmt -w ."

[tasks."go:fmt:check"]
description = "Check Go formatting without modifying"
run = """
#!/usr/bin/env bash
set -euo pipefail
cd vault
cd runeconsole
diff=$(gofmt -l .)
if [ -n "$diff" ]; then
echo "gofmt found unformatted files:" >&2
Expand All @@ -123,8 +123,8 @@ fi
"""

[tasks.dev]
description = "Run runevault daemon in foreground for development"
run = "cd vault && go run ./cmd/runevault --config dev/runevault.conf daemon start"
description = "Run runeconsole daemon in foreground for development"
run = "cd runeconsole && go run ./cmd/runeconsole --config dev/runeconsole.conf daemon start"

[tasks."fixtures:decrypt"]
description = "Decrypt test fixtures from GPG archive"
Expand Down
24 changes: 12 additions & 12 deletions AGENTS.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Rune-Vault (rune-admin)
# Rune-console (rune-console)

Single-binary Go gRPC server (`runevault`) for FHE-encrypted organizational
memory. Built on `github.com/CryptoLabInc/envector-go-sdk`. The secret key
Single-binary Go gRPC server (`runeconsole`) for FHE-encrypted organizational
memory. Built on `github.com/CryptoLabInc/runespace-sdk`. The secret key
never leaves this server.

## Setup
Expand All @@ -17,15 +17,15 @@ Do NOT run go, gofmt, or buf directly.
|---------|-------------|
| `mise run setup` | Bootstrap (Go modules + proto stubs) |
| `mise run check` | All checks: gofmt + go vet + unit tests (race) |
| `mise run go:build` | Build the runevault binary to `vault/bin/runevault` |
| `mise run go:test` | Run all tests including E2E (requires `RUNEVAULT_TEST_BINARY`) |
| `mise run go:build` | Build the runeconsole binary to `runeconsole/bin/runeconsole` |
| `mise run go:test` | Run all tests including E2E (requires `RUNECONSOLE_TEST_BINARY`) |
| `mise run go:test:unit` | Run unit tests only (E2E excluded by build tag) |
| `mise run go:test:e2e` | Run E2E tests against pre-built binary (run `go:build` first) |
| `mise run go:vet` | Run go vet on all Go packages |
| `mise run go:fmt` | Format Go source files |
| `mise run go:fmt:check` | Check Go formatting without modifying |
| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `vault/pkg/vaultpb` |
| `mise run dev` | Run runevault daemon in foreground (uses `vault/dev/runevault.conf`) |
| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `runeconsole/pkg/consolepb` |
| `mise run dev` | Run runeconsole daemon in foreground (uses `runeconsole/dev/runeconsole.conf`) |
| `mise run certs` | Generate self-signed TLS certificates |
| `mise run fixtures:decrypt` | Decrypt test fixtures (requires `FIXTURES_GPG_PASSPHRASE`) |
| `mise run fixtures:encrypt` | Re-encrypt test fixtures |
Expand All @@ -35,15 +35,15 @@ Do NOT run go, gofmt, or buf directly.
- English only in code, commit messages, PR descriptions, and issue bodies
- Do not amend commits or force-push unless explicitly instructed
- All exported Go identifiers need a doc comment
- New gRPC methods need corresponding unit tests in `vault/internal/server/grpc_test.go`
- Token/auth changes must update `vault/internal/tokens/store_test.go`
- New gRPC methods need corresponding unit tests in `runeconsole/internal/server/grpc_test.go`
- Token/auth changes must update `runeconsole/internal/tokens/store_test.go`
- Run `mise run check` before committing

## Security invariants

- Secret key (`vault-keys/<key-id>/SecKey.json`) must never be logged, returned in API responses, or leave the server process
- Admin transport is a Unix domain socket (mode 0600, vault-user owned) — never expose externally
- Token secrets and FHE keys live in `runevault.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments
- Secret key (`runeconsole-keys/<key-id>/SecKey.json`) must never be logged, returned in API responses, or leave the server process
- Admin transport is a Unix domain socket (mode 0600, runeconsole-user owned) — never expose externally
- Token secrets and FHE keys live in `runeconsole.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments
- TLS is required for all cloud deployments (`server.grpc.tls.disable: true` is dev-only)

## Worktree setup
Expand Down
24 changes: 12 additions & 12 deletions CLAUDE.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Rune-Vault (rune-admin)
# Rune-console (rune-console)

Single-binary Go gRPC server (`runevault`) for FHE-encrypted organizational
memory. Built on `github.com/CryptoLabInc/envector-go-sdk`. The secret key
Single-binary Go gRPC server (`runeconsole`) for FHE-encrypted organizational
memory. Built on `github.com/CryptoLabInc/runespace-sdk`. The secret key
never leaves this server.

## Setup
Expand All @@ -17,15 +17,15 @@ Do NOT run go, gofmt, or buf directly.
|---------|-------------|
| `mise run setup` | Bootstrap (Go modules + proto stubs) |
| `mise run check` | All checks: gofmt + go vet + unit tests (race) |
| `mise run go:build` | Build the runevault binary to `vault/bin/runevault` |
| `mise run go:test` | Run all tests including E2E (requires `RUNEVAULT_TEST_BINARY`) |
| `mise run go:build` | Build the runeconsole binary to `runeconsole/bin/runeconsole` |
| `mise run go:test` | Run all tests including E2E (requires `RUNECONSOLE_TEST_BINARY`) |
| `mise run go:test:unit` | Run unit tests only (E2E excluded by build tag) |
| `mise run go:test:e2e` | Run E2E tests against pre-built binary (run `go:build` first) |
| `mise run go:vet` | Run go vet on all Go packages |
| `mise run go:fmt` | Format Go source files |
| `mise run go:fmt:check` | Check Go formatting without modifying |
| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `vault/pkg/vaultpb` |
| `mise run dev` | Run runevault daemon in foreground (uses `vault/dev/runevault.conf`) |
| `mise run proto:go` | Regenerate Go protobuf/gRPC stubs into `runeconsole/pkg/consolepb` |
| `mise run dev` | Run runeconsole daemon in foreground (uses `runeconsole/dev/runeconsole.conf`) |
| `mise run certs` | Generate self-signed TLS certificates |
| `mise run fixtures:decrypt` | Decrypt test fixtures (requires `FIXTURES_GPG_PASSPHRASE`) |
| `mise run fixtures:encrypt` | Re-encrypt test fixtures |
Expand All @@ -35,8 +35,8 @@ Do NOT run go, gofmt, or buf directly.
- English only in code, commit messages, PR descriptions, and issue bodies
- Do not amend commits or force-push unless explicitly instructed
- All exported Go identifiers need a doc comment
- New gRPC methods need corresponding unit tests in `vault/internal/server/grpc_test.go`
- Token/auth changes must update `vault/internal/tokens/store_test.go`
- New gRPC methods need corresponding unit tests in `runeconsole/internal/server/grpc_test.go`
- Token/auth changes must update `runeconsole/internal/tokens/store_test.go`
- Run `mise run check` before committing

## Documentation
Expand All @@ -52,9 +52,9 @@ Do NOT run go, gofmt, or buf directly.

## Security invariants

- Secret key (`vault-keys/<key-id>/SecKey.json`) must never be logged, returned in API responses, or leave the server process
- Admin transport is a Unix domain socket (mode 0600, vault-user owned) — never expose externally
- Token secrets and FHE keys live in `runevault.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments
- Secret key (`runeconsole-keys/<key-id>/SecKey.json`) must never be logged, returned in API responses, or leave the server process
- Admin transport is a Unix domain socket (mode 0600, runeconsole-user owned) — never expose externally
- Token secrets and FHE keys live in `runeconsole.conf` (mode 0600); secret YAML fields support `*_file` indirection for KMS-backed deployments
- TLS is required for all cloud deployments (`server.grpc.tls.disable: true` is dev-only)

## Worktree setup
Expand Down
Loading