# tencrypt
Traefik-backed certificate workflow tooling with a contracts-first lifecycle model, auditable evidence output, and support for either direct CLI execution or CellOS-orchestrated cells.
Source: https://github.com/0ryant/tencrypt
Support: ryan@0ryant.com
## What it is
tencrypt provides three publishable Rust packages:
- `tencrypt-core` for certificate lifecycle types, reconcile logic, and evidence primitives
- `tencrypt-cli` for direct operational commands such as dry-run issuance and reconcile
- `tencrypt-metrics-snapshot` for one-shot JSON metrics output from a state file
The project is intentionally usable without CellOS. CellOS is an orchestration layer around the same bounded CLI commands, not a runtime dependency for core logic.
## Current phase
M4: CellOS integration and run-to-completion CLI execution model.
## Quick start
Run the full local quality gate:
```bash
just check
```
Run a direct CLI issuance simulation:
```bash
cargo run -q --bin tencrypt -- dry-run --hostname app.example.com
```
Run a direct reconcile pass without CellOS:
```bash
mkdir -p state evidence
cargo run -q --bin tencrypt -- reconcile --state-file state/certs.json --evidence-dir evidence/
```
Render a Traefik config:
```bash
cargo run -q --bin tencrypt -- render-static-config --email ops@example.com --output deploy/traefik.yml
```
Read one-shot metrics:
```bash
cargo run -q --bin tencrypt-metrics-snapshot -- --state-file state/certs.json
```
Run through CellOS if desired:
```bash
just cell-reconcile
just cell-issue
just cell-render-traefik
```
## Why no NATS yet?
NATS is not required for M1 correctness. The service currently emits audit and CloudEvents-compatible JSONL locally. A message bus adapter can be added later without changing core state-machine semantics.
## Crates.io packaging
This workspace is prepared for publication as:
- `tencrypt-core` — reusable state-machine and evidence primitives
- `tencrypt-cli` — the `tencrypt` command-line interface
- `tencrypt-metrics-snapshot` — one-shot metrics JSON snapshot tool
Publish order matters because the binary crates depend on `tencrypt-core`:
```bash
cargo publish -p tencrypt-core
cargo publish -p tencrypt-cli
cargo publish -p tencrypt-metrics-snapshot
```
Pre-publish validation:
```bash
just release-version-check
just release-check
just publish-dry-run
```
See `docs/RELEASE.md` for the full release checklist.
## Build artifacts for Traefik
- Static config: `deploy/traefik.yml`
- Router labels example: `deploy/router-labels.txt`
## Runtime model
- No long-lived tencrypt HTTP server
- All operations run as bounded CLI commands (directly or via CellOS cells)
- Reconcile is expected to run on a schedule (CellOS supervisor, cron, or systemd timer)
## Observability
- `evidence/audit.jsonl` append-only audit trail
- `evidence/events.cloudevents.jsonl` CloudEvents-compatible transition stream
- `tencrypt-metrics-snapshot` one-shot metrics JSON for scraping or ingestion
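As an added illustration of the runtime and observability model above (a bounded reconcile pass that runs to completion and appends JSONL evidence), here is a small Rust program that is not tencrypt-core's own code: the `CertState`, `CertRecord`, `reconcile` and `to_cloudevent_line` names, the 30-day renewal window, the event `source` and `type` strings, and the sample records are all assumptions made for this example.

```rust
// Added example: a bounded reconcile pass over certificate records with
// append-only, CloudEvents-style JSONL evidence. Hypothetical types and
// names; not the tencrypt-core API.
use std::fs::OpenOptions;
use std::io::Write;
use std::path::Path;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CertState { Pending, Issued, RenewalDue, Expired }

#[derive(Clone, Debug)]
pub struct CertRecord {
    pub hostname: String,
    pub state: CertState,
    pub not_after: u64, // unix seconds; 0 when no certificate exists yet
}

/// One state transition that actually happened during a pass.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Transition { pub hostname: String, pub from: CertState, pub to: CertState, pub reason: String }

/// Constructed renewal window: renew when less than 30 days of validity remain.
pub const RENEW_BEFORE_SECS: u64 = 30 * 24 * 3600;

/// Pure decision function: same record and clock always give the same answer,
/// which is what makes a scheduled, repeated pass safe.
pub fn next_state(rec: &CertRecord, now: u64) -> CertState {
    match rec.state {
        CertState::Pending => CertState::Pending, // issuance is a separate command
        _ if rec.not_after <= now => CertState::Expired,
        _ if rec.not_after - now <= RENEW_BEFORE_SECS => CertState::RenewalDue,
        _ => CertState::Issued,
    }
}

/// One bounded reconcile pass. Records are updated in place and only real
/// transitions are returned, so re-running over unchanged state yields no evidence.
pub fn reconcile(records: &mut [CertRecord], now: u64) -> Vec<Transition> {
    let mut out = Vec::new();
    for rec in records.iter_mut() {
        let to = next_state(rec, now);
        if to != rec.state {
            let reason = format!("not_after={} now={}", rec.not_after, now);
            out.push(Transition { hostname: rec.hostname.clone(), from: rec.state, to, reason });
            rec.state = to;
        }
    }
    out
}

/// Minimal JSON string escaping so a hostname taken from a state file cannot
/// break out of its field and inject extra keys into the evidence line.
pub fn json_escape(s: &str) -> String {
    let mut o = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => o.push_str("\\\""),
            '\\' => o.push_str("\\\\"),
            '\n' => o.push_str("\\n"),
            c if (c as u32) < 0x20 => o.push_str(&format!("\\u{:04x}", c as u32)),
            c => o.push(c),
        }
    }
    o
}

/// Render a transition as one CloudEvents-style JSONL line (specversion, id,
/// source, type, time, data). The source/type values are constructed for the example.
pub fn to_cloudevent_line(t: &Transition, seq: u64, now: u64) -> String {
    let data = format!(
        "{{\"hostname\":\"{}\",\"from\":\"{:?}\",\"to\":\"{:?}\",\"reason\":\"{}\"}}",
        json_escape(&t.hostname), t.from, t.to, json_escape(&t.reason)
    );
    format!(
        "{{\"specversion\":\"1.0\",\"id\":\"{seq}\",\"source\":\"/tencrypt/reconcile\",\
         \"type\":\"cert.transition\",\"time\":{now},\"data\":{data}}}"
    )
}

/// Append evidence lines; the file is opened append-only and never truncated.
pub fn append_evidence(path: &Path, lines: &[String]) -> std::io::Result<()> {
    let mut f = OpenOptions::new().create(true).append(true).open(path)?;
    for l in lines { writeln!(f, "{l}")?; }
    Ok(())
}

fn main() -> std::io::Result<()> {
    let now = 1_700_000_000u64; // constructed clock value
    let mut recs = vec![
        CertRecord { hostname: "app.example.com".into(), state: CertState::Issued, not_after: now + 10 * 24 * 3600 },
        CertRecord { hostname: "old.example.com".into(), state: CertState::Issued, not_after: now - 1 },
        CertRecord { hostname: "fresh.example.com".into(), state: CertState::Issued, not_after: now + 90 * 24 * 3600 },
    ];
    let lines: Vec<String> = reconcile(&mut recs, now).iter().enumerate()
        .map(|(i, t)| to_cloudevent_line(t, i as u64 + 1, now)).collect();
    append_evidence(&std::env::temp_dir().join("tencrypt-example-audit.jsonl"), &lines)?;
    for l in &lines { println!("{l}"); }
    Ok(())
}
```

Two properties matter when this runs from a cron job, systemd timer or CellOS supervisor: a second pass over unchanged state returns no transitions, so the audit trail records real changes rather than every scheduler tick, and every value copied from the state file is escaped before it reaches the evidence stream.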
## Quality
- Local gate: `just check`; CI workflow at `.github/workflows/quality.yml`
- CI also validates `cells/*.cell.json` against the CellOS execution-cell schema
## Release notes
The current release plan and initial release notes live in `CHANGELOG.md`.