tencrypt-core 0.1.1

Core types and state-machine logic for tencrypt certificate workflows

tencrypt

Traefik-backed certificate workflow tooling with a contracts-first lifecycle model, auditable evidence output, and support for either direct CLI execution or CellOS-orchestrated cells.

Source: https://github.com/0ryant/tencrypt
Support: ryan@0ryant.com

What it is

tencrypt provides three publishable Rust packages:

  • tencrypt-core for certificate lifecycle types, reconcile logic, and evidence primitives
  • tencrypt-cli for direct operational commands such as dry-run issuance and reconcile
  • tencrypt-metrics-snapshot for one-shot JSON metrics output from a state file

The project is intentionally usable without CellOS. CellOS is an orchestration layer around the same bounded CLI commands, not a runtime dependency for core logic.

Current phase

M4: CellOS integration and run-to-completion CLI execution model.

Quick start

Run the full local quality gate:

just check

Run a direct CLI issuance simulation:

cargo run -q --bin tencrypt -- dry-run --hostname app.example.com

Run a direct reconcile pass without CellOS:

mkdir -p state evidence
cargo run -q --bin tencrypt -- reconcile --state-file state/certs.json --evidence-dir evidence/

Render a Traefik static config:

cargo run -q --bin tencrypt -- render-static-config --email ops@example.com --output deploy/traefik.yml

Read one-shot metrics:

cargo run -q --bin tencrypt-metrics-snapshot -- --state-file state/certs.json

Run through CellOS if desired:

just cell-reconcile
just cell-issue
just cell-render-traefik

Why no NATS yet?

NATS is not required for M1 correctness. The service currently emits audit and CloudEvents-compatible JSONL locally. A message bus adapter can be added later without changing core state-machine semantics.

Crates.io packaging

This workspace is prepared for publication as:

  • tencrypt-core — reusable state-machine and evidence primitives
  • tencrypt-cli — the tencrypt command-line interface
  • tencrypt-metrics-snapshot — one-shot metrics JSON snapshot tool

Publish order matters because the binary crates depend on tencrypt-core:

cargo publish -p tencrypt-core
cargo publish -p tencrypt-cli
cargo publish -p tencrypt-metrics-snapshot

Pre-publish validation:

just release-version-check
just release-check
just publish-dry-run

See docs/RELEASE.md for the full release checklist.

Build artifacts for Traefik

  • Static config: deploy/traefik.yml
  • Router labels example: deploy/router-labels.txt

Runtime model

  • No long-lived tencrypt HTTP server
  • All operations run as bounded CLI commands (directly or via CellOS cells)
  • Reconcile is expected to run on a schedule (CellOS supervisor, cron, or systemd timer)

Observability

  • evidence/audit.jsonl append-only audit trail
  • evidence/events.cloudevents.jsonl CloudEvents-compatible transition stream
  • tencrypt-metrics-snapshot one-shot metrics JSON for scraping or ingestion
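Anything that ingests the CloudEvents-compatible stream above should verify it before trusting it. The following is an added example, not part of tencrypt or its test suite: it walks a JSONL stream, checks that each line is a well-formed CloudEvents 1.0 event (the required context attributes `specversion`, `id`, `source` and `type` come from the CloudEvents spec), flags duplicate `(source, id)` pairs, and flags a `time` that moves backwards for the same source, which in an append-only trail points at replay, rewriting or clock trouble. The sample lines are constructed; the event `type` names, the `source` URI and the `data` payload are assumptions for illustration and not tencrypt's actual event vocabulary.

```python
"""Validate a CloudEvents-style JSONL transition stream before ingestion."""
import json
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# CloudEvents 1.0 context attributes that every event must carry.
REQUIRED_ATTRIBUTES = ("specversion", "id", "source", "type")

# Constructed sample standing in for evidence/events.cloudevents.jsonl.
# Event type names, the source URI and the data payload are assumptions made
# for this example, not tencrypt's real event schema.
SAMPLE_EVENTS_JSONL = """\
{"specversion":"1.0","id":"evt-0001","source":"urn:example:tencrypt","type":"example.cert.transition","time":"2024-01-01T00:00:00Z","data":{"hostname":"app.example.com"}}
{"specversion":"1.0","id":"evt-0002","source":"urn:example:tencrypt","type":"example.cert.transition","time":"2024-01-01T00:05:00Z","data":{"hostname":"app.example.com"}}
{"specversion":"1.0","id":"evt-0002","source":"urn:example:tencrypt","type":"example.cert.transition","time":"2024-01-01T00:06:00Z","data":{"hostname":"app.example.com"}}
{"specversion":"1.0","id":"evt-0003","source":"urn:example:tencrypt","type":"example.cert.transition","time":"2024-01-01T00:04:00Z","data":{"hostname":"app.example.com"}}
{"id":"evt-0004","source":"urn:example:tencrypt","type":"example.cert.transition","time":"2024-01-01T00:07:00Z"}
not json at all
"""


def _parse_time(value: str) -> datetime:
    # CloudEvents 'time' is RFC 3339; fromisoformat() on older Pythons rejects a
    # trailing 'Z', so normalise it to an explicit UTC offset first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_cloudevents_jsonl(lines: Iterable[str]) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (number of clean events, [(line_no, problem), ...])."""
    seen_ids: Set[Tuple[str, str]] = set()   # (source, id); CloudEvents requires uniqueness per source
    last_time: Dict[str, datetime] = {}      # source -> latest 'time' seen, for append-only ordering
    valid = 0
    problems: List[Tuple[int, str]] = []

    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            problems.append((line_no, "not valid JSON"))
            continue
        if not isinstance(event, dict):
            problems.append((line_no, "top-level value is not a JSON object"))
            continue

        line_problems: List[str] = []
        missing = [a for a in REQUIRED_ATTRIBUTES
                   if not isinstance(event.get(a), str) or not event[a]]
        if missing:
            line_problems.append("missing required attribute(s): " + ", ".join(missing))
        elif event["specversion"] != "1.0":
            line_problems.append(f"unsupported specversion {event['specversion']!r}")
        else:
            key = (event["source"], event["id"])
            if key in seen_ids:
                line_problems.append(f"duplicate id {event['id']!r} for source {event['source']!r}")
            seen_ids.add(key)

        # Ordering heuristic: in an append-only stream, a timestamp that moves
        # backwards for the same source suggests replay, rewrite or clock trouble.
        source = event.get("source")
        if isinstance(event.get("time"), str) and isinstance(source, str):
            try:
                ts = _parse_time(event["time"])
            except ValueError:
                line_problems.append(f"unparseable time {event['time']!r}")
            else:
                prev = last_time.get(source)
                if prev is not None and ts < prev:
                    line_problems.append("time earlier than previous event from same source")
                last_time[source] = ts if prev is None else max(prev, ts)

        if line_problems:
            problems.extend((line_no, p) for p in line_problems)
        else:
            valid += 1
    return valid, problems


if __name__ == "__main__":
    # Against a real trail: check_cloudevents_jsonl(open("evidence/events.cloudevents.jsonl"))
    clean, found = check_cloudevents_jsonl(SAMPLE_EVENTS_JSONL.splitlines())
    print(f"{clean} clean event(s)")
    for n, msg in found:
        print(f"line {n}: {msg}")
```

A line with any problem is excluded from the clean count, so a scheduled ingestion job can refuse the whole batch on a non-zero problem list rather than silently dropping individual events. The backwards-time check is deliberately a heuristic, since CloudEvents does not require ordering; it is reported alongside hard schema violations because, for an audit trail, an out-of-order entry is worth a human look either way.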

Quality

  • Local quality gate: just check; CI workflow at .github/workflows/quality.yml
  • CI also validates cells/*.cell.json against the CellOS execution-cell schema.

Release notes

The current release plan and initial release notes live in CHANGELOG.md.