Local development uses deployments/docker-compose.yaml with localstack to simulate AWS services. All workflows are driven through make targets, which handle dependency ordering automatically.
For architecture, deployment topology, and the security model, see architecture.md. For test conventions and coverage expectations, see testing.md.
- Go 1.25+
- Docker and Docker Compose
- Make
- pre-commit (install via `brew install pre-commit`, then `pre-commit install`)
| Command | Description |
|---|---|
| `make up` | Build local enclave Docker image and start localstack |
| `make down` | Tear down the local environment: stop the app (via `app.pid`) and run `docker-compose down --remove-orphans` |
| `make dev` | `make up` + launch the app (typical dev entry point) |
| Command | Description |
|---|---|
| `make proto` | Regenerate protocol buffer Go code |
| `make build` | Generate protos and build binary to `./bin/app` |
See testing.md for the full test matrix and conventions. Top-level entry points:
| Command | Scope |
|---|---|
| `make test` | Unit + lint |
| `make test-it` | Unit + integration (starts localstack) |
| `make smoke` | Smoke tests against a running service |
| `make test-all` | All of the above |
- Go version: 1.25
- Copyright header: All `.go` files must carry the Circle Internet Group Apache 2.0 license header. Enforced by the `check-copyright-golang` pre-commit hook.
- Commit messages: `type(ticket|NOSTORY): description`, following Conventional Commits for the `type` semantics. Valid tickets follow the project's Jira prefix.
- Mocking: `github.com/golang/mock` (v1.6.0). Mocks are `*_mock.go` files co-located with the interfaces they mock; regenerate with `mockgen`.
- Config: Viper-based, env var prefix `APP_`. See architecture.md#configuration.
- Logging: Use the repo-local logger in `internal/common/logging/`.
- Protocol Buffers: Managed by `buf` (config version v2), definitions in `proto/`. Run `make proto` after editing.
- gRPC: Shared foundation in `internal/common/grpc/` with standardized client/server lifecycle and error normalization.
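
One way to check the commit message convention above before pushing, as an added example that is not part of the project's tooling. The allowed type list and the `PROJ` ticket prefix are assumptions: the page specifies neither, so substitute the project's real values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Assumptions (not stated on the page): the allowed type list and the Jira
// prefix. "PROJ" is a placeholder for the project's real prefix.
const jiraPrefix = "PROJ"
var allowedTypes = map[string]bool{
	"feat": true, "fix": true, "docs": true, "refactor": true, "perf": true,
	"test": true, "build": true, "ci": true, "chore": true, "revert": true,
}
var (
	subjectRE = regexp.MustCompile(`^([a-z]+)\(([^()]*)\): (.*)$`)
	ticketRE  = regexp.MustCompile(`^` + jiraPrefix + `-[1-9][0-9]*$`)
)

// CheckSubject validates the first line of a commit message against
// type(ticket|NOSTORY): description and reports the first rule it breaks.
func CheckSubject(msg string) error {
	subject := strings.TrimRight(strings.SplitN(msg, "\n", 2)[0], "\r")
	m := subjectRE.FindStringSubmatch(subject)
	if m == nil {
		return fmt.Errorf("%q is not of the form type(ticket|NOSTORY): description", subject)
	}
	typ, ticket, desc := m[1], m[2], m[3]
	switch {
	case !allowedTypes[typ]:
		return fmt.Errorf("unknown type %q", typ)
	case ticket != "NOSTORY" && !ticketRE.MatchString(ticket):
		return fmt.Errorf("scope %q is neither NOSTORY nor a %s-<number> ticket", ticket, jiraPrefix)
	case strings.TrimSpace(desc) == "":
		return fmt.Errorf("description is empty")
	}
	return nil
}

func main() {
	// Constructed sample subjects, not taken from the project's history.
	for _, s := range []string{
		"fix(PROJ-142): normalize gRPC error codes",
		"chore(NOSTORY): bump golangci-lint",
		"fix: missing ticket",
		"feat(proj-7): lowercase ticket",
	} {
		fmt.Printf("%q -> %v\n", s, CheckSubject(s))
	}
}
```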
Enforced via .pre-commit-config.yaml:
- `go-fmt`, `golangci-lint`, `go-mod-tidy`, `go-unit-tests`
- `no-go-testing` — use `testify` assertions, not raw `testing`
- `check-copyright-golang` — Circle copyright header on every `.go` file
- `terraform_fmt` — for `deploy/` configs
Run pre-commit install once after cloning to enable the hooks locally.
- `make build` — confirm the binary compiles (includes proto generation)
- `make test` — unit tests + lint for code changes
- `make test-it` — when changes touch provider integrations, gRPC behavior, enclave communication, or config
- `make test-all` — for high-risk or release-critical changes
.
├── cmd/ # CLI entry points
├── internal/
│ ├── app/ # Proxy (host-side)
│ │ ├── public/ # gRPC handlers
│ │ ├── service/ # Business logic
│ │ └── provider/ # AWS integrations (KMS, Secrets Manager)
│ ├── enclave/ # Enclave-side (inside Nitro Enclave)
│ │ ├── public/ # Enclave gRPC handlers
│ │ ├── service/ # Enclave business logic
│ │ └── provider/ # Key storage, attestation
│ ├── common/ # Shared infrastructure
│ │ ├── crypto/ # AES, random generation
│ │ ├── grpc/ # gRPC client/server/interceptors
│ │ ├── logging/ # Structured logging
│ │ ├── metric/ # Datadog metrics
│ │ └── telemetry/ # OpenTelemetry
│ └── smoke/ # End-to-end smoke tests
├── proto/ # Protocol buffers
│ ├── arc/signer/v1/ # SignerService (external API)
│ └── arc/enclave/v1/ # EnclaveService (internal API)
├── docker/ # Docker build configuration
├── deployments/ # Docker Compose (localstack)
└── scripts/ # Build and utility scripts