refactor: rename GetPublicKey to GetAgentManifest, drop EvalKey from manifest

- Proto: GetPublicKey → GetAgentManifest, key_bundle_json → manifest_json
- crypto: ReadPublicKeyBundle → ReadEncKey (string return, no EvalKey read)
- buildBundle: remove EvalKey.json field; avoid unnecessary multi-MB disk read
- Update interceptor method map, type switch, and all tests

Author: jh-lee-cryptolab

vault/internal/crypto/keys.go

@@ -86,26 +86,14 @@ func (f *EnvectorKeys) Decrypt(blob []byte) (scores [][]float64, shardIdx []int3
 	return f.keys.Decrypt(blob)
 }
 
-// PublicKeyBundle reads EncKey.json and EvalKey.json file contents from
-// disk. The strings are returned verbatim for inclusion in the GetPublicKey
-// gRPC response — clients re-parse them with their own SDK.
-type PublicKeyBundle struct {
-	EncKey  string
-	EvalKey string
-}
-
-func ReadPublicKeyBundle(p KeysParams) (*PublicKeyBundle, error) {
-	encPath := filepath.Join(p.keyDir(), "EncKey.json")
-	evalPath := filepath.Join(p.keyDir(), "EvalKey.json")
-	enc, err := os.ReadFile(encPath)
-	if err != nil {
-		return nil, fmt.Errorf("crypto: read EncKey.json: %w", err)
-	}
-	eval, err := os.ReadFile(evalPath)
+// ReadEncKey reads EncKey.json from disk and returns its contents verbatim
+// for inclusion in the GetAgentManifest gRPC response.
+func ReadEncKey(p KeysParams) (string, error) {
+	enc, err := os.ReadFile(filepath.Join(p.keyDir(), "EncKey.json"))
 	if err != nil {
-		return nil, fmt.Errorf("crypto: read EvalKey.json: %w", err)
+		return "", fmt.Errorf("crypto: read EncKey.json: %w", err)
 	}
-	return &PublicKeyBundle{EncKey: string(enc), EvalKey: string(eval)}, nil
+	return string(enc), nil
 }
 
 func (f *EnvectorKeys) Close() error {

vault/internal/crypto/keys_test.go

@@ -27,10 +27,10 @@ func TestOpenSecretKeyMissingReturnsError(t *testing.T) {
 	}
 }
 
-func TestReadPublicKeyBundleMissingReturnsError(t *testing.T) {
+func TestReadEncKeyMissingReturnsError(t *testing.T) {
 	p := KeysParams{Root: t.TempDir(), KeyID: "vault-key", Dim: 1024}
-	if _, err := ReadPublicKeyBundle(p); err == nil {
-		t.Error("ReadPublicKeyBundle on missing keys returned nil error")
+	if _, err := ReadEncKey(p); err == nil {
+		t.Error("ReadEncKey on missing keys returned nil error")
 	}
 }
 

vault/internal/server/grpc.go

@@ -18,7 +18,7 @@ import (
 	pb "github.com/CryptoLabInc/rune-admin/vault/pkg/vaultpb"
 )
 
-// MaxMessageSize bounds gRPC frames. EvalKey alone can be tens of MB.
+// MaxMessageSize bounds gRPC frames.
 const MaxMessageSize = 256 * 1024 * 1024
 
 // Vault is the runtime container shared by all RPC handlers and the
@@ -79,9 +79,9 @@ type VaultGRPC struct {
 
 func NewVaultGRPC(v *Vault) *VaultGRPC { return &VaultGRPC{v: v} }
 
-// ── GetPublicKey ──────────────────────────────────────────────────
+// ── GetAgentManifest ─────────────────────────────────────────────
 
-func (s *VaultGRPC) GetPublicKey(ctx context.Context, req *pb.GetPublicKeyRequest) (*pb.GetPublicKeyResponse, error) {
+func (s *VaultGRPC) GetAgentManifest(ctx context.Context, req *pb.GetAgentManifestRequest) (*pb.GetAgentManifestResponse, error) {
 	start := time.Now()
 	user := s.v.tokens.GetUsername(req.GetToken())
 	if user == "" {
@@ -91,52 +91,51 @@ func (s *VaultGRPC) GetPublicKey(ctx context.Context, req *pb.GetPublicKeyReques
 	statusStr := "success"
 	var errDetail *string
 	defer func() {
-		s.emit(ctx, "get_public_key", user, nil, resultCount, statusStr, errDetail, time.Since(start))
+		s.emit(ctx, "get_agent_manifest", user, nil, resultCount, statusStr, errDetail, time.Since(start))
 	}()
 
 	username, role, err := s.v.tokens.Validate(req.GetToken())
 	if err != nil {
 		st, msg := mapTokenError(err)
 		statusStr, errDetail = errStatus(err)
-		return &pb.GetPublicKeyResponse{Error: msg}, status.Error(st, msg)
+		return &pb.GetAgentManifestResponse{Error: msg}, status.Error(st, msg)
 	}
 	user = username
 	if err := role.CheckScope("get_public_key"); err != nil {
 		statusStr = "denied"
 		ed := err.Error()
 		errDetail = &ed
-		return &pb.GetPublicKeyResponse{Error: err.Error()}, status.Error(codes.PermissionDenied, err.Error())
+		return &pb.GetAgentManifestResponse{Error: err.Error()}, status.Error(codes.PermissionDenied, err.Error())
 	}
 
 	bundle, err := s.v.buildBundle(req.GetToken())
 	if err != nil {
 		statusStr = "error"
 		ed := err.Error()
 		errDetail = &ed
-		return &pb.GetPublicKeyResponse{Error: err.Error()}, status.Error(codes.Internal, err.Error())
+		return &pb.GetAgentManifestResponse{Error: err.Error()}, status.Error(codes.Internal, err.Error())
 	}
 	js, err := json.Marshal(bundle)
 	if err != nil {
 		statusStr = "error"
 		ed := err.Error()
 		errDetail = &ed
-		return &pb.GetPublicKeyResponse{Error: err.Error()}, status.Error(codes.Internal, err.Error())
+		return &pb.GetAgentManifestResponse{Error: err.Error()}, status.Error(codes.Internal, err.Error())
 	}
 	resultCount = 1
-	return &pb.GetPublicKeyResponse{KeyBundleJson: string(js)}, nil
+	return &pb.GetAgentManifestResponse{ManifestJson: string(js)}, nil
 }
 
-// buildBundle assembles the per-token JSON bundle returned by GetPublicKey.
+// buildBundle assembles the per-token JSON manifest returned by GetAgentManifest.
 // Order of keys is irrelevant — clients parse by name.
 func (s *Vault) buildBundle(token string) (map[string]any, error) {
-	pub, err := crypto.ReadPublicKeyBundle(s.bundleParams)
+	encKey, err := crypto.ReadEncKey(s.bundleParams)
 	if err != nil {
 		return nil, err
 	}
 	bundle := map[string]any{
-		"EncKey.json":  pub.EncKey,
-		"EvalKey.json": pub.EvalKey,
-		"key_id":       s.bundleParams.KeyID,
+		"EncKey.json": encKey,
+		"key_id":      s.bundleParams.KeyID,
 	}
 	if s.cfg.Keys.IndexName != "" {
 		bundle["index_name"] = s.cfg.Keys.IndexName

vault/internal/server/grpc_test.go

@@ -103,10 +103,10 @@ func newTestVault(t *testing.T) *Vault {
 	return NewVault(cfg, store, nil, audit)
 }
 
-func TestGetPublicKeyInvalidToken(t *testing.T) {
+func TestGetAgentManifestInvalidToken(t *testing.T) {
 	v := newTestVault(t)
 	srv := NewVaultGRPC(v)
-	resp, err := srv.GetPublicKey(context.Background(), &pb.GetPublicKeyRequest{
+	resp, err := srv.GetAgentManifest(context.Background(), &pb.GetAgentManifestRequest{
 		Token: "evt_ffffffffffffffffffffffffffffffff",
 	})
 	if status.Code(err) != codes.Unauthenticated {

vault/internal/server/interceptors.go

@@ -19,9 +19,9 @@ import (
 // vaultMethods enumerates the gRPC method paths owned by VaultService.
 // Other services routed through the same gRPC server bypass runtime checks.
 var vaultMethods = map[string]bool{
-	"/rune.vault.v1.VaultService/GetPublicKey":    true,
-	"/rune.vault.v1.VaultService/DecryptScores":   true,
-	"/rune.vault.v1.VaultService/DecryptMetadata": true,
+	"/rune.vault.v1.VaultService/GetAgentManifest": true,
+	"/rune.vault.v1.VaultService/DecryptScores":    true,
+	"/rune.vault.v1.VaultService/DecryptMetadata":  true,
 }
 
 // NewValidationInterceptor returns a unary server interceptor that runs
@@ -55,7 +55,7 @@ func NewValidationInterceptor() (grpc.UnaryServerInterceptor, error) {
 func runtimeCheckToken(req any) error {
 	var token string
 	switch r := req.(type) {
-	case *pb.GetPublicKeyRequest:
+	case *pb.GetAgentManifestRequest:
 		token = r.GetToken()
 	case *pb.DecryptScoresRequest:
 		token = r.GetToken()

vault/internal/server/interceptors_test.go

@@ -52,8 +52,8 @@ func vaultMethodInfo(name string) *grpc.UnaryServerInfo {
 
 func TestInterceptorPassesValidRequest(t *testing.T) {
 	ic := mustInterceptor(t)
-	req := &pb.GetPublicKeyRequest{Token: "evt_0123456789abcdef0123456789abcdef"}
-	out, err := ic(context.Background(), req, vaultMethodInfo("GetPublicKey"), noopHandler)
+	req := &pb.GetAgentManifestRequest{Token: "evt_0123456789abcdef0123456789abcdef"}
+	out, err := ic(context.Background(), req, vaultMethodInfo("GetAgentManifest"), noopHandler)
 	if err != nil {
 		t.Fatalf("err = %v, want nil", err)
 	}
@@ -65,8 +65,8 @@ func TestInterceptorPassesValidRequest(t *testing.T) {
 func TestInterceptorRejectsBadProtovalidate(t *testing.T) {
 	ic := mustInterceptor(t)
 	// Token shorter than 36 fails the proto-level constraint.
-	req := &pb.GetPublicKeyRequest{Token: "too_short"}
-	_, err := ic(context.Background(), req, vaultMethodInfo("GetPublicKey"), noopHandler)
+	req := &pb.GetAgentManifestRequest{Token: "too_short"}
+	_, err := ic(context.Background(), req, vaultMethodInfo("GetAgentManifest"), noopHandler)
 	if err == nil {
 		t.Fatal("err = nil, want validation error")
 	}
@@ -79,11 +79,11 @@ func TestInterceptorRejectsControlCharToken(t *testing.T) {
 	ic := mustInterceptor(t)
 	// 36-char token containing a control byte (\x00) inside.
 	// protovalidate only checks length, so the runtime layer catches this.
-	req := &pb.GetPublicKeyRequest{Token: "evt_0123456789abcdef0123456789abc\x00ef"}
+	req := &pb.GetAgentManifestRequest{Token: "evt_0123456789abcdef0123456789abc\x00ef"}
 	if len(req.Token) != 36 {
 		t.Fatalf("test setup: token length = %d, want 36", len(req.Token))
 	}
-	_, err := ic(context.Background(), req, vaultMethodInfo("GetPublicKey"), noopHandler)
+	_, err := ic(context.Background(), req, vaultMethodInfo("GetAgentManifest"), noopHandler)
 	if err == nil {
 		t.Fatal("err = nil, want runtime error")
 	}
@@ -97,7 +97,7 @@ func TestInterceptorAllowsNonVaultMethod(t *testing.T) {
 	// Whitespace-around token would normally fail runtime check, but
 	// non-Vault methods skip runtime checks (and the proto for this
 	// dummy message doesn't apply).
-	req := &pb.GetPublicKeyRequest{Token: "evt_0123456789abcdef0123456789abcdef"}
+	req := &pb.GetAgentManifestRequest{Token: "evt_0123456789abcdef0123456789abcdef"}
 	info := &grpc.UnaryServerInfo{FullMethod: "/grpc.health.v1.Health/Check"}
 	if _, err := ic(context.Background(), req, info, noopHandler); err != nil {
 		t.Errorf("non-vault method blocked: %v", err)