Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/mciasdb/account.go

@@ -13,7 +13,7 @@ import (
 
 func (t *tool) runAccount(args []string) {
 	if len(args) == 0 {
-		fatalf("account requires a subcommand: list, get, create, set-password, set-status, reset-totp")
+		fatalf("account requires a subcommand: list, get, create, set-password, set-status, reset-totp, reset-webauthn")
 	}
 	switch args[0] {
 	case "list":
@@ -28,6 +28,8 @@ func (t *tool) runAccount(args []string) {
 		t.accountSetStatus(args[1:])
 	case "reset-totp":
 		t.accountResetTOTP(args[1:])
+	case "reset-webauthn":
+		t.webauthnReset(args[1:])
 	default:
 		fatalf("unknown account subcommand %q", args[0])
 	}

cmd/mciasdb/main.go

@@ -109,6 +109,8 @@ func main() {
 		tool.runAudit(subArgs)
 	case "pgcreds":
 		tool.runPGCreds(subArgs)
+	case "webauthn":
+		tool.runWebAuthn(subArgs)
 	case "rekey":
 		tool.runRekey(subArgs)
 	default:
@@ -245,6 +247,11 @@ Commands:
   account set-password   --id UUID  (prompts interactively)
   account set-status     --id UUID --status active|inactive|deleted
   account reset-totp     --id UUID
+  account reset-webauthn --id UUID
+
+  webauthn list          --id UUID
+  webauthn delete        --id UUID --credential-id N
+  webauthn reset         --id UUID
 
   role list              --id UUID
   role grant             --id UUID --role ROLE

cmd/mciasdb/webauthn.go

@@ -0,0 +1,121 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+)
+
+func (t *tool) runWebAuthn(args []string) {
+	if len(args) == 0 {
+		fatalf("webauthn requires a subcommand: list, delete, reset")
+	}
+	switch args[0] {
+	case "list":
+		t.webauthnList(args[1:])
+	case "delete":
+		t.webauthnDelete(args[1:])
+	case "reset":
+		t.webauthnReset(args[1:])
+	default:
+		fatalf("unknown webauthn subcommand %q", args[0])
+	}
+}
+
+func (t *tool) webauthnList(args []string) {
+	fs := flag.NewFlagSet("webauthn list", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("webauthn list: --id is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	creds, err := t.db.GetWebAuthnCredentials(a.ID)
+	if err != nil {
+		fatalf("list webauthn credentials: %v", err)
+	}
+
+	if len(creds) == 0 {
+		fmt.Printf("No WebAuthn credentials for account %s\n", a.Username)
+		return
+	}
+
+	fmt.Printf("WebAuthn credentials for %s:\n\n", a.Username)
+	fmt.Printf("%-6s  %-20s  %-12s  %-8s  %-20s  %-20s\n",
+		"ID", "NAME", "DISCOVERABLE", "COUNT", "CREATED", "LAST USED")
+	fmt.Println(strings.Repeat("-", 96))
+	for _, c := range creds {
+		disc := "no"
+		if c.Discoverable {
+			disc = "yes"
+		}
+		lastUsed := "never"
+		if c.LastUsedAt != nil {
+			lastUsed = c.LastUsedAt.UTC().Format("2006-01-02 15:04:05")
+		}
+		fmt.Printf("%-6d  %-20s  %-12s  %-8d  %-20s  %-20s\n",
+			c.ID, c.Name, disc, c.SignCount,
+			c.CreatedAt.UTC().Format("2006-01-02 15:04:05"), lastUsed)
+	}
+}
+
+func (t *tool) webauthnDelete(args []string) {
+	fs := flag.NewFlagSet("webauthn delete", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	credID := fs.Int64("credential-id", 0, "credential DB row ID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" || *credID == 0 {
+		fatalf("webauthn delete: --id and --credential-id are required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	if err := t.db.DeleteWebAuthnCredential(*credID, a.ID); err != nil {
+		fatalf("delete webauthn credential: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("webauthn_removed", nil, &a.ID, "",
+		fmt.Sprintf(`{"actor":"mciasdb","credential_id":%d}`, *credID)); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("WebAuthn credential %d deleted from account %s\n", *credID, a.Username)
+}
+
+func (t *tool) webauthnReset(args []string) {
+	fs := flag.NewFlagSet("webauthn reset", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("webauthn reset: --id is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	count, err := t.db.DeleteAllWebAuthnCredentials(a.ID)
+	if err != nil {
+		fatalf("delete all webauthn credentials: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("webauthn_removed", nil, &a.ID, "",
+		fmt.Sprintf(`{"actor":"mciasdb","action":"reset_webauthn","count":%d}`, count)); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("Removed %d WebAuthn credential(s) from account %s\n", count, a.Username)
+}