Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/ui/ui.go

@@ -177,6 +177,13 @@ func New(database *db.DB, cfg *config.Config, v *vault.Vault, logger *slog.Logge
 			}
 			return *actorID == *cred.OwnerID
 		},
+		// derefTime dereferences a *time.Time, returning the zero time for nil.
+		"derefTime": func(p *time.Time) time.Time {
+			if p == nil {
+				return time.Time{}
+			}
+			return *p
+		},
 		"add": func(a, b int) int { return a + b },
 		"sub": func(a, b int) int { return a - b },
 		"gt":  func(a, b int) bool { return a > b },
@@ -213,6 +220,8 @@ func New(database *db.DB, cfg *config.Config, v *vault.Vault, logger *slog.Logge
 		"templates/fragments/password_reset_form.html",
 		"templates/fragments/password_change_form.html",
 		"templates/fragments/token_delegates.html",
+		"templates/fragments/webauthn_credentials.html",
+		"templates/fragments/webauthn_enroll.html",
 	}
 	base, err := template.New("").Funcs(funcMap).ParseFS(web.TemplateFS, sharedFiles...)
 	if err != nil {
@@ -378,6 +387,9 @@ func (u *UIServer) Register(mux *http.ServeMux) {
 	uiMux.HandleFunc("GET /login", u.handleLoginPage)
 	uiMux.Handle("POST /login", loginRateLimit(http.HandlerFunc(u.handleLoginPost)))
 	uiMux.HandleFunc("POST /logout", u.handleLogout)
+	// WebAuthn login routes (public, rate-limited).
+	uiMux.Handle("POST /login/webauthn/begin", loginRateLimit(http.HandlerFunc(u.handleWebAuthnLoginBegin)))
+	uiMux.Handle("POST /login/webauthn/finish", loginRateLimit(http.HandlerFunc(u.handleWebAuthnLoginFinish)))
 
 	// Protected routes.
 	//
@@ -432,6 +444,12 @@ func (u *UIServer) Register(mux *http.ServeMux) {
 	// Profile routes — accessible to any authenticated user (not admin-only).
 	uiMux.Handle("GET /profile", authed(http.HandlerFunc(u.handleProfilePage)))
 	uiMux.Handle("PUT /profile/password", authed(u.requireCSRF(http.HandlerFunc(u.handleSelfChangePassword))))
+	// WebAuthn profile routes (enrollment and management).
+	uiMux.Handle("POST /profile/webauthn/begin", authed(u.requireCSRF(http.HandlerFunc(u.handleWebAuthnBegin))))
+	uiMux.Handle("POST /profile/webauthn/finish", authed(u.requireCSRF(http.HandlerFunc(u.handleWebAuthnFinish))))
+	uiMux.Handle("DELETE /profile/webauthn/{id}", authed(u.requireCSRF(http.HandlerFunc(u.handleWebAuthnDelete))))
+	// Admin WebAuthn management.
+	uiMux.Handle("DELETE /accounts/{id}/webauthn/{credentialId}", admin(u.handleAdminWebAuthnDelete))
 
 	// Mount the wrapped UI mux on the parent mux. The "/" pattern acts as a
 	// catch-all for all UI paths; the more-specific /v1/ API patterns registered
@@ -729,6 +747,8 @@ type LoginData struct {
 	// a short-lived server-side nonce is issued after successful password
 	// verification, and only the nonce is embedded in the TOTP step form.
 	Nonce string // single-use server-side nonce replacing the password hidden field
+	// WebAuthnEnabled indicates whether the passkey login button should appear.
+	WebAuthnEnabled bool
 }
 
 // DashboardData is the view model for the dashboard page.
@@ -746,7 +766,7 @@ type AccountsData struct {
 }
 
 // AccountDetailData is the view model for the account detail page.
-type AccountDetailData struct {
+type AccountDetailData struct { //nolint:govet // fieldalignment: readability over alignment for view model
 	Account *model.Account
 	// PGCred is nil if none stored or the account is not a system account.
 	PGCred *model.PGCredential
@@ -772,10 +792,15 @@ type AccountDetailData struct {
 	AllRoles []string
 	Tags     []string
 	Tokens   []*model.TokenRecord
+	// WebAuthnCreds lists the WebAuthn credentials for this account (metadata only).
+	WebAuthnCreds []*model.WebAuthnCredential
+	// DeletePrefix is the URL prefix for WebAuthn credential delete buttons.
+	DeletePrefix string
 	// CanIssueToken is true when the viewing actor may issue tokens for this
 	// system account (admin role or explicit delegate grant).
 	// Placed last to minimise GC scan area.
-	CanIssueToken bool
+	CanIssueToken   bool
+	WebAuthnEnabled bool
 }
 
 // ServiceAccountsData is the view model for the /service-accounts page.
@@ -832,8 +857,11 @@ type PoliciesData struct {
 }
 
 // ProfileData is the view model for the profile/settings page.
-type ProfileData struct {
+type ProfileData struct { //nolint:govet // fieldalignment: readability over alignment for view model
 	PageData
+	WebAuthnCreds   []*model.WebAuthnCredential
+	DeletePrefix    string // URL prefix for delete buttons (e.g. "/profile/webauthn")
+	WebAuthnEnabled bool
 }
 
 // PGCredsData is the view model for the "My PG Credentials" list page.