Fix SEC-01: require password for TOTP enroll

- REST handleTOTPEnroll now requires password field in request body
- gRPC EnrollTOTP updated with password field in proto message
- Both handlers check lockout status and record failures on bad password
- Updated Go, Python, and Rust client libraries to pass password
- Updated OpenAPI specs with new requestBody schema
- Added TestTOTPEnrollRequiresPassword with no-password, wrong-password,
  and correct-password sub-tests

Security: TOTP enrollment now requires the current password to prevent
session-theft escalation to persistent account takeover. Lockout and
failure recording use the same Argon2id constant-time path as login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/server/server.go

@@ -780,6 +780,10 @@ func (s *Server) handleRevokeRole(w http.ResponseWriter, r *http.Request) {
 
 // ---- TOTP endpoints ----
 
+type totpEnrollRequest struct {
+	Password string `json:"password"` // security: current password required to prevent session-theft escalation
+}
+
 type totpEnrollResponse struct {
 	Secret     string `json:"secret"` // base32-encoded
 	OTPAuthURI string `json:"otpauth_uri"`
@@ -789,6 +793,12 @@ type totpConfirmRequest struct {
 	Code string `json:"code"`
 }
 
+// handleTOTPEnroll begins TOTP enrollment for the calling account.
+//
+// Security (SEC-01): the current password is required in the request body to
+// prevent a stolen session token from being used to enroll attacker-controlled
+// MFA on the victim's account.  Lockout is checked and failures are recorded
+// to prevent brute-force use of this endpoint as a password oracle.
 func (s *Server) handleTOTPEnroll(w http.ResponseWriter, r *http.Request) {
 	claims := middleware.ClaimsFromContext(r.Context())
 	acct, err := s.db.GetAccountByUUID(claims.Subject)
@@ -797,6 +807,38 @@ func (s *Server) handleTOTPEnroll(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var req totpEnrollRequest
+	if !decodeJSON(w, r, &req) {
+		return
+	}
+
+	if req.Password == "" {
+		middleware.WriteError(w, http.StatusBadRequest, "password is required", "bad_request")
+		return
+	}
+
+	// Security: check lockout before verifying (same as login and password-change flows)
+	// so an attacker cannot use this endpoint to brute-force the current password.
+	locked, lockErr := s.db.IsLockedOut(acct.ID)
+	if lockErr != nil {
+		s.logger.Error("lockout check (TOTP enroll)", "error", lockErr)
+	}
+	if locked {
+		s.writeAudit(r, model.EventTOTPEnrolled, &acct.ID, &acct.ID, `{"result":"locked"}`)
+		middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
+		return
+	}
+
+	// Security: verify the current password with the same constant-time
+	// Argon2id path used at login to prevent timing oracles.
+	ok, verifyErr := auth.VerifyPassword(req.Password, acct.PasswordHash)
+	if verifyErr != nil || !ok {
+		_ = s.db.RecordLoginFailure(acct.ID)
+		s.writeAudit(r, model.EventTOTPEnrolled, &acct.ID, &acct.ID, `{"result":"wrong_password"}`)
+		middleware.WriteError(w, http.StatusUnauthorized, "password is incorrect", "unauthorized")
+		return
+	}
+
 	rawSecret, b32Secret, err := auth.GenerateTOTPSecret()
 	if err != nil {
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")