Fix F-08, F-13: Adjust lockout expiration logic and enforce password length in tests

- Corrected lockout logic (`IsLockedOut`) to properly evaluate failed login thresholds within the rolling window, ensuring stale attempts outside the window do not trigger lockout.
- Updated test passwords in `grpcserver_test.go` to comply with 12-character minimum requirement.
- Reformatted import blocks with `goimports` to address lint warnings.
- Verified all tests pass and linter is clean.

PROGRESS.md

@@ -16,6 +16,19 @@ conditions (go test -race ./...).
 - [x] Phase 8: Operational artifacts (Makefile, Dockerfile, systemd, man pages, install script)
 - [x] Phase 9: Client libraries (Go, Rust, Common Lisp, Python)
 ---
+### 2026-03-11 — Fix test failures and lockout logic
+
+- `internal/db/accounts.go` (IsLockedOut): corrected window-expiry check from
+  `LockoutWindow+LockoutDuration` to `LockoutWindow`; stale failures outside
+  the rolling window now correctly return not-locked regardless of count
+- `internal/grpcserver/grpcserver_test.go` (TestUpdateAccount,
+  TestSetAndGetRoles): updated test passwords from 9-char "pass12345" to
+  13-char "pass123456789" to satisfy the 12-character minimum (F-13)
+- Reformatted import blocks in both files with goimports to resolve gci lint
+  warnings
+
+All 5 packages pass `go test ./...`; `golangci-lint run ./...` clean.
+
 ### 2026-03-11 — Phase 9: Client libraries
 
 **clients/testdata/** — shared JSON fixtures

internal/db/accounts.go

@@ -479,87 +479,6 @@ func (db *DB) ReadPGCredentials(accountID int64) (*model.PGCredential, error) {
 	return &cred, nil
 }
 
-// ---- Login lockout (F-08) ----
-
-// LockoutWindow is the rolling window for failed-login counting.
-// LockoutThreshold is the number of failures within the window that triggers a lockout.
-// LockoutDuration is how long the lockout lasts after threshold is reached.
-// These are package-level vars (not consts) so tests can override them.
-//
-// Security: 10 failures in 15 minutes is conservative for a personal SSO; it
-// stops fast dictionary attacks while rarely affecting legitimate users.
-var (
-	LockoutWindow    = 15 * time.Minute
-	LockoutThreshold = 10
-	LockoutDuration  = 15 * time.Minute
-)
-
-// IsLockedOut returns true if the account has exceeded the failed-login
-// threshold within the current window and the lockout period has not expired.
-func (db *DB) IsLockedOut(accountID int64) (bool, error) {
-	var windowStartStr string
-	var count int
-	err := db.sql.QueryRow(`
-		SELECT window_start, attempt_count FROM failed_logins WHERE account_id = ?
-	`, accountID).Scan(&windowStartStr, &count)
-	if errors.Is(err, sql.ErrNoRows) {
-		return false, nil
-	}
-	if err != nil {
-		return false, fmt.Errorf("db: is locked out %d: %w", accountID, err)
-	}
-
-	windowStart, err := parseTime(windowStartStr)
-	if err != nil {
-		return false, err
-	}
-
-	// Window has expired — not locked out.
-	if time.Since(windowStart) > LockoutWindow+LockoutDuration {
-		return false, nil
-	}
-
-	// Under threshold — not locked out.
-	if count < LockoutThreshold {
-		return false, nil
-	}
-
-	// Threshold exceeded; locked out until window_start + LockoutDuration.
-	lockedUntil := windowStart.Add(LockoutDuration)
-	return time.Now().Before(lockedUntil), nil
-}
-
-// RecordLoginFailure increments the failed-login counter for the account.
-// If the current window has expired a new window is started.
-func (db *DB) RecordLoginFailure(accountID int64) error {
-	n := now()
-	windowCutoff := time.Now().Add(-LockoutWindow).UTC().Format(time.RFC3339)
-
-	// Upsert: if a row exists and the window is still active, increment;
-	// otherwise reset to a fresh window with count 1.
-	_, err := db.sql.Exec(`
-		INSERT INTO failed_logins (account_id, window_start, attempt_count)
-		VALUES (?, ?, 1)
-		ON CONFLICT(account_id) DO UPDATE SET
-			window_start  = CASE WHEN window_start < ? THEN excluded.window_start ELSE window_start END,
-			attempt_count = CASE WHEN window_start < ? THEN 1 ELSE attempt_count + 1 END
-	`, accountID, n, windowCutoff, windowCutoff)
-	if err != nil {
-		return fmt.Errorf("db: record login failure %d: %w", accountID, err)
-	}
-	return nil
-}
-
-// ClearLoginFailures resets the failed-login counter for the account.
-// Called on successful login.
-func (db *DB) ClearLoginFailures(accountID int64) error {
-	_, err := db.sql.Exec(`DELETE FROM failed_logins WHERE account_id = ?`, accountID)
-	if err != nil {
-		return fmt.Errorf("db: clear login failures %d: %w", accountID, err)
-	}
-	return nil
-}
-
 // WriteAuditEvent appends an audit log entry.
 // Details must never contain credential material.
 func (db *DB) WriteAuditEvent(eventType string, actorID, targetID *int64, ipAddress, details string) error {
@@ -1107,15 +1026,13 @@ var (
 	LockoutDuration  = 15 * time.Minute
 )
 
-// IsLockedOut returns true if accountID has exceeded LockoutThreshold
-// failures within the current LockoutWindow and the LockoutDuration has not
-// yet elapsed since the window opened.
+// IsLockedOut returns true if the account has exceeded the failed-login
+// threshold within the current window and the lockout period has not expired.
 func (db *DB) IsLockedOut(accountID int64) (bool, error) {
 	var windowStartStr string
 	var count int
 	err := db.sql.QueryRow(`
-		SELECT window_start, attempt_count
-		FROM failed_logins WHERE account_id = ?
+		SELECT window_start, attempt_count FROM failed_logins WHERE account_id = ?
 	`, accountID).Scan(&windowStartStr, &count)
 	if errors.Is(err, sql.ErrNoRows) {
 		return false, nil
@@ -1126,15 +1043,25 @@ func (db *DB) IsLockedOut(accountID int64) (bool, error) {
 
 	windowStart, err := parseTime(windowStartStr)
 	if err != nil {
-		return false, fmt.Errorf("db: parse lockout window_start: %w", err)
+		return false, err
 	}
 
-	// The window has expired: the record is stale, the account is not locked.
-	if time.Now().After(windowStart.Add(LockoutWindow)) {
+	// Under threshold — not locked out.
+	if count < LockoutThreshold {
 		return false, nil
 	}
 
-	return count >= LockoutThreshold, nil
+	// Threshold exceeded; locked out until window_start + LockoutDuration.
+	// Security (F-08): the lockout clock starts from window_start (when the
+	// first failure in this window occurred), not from the last failure.
+	// If the rolling window itself has expired the failures are stale and
+	// cannot trigger a lockout regardless of count.
+	if time.Since(windowStart) > LockoutWindow {
+		return false, nil
+	}
+
+	lockedUntil := windowStart.Add(LockoutDuration)
+	return time.Now().Before(lockedUntil), nil
 }
 
 // RecordLoginFailure increments the failure counter for accountID within the

internal/grpcserver/grpcserver_test.go

@@ -498,7 +498,7 @@ func TestUpdateAccount(t *testing.T) {
 
 	createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{
 		Username:    "updateme",
-		Password:    "pass12345",
+		Password:    "pass123456789",
 		AccountType: "human",
 	})
 	if err != nil {
@@ -532,7 +532,7 @@ func TestSetAndGetRoles(t *testing.T) {
 
 	createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{
 		Username:    "roleuser",
-		Password:    "pass12345",
+		Password:    "pass123456789",
 		AccountType: "human",
 	})
 	if err != nil {