Add vault seal/unseal lifecycle

- New internal/vault package: thread-safe Vault struct with
  seal/unseal state, key material zeroing, and key derivation
- REST: POST /v1/vault/unseal, POST /v1/vault/seal,
  GET /v1/vault/status; health returns sealed status
- UI: /unseal page with passphrase form, redirect when sealed
- gRPC: sealedInterceptor rejects RPCs when sealed
- Middleware: RequireUnsealed blocks all routes except exempt
  paths; RequireAuth reads pubkey from vault at request time
- Startup: server starts sealed when passphrase unavailable
- All servers share single *vault.Vault by pointer
- CSRF manager derives key lazily from vault

Security: Key material is zeroed on seal. Sealed middleware
runs before auth. Handlers fail closed if vault becomes sealed
mid-request. Unseal endpoint is rate-limited (3/s burst 5).
No CSRF on unseal page (no session to protect; chicken-and-egg
with master key). Passphrase never logged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/middleware/middleware.go

@@ -13,7 +13,6 @@ package middleware
 
 import (
 	"context"
-	"crypto/ed25519"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -27,6 +26,7 @@ import (
 	"git.wntrmute.dev/kyle/mcias/internal/db"
 	"git.wntrmute.dev/kyle/mcias/internal/policy"
 	"git.wntrmute.dev/kyle/mcias/internal/token"
+	"git.wntrmute.dev/kyle/mcias/internal/vault"
 )
 
 // contextKey is the unexported type for context keys in this package, preventing
@@ -90,12 +90,18 @@ func (rw *responseWriter) WriteHeader(code int) {
 // RequireAuth returns middleware that validates a Bearer JWT and injects the
 // claims into the request context. Returns 401 on any auth failure.
 //
+// The public key is read from the vault at request time so that the middleware
+// works correctly across seal/unseal transitions. When the vault is sealed,
+// the sealed middleware (RequireUnsealed) prevents reaching this handler, but
+// the vault check here provides defense in depth (fail closed).
+//
 // Security: Token validation order:
 // 1. Extract Bearer token from Authorization header.
-// 2. Validate the JWT (alg=EdDSA, signature, expiry, issuer).
-// 3. Check the JTI against the revocation table in the database.
-// 4. Inject validated claims into context for downstream handlers.
-func RequireAuth(pubKey ed25519.PublicKey, database *db.DB, issuer string) func(http.Handler) http.Handler {
+// 2. Read public key from vault (fail closed if sealed).
+// 3. Validate the JWT (alg=EdDSA, signature, expiry, issuer).
+// 4. Check the JTI against the revocation table in the database.
+// 5. Inject validated claims into context for downstream handlers.
+func RequireAuth(v *vault.Vault, database *db.DB, issuer string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			tokenStr, err := extractBearerToken(r)
@@ -104,6 +110,14 @@ func RequireAuth(pubKey ed25519.PublicKey, database *db.DB, issuer string) func(
 				return
 			}
 
+			// Security: read the public key from vault at request time.
+			// If the vault is sealed, fail closed with 503.
+			pubKey, err := v.PubKey()
+			if err != nil {
+				writeError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
+				return
+			}
+
 			claims, err := token.ValidateToken(pubKey, tokenStr, issuer)
 			if err != nil {
 				// Security: Map all token errors to a generic 401; do not
@@ -437,3 +451,47 @@ func RequirePolicy(
 		})
 	}
 }
+
+// RequireUnsealed returns middleware that blocks requests when the vault is sealed.
+//
+// Exempt paths (served normally even when sealed):
+//   - GET /v1/health, GET /v1/vault/status, POST /v1/vault/unseal
+//   - GET /unseal, POST /unseal
+//   - GET /static/* (CSS/JS needed by the unseal page)
+//
+// API paths (/v1/*) receive a JSON 503 response. All other paths (UI) receive
+// a 302 redirect to /unseal.
+//
+// Security: This middleware is the first in the chain (after global security
+// headers). It ensures no authenticated or data-serving handler runs while the
+// vault is sealed and key material is unavailable.
+func RequireUnsealed(v *vault.Vault) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if !v.IsSealed() {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			path := r.URL.Path
+
+			// Exempt paths that must work while sealed.
+			if path == "/v1/health" || path == "/v1/vault/status" ||
+				path == "/v1/vault/unseal" ||
+				path == "/unseal" ||
+				strings.HasPrefix(path, "/static/") {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// API paths: JSON 503.
+			if strings.HasPrefix(path, "/v1/") {
+				writeError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
+				return
+			}
+
+			// UI paths: redirect to unseal page.
+			http.Redirect(w, r, "/unseal", http.StatusFound)
+		})
+	}
+}

internal/middleware/middleware_test.go

@@ -15,6 +15,7 @@ import (
 	"git.wntrmute.dev/kyle/mcias/internal/db"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
 	"git.wntrmute.dev/kyle/mcias/internal/token"
+	"git.wntrmute.dev/kyle/mcias/internal/vault"
 )
 
 func generateTestKey(t *testing.T) (ed25519.PublicKey, ed25519.PrivateKey) {
@@ -26,6 +27,15 @@ func generateTestKey(t *testing.T) (ed25519.PublicKey, ed25519.PrivateKey) {
 	return pub, priv
 }
 
+func testVault(t *testing.T, priv ed25519.PrivateKey, pub ed25519.PublicKey) *vault.Vault {
+	t.Helper()
+	mk := make([]byte, 32)
+	if _, err := rand.Read(mk); err != nil {
+		t.Fatalf("generate master key: %v", err)
+	}
+	return vault.NewUnsealed(mk, priv, pub)
+}
+
 func openTestDB(t *testing.T) *db.DB {
 	t.Helper()
 	database, err := db.Open(":memory:")
@@ -96,7 +106,7 @@ func TestRequireAuthValid(t *testing.T) {
 	tokenStr := issueAndTrackToken(t, priv, database, acct.ID, []string{"reader"})
 
 	reached := false
-	handler := RequireAuth(pub, database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := RequireAuth(testVault(t, priv, pub), database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		reached = true
 		claims := ClaimsFromContext(r.Context())
 		if claims == nil {
@@ -123,7 +133,7 @@ func TestRequireAuthMissingHeader(t *testing.T) {
 	_ = priv
 	database := openTestDB(t)
 
-	handler := RequireAuth(pub, database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := RequireAuth(testVault(t, priv, pub), database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		t.Error("handler should not be reached without auth")
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -138,10 +148,10 @@ func TestRequireAuthMissingHeader(t *testing.T) {
 }
 
 func TestRequireAuthInvalidToken(t *testing.T) {
-	pub, _ := generateTestKey(t)
+	pub, priv := generateTestKey(t)
 	database := openTestDB(t)
 
-	handler := RequireAuth(pub, database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := RequireAuth(testVault(t, priv, pub), database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		t.Error("handler should not be reached with invalid token")
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -176,7 +186,7 @@ func TestRequireAuthRevokedToken(t *testing.T) {
 		t.Fatalf("RevokeToken: %v", err)
 	}
 
-	handler := RequireAuth(pub, database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := RequireAuth(testVault(t, priv, pub), database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		t.Error("handler should not be reached with revoked token")
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -201,7 +211,7 @@ func TestRequireAuthExpiredToken(t *testing.T) {
 		t.Fatalf("IssueToken: %v", err)
 	}
 
-	handler := RequireAuth(pub, database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := RequireAuth(testVault(t, priv, pub), database, testIssuer)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		t.Error("handler should not be reached with expired token")
 		w.WriteHeader(http.StatusOK)
 	}))