Add vault seal/unseal lifecycle

- New internal/vault package: thread-safe Vault struct with seal/unseal state, key material zeroing, and key derivation - REST: POST /v1/vault/unseal, POST /v1/vault/seal, GET /v1/vault/status; health returns sealed status - UI: /unseal page with passphrase form, redirect when sealed - gRPC: sealedInterceptor rejects RPCs when sealed - Middleware: RequireUnsealed blocks all routes except exempt paths; RequireAuth reads pubkey from vault at request time - Startup: server starts sealed when passphrase unavailable - All servers share single *vault.Vault by pointer - CSRF manager derives key lazily from vault Security: Key material is zeroed on seal. Sealed middleware runs before auth. Handlers fail closed if vault becomes sealed mid-request. Unseal endpoint is rate-limited (3/s burst 5). No CSRF on unseal page (no session to protect; chicken-and-egg with master key). Passphrase never logged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 23:55:37 -07:00
parent 5c242f8abb
commit d87b4b4042
28 changed files with 1292 additions and 119 deletions
--- a/internal/model/model.go
+++ b/internal/model/model.go
@@ -178,6 +178,9 @@ const (
 	EventPGCredAccessed = "pgcred_accessed"
 	EventPGCredUpdated  = "pgcred_updated" //nolint:gosec // G101: audit event type string, not a credential

+	EventVaultSealed   = "vault_sealed"
+	EventVaultUnsealed = "vault_unsealed"
+
 	EventTagAdded   = "tag_added"
 	EventTagRemoved = "tag_removed"