trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/db/accounts.go

@@ -70,7 +70,10 @@ func (db *DB) GetAccountByID(id int64) (*model.Account, error) {
 	`, id))
 }
 
-// GetAccountByUsername retrieves an account by username (case-insensitive).
+// GetAccountByUsername retrieves an account by username.
+// Matching is case-sensitive: SQLite uses BINARY collation by default, so
+// "admin" and "Admin" are distinct usernames.  This is intentional for an
+// SSO system where usernames should be treated as opaque identifiers.
 // Returns ErrNotFound if no matching account exists.
 func (db *DB) GetAccountByUsername(username string) (*model.Account, error) {
 	return db.scanAccount(db.sql.QueryRow(`
@@ -184,6 +187,46 @@ func (db *DB) SetTOTP(accountID int64, secretEnc, secretNonce []byte) error {
 	return nil
 }
 
+// CheckAndUpdateTOTPCounter atomically verifies that counter is strictly
+// greater than the last accepted TOTP counter for the account, and if so,
+// stores counter as the new last accepted value.
+//
+// Returns ErrTOTPReplay if counter ≤ the stored value, preventing a replay
+// of a previously accepted code within the ±1 time-step validity window.
+// On the first successful TOTP login (stored value NULL) any counter is
+// accepted.
+//
+// Security (CRIT-01): RFC 6238 §5.2 recommends recording the last OTP
+// counter used and rejecting any code that does not advance it.  Without
+// this, an intercepted code remains valid for up to 90 seconds.  The update
+// is performed in a single parameterized SQL statement, so there is no
+// TOCTOU window between the check and the write.
+func (db *DB) CheckAndUpdateTOTPCounter(accountID int64, counter int64) error {
+	result, err := db.sql.Exec(`
+		UPDATE accounts
+		SET last_totp_counter = ?, updated_at = ?
+		WHERE id = ?
+		  AND (last_totp_counter IS NULL OR last_totp_counter < ?)
+	`, counter, now(), accountID, counter)
+	if err != nil {
+		return fmt.Errorf("db: check-and-update TOTP counter: %w", err)
+	}
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("db: check-and-update TOTP counter rows affected: %w", err)
+	}
+	if rows == 0 {
+		// Security: the counter was not advanced — this code has already been
+		// used within its validity window.  Treat as authentication failure.
+		return ErrTOTPReplay
+	}
+	return nil
+}
+
+// ErrTOTPReplay is returned by CheckAndUpdateTOTPCounter when the submitted
+// TOTP code corresponds to a counter value that has already been accepted.
+var ErrTOTPReplay = errors.New("db: TOTP code already used (replay)")
+
 // ClearTOTP removes the TOTP secret and disables TOTP requirement.
 func (db *DB) ClearTOTP(accountID int64) error {
 	_, err := db.sql.Exec(`
@@ -300,6 +343,12 @@ func (db *DB) GetRoles(accountID int64) ([]string, error) {
 
 // GrantRole adds a role to an account. If the role already exists, it is a no-op.
 func (db *DB) GrantRole(accountID int64, role string, grantedBy *int64) error {
+	// Security (DEF-10): reject unknown roles before writing to the DB so
+	// that typos (e.g. "admim") are caught immediately rather than silently
+	// creating an unmatchable role.
+	if err := model.ValidateRole(role); err != nil {
+		return err
+	}
 	_, err := db.sql.Exec(`
 		INSERT OR IGNORE INTO account_roles (account_id, role, granted_by, granted_at)
 		VALUES (?, ?, ?, ?)
@@ -323,6 +372,14 @@ func (db *DB) RevokeRole(accountID int64, role string) error {
 
 // SetRoles replaces the full role set for an account atomically.
 func (db *DB) SetRoles(accountID int64, roles []string, grantedBy *int64) error {
+	// Security (DEF-10): validate all roles before opening the transaction so
+	// we fail fast without touching the database on an invalid input.
+	for _, role := range roles {
+		if err := model.ValidateRole(role); err != nil {
+			return err
+		}
+	}
+
 	tx, err := db.sql.Begin()
 	if err != nil {
 		return fmt.Errorf("db: set roles begin tx: %w", err)

internal/db/db.go

@@ -65,7 +65,14 @@ func (db *DB) configure() error {
 		"PRAGMA journal_mode=WAL",
 		"PRAGMA foreign_keys=ON",
 		"PRAGMA busy_timeout=5000",
-		"PRAGMA synchronous=NORMAL",
+		// Security (DEF-07): FULL synchronous mode ensures every write is
+		// flushed to disk before SQLite considers it committed.  With WAL
+		// mode + NORMAL, a power failure between a write and the next
+		// checkpoint could lose the most recent committed transactions,
+		// including token issuance and revocation records — which must be
+		// durable.  The performance cost is negligible for a single-node
+		// personal SSO server.
+		"PRAGMA synchronous=FULL",
 	}
 	for _, p := range pragmas {
 		if _, err := db.sql.Exec(p); err != nil {

internal/db/db_test.go

@@ -162,7 +162,7 @@ func TestRoleOperations(t *testing.T) {
 	}
 
 	// SetRoles
-	if err := db.SetRoles(acct.ID, []string{"reader", "writer"}, nil); err != nil {
+	if err := db.SetRoles(acct.ID, []string{"admin", "user"}, nil); err != nil {
 		t.Fatalf("SetRoles: %v", err)
 	}
 	roles, err = db.GetRoles(acct.ID)

internal/db/migrate.go

@@ -22,7 +22,7 @@ var migrationsFS embed.FS
 // LatestSchemaVersion is the highest migration version defined in the
 // migrations/ directory.  Update this constant whenever a new migration file
 // is added.
-const LatestSchemaVersion = 6
+const LatestSchemaVersion = 7
 
 // newMigrate constructs a migrate.Migrate instance backed by the embedded SQL
 // files.  It opens a dedicated *sql.DB using the same DSN as the main

internal/db/migrations/000007_totp_counter.up.sql

@@ -0,0 +1,9 @@
+-- Add last_totp_counter to track the most recently accepted TOTP counter value
+-- per account.  This is used to prevent TOTP replay attacks within the ±1
+-- time-step validity window.  NULL means no TOTP code has ever been accepted
+-- for this account (fresh enrollment or TOTP not yet used).
+--
+-- Security (CRIT-01): RFC 6238 §5.2 recommends recording the last OTP counter
+-- used and rejecting codes that do not advance it, eliminating the ~90-second
+-- replay window that would otherwise be exploitable.
+ALTER TABLE accounts ADD COLUMN last_totp_counter INTEGER DEFAULT NULL;