clients: expand Go, Python, Rust client APIs

- Add TOTP enrollment/confirmation/removal to all clients - Add password change and admin set-password endpoints - Add account listing, status update, and tag management - Add audit log listing with filter support - Add policy rule CRUD operations - Expand test coverage for all new endpoints across clients - Fix .gitignore to exclude built binaries Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
trusted proxy, TOTP replay protection, new tests
2026-03-12 20:29:11 -07:00 · 2026-03-12 17:44:01 -07:00 · 2026-03-12 15:33:19 -07:00 · 2026-03-12 14:39:14 -07:00 · 2026-03-12 14:38:38 -07:00 · 2026-03-12 11:52:39 -07:00
84 changed files with 6242 additions and 936 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -1 +1,30 @@
-{}
+{
  "permissions": {
    "allow": [
      "Bash(go test:*)",
      "Bash(golangci-lint run:*)",
      "Bash(git restore:*)",
      "Bash(git add:*)",
      "Bash(git commit:*)",
      "Bash(grep -n \"handleAdminResetPassword\\\\|handleChangePassword\" /Users/kyle/src/mcias/internal/ui/*.go)",
      "Bash(go build:*)",
      "Bash(sqlite3 /Users/kyle/src/mcias/run/mcias.db \"PRAGMA table_info\\(policy_rules\\);\" 2>&1)",
      "Bash(sqlite3 /Users/kyle/src/mcias/run/mcias.db \"SELECT * FROM schema_version;\" 2>&1; sqlite3 /Users/kyle/src/mcias/run/mcias.db \"SELECT * FROM schema_migrations;\" 2>&1)",
      "Bash(go run:*)",
      "Bash(go list:*)"
    ]
  },
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Edit|Write",
        "hooks": [
          {
            "type": "command",
            "command": "go build ./... 2>&1 | head -20"
          }
        ]
      }
    ]
  }
 }
--- a/.claude/skills/checkpoint/SKILL.md
+++ b/.claude/skills/checkpoint/SKILL.md
@@ -0,0 +1,8 @@
 # Checkpoint Skill
 1. Run `go build ./...`  abort if errors
 2. Run `go test ./...`  abort if failures
 3. Run `go vet ./...`
 4. Run `git add -A && git status`  show user what will be committed
 5. Generate an appropriate commit message based on your instructions.
 6. Run `git commit -m "<message>"` and verify with `git log -1`
--- a/.claude/tasks/security-audit/TASK.md
+++ b/.claude/tasks/security-audit/TASK.md
@@ -0,0 +1,8 @@
 Run a full security audit of this Go codebase. For each finding rated
 HIGH or CRITICAL: spawn a sub-agent using Task to implement the fix
 across all affected files (models, handlers, migrations, templates,
 tests). Each sub-agent must: 1) write a failing test that reproduces the
 vulnerability, 2) implement the fix, 3) run `go test ./...` and `go vet
 ./...` in a loop until all pass, 4) commit with a message referencing
 the finding ID. After all sub-agents complete, generate a summary of
 what was fixed and what needs manual review.
--- a/.gitignore
+++ b/.gitignore
@@ -34,4 +34,10 @@ clients/python/*.egg-info/
 clients/lisp/**/*.fasl
 # manual testing
-/run/
+run/
 .env
 /cmd/mciasctl/mciasctl
 /cmd/mciasdb/mciasdb
 /cmd/mciasgrpcctl/mciasgrpcctl
 /cmd/mciassrv/mciassrv
--- a/.junie/memory/errors.md
+++ b/.junie/memory/errors.md
--- a/.junie/memory/feedback.md
+++ b/.junie/memory/feedback.md
--- a/.junie/memory/language.json
+++ b/.junie/memory/language.json
@@ -0,0 +1 @@
 [{"lang":"en","usageCount":1}]
--- a/.junie/memory/memory.version
+++ b/.junie/memory/memory.version
@@ -0,0 +1 @@
 1.0
--- a/.junie/memory/tasks.md
+++ b/.junie/memory/tasks.md
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,83 @@
 # CLAUDE.md
 ## Project Overview
 MCIAS (Metacircular Identity and Access System) is a single-sign-on (SSO) and Identity & Access Management (IAM) system for personal projects. The target audience is a single developer building personal apps, with support for onboarding friends onto those apps.
 **Priorities (in order):** security, robustness, correctness. Performance is secondary.
 ## Tech Stack
 - **Language:** Go
 - **Database:** SQLite
 - **Logging/Utilities:** git.wntrmute.dev/kyle/goutils
 - **Crypto:** Ed25519 (signatures), Argon2 (password hashing)
 - **Tokens:** JWT signed with Ed25519 (algorithm: EdDSA); always validate the `alg` header on receipt — never accept `none` or symmetric algorithms
 - **Auth:** Username/password + optional TOTP; future FIDO/Yubikey support
 ## Binaries
 - `mciassrv` — authentication server (REST + gRPC over HTTPS/TLS, with HTMX web UI)
 - `mciasctl` — admin CLI for account/token/credential/policy management (REST)
 - `mciasdb` — offline SQLite maintenance tool (schema, accounts, tokens, audit, pgcreds)
 - `mciasgrpcctl` — admin CLI for gRPC interface
 ## Development Workflow
 If PROGRESS.md does not yet exist, create it before proceeding. It is the source of truth for current state.
 1. Check PROGRESS.md for current state and next steps
 2. Define discrete next steps with actionable acceptance criteria
 3. Implement, adversarially verify correctness, write tests
 4. Commit to git, update PROGRESS.md
 5. Repeat
 When instructed to checkpoint:
 - Verify that the project lints cleanly.
 - Verify that the project unit tests complete successfully.
 - Ensure that all integration and end-to-end tests complete successfully.
 - Commit to git and update PROGRESS.md.
 ## Security Constraints
 This is a security-critical project. The following rules are non-negotiable:
 - Never implement custom crypto. Use standard library (`crypto/...`) or well-audited packages only.
 - Always validate the `alg` header in JWTs before processing; reject `none` and any non-EdDSA algorithm.
 - Argon2id parameters must meet current OWASP recommendations; never reduce them for convenience.
 - Credential storage (passwords, tokens, secrets) must never appear in logs, error messages, or API responses.
 - Any code touching authentication flows, token issuance/validation, or credential storage must include a comment citing the rationale for each security decision.
 - When in doubt about a crypto or auth decision, halt and ask rather than guess.
 - Review all crypto primitives against current best practices before use; flag any deviation in the commit body.
 ## Testing Requirements
 - Tests live alongside source in the same package, using the `_test.go` suffix
 - Run with `go test ./...`; CI must pass with zero failures
 - Unit tests for all exported functions and security-critical internal functions
 - Integration tests for all subsystems (database layer, token issuance, auth flows)
 - End-to-end tests for complete login, token renewal, and revocation flows
 - Adversarially verify all outputs: test invalid inputs, boundary conditions, and known attack patterns (e.g., JWT `alg` confusion, timing attacks on credential comparison)
 - Use `crypto/subtle.ConstantTimeCompare` wherever token or credential equality is checked
 ## Git Commit Style
 - First line: single line, max 55 characters
 - Body (optional): bullet points describing work done
 - Security-sensitive changes (crypto primitives, auth flows, token handling, credential storage, session management) must be explicitly flagged in the commit body with a `Security:` line describing what changed and why it is safe
 ## Go Conventions
 - Format all code with `goimports` before committing
 - Lint with `golangci-lint`; resolve all warnings unless explicitly justified. This must be done after every step.
 - Wrap errors with `fmt.Errorf("context: %w", err)` to preserve stack context
 - Prefer explicit error handling over panics; never silently discard errors
 - Use `log/slog` (or goutils equivalents) for structured logging; never `fmt.Println` in production paths
 ## Key Documents
 - `PROJECT.md` — Project specifications and requirements
 - `ARCHITECTURE.md` — **Required before any implementation.** Covers token lifecycle, session management, multi-app trust boundaries, and database schema. Do not generate code until this document exists.
 - `PROJECT_PLAN.md` — Discrete implementation steps (to be written)
 - `PROGRESS.md` — Development progress tracking (to be written)
 - `openapi.yaml` - Must be kept in sync with any API changes.
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -245,6 +245,61 @@ Key properties:
 - Admin can revoke all tokens for a user (e.g., on account suspension)
 - Token expiry is enforced at validation time, regardless of revocation table
 ### Password Change Flows
 Two distinct flows exist for changing a password, with different trust assumptions:
 #### Self-Service Password Change (`PUT /v1/auth/password`)
 Used by a human account holder to change their own password.
 1. Caller presents a valid JWT and supplies both `current_password` and
   `new_password` in the request body.
 2. The server looks up the account by the JWT subject.
 3. **Lockout check** — same policy as login (10 failures in 15 min → 15 min
   lockout). An attacker with a stolen token cannot use this endpoint to
   brute-force the current password without hitting the lockout.
 4. **Current password verified** with `auth.VerifyPassword` (Argon2id,
   constant-time via `crypto/subtle.ConstantTimeCompare`). On failure a login
   failure is recorded and HTTP 401 is returned.
 5. New password is validated (minimum 12 characters) and hashed with Argon2id
   using the server's configured parameters.
 6. The new hash is written atomically to the `accounts` table.
 7. **All tokens except the caller's current JTI are revoked** (reason:
   `password_changed`). The caller keeps their active session; all other
   concurrent sessions are invalidated. This limits the blast radius of a
   credential compromise without logging the user out mid-operation.
 8. Login failure counter is cleared (successful proof of knowledge).
 9. Audit event `password_changed` is written with `{"via":"self_service"}`.
 #### Admin Password Reset (`PUT /v1/accounts/{id}/password`)
 Used by an administrator to reset a human account's password for recovery
 purposes (e.g. user forgot their password, account handover).
 1. Caller presents an admin JWT.
 2. Only `new_password` is required; no `current_password` verification is
   performed. The admin role represents a higher trust level.
 3. New password is validated (minimum 12 characters) and hashed with Argon2id.
 4. The new hash is written to the `accounts` table.
 5. **All active tokens for the target account are revoked** (reason:
   `password_reset`). Unlike the self-service flow, the admin cannot preserve
   the user's session because the reset is typically done during an outage of
   the user's access.
 6. Audit event `password_changed` is written with `{"via":"admin_reset"}`.
 #### Security Notes
 - The current password requirement on the self-service path prevents an
  attacker who steals a JWT from changing credentials. A stolen token grants
  access to resources for its remaining lifetime but cannot be used to
  permanently take over the account.
 - Admin resets are always audited with both actor and target IDs so the log
  shows which admin performed the reset.
 - Plaintext passwords are never logged, stored, or included in any response.
 - Both flows use the same Argon2id parameters (OWASP 2023: time=3, memory=64 MB,
  threads=4, hash length=32 bytes).
 ---
 ## 7. Multi-App Trust Boundaries
@@ -285,6 +340,7 @@ All endpoints use JSON request/response bodies. All responses include a
 | POST | `/v1/auth/login` | none | Username/password (+TOTP) login → JWT |
 | POST | `/v1/auth/logout` | bearer JWT | Revoke current token |
 | POST | `/v1/auth/renew` | bearer JWT | Exchange token for new token |
 | PUT | `/v1/auth/password` | bearer JWT | Self-service password change (requires current password) |
 ### Token Endpoints
@@ -304,6 +360,13 @@ All endpoints use JSON request/response bodies. All responses include a
 | PATCH | `/v1/accounts/{id}` | admin JWT | Update account (status, roles, etc.) |
 | DELETE | `/v1/accounts/{id}` | admin JWT | Soft-delete account |
 ### Password Endpoints
 | Method | Path | Auth required | Description |
 |---|---|---|---|
 | PUT | `/v1/auth/password` | bearer JWT | Self-service: change own password (current password required) |
 | PUT | `/v1/accounts/{id}/password` | admin JWT | Admin reset: set any human account's password |
 ### Role Endpoints (admin only)
 | Method | Path | Auth required | Description |
@@ -356,6 +419,38 @@ All endpoints use JSON request/response bodies. All responses include a
 | GET | `/v1/health` | none | Health check |
 | GET | `/v1/keys/public` | none | Ed25519 public key (JWK format) |
 ### Web Management UI
 mciassrv embeds an HTMX-based web management interface served alongside the
 REST API. The UI is an admin-only interface providing a visual alternative to
 `mciasctl` for day-to-day management.
 **Package:** `internal/ui/` — UI handlers call internal Go functions directly;
 no internal HTTP round-trips to the REST API.
 **Template engine:** Go `html/template` with templates embedded at compile time
 via `web/` (`embed.FS`). Templates are parsed once at startup.
 **Session management:** JWT stored as `HttpOnly; Secure; SameSite=Strict`
 cookie (`mcias_session`). CSRF protection uses HMAC-signed double-submit
 cookie pattern (`mcias_csrf`).
 **Pages and features:**
 | Path | Description |
 |---|---|
 | `/login` | Username/password login with optional TOTP step |
 | `/` | Dashboard (account summary) |
 | `/accounts` | Account list |
 | `/accounts/{id}` | Account detail — status, roles, tags, PG credentials (system accounts) |
 | `/pgcreds` | Postgres credentials list (owned + granted) with create form |
 | `/policies` | Policy rules management — create, enable/disable, delete |
 | `/audit` | Audit log viewer |
 **HTMX fragments:** Mutating operations (role updates, tag edits, credential
 saves, policy toggles, access grants) use HTMX partial-page updates for a
 responsive experience without full-page reloads.
 ---
 ## 9. Database Schema
@@ -445,10 +540,22 @@ CREATE TABLE system_tokens (
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 -- Per-account failed login attempts for brute-force lockout enforcement.
 -- One row per account; window_start resets when the window expires or on
 -- a successful login.
 CREATE TABLE failed_logins (
    account_id    INTEGER NOT NULL PRIMARY KEY REFERENCES accounts(id) ON DELETE CASCADE,
    window_start  TEXT    NOT NULL,
    attempt_count INTEGER NOT NULL DEFAULT 1
 );
 -- Postgres credentials for system accounts, encrypted at rest.
 CREATE TABLE pg_credentials (
    id                  INTEGER PRIMARY KEY,
    account_id          INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
    -- owner_id: account that administers the credentials and may grant/revoke
    -- access.  Nullable for backwards compatibility with pre-migration-5 rows.
    owner_id            INTEGER REFERENCES accounts(id),
    pg_host             TEXT    NOT NULL,
    pg_port             INTEGER NOT NULL DEFAULT 5432,
    pg_database         TEXT    NOT NULL,
@@ -459,6 +566,21 @@ CREATE TABLE pg_credentials (
    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 -- Explicit read-access grants from a credential owner to another account.
 -- Grantees may view connection metadata but the password is never decrypted
 -- for them in the UI.  Only the owner may update or delete the credential set.
 CREATE TABLE pg_credential_access (
    id              INTEGER PRIMARY KEY,
    credential_id   INTEGER NOT NULL REFERENCES pg_credentials(id) ON DELETE CASCADE,
    grantee_id      INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    granted_by      INTEGER REFERENCES accounts(id),
    granted_at      TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    UNIQUE (credential_id, grantee_id)
 );
 CREATE INDEX idx_pgcred_access_cred    ON pg_credential_access (credential_id);
 CREATE INDEX idx_pgcred_access_grantee ON pg_credential_access (grantee_id);
 -- Audit log — append-only. Never contains credentials or secret material.
 CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
@@ -496,7 +618,9 @@ CREATE TABLE policy_rules (
    enabled     INTEGER NOT NULL DEFAULT 1 CHECK (enabled IN (0,1)),
    created_by  INTEGER REFERENCES accounts(id),
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
-    updated_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+    updated_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    not_before  TEXT    DEFAULT NULL,  -- optional: earliest activation time (RFC3339)
    expires_at  TEXT    DEFAULT NULL   -- optional: expiry time (RFC3339)
 );
 ```
@@ -1440,6 +1564,26 @@ For belt-and-suspenders, an explicit deny for production tags:
 No `ServiceNames` or `RequiredTags` field means this matches any service account.
 **Scenario D — Time-scoped access:**
 The `deploy-agent` needs temporary access to production pgcreds for a 4-hour
 maintenance window. Instead of creating a rule and remembering to delete it,
 the operator sets `not_before` and `expires_at`:
 ```
 mciasctl policy create \
  -description "deploy-agent: temp production access" \
  -json rule.json \
  -not-before 2026-03-12T02:00:00Z \
  -expires-at 2026-03-12T06:00:00Z
 ```
 The policy engine filters rules at cache-load time (`Engine.SetRules`): rules
 where `not_before > now()` or `expires_at <= now()` are excluded from the
 cached rule set. No changes to the `Evaluate()` or `matches()` functions are
 needed. Both fields are optional and nullable; `NULL` means no constraint
 (always active / never expires).
 ### Middleware Integration
 `internal/middleware.RequirePolicy(engine, action, resourceType)` is a drop-in
--- a/AUDIT.md
+++ b/AUDIT.md
@@ -1,258 +1,202 @@
 # MCIAS Security Audit Report
-**Scope:** Full codebase review of `git.wntrmute.dev/kyle/mcias` (commit `4596ea0`) aka mcias.
+**Date:** 2026-03-12
-**Auditor:** Comprehensive source review of all Go source files, protobuf definitions, Dockerfile, systemd unit, and client libraries
+**Scope:** Full codebase — authentication flows, token lifecycle, cryptography, database layer, REST/gRPC/UI servers, authorization, and operational security.
-**Classification:** Findings rated as **CRITICAL**, **HIGH**, **MEDIUM**, **LOW**, or **INFORMATIONAL**
+**Methodology:** Static code analysis of all source files with adversarial focus on auth flows, crypto usage, input handling, and inter-component trust boundaries.
 ---
 ## Executive Summary
-MCIAS is well-engineered for a security-critical system. The code demonstrates strong awareness of common vulnerability classes: JWT algorithm confusion is properly mitigated, constant-time comparisons are used throughout, timing-uniform dummy operations prevent user enumeration, and credential material is systematically excluded from logs and API responses. The cryptographic choices are sound and current.
+MCIAS demonstrates strong security awareness throughout. The cryptographic foundations are sound, credential handling is careful, and the most common web/API authentication vulnerabilities have been explicitly addressed. The codebase shows consistent attention to defense-in-depth: constant-time comparisons, dummy Argon2 operations for unknown users, algorithm-confusion prevention in JWT validation, parameterized SQL, audit logging, and CSRF protection with HMAC-signed double-submit.
-That said, I identified **16 findings** ranging from medium-severity design issues to low-severity hardening opportunities. There are no critical vulnerabilities that would allow immediate remote compromise, but several medium-severity items warrant remediation before production deployment.
+**Two confirmed bugs with real security impact were found**, along with several defense-in-depth gaps that should be addressed before production deployment. The overall security posture is well above average for this class of system.
 ---
-## FINDINGS
+## Confirmed Vulnerabilities
-### F-01: TOTP Enrollment Sets `totp_required=1` Before Confirmation (MEDIUM)
+### CRIT-01 — TOTP Replay Attack (Medium-High)
-**Location:** `internal/db/accounts.go:131-141`, `internal/server/server.go:651-658`
+**File:** `internal/auth/auth.go:208-230`, `internal/grpcserver/auth.go:84`, `internal/ui/handlers_auth.go:152`
-`SetTOTP` unconditionally sets `totp_required = 1`. This means during the enrollment phase (before the user has confirmed), the TOTP requirement flag is already true. If the user abandons enrollment after calling `/v1/auth/totp/enroll` but before calling `/confirm`, the account is now locked: TOTP is "required" but the user was never shown a QR code they can use to generate valid codes.
+`ValidateTOTP` accepts any code falling in the current ±1 time-step window (±30 seconds, so a given code is valid for ~90 seconds) but **never records which codes have already been used**. The same valid TOTP code can be submitted an unlimited number of times within that window. There is no `last_used_totp_counter` or `last_used_totp_at` field in the schema.
-**Recommendation:** Add a separate `StorePendingTOTP(accountID, secretEnc, secretNonce)` that writes the encrypted secret but leaves `totp_required = 0`. Only set `totp_required = 1` in the confirm handler via the existing `SetTOTP`. Alternatively, add a `ClearTOTP` recovery step to the enrollment flow on timeout/failure.
+**Attack scenario:** An attacker who has observed a valid TOTP code (e.g. from a compromised session, shoulder surfing, or a MITM that delayed delivery) can reuse that code to authenticate within its validity window.
 **Fix:** Track the last accepted TOTP counter per account in the database. Reject any counter ≤ the last accepted one. This requires a new column (`last_totp_counter INTEGER`) on the `accounts` table and a check-and-update in `ValidateTOTP`'s callers (or within it, with a DB reference passed in).
 ---
-### F-02: Password Embedded in HTML Hidden Fields During TOTP Step (MEDIUM)
+### CRIT-02 — gRPC `EnrollTOTP` Enables TOTP Before Confirmation (Medium)
-**Location:** `internal/ui/handlers_auth.go:74-84`
+**File:** `internal/grpcserver/auth.go:202` vs `internal/server/server.go:724-728`
-During the TOTP step of UI login, the plaintext password is embedded as a hidden form field so it can be re-verified on the second POST. This means:
+The REST `EnrollTOTP` handler explicitly uses `StorePendingTOTP` (which keeps `totp_required=0`) and a comment at line 724 explains why:
 1. The password exists in the DOM and is accessible to any browser extension or XSS-via-extension vector.
 2. The password is sent over the wire a second time (TLS protects transit, but it doubles the exposure window).
 3. Browser form autofill or "view source" can reveal it.
-**Recommendation:** On successful password verification in the first step, issue a short-lived (e.g., 60-second), single-use, server-side nonce that represents "password verified for user X". Store this nonce in the DB or an in-memory cache. The TOTP confirmation step presents this nonce instead of the password. The server validates the nonce + TOTP code and issues the session token.
+```go
-
+// Security: use StorePendingTOTP (not SetTOTP) so that totp_required
---
+// is not enabled until the user confirms the code.
 ### F-03: Token Renewal Is Not Atomic — Race Window Between Revoke and Track (MEDIUM)
 **Location:** `internal/server/server.go:281-289`, `internal/grpcserver/auth.go:148-155`
 The token renewal flow revokes the old token and tracks the new one as separate operations. The code comments acknowledge "atomically is not possible in SQLite without a transaction." However, SQLite does support transactions, and both operations use the same `*db.DB` instance with `MaxOpenConns(1)`. If the revoke succeeds but `TrackToken` fails, the user's old token is revoked but no new token is tracked, leaving them in a broken state.
 **Recommendation:** Wrap the revoke-old + track-new pair in a single SQLite transaction. Add a method like `db.RenewToken(oldJTI, reason, newJTI, accountID, issuedAt, expiresAt)` that performs both in one `tx`.
 ---
 ### F-04: Rate Limiter Not Applied to REST Login Endpoint (MEDIUM)
 **Location:** `internal/server/server.go:96-100`
 Despite the comment saying "login-path rate limiting," the REST server applies `RequestLogger` as global middleware but **does not apply the `RateLimit` middleware at all**. The rate limiter is imported but never wired into the handler chain for the REST server. The `/v1/auth/login` endpoint has no rate limiting on the REST side.
 In contrast, the gRPC server correctly applies `rateLimitInterceptor` in its interceptor chain (applied to all RPCs).
 **Recommendation:** Apply `middleware.RateLimit(...)` to at minimum the `/v1/auth/login` and `/v1/token/validate` routes in the REST server. Consider a more restrictive rate for login (e.g., 5/min) versus general API endpoints.
 ---
 ### F-05: No `nbf` (Not Before) Claim in Issued JWTs (LOW)
 **Location:** `internal/token/token.go:68-99`
 Tokens are issued with `iss`, `sub`, `iat`, `exp`, and `jti` but not `nbf` (Not Before). While the architecture document states `nbf` is validated "if present," it is never set during issuance. Setting `nbf = iat` is a defense-in-depth measure that prevents premature token use if there is any clock skew between systems, and ensures relying parties that validate `nbf` don't reject MCIAS tokens.
 **Recommendation:** Set `NotBefore: jwt.NewNumericDate(now)` in the `jwtClaims.RegisteredClaims`.
 ---
 ### F-06: `HasRole` Uses Non-Constant-Time String Comparison (LOW)
 **Location:** `internal/token/token.go:174-181`
 `HasRole` uses plain `==` string comparison for role names. Role names are not secret material, and this is authorization (not authentication), so this is low severity. However, if role names ever contained sensitive information, this could leak information via timing. Given the project's stated principle of using constant-time comparisons "wherever token or credential equality is checked," this is a minor inconsistency.
 **Recommendation:** Acceptable as-is since role names are public knowledge. Document the decision.
 ---
 ### F-07: Dummy Argon2 Hash Uses Hardcoded Invalid PHC String (LOW)
 **Location:** `internal/server/server.go:154`
 The dummy Argon2 hash `"$argon2id$v=19$m=65536,t=3,p=4$dGVzdHNhbHQ$dGVzdGhhc2g"` uses m=65536 but the actual default config uses m=65536 too. The timing should be close. However, the dummy hash uses a 6-byte salt ("testsalt" base64) and a 6-byte hash ("testhash" base64), while real hashes use 16-byte salt and 32-byte hash. This produces a slightly different (faster) Argon2 computation than a real password verification.
 **Recommendation:** Pre-compute a real dummy hash at server startup using `auth.HashPassword("dummy-password", actualArgonParams)` and store it as a `sync.Once` variable. This guarantees identical timing regardless of configuration.
 ---
 ### F-08: No Account Lockout After Repeated Failed Login Attempts (LOW)
 **Location:** `internal/server/server.go:138-176`
 There is no mechanism to lock an account after N failed login attempts. The system relies solely on rate limiting (which, per F-04, isn't applied on the REST side). An attacker with distributed IPs could attempt brute-force attacks against accounts without triggering any lockout.
 **Recommendation:** Implement a configurable per-account failed login counter (e.g., 10 failures in 15 minutes triggers a 15-minute lockout). The counter should be stored in the DB or in memory with per-account tracking. Audit events for `login_fail` already exist and can be queried, but proactive lockout would be more effective.
 ---
 ### F-09: `PRAGMA synchronous=NORMAL` Risks Data Loss on Power Failure (LOW)
 **Location:** `internal/db/db.go:50`
 `PRAGMA synchronous=NORMAL` combined with WAL mode means a power failure could lose the most recent committed transactions. For a security-critical system where audit log integrity and token revocation records matter, `synchronous=FULL` is safer.
 **Recommendation:** Change to `PRAGMA synchronous=FULL` for production deployments. The performance impact on a personal SSO system is negligible. Alternatively, document this trade-off and leave `NORMAL` as a conscious choice.
 ---
 ### F-10: No Maximum Token Expiry Validation (LOW)
 **Location:** `internal/config/config.go:150-159`
 Token expiry durations are validated to be positive but have no maximum. An operator could accidentally configure `default_expiry = "876000h"` (100 years). The config validation should enforce reasonable ceilings.
 **Recommendation:** Add maximum expiry validation: e.g., `default_expiry <= 8760h` (1 year), `admin_expiry <= 168h` (1 week), `service_expiry <= 87600h` (10 years). These can be generous ceilings that prevent obvious misconfiguration.
 ---
 ### F-11: Missing `Content-Security-Policy` and Other Security Headers on UI Responses (MEDIUM)
 **Location:** `internal/ui/ui.go:318-333`
 The UI serves HTML pages but sets no security headers: no `Content-Security-Policy`, no `X-Content-Type-Options`, no `X-Frame-Options`, no `Strict-Transport-Security`. Since this is an admin panel for an authentication system:
 - Without CSP, any XSS vector (e.g., via a malicious username stored in the DB) could execute arbitrary JavaScript in the admin's browser.
 - Without `X-Frame-Options: DENY`, the admin panel could be framed for clickjacking.
 - Without HSTS, a MITM could strip TLS on the first connection.
 **Recommendation:** Add a middleware that sets:
 ```
 Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
 X-Content-Type-Options: nosniff
 X-Frame-Options: DENY
 Strict-Transport-Security: max-age=63072000; includeSubDomains
 Referrer-Policy: no-referrer
 ```
---
+The gRPC `EnrollTOTP` handler at line 202 calls `SetTOTP` directly, which immediately sets `totp_required=1`. Any user who initiates TOTP enrollment over gRPC but does not immediately confirm will have their account locked out — they cannot log in because TOTP is required, but no working TOTP secret is confirmed.
-### F-12: No Input Validation on Username Length or Character Set (LOW)
+**Fix:** Change `grpcserver/auth.go:202` from `a.s.db.SetTOTP(...)` to `a.s.db.StorePendingTOTP(...)`, matching the REST server's behavior and the documented intent of those two DB methods.
 **Location:** `internal/server/server.go:465-507`
 `handleCreateAccount` checks that username is non-empty but does not validate length or character set. A username containing control characters, null bytes, or extremely long strings (up to SQLite's TEXT limit) could cause rendering issues in the UI, log injection, or storage abuse.
 **Recommendation:** Validate: length 1-255, alphanumeric + limited symbols (e.g., `^[a-zA-Z0-9._@-]{1,255}$`). Reject control characters, embedded NULs, and newlines.
 ---
-### F-13: No Password Complexity or Minimum Length Enforcement (LOW)
+## Defense-in-Depth Gaps
-**Location:** `internal/auth/auth.go:63-66`
+### DEF-01 — No Rate Limiting on the UI Login Endpoint (Medium)
-`HashPassword` only checks that the password is non-empty. A 1-character password is accepted and hashed. While Argon2id makes brute-force expensive, a minimum password length of 8-12 characters (per NIST SP 800-63B) would prevent trivially weak passwords.
+**File:** `internal/ui/ui.go:264`
-**Recommendation:** Enforce a minimum password length (e.g., 12 characters) at the server/handler level before passing to `HashPassword`. Optionally check against a breached-password list.
+```go
 uiMux.HandleFunc("POST /login", u.handleLoginPost)
 ```
 The REST `/v1/auth/login` endpoint is wrapped with `loginRateLimit` (10 req/s per IP). The UI `/login` endpoint has no equivalent middleware. Account lockout (10 failures per 15 minutes) partially mitigates brute force, but an attacker can still enumerate whether accounts exist at full network speed before triggering lockout, and can trigger lockout against many accounts in parallel with no rate friction.
 **Fix:** Apply the same `middleware.RateLimit(10, 10)` to `POST /login` in the UI mux. A simpler option is to wrap the entire `uiMux` with the rate limiter since the UI is also a sensitive surface.
 ---
-### F-14: Passphrase Not Zeroed After Use in `loadMasterKey` (LOW)
+### DEF-02 — `pendingLogins` Map Has No Expiry Cleanup (Low)
-**Location:** `cmd/mciassrv/main.go:246-272`
+**File:** `internal/ui/ui.go:57`
-The passphrase is read from the environment variable and passed to `crypto.DeriveKey`, but the Go `string` holding the passphrase is not zeroed afterward. The environment variable is correctly unset, and the master key is zeroed on shutdown, but the passphrase string remains in the Go heap until GC'd. Go strings are immutable, so zeroing is not straightforward, but converting to `[]byte` first and zeroing after KDF would reduce the exposure window.
+The `pendingLogins sync.Map` stores short-lived TOTP nonces (90-second TTL). When consumed via `consumeTOTPNonce`, entries are deleted via `LoadAndDelete`. However, entries that are created but never consumed (user abandons login at the TOTP step, closes browser) **accumulate indefinitely** — they are checked for expiry on read but never proactively deleted.
-**Recommendation:** Read the environment variable into a `[]byte` (via `os.Getenv` then `[]byte` copy), pass it to a modified `DeriveKey` that accepts `[]byte`, then zero the `[]byte` immediately after. Alternatively, accept this as a Go language limitation and document it.
+In normal operation this is a minor memory leak. Under adversarial conditions — an attacker repeatedly sending username+password to step 1 without proceeding to step 2 — the map grows without bound. At scale this could be used for memory exhaustion.
 **Fix:** Add a background goroutine (matching the pattern in `middleware.RateLimit`) that periodically iterates the map and deletes expired entries. A 5-minute cleanup interval is sufficient given the 90-second TTL.
 ---
-### F-15: `extractBearerFromRequest` Does Not Verify "Bearer" Prefix Case-Insensitively (INFORMATIONAL)
+### DEF-03 — Rate Limiter Uses `RemoteAddr`, Not `X-Forwarded-For` (Low)
-**Location:** `internal/server/server.go:932-942`
+**File:** `internal/middleware/middleware.go:200`
-The REST `extractBearerFromRequest` (used by `handleTokenValidate`) does a substring check with `auth[len("Bearer ")]` without verifying the prefix actually says "Bearer". It trusts that if the header is long enough, the prefix is correct. Meanwhile, the middleware's `extractBearerToken` correctly uses `strings.EqualFold`. The gRPC `extractBearerFromMD` also correctly uses `strings.EqualFold`.
+The comment already acknowledges this: the rate limiter extracts the client IP from `r.RemoteAddr`. When the server is deployed behind a reverse proxy (nginx, Caddy, a load balancer), `RemoteAddr` will be the proxy's IP for all requests, collapsing all clients into a single rate-limit bucket. This effectively disables per-IP rate limiting in proxy deployments.
-**Recommendation:** Use `strings.EqualFold` for the prefix check in `extractBearerFromRequest` for consistency.
+**Fix:** Add a configurable `TrustedProxy` setting. When set, extract the real client IP from `X-Forwarded-For` or `X-Real-IP` headers only for requests coming from that proxy address. Never trust those headers unconditionally — doing so allows IP spoofing.
 ---
-### F-16: UI System Token Issuance Does Not Revoke Previous System Token (LOW)
+### DEF-04 — Missing `nbf` (Not Before) Claim on Issued Tokens (Low)
-**Location:** `internal/ui/handlers_accounts.go:334-403`
+**File:** `internal/token/token.go:73-82`
-The REST `handleTokenIssue` and gRPC `IssueServiceToken` both revoke the existing system token before issuing a new one. However, `handleIssueSystemToken` in the UI handler does not revoke the old system token — it calls `SetSystemToken` (which updates the system_tokens table via UPSERT) but never revokes the old token's entry in the token_revocation table. The old token remains valid until it naturally expires.
+`IssueToken` sets `iss`, `sub`, `iat`, `exp`, and `jti`, but not `nbf`. Without a not-before constraint, a token is valid from the moment of issuance and a slightly clock-skewed client or intermediate could present it early. This is a defense-in-depth measure, not a practical attack at the moment, but it costs nothing to add.
-**Recommendation:** Before issuing a new token in `handleIssueSystemToken`, replicate the pattern from the REST handler: look up `GetSystemToken`, and if found, call `RevokeToken(existing.JTI, "rotated")`.
+**Fix:** Add `NotBefore: jwt.NewNumericDate(now)` to the `RegisteredClaims` struct. Add the corresponding validation step in `ValidateToken` (using `jwt.WithNotBefore()` or a manual check).
 ---
-## Positive Findings (Things Done Well)
+### DEF-05 — No Maximum Token Expiry Ceiling in Config Validation (Low)
-1. **JWT algorithm confusion defense** is correctly implemented. The `alg` header is validated inside the key function before signature verification, and only `EdDSA` is accepted. This is the correct implementation pattern.
+**File:** `internal/config/config.go:150-158`
-2. **Constant-time comparisons** are consistently used for password verification, TOTP validation, and CSRF token validation via `crypto/subtle.ConstantTimeCompare`.
+The config validator enforces that expiry durations are positive but not that they are bounded above. An operator misconfiguration (e.g. `service_expiry = "876000h"`) would issue tokens valid for 100 years. For human sessions (`default_expiry`, `admin_expiry`) this is a significant risk in the event of token theft.
-3. **Timing uniformity** for failed logins: dummy Argon2 operations run for unknown users and inactive accounts, preventing username enumeration via timing differences.
+**Fix:** Add upper-bound checks in `validate()`. Suggested maximums: 30 days for `default_expiry`, 24 hours for `admin_expiry`, 5 years for `service_expiry`. At minimum, log a warning when values exceed reasonable thresholds.
 4. **Credential material exclusion** is thorough: `json:"-"` tags on `PasswordHash`, `TOTPSecretEnc`, `TOTPSecretNonce`, `PGPasswordEnc`, `PGPasswordNonce` in model types, plus deliberate omission from API responses and log statements.
 5. **Parameterized SQL** is used consistently throughout. No string concatenation in queries. The dynamic query builder in `ListAuditEvents`/`ListAuditEventsPaged` correctly uses parameter placeholders.
 6. **TLS configuration** is solid: TLS 1.2 minimum, X25519/P256 curves, enforced at the listener level with no plaintext fallback.
 7. **Master key handling** is well-designed: passphrase derived via Argon2id with strong parameters (128 MiB memory), env var cleared after reading, key zeroed on shutdown.
 8. **Systemd hardening** is comprehensive: `ProtectSystem=strict`, `NoNewPrivileges`, `MemoryDenyWriteExecute`, empty `CapabilityBoundingSet`, and `PrivateDevices`.
 9. **AES-GCM usage** is correct: fresh random nonces per encryption, key size validated, error details not exposed on decryption failure.
 10. **CSRF protection** is well-implemented with HMAC-signed double-submit cookies and `SameSite=Strict`.
 ---
-## Summary Table
+### DEF-06 — `GetAccountByUsername` Comment Incorrect re: Case Sensitivity (Informational)
-| Fixed? | ID | Severity | Title | Effort |
+**File:** `internal/db/accounts.go:73`
-|--------|----|----------|-------|--------|
+
-| Yes | F-01 | MEDIUM | TOTP enrollment sets required=1 before confirmation | Small |
+The comment reads "case-insensitive" but the query uses `WHERE username = ?` with SQLite's default BINARY collation, which is **case-sensitive**. This means `admin` and `Admin` would be treated as distinct accounts. This is not a security bug by itself, but it contradicts the comment and could mask confusion.
-| Yes | F-02 | MEDIUM | Password in HTML hidden fields during TOTP step | Medium |
+
-| Yes | F-03 | MEDIUM | Token renewal not atomic (race window) | Small |
+**Fix:** If case-insensitive matching is intended, add `COLLATE NOCASE` to the column definition or the query. If case-sensitive is correct (more common for SSO systems), remove the word "case-insensitive" from the comment.
 | Yes | F-04 | MEDIUM | Rate limiter not applied to REST login endpoint | Small |
 | Yes | F-11 | MEDIUM | Missing security headers on UI responses | Small |
 | No  | F-05 | LOW | No `nbf` claim in issued JWTs | Trivial |
 | No  | F-06 | LOW | `HasRole` uses non-constant-time comparison | Trivial |
 | Yes | F-07 | LOW | Dummy Argon2 hash timing mismatch | Small |
 | Yes | F-08 | LOW | No account lockout after repeated failures | Medium |
 | No  | F-09 | LOW | `synchronous=NORMAL` risks audit data loss | Trivial |
 | No  | F-10 | LOW | No maximum token expiry validation | Small |
 | Yes | F-12 | LOW | No username length/charset validation | Small |
 | Yes | F-13 | LOW | No minimum password length enforcement | Small |
 | No  | F-14 | LOW | Passphrase string not zeroed after KDF | Small |
 | Yes | F-16 | LOW | UI system token issuance skips old token revocation | Small |
 | No  | F-15 | INFO | Bearer prefix check inconsistency | Trivial |
 ---
-## Recommended Remediation Priority
+### DEF-07 — SQLite `synchronous=NORMAL` in WAL Mode (Low)
-**Immediate (before production deployment):**
+**File:** `internal/db/db.go:68`
 1. F-04 — Wire the rate limiter into the REST server. This is the most impactful gap.
 2. F-11 — Add security headers to UI responses.
 3. F-01 — Fix TOTP enrollment to not lock accounts prematurely.
-**Short-term:**
+With `PRAGMA synchronous=NORMAL` and `journal_mode=WAL`, SQLite syncs the WAL file on checkpoints but not on every write. A power failure between a write and the next checkpoint could lose the most recent transactions. For an authentication system — where token issuance and revocation records must be durable — this is a meaningful risk.
 4. F-03 — Make token renewal atomic.
 5. F-02 — Replace password-in-hidden-field with a server-side nonce.
 6. F-16 — Fix UI system token issuance to revoke old tokens.
 7. F-07 — Use a real dummy hash with matching parameters.
-**Medium-term:**
+**Fix:** Change to `PRAGMA synchronous=FULL`. For a single-node personal SSO the performance impact is negligible; durability of token revocations is worth it.
-8. F-08 — Implement account lockout.
+
-9. F-12, F-13 — Input validation for usernames and passwords.
+---
-10. Remaining LOW/INFO items at maintainer discretion.
+
 ### DEF-08 — gRPC `Login` Counts TOTP-Missing as a Login Failure (Low)
 **File:** `internal/grpcserver/auth.go:76-77`
 When TOTP is required but no code is provided (`req.TotpCode == ""`), the gRPC handler calls `RecordLoginFailure`. In the two-step UI flow this is defensible, but via the gRPC single-step `Login` RPC, a well-behaved client that has not yet obtained the TOTP code (not an attacker) will increment the failure counter. Repeated retries could trigger account lockout unintentionally.
 **Fix:** Either document that gRPC clients must always include the TOTP code and treat its omission as a deliberate attempt, or do not count "TOTP code required" as a failure (since the password was verified successfully at that point).
 ---
 ### DEF-09 — Security Headers Missing on REST API Docs Endpoints (Informational)
 **File:** `internal/server/server.go:85-94`
 The `/docs` and `/docs/openapi.yaml` endpoints are served from the parent `mux` and therefore do not receive the `securityHeaders` middleware applied to the UI sub-mux. The Swagger UI page at `/docs` is served without `X-Frame-Options`, `Content-Security-Policy`, etc.
 **Fix:** Apply a security-headers middleware to the docs handlers, or move them into the UI sub-mux.
 ---
 ### DEF-10 — Role Strings Not Validated Against an Allowlist (Low)
 **File:** `internal/db/accounts.go:302-311` (`GrantRole`)
 There is no allowlist for role strings written to the `account_roles` table. Any string can be stored. While the admin-only constraint prevents non-admins from calling these endpoints, a typo by an admin (e.g. `"admim"`) would silently create an unknown role that silently grants nothing. The `RequireRole` check would never match it, causing a confusing failure mode.
 **Fix:** Maintain a compile-time allowlist of valid roles (e.g. `"admin"`, `"user"`) and reject unknown role names at the handler layer before writing to the database.
 ---
 ## Positive Findings
 The following implementation details are exemplary and should be preserved:
 | Area | Detail |
 |------|--------|
 | JWT alg confusion | `ValidateToken` enforces `alg=EdDSA` in the key function, before signature verification — the only correct place |
 | Constant-time comparisons | `crypto/subtle.ConstantTimeCompare` used consistently for password hashes, TOTP codes, and CSRF tokens |
 | Timing uniformity | Dummy Argon2 computed (once, with full production parameters via `sync.Once`) for unknown/inactive users on both REST and gRPC paths |
 | Token revocation | Every token is tracked by JTI; unknown tokens are rejected (fail-closed) rather than silently accepted |
 | Token renewal atomicity | `RenewToken` wraps revocation + insertion in a single SQLite transaction |
 | TOTP nonce design | Two-step UI login uses a 128-bit single-use server-side nonce to avoid transmitting the password twice |
 | CSRF protection | HMAC-SHA256 signed double-submit cookie with `SameSite=Strict` and constant-time validation |
 | Credential exclusion | `json:"-"` tags on all credential fields; proto messages omit them too |
 | Security headers | All UI responses receive CSP, `X-Content-Type-Options`, `X-Frame-Options`, HSTS, and `Referrer-Policy` |
 | Account lockout | 10-attempt, 15-minute rolling lockout checked before Argon2 to prevent timing oracle |
 | Argon2id parameters | Config validator enforces OWASP 2023 minimums and rejects weakening |
 | SQL injection | All queries use parameterized statements; no string concatenation anywhere |
 | Audit log | Append-only with actor/target/IP; no delete path provided |
 | Master key handling | Env var cleared after reading; signing key zeroed on shutdown |
 ---
 ## Remediation Priority
 | Fixed | Priority | ID | Severity | Action |
 |-------|----------|----|----------|--------|
 | Yes | 1 | CRIT-02 | Medium | Change `grpcserver/auth.go:202` to call `StorePendingTOTP` instead of `SetTOTP` |
 | Yes | 2 | CRIT-01 | Medium | Add `last_totp_counter` tracking to prevent TOTP replay within the validity window |
 | Yes | 3 | DEF-01 | Medium | Apply IP rate limiting to the UI `POST /login` endpoint |
 | Yes | 4 | DEF-02 | Low | Add background cleanup goroutine for the `pendingLogins` map |
 | Yes | 5 | DEF-03 | Low | Support trusted-proxy IP extraction for accurate per-client rate limiting |
 | Yes | 6 | DEF-04 | Low | Add `nbf` claim to issued tokens and validate it on receipt |
 | Yes | 7 | DEF-05 | Low | Add upper-bound caps on token expiry durations in config validation |
 | Yes | 8 | DEF-07 | Low | Change SQLite to `PRAGMA synchronous=FULL` |
 | Yes | 9 | DEF-08 | Low | Do not count gRPC TOTP-missing as a login failure |
 | Yes | 10 | DEF-10 | Low | Validate role strings against an allowlist before writing to the DB |
 | Yes | 11 | DEF-09 | Info | Apply security headers to `/docs` endpoints |
 | Yes | 12 | DEF-06 | Info | Correct the misleading "case-insensitive" comment in `GetAccountByUsername` |
 ---
 ## Schema Observations
 The migration chain (migrations 001–006) is sound. Foreign key cascades are appropriate. Indexes are present on all commonly-queried columns. The `failed_logins` table uses a rolling window query approach which is correct.
 One note: the `accounts` table has no unique index enforcing `COLLATE NOCASE` on `username`. This is consistent with treating usernames as case-sensitive but should be documented explicitly to avoid future ambiguity.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -17,8 +17,10 @@ MCIAS (Metacircular Identity and Access System) is a single-sign-on (SSO) and Id
 ## Binaries
- `mciassrv` — authentication server (REST API over HTTPS/TLS)
+- `mciassrv` — authentication server (REST + gRPC over HTTPS/TLS, with HTMX web UI)
- `mciasctl` — admin CLI for account/token/credential management
+- `mciasctl` — admin CLI for account/token/credential/policy management (REST)
 - `mciasdb` — offline SQLite maintenance tool (schema, accounts, tokens, audit, pgcreds)
 - `mciasgrpcctl` — admin CLI for gRPC interface
 ## Development Workflow
@@ -72,6 +74,26 @@ This is a security-critical project. The following rules are non-negotiable:
 - Prefer explicit error handling over panics; never silently discard errors
 - Use `log/slog` (or goutils equivalents) for structured logging; never `fmt.Println` in production paths
 ## Verification
 After any code edit, always verify the fix by running `go build ./...` and `go test ./...` before claiming the issue is resolved. Never claim lint/tests pass without actually running them.
 ## Database
 When working with migrations (golang-migrate or SQLite), always test migrations against a fresh database AND an existing database to catch duplicate column/table errors. SQLite does not support IF NOT EXISTS for ALTER TABLE.
 ## File Editing
 Before editing files, re-read the current on-disk version to confirm it matches expectations. If files seem inconsistent, stop and flag this to the user before proceeding.
 ## Project Context
 For this project (MCIAS): Go codebase, uses golang-migrate, SQLite (with shared-cache for in-memory), htmx frontend with Go html/template, golangci-lint (use `go vet` if version incompatible), and cert tool for TLS certificates. Check `docs/` for tool-specific usage before guessing CLI flags.
 ## UI Development
 When implementing UI features, ensure they work for the empty-state case (e.g., no credentials exist yet, no accounts created). Always test with zero records.
 ## Key Documents
 - `PROJECT.md` — Project specifications and requirements
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -4,6 +4,357 @@ Source of truth for current development state.
 ---
 All phases complete. **v1.0.0 tagged.** All packages pass `go test ./...`; `golangci-lint run ./...` clean.
 ### 2026-03-12 — Checkpoint: password change UI enforcement + migration recovery
 **internal/ui/handlers_accounts.go**
 - `handleAdminResetPassword`: added server-side admin role check at the top of
  the handler; any authenticated non-admin calling this route now receives 403.
  Previously only cookie validity + CSRF were checked.
 **internal/ui/handlers_auth.go**
 - Added `handleProfilePage`: renders the new `/profile` page for any
  authenticated user.
 - Added `handleSelfChangePassword`: self-service password change for non-admin
  users; validates current password (Argon2id, lockout-checked), enforces
  server-side confirmation equality check, hashes new password, revokes all
  other sessions, audits as `{"via":"ui_self_service"}`.
 **internal/ui/ui.go**
 - Added `ProfileData` view model.
 - Registered `GET /profile` and `PUT /profile/password` routes (cookie auth +
  CSRF; no admin role required).
 - Added `password_change_form.html` to shared template list; added `profile`
  page template.
 - Nav bar actor-name span changed to a link pointing to `/profile`.
 **web/templates/fragments/password_change_form.html** (new)
 - HTMX form with `current_password`, `new_password`, `confirm_password` fields.
 - Client-side JS confirmation guard; server-side equality check in handler.
 **web/templates/profile.html** (new)
 - Profile page hosting the self-service password change form.
 **internal/db/migrate.go**
 - Compatibility shim now only calls `m.Force(legacyVersion)` when
  `schema_migrations` is completely empty (`ErrNilVersion`); leaves existing
  version entries (including dirty ones) alone to prevent re-running already-
  attempted migrations.
 - Added duplicate-column-name recovery: when `m.Up()` fails with "duplicate
  column name" and the dirty version equals `LatestSchemaVersion`, the migrator
  is force-cleaned and returns nil (handles databases where columns were added
  outside the runner before migration 006 existed).
 - Added `ForceSchemaVersion(database *DB, version int) error`: break-glass
  exported function; forces golang-migrate version without running SQL.
 **cmd/mciasdb/schema.go**
 - Added `schema force --version N` subcommand backed by `db.ForceSchemaVersion`.
 **cmd/mciasdb/main.go**
 - `schema` commands now open the database via `openDBRaw` (no auto-migration)
  so the tool stays usable when the database is in a dirty migration state.
 - `openDB` refactored to call `openDBRaw` then `db.Migrate`.
 - Updated usage text.
 All tests pass; `golangci-lint run ./...` clean.
 ### 2026-03-12 — Password change: self-service and admin reset
 Added the ability for users to change their own password and for admins to
 reset any human account's password.
 **Two new REST endpoints:**
 - `PUT /v1/auth/password` — self-service: authenticated user changes their own
  password; requires `current_password` for verification; revokes all tokens
  except the caller's current session on success.
 - `PUT /v1/accounts/{id}/password` — admin reset: no current password needed;
  revokes all active sessions for the target account.
 **internal/model/model.go**
 - Added `EventPasswordChanged = "password_changed"` audit event constant.
 **internal/db/accounts.go**
 - Added `RevokeAllUserTokensExcept(accountID, exceptJTI, reason)`: revokes all
  non-expired tokens for an account except one specific JTI (used by the
  self-service flow to preserve the caller's session).
 **internal/server/server.go**
 - `handleAdminSetPassword`: admin password reset handler; validates new
  password, hashes with Argon2id, revokes all target tokens, writes audit event.
 - `handleChangePassword`: self-service handler; verifies current password with
  Argon2id (same lockout/timing path as login), hashes new password, revokes
  all other tokens, clears failure counter.
 - Both routes registered in `Handler()`.
 **internal/ui/handlers_accounts.go**
 - `handleAdminResetPassword`: web UI counterpart to the admin REST handler;
  renders `password_reset_result` fragment on success.
 **internal/ui/ui.go**
 - `PUT /accounts/{id}/password` route registered with admin+CSRF middleware.
 - `templates/fragments/password_reset_form.html` added to shared template list.
 **web/templates/fragments/password_reset_form.html** (new)
 - HTMX form fragment for the admin password reset UI.
 - `password_reset_result` template shows a success flash message followed by
  the reset form.
 **web/templates/account_detail.html**
 - Added "Reset Password" card (human accounts only) using the new fragment.
 **cmd/mciasctl/main.go**
 - `auth change-password`: self-service password change; both passwords always
  prompted interactively (no flag form — prevents shell-history exposure).
 - `account set-password -id UUID`: admin reset; new password always prompted
  interactively (no flag form).
 - `auth login`: `-password` flag removed; password always prompted.
 - `account create`: `-password` flag removed; password always prompted for
  human accounts.
 - All passwords read via `term.ReadPassword` (terminal echo disabled); raw
  byte slices zeroed after use.
 **openapi.yaml + web/static/openapi.yaml**
 - `PUT /v1/auth/password`: self-service endpoint documented (Auth tag).
 - `PUT /v1/accounts/{id}/password`: admin reset documented (Admin — Accounts
  tag).
 **ARCHITECTURE.md**
 - API endpoint tables updated with both new endpoints.
 - New "Password Change Flows" section in §6 (Session Management) documents the
  self-service and admin flows, their security properties, and differences.
 All tests pass; golangci-lint clean.
 ### 2026-03-12 — Checkpoint: fix fieldalignment lint warning
 **internal/policy/engine_wrapper.go**
 - Reordered `PolicyRecord` fields: `*time.Time` pointer fields moved before
  string fields, shrinking the GC pointer-scan bitmap from 56 to 40 bytes
  (govet fieldalignment)
 All tests pass; `golangci-lint run ./...` clean.
 ### 2026-03-12 — Add time-scoped policy rule expiry
 Policy rules now support optional `not_before` and `expires_at` fields for
 time-limited validity windows. Rules outside their validity window are
 automatically excluded at cache-load time (`Engine.SetRules`).
 **internal/db/migrations/000006_policy_rule_expiry.up.sql** (new)
 - `ALTER TABLE policy_rules ADD COLUMN not_before TEXT DEFAULT NULL`
 - `ALTER TABLE policy_rules ADD COLUMN expires_at TEXT DEFAULT NULL`
 **internal/db/migrate.go**
 - `LatestSchemaVersion` bumped from 5 to 6
 **internal/model/model.go**
 - Added `NotBefore *time.Time` and `ExpiresAt *time.Time` to `PolicyRuleRecord`
 **internal/db/policy.go**
 - `policyRuleCols` updated with `not_before, expires_at`
 - `CreatePolicyRule`: new params `notBefore, expiresAt *time.Time`
 - `UpdatePolicyRule`: new params `notBefore, expiresAt **time.Time` (double-pointer
  for three-state semantics: nil=no change, non-nil→nil=clear, non-nil→value=set)
 - `finishPolicyRuleScan`: extended to populate `NotBefore`/`ExpiresAt` via
  `nullableTime()`
 - Added `formatNullableTime(*time.Time) *string` helper
 **internal/policy/engine_wrapper.go**
 - Added `NotBefore *time.Time` and `ExpiresAt *time.Time` to `PolicyRecord`
 - `SetRules`: filters out rules where `not_before > now()` or `expires_at <= now()`
  after the existing `Enabled` check
 **internal/server/handlers_policy.go**
 - `policyRuleResponse`: added `not_before` and `expires_at` (RFC3339, omitempty)
 - `createPolicyRuleRequest`: added `not_before` and `expires_at`
 - `updatePolicyRuleRequest`: added `not_before`, `expires_at`,
  `clear_not_before`, `clear_expires_at`
 - `handleCreatePolicyRule`: parses/validates RFC3339 times; rejects
  `expires_at <= not_before`
 - `handleUpdatePolicyRule`: parses times, handles clear booleans via
  double-pointer pattern
 **internal/ui/**
 - `PolicyRuleView`: added `NotBefore`, `ExpiresAt`, `IsExpired`, `IsPending`
 - `policyRuleToView`: populates time fields and computes expired/pending status
 - `handleCreatePolicyRule`: parses `datetime-local` form inputs for time fields
 **web/templates/fragments/**
 - `policy_form.html`: added `datetime-local` inputs for not_before and expires_at
 - `policy_row.html`: shows time info and expired/scheduled badges
 **cmd/mciasctl/main.go**
 - `policyCreate`: added `-not-before` and `-expires-at` flags (RFC3339)
 - `policyUpdate`: added `-not-before`, `-expires-at`, `-clear-not-before`,
  `-clear-expires-at` flags
 **openapi.yaml**
 - `PolicyRule` schema: added `not_before` and `expires_at` (nullable date-time)
 - Create request: added `not_before` and `expires_at`
 - Update request: added `not_before`, `expires_at`, `clear_not_before`,
  `clear_expires_at`
 **Tests**
 - `internal/db/policy_test.go`: 5 new tests — `WithExpiresAt`, `WithNotBefore`,
  `WithBothTimes`, `SetExpiresAt`, `ClearExpiresAt`; all existing tests updated
  with new `CreatePolicyRule`/`UpdatePolicyRule` signatures
 - `internal/policy/engine_test.go`: 4 new tests — `SkipsExpiredRule`,
  `SkipsNotYetActiveRule`, `IncludesActiveWindowRule`, `NilTimesAlwaysActive`
 **ARCHITECTURE.md**
 - Schema: added `not_before` and `expires_at` columns to `policy_rules` DDL
 - Added Scenario D (time-scoped access) to §20
 All new and existing policy tests pass; no new lint warnings.
 ### 2026-03-12 — Integrate golang-migrate for database migrations
 **internal/db/migrations/** (new directory — 5 embedded SQL files)
 - `000001_initial_schema.up.sql` — full initial schema (verbatim from migration 1)
 - `000002_master_key_salt.up.sql` — adds `master_key_salt` to server_config
 - `000003_failed_logins.up.sql` — `failed_logins` table for brute-force lockout
 - `000004_tags_and_policy.up.sql` — `account_tags` and `policy_rules` tables
 - `000005_pgcred_access.up.sql` — `owner_id` column + `pg_credential_access` table
 - Files are embedded at compile time via `//go:embed migrations/*.sql`; no
  runtime filesystem access is needed
 **internal/db/migrate.go** (rewritten)
 - Removed hand-rolled `migration` struct and `migrations []migration` slice
 - Uses `github.com/golang-migrate/migrate/v4` with the `database/sqlite`
  driver (modernc.org/sqlite, pure Go, no CGO) and `source/iofs` for embedded
  SQL files
 - `LatestSchemaVersion` changed from `var` to `const = 5`
 - `Migrate(db *DB) error`: compatibility shim reads legacy `schema_version`
  table; if version > 0, calls `m.Force(legacyVersion)` before `m.Up()` so
  existing databases are not re-migrated.  Returns nil on ErrNoChange.
 - `SchemaVersion(db *DB) (int, error)`: delegates to `m.Version()`; returns 0
  on ErrNilVersion
 - `newMigrate(*DB)`: opens a **dedicated** `*sql.DB` for the migrator so that
  `m.Close()` (which closes the underlying connection) does not affect the
  caller's shared connection
 - `legacySchemaVersion(*DB)`: reads old schema_version table; returns 0 if
  absent (fresh DB or already on golang-migrate only)
 **internal/db/db.go**
 - Added `path string` field to `DB` struct for the migrator's dedicated
  connection
 - `Open(":memory:")` now translates to a named shared-cache URI
  `file:mcias_N?mode=memory&cache=shared` (N is atomic counter) so the
  migration runner can open a second connection to the same in-memory database
  without sharing the `*sql.DB` handle that golang-migrate will close
 **go.mod / go.sum**
 - Added `github.com/golang-migrate/migrate/v4 v4.19.1` (direct)
 - Transitive: `hashicorp/errwrap`, `hashicorp/go-multierror`,
  `go.uber.org/atomic`
 All callers (`cmd/mciassrv`, `cmd/mciasdb`, all test helpers) continue to call
 `db.Open(path)` and `db.Migrate(database)` unchanged.
 All tests pass (`go test ./...`); `golangci-lint run ./...` reports 0 issues.
 ### 2026-03-12 — UI: pgcreds create button; show logged-in user
 **web/templates/pgcreds.html**
 - "New Credentials" card is now always rendered; an "Add Credentials" toggle
  button reveals the create form (hidden by default). When all system accounts
  already have credentials, a message is shown instead of the form. Previously
  the entire card was hidden when `UncredentialedAccounts` was empty.
 **internal/ui/ui.go**
 - Added `ActorName string` field to `PageData` (embedded in every page view struct)
 - Added `actorName(r *http.Request) string` helper — resolves username from JWT
  claims via a DB lookup; returns `""` if unauthenticated
 **internal/ui/handlers_{accounts,audit,dashboard,policy}.go**
 - All full-page `PageData` constructors now pass `ActorName: u.actorName(r)`
 **web/templates/base.html**
 - Nav bar renders the actor's username as a muted label immediately before the
  Logout button when logged in
 **web/static/style.css**
 - Added `.nav-actor` rule (muted grey, 0.85rem) for the username label
 All tests pass (`go test ./...`); `golangci-lint run ./...` clean.
 ### 2026-03-12 — PG credentials create form on /pgcreds page
 **internal/ui/handlers_accounts.go**
 - `handlePGCredsList`: extended to build `UncredentialedAccounts` — system
  accounts that have no credentials yet, passed to the template for the create
  form; filters from `ListAccounts()` by type and excludes accounts already in
  the accessible-credentials set
 - `handleCreatePGCreds`: `POST /pgcreds` — validates selected account UUID
  (must be a system account), host, port, database, username, password;
  encrypts password with AES-256-GCM; calls `WritePGCredentials` then
  `SetPGCredentialOwner`; writes `EventPGCredUpdated` audit event; redirects
  to `GET /pgcreds` on success
 **internal/ui/ui.go**
 - Registered `POST /pgcreds` route
 - Added `UncredentialedAccounts []*model.Account` field to `PGCredsData`
 **web/templates/pgcreds.html**
 - New "New Credentials" card shown when `UncredentialedAccounts` is non-empty;
  contains a plain POST form (no HTMX, redirect on success) with:
  - Service Account dropdown populated from `UncredentialedAccounts`
  - Host / Port / Database / Username / Password inputs
  - CSRF token hidden field
 All tests pass (`go test ./...`); `golangci-lint run ./...` clean.
 ### 2026-03-12 — PG credentials access grants UI
 **internal/ui/handlers_accounts.go**
 - `handleGrantPGCredAccess`: `POST /accounts/{id}/pgcreds/access` — grants a
  nominated account read access to the credential set; ownership enforced
  server-side by comparing stored `owner_id` with the logged-in actor;
  grantee resolved via UUID lookup (not raw ID); writes
  `EventPGCredAccessGranted` audit event; re-renders `pgcreds_form` fragment
 - `handleRevokePGCredAccess`: `DELETE /accounts/{id}/pgcreds/access/{grantee}`
  — removes a specific grantee's read access; same ownership check as grant;
  writes `EventPGCredAccessRevoked` audit event; re-renders fragment
 - `handlePGCredsList`: `GET /pgcreds` — lists all pg_credentials accessible to
  the currently logged-in user (owned + explicitly granted)
 **internal/ui/ui.go**
 - Registered three new routes: `POST /accounts/{id}/pgcreds/access`,
  `DELETE /accounts/{id}/pgcreds/access/{grantee}`, `GET /pgcreds`
 - Added `pgcreds` to the page template map (renders `pgcreds.html`)
 - Added `isPGCredOwner(*int64, *model.PGCredential) bool` template function
  — nil-safe ownership check used in `pgcreds_form` to gate owner-only controls
 - Added `derefInt64(*int64) int64` template function (nil-safe dereference)
 **internal/model/model.go**
 - Added `ServiceAccountUUID string` field to `PGCredential` — populated by
  list queries so the PG creds list page can link to the account detail page
 **internal/db/pgcred_access.go**
 - `ListAccessiblePGCreds`: extended SELECT to also fetch `a.uuid`; updated
  `scanPGCredWithUsername` to populate `ServiceAccountUUID`
 **web/templates/fragments/pgcreds_form.html**
 - Owner sees a collapsible "Update credentials" `<details>` block; non-owners
  and grantees see metadata read-only
 - Non-owners who haven't yet created a credential see the full create form
  (first save sets them as owner)
 - New "Access Grants" section below the credential metadata:
  - Table listing all grantees with username and grant timestamp
  - Revoke button (DELETE HTMX, `hx-confirm`) — owner only
  - "Grant Access" dropdown form (POST HTMX) — owner only, populated with
    all accounts
 **web/templates/pgcreds.html** (new page)
 - Lists all accessible credentials in a table: service account, host:port,
  database, username, updated-at, link to account detail page
 - Falls back to "No Postgres credentials accessible" when list is empty
 **web/templates/base.html**
 - Added "PG Creds" nav link pointing to `/pgcreds`
 All tests pass (`go test ./...`); `golangci-lint run ./...` clean.
 ### 2026-03-11 — Postgres Credentials UI + Policy/Tags UI completion
 **internal/ui/**
@@ -84,7 +435,7 @@ All tests pass (`go test ./...`); `golangci-lint run ./...` reports 0 issues.
 - [x] Phase 6: mciasdb — direct SQLite maintenance tool
 - [x] Phase 7: gRPC interface (alternate transport; dual-stack with REST)
 - [x] Phase 8: Operational artifacts (Makefile, Dockerfile, systemd, man pages, install script)
- [x] Phase 9: Client libraries (Go, Rust, Common Lisp, Python)
+- [ ] Phase 9: Client libraries (Go, Rust, Common Lisp, Python) — designed in ARCHITECTURE.md §19 but not yet implemented; `clients/` directory does not exist
 - [x] Phase 10: Policy engine — ABAC with machine/service gating
 ---
 ### 2026-03-11 — Phase 10: Policy engine (ABAC + machine/service gating)
@@ -96,9 +447,10 @@ All tests pass (`go test ./...`); `golangci-lint run ./...` reports 0 issues.
 - `engine.go` — `Evaluate(input, operatorRules) (Effect, *Rule)`: pure function;
  merges operator rules with default rules, sorts by priority, deny-wins,
  then first allow, then default-deny
- `defaults.go` — 6 compiled-in rules (IDs -1 to -6, Priority 0): admin
+- `defaults.go` — 7 compiled-in rules (IDs -1 to -7, Priority 0): admin
-  wildcard, self-service logout/renew, self-service TOTP, system account own
+  wildcard, self-service logout/renew, self-service TOTP, self-service password
-  pgcreds, system account own service token, public login/validate endpoints
+  change (human only), system account own pgcreds, system account own service
  token, public login/validate endpoints
 - `engine_wrapper.go` — `Engine` struct with `sync.RWMutex`; `SetRules()`
  decodes DB records; `PolicyRecord` type avoids import cycle
 - `engine_test.go` — 11 tests: DefaultDeny, AdminWildcard, SelfService*,
@@ -188,44 +540,15 @@ All tests pass; `go test ./...` clean; `golangci-lint run ./...` clean.
 All 5 packages pass `go test ./...`; `golangci-lint run ./...` clean.
-### 2026-03-11 — Phase 9: Client libraries
+### 2026-03-11 — Phase 9: Client libraries (DESIGNED, NOT IMPLEMENTED)
-**clients/testdata/** — shared JSON fixtures
+**NOTE:** The client libraries described in ARCHITECTURE.md §19 were designed
- login_response.json, account_response.json, accounts_list_response.json
+but never committed to the repository. The `clients/` directory does not exist.
- validate_token_response.json, public_key_response.json, pgcreds_response.json
+Only `test/mock/mockserver.go` was implemented. The designs remain in
- error_response.json, roles_response.json
+ARCHITECTURE.md for future implementation.
 **clients/go/** — Go client library
 - Module: `git.wntrmute.dev/kyle/mcias/clients/go`; package `mciasgoclient`
 - Typed errors: `MciasAuthError`, `MciasForbiddenError`, `MciasNotFoundError`,
  `MciasInputError`, `MciasConflictError`, `MciasServerError`
 - TLS 1.2+ enforced via `tls.Config{MinVersion: tls.VersionTLS12}`
 - Token state guarded by `sync.RWMutex` for concurrent safety
 - JSON decoded with `DisallowUnknownFields` on all responses
 - 25 tests in `client_test.go`; all pass with `go test -race`
 **clients/rust/** — Rust async client library
 - Crate: `mcias-client`; tokio async, reqwest + rustls-tls (no OpenSSL dep)
 - `MciasError` enum via `thiserror`; `Arc<RwLock<Option<String>>>` for token
 - 23 integration tests using `wiremock`; `cargo clippy -- -D warnings` clean
 **clients/lisp/** — Common Lisp client library
 - ASDF system `mcias-client`; HTTP via dexador, JSON via yason
 - CLOS class `mcias-client`; plain functions for all operations
 - Conditions: `mcias-error` base + 6 typed subclasses
 - Mock server: Hunchentoot `mock-dispatcher` subclass (port 0, random per test)
 - 37 fiveam checks; all pass on SBCL 2.6.1
 - Fixed: yason decodes JSON `false` as `:false`; `validate-token` normalises
  to `t`/`nil` before returning
 **clients/python/** — Python 3.11+ client library
 - Package `mcias_client` (setuptools, pyproject.toml); dep: `httpx >= 0.27`
 - `Client` context manager; `py.typed` marker; all symbols fully annotated
 - Dataclasses: `Account`, `PublicKey`, `PGCreds`
 - 32 pytest tests using `respx` mock transport; `mypy --strict` clean; `ruff` clean
 **test/mock/mockserver.go** — Go in-memory mock server
- `Server` struct with `sync.RWMutex`; used by Go client integration test
+- `Server` struct with `sync.RWMutex`; used for Go integration tests
 - `NewServer()`, `AddAccount()`, `ServeHTTP()` for httptest.Server use
 ---
--- a/README.md
+++ b/README.md
@@ -2,7 +2,8 @@
 MCIAS is a self-hosted SSO and IAM service for personal projects.
 It provides authentication (JWT/Ed25519), account management, TOTP, and
-Postgres credential storage over a REST API (HTTPS) and a gRPC API (TLS).
+Postgres credential storage over a REST API (HTTPS), a gRPC API (TLS),
 and an HTMX-based web management UI.
 See [ARCHITECTURE.md](ARCHITECTURE.md) for the technical design and
 [PROJECT_PLAN.md](PROJECT_PLAN.md) for the implementation roadmap.
@@ -177,7 +178,7 @@ TOKEN=$(curl -sk https://localhost:8443/v1/auth/login \
 export MCIAS_TOKEN=$TOKEN
 mciasctl -server https://localhost:8443 account list
-mciasctl account create -username alice -password s3cr3t
+mciasctl account create -username alice          # password prompted interactively
 mciasctl role set -id $UUID -roles admin
 mciasctl token issue -id $SYSTEM_UUID
 mciasctl pgcreds set -id $UUID -host db.example.com -port 5432 \
@@ -241,6 +242,24 @@ See `man mciasgrpcctl` and [ARCHITECTURE.md](ARCHITECTURE.md) §17.
 ---
 ## Web Management UI
 mciassrv includes a built-in web interface for day-to-day administration.
 After starting the server, navigate to `https://localhost:8443/login` and
 log in with an admin account.
 The UI provides:
 - **Dashboard** — account summary overview
 - **Accounts** — list, create, update, delete accounts; manage roles and tags
 - **PG Credentials** — view, create, and manage Postgres credential access grants
 - **Policies** — create and manage ABAC policy rules
 - **Audit** — browse the audit log
 Sessions use `HttpOnly; Secure; SameSite=Strict` cookies with CSRF protection.
 See [ARCHITECTURE.md](ARCHITECTURE.md) §8 (Web Management UI) for design details.
 ---
 ## Deploying with Docker
 ```sh
--- a/clients/go/client.go
+++ b/clients/go/client.go
@@ -3,6 +3,7 @@
 // Security: bearer tokens are stored under a sync.RWMutex and are never written
 // to logs or included in error messages anywhere in this package.
 package mciasgoclient
 import (
 	"bytes"
 	"crypto/tls"
@@ -15,32 +16,43 @@ import (
 	"strings"
 	"sync"
 )
 // ---------------------------------------------------------------------------
 // Error types
 // ---------------------------------------------------------------------------
 // MciasError is the base error type for all MCIAS client errors.
 type MciasError struct {
 	StatusCode int
 	Message    string
 }
 func (e *MciasError) Error() string {
 	return fmt.Sprintf("mciasgoclient: HTTP %d: %s", e.StatusCode, e.Message)
 }
 // MciasAuthError is returned for 401 Unauthorized responses.
 type MciasAuthError struct{ MciasError }
 // MciasForbiddenError is returned for 403 Forbidden responses.
 type MciasForbiddenError struct{ MciasError }
 // MciasNotFoundError is returned for 404 Not Found responses.
 type MciasNotFoundError struct{ MciasError }
 // MciasInputError is returned for 400 Bad Request responses.
 type MciasInputError struct{ MciasError }
 // MciasConflictError is returned for 409 Conflict responses.
 type MciasConflictError struct{ MciasError }
 // MciasServerError is returned for 5xx responses.
 type MciasServerError struct{ MciasError }
 // ---------------------------------------------------------------------------
 // Data types
 // ---------------------------------------------------------------------------
 // Account represents a user or service account.
 type Account struct {
 	ID          string `json:"id"`
@@ -51,6 +63,7 @@ type Account struct {
 	UpdatedAt   string `json:"updated_at"`
 	TOTPEnabled bool   `json:"totp_enabled"`
 }
 // PublicKey represents the server's Ed25519 public key in JWK format.
 type PublicKey struct {
 	Kty string `json:"kty"`
@@ -59,6 +72,7 @@ type PublicKey struct {
 	Use string `json:"use,omitempty"`
 	Alg string `json:"alg,omitempty"`
 }
 // TokenClaims is returned by ValidateToken.
 type TokenClaims struct {
 	Valid     bool     `json:"valid"`
@@ -66,6 +80,7 @@ type TokenClaims struct {
 	Roles     []string `json:"roles,omitempty"`
 	ExpiresAt string   `json:"expires_at,omitempty"`
 }
 // PGCreds holds Postgres connection credentials.
 type PGCreds struct {
 	Host     string `json:"host"`
@@ -74,9 +89,94 @@ type PGCreds struct {
 	Username string `json:"username"`
 	Password string `json:"password"`
 }
 // TOTPEnrollResponse is returned by EnrollTOTP.
 type TOTPEnrollResponse struct {
 	Secret     string `json:"secret"`
 	OTPAuthURI string `json:"otpauth_uri"`
 }
 // AuditEvent is a single entry in the audit log.
 type AuditEvent struct {
 	ID        int    `json:"id"`
 	EventType string `json:"event_type"`
 	EventTime string `json:"event_time"`
 	ActorID   string `json:"actor_id,omitempty"`
 	TargetID  string `json:"target_id,omitempty"`
 	IPAddress string `json:"ip_address"`
 	Details   string `json:"details,omitempty"`
 }
 // AuditListResponse is returned by ListAudit.
 type AuditListResponse struct {
 	Events []AuditEvent `json:"events"`
 	Total  int          `json:"total"`
 	Limit  int          `json:"limit"`
 	Offset int          `json:"offset"`
 }
 // AuditFilter holds optional filter parameters for ListAudit.
 type AuditFilter struct {
 	Limit     int
 	Offset    int
 	EventType string
 	ActorID   string
 }
 // PolicyRuleBody holds the match conditions and effect of a policy rule.
 // All fields except Effect are optional; an omitted field acts as a wildcard.
 type PolicyRuleBody struct {
 	Effect              string   `json:"effect"`
 	Roles               []string `json:"roles,omitempty"`
 	AccountTypes        []string `json:"account_types,omitempty"`
 	SubjectUUID         string   `json:"subject_uuid,omitempty"`
 	Actions             []string `json:"actions,omitempty"`
 	ResourceType        string   `json:"resource_type,omitempty"`
 	OwnerMatchesSubject bool     `json:"owner_matches_subject,omitempty"`
 	ServiceNames        []string `json:"service_names,omitempty"`
 	RequiredTags        []string `json:"required_tags,omitempty"`
 }
 // PolicyRule is a complete operator-defined policy rule as returned by the API.
 type PolicyRule struct {
 	ID          int            `json:"id"`
 	Priority    int            `json:"priority"`
 	Description string         `json:"description"`
 	Rule        PolicyRuleBody `json:"rule"`
 	Enabled     bool           `json:"enabled"`
 	NotBefore   string         `json:"not_before,omitempty"`
 	ExpiresAt   string         `json:"expires_at,omitempty"`
 	CreatedAt   string         `json:"created_at"`
 	UpdatedAt   string         `json:"updated_at"`
 }
 // CreatePolicyRuleRequest holds the parameters for creating a policy rule.
 type CreatePolicyRuleRequest struct {
 	Description string         `json:"description"`
 	Priority    int            `json:"priority,omitempty"`
 	Rule        PolicyRuleBody `json:"rule"`
 	NotBefore   string         `json:"not_before,omitempty"`
 	ExpiresAt   string         `json:"expires_at,omitempty"`
 }
 // UpdatePolicyRuleRequest holds the parameters for updating a policy rule.
 // All fields are optional; omitted fields are left unchanged.
 // Set ClearNotBefore or ClearExpiresAt to true to remove those constraints.
 type UpdatePolicyRuleRequest struct {
 	Description    string          `json:"description,omitempty"`
 	Priority       *int            `json:"priority,omitempty"`
 	Enabled        *bool           `json:"enabled,omitempty"`
 	Rule           *PolicyRuleBody `json:"rule,omitempty"`
 	NotBefore      string          `json:"not_before,omitempty"`
 	ExpiresAt      string          `json:"expires_at,omitempty"`
 	ClearNotBefore bool            `json:"clear_not_before,omitempty"`
 	ClearExpiresAt bool            `json:"clear_expires_at,omitempty"`
 }
 // ---------------------------------------------------------------------------
 // Options and Client struct
 // ---------------------------------------------------------------------------
 // Options configures the MCIAS client.
 type Options struct {
 	// CACertPath is an optional path to a PEM-encoded CA certificate for TLS
@@ -85,6 +185,7 @@ type Options struct {
 	// Token is an optional pre-existing bearer token.
 	Token string
 }
 // Client is a thread-safe MCIAS REST API client.
 // Security: the bearer token is guarded by a sync.RWMutex; it is never
 // written to logs or included in error messages in this library.
@@ -94,9 +195,11 @@ type Client struct {
 	mu      sync.RWMutex
 	token   string
 }
 // ---------------------------------------------------------------------------
 // Constructor
 // ---------------------------------------------------------------------------
 // New creates a new Client for the given serverURL.
 // TLS 1.2 is the minimum version enforced on all connections.
 // If opts.CACertPath is set, that CA certificate is added to the trust pool.
@@ -126,20 +229,24 @@ func New(serverURL string, opts Options) (*Client, error) {
 	}
 	return c, nil
 }
 // Token returns the current bearer token (empty string if not logged in).
 func (c *Client) Token() string {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 	return c.token
 }
 // ---------------------------------------------------------------------------
 // Internal helpers
 // ---------------------------------------------------------------------------
 func (c *Client) setToken(tok string) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.token = tok
 }
 func (c *Client) do(method, path string, body interface{}, out interface{}) error {
 	var reqBody io.Reader
 	if body != nil {
@@ -195,6 +302,7 @@ func (c *Client) do(method, path string, body interface{}, out interface{}) erro
 	}
 	return nil
 }
 func makeError(status int, msg string) error {
 	base := MciasError{StatusCode: status, Message: msg}
 	switch {
@@ -212,13 +320,16 @@ func makeError(status int, msg string) error {
 		return &MciasServerError{base}
 	}
 }
 // ---------------------------------------------------------------------------
-// API methods
+// API methods — Public
 // ---------------------------------------------------------------------------
 // Health calls GET /v1/health. Returns nil if the server is healthy.
 func (c *Client) Health() error {
 	return c.do(http.MethodGet, "/v1/health", nil, nil)
 }
 // GetPublicKey returns the server's Ed25519 public key in JWK format.
 func (c *Client) GetPublicKey() (*PublicKey, error) {
 	var pk PublicKey
@@ -227,6 +338,7 @@ func (c *Client) GetPublicKey() (*PublicKey, error) {
 	}
 	return &pk, nil
 }
 // Login authenticates with username and password. On success the token is
 // stored in the Client and returned along with the expiry timestamp.
 // totpCode may be empty for accounts without TOTP.
@@ -245,6 +357,23 @@ func (c *Client) Login(username, password, totpCode string) (token, expiresAt st
 	c.setToken(resp.Token)
 	return resp.Token, resp.ExpiresAt, nil
 }
 // ValidateToken validates a token string against the server.
 // Returns claims; Valid is false (not an error) if the token is expired or
 // revoked.
 func (c *Client) ValidateToken(token string) (*TokenClaims, error) {
 	var claims TokenClaims
 	if err := c.do(http.MethodPost, "/v1/token/validate",
 		map[string]string{"token": token}, &claims); err != nil {
 		return nil, err
 	}
 	return &claims, nil
 }
 // ---------------------------------------------------------------------------
 // API methods — Authenticated
 // ---------------------------------------------------------------------------
 // Logout revokes the current token on the server and clears it from the client.
 func (c *Client) Logout() error {
 	if err := c.do(http.MethodPost, "/v1/auth/logout", nil, nil); err != nil {
@@ -253,6 +382,7 @@ func (c *Client) Logout() error {
 	c.setToken("")
 	return nil
 }
 // RenewToken exchanges the current token for a fresh one.
 // The new token is stored in the client and returned.
 func (c *Client) RenewToken() (token, expiresAt string, err error) {
@@ -266,17 +396,63 @@ func (c *Client) RenewToken() (token, expiresAt string, err error) {
 	c.setToken(resp.Token)
 	return resp.Token, resp.ExpiresAt, nil
 }
-// ValidateToken validates a token string against the server.
+
-// Returns claims; Valid is false (not an error) if the token is expired or
+// EnrollTOTP begins TOTP enrollment for the authenticated account.
-// revoked.
+// Returns a base32 secret and an otpauth:// URI for QR-code generation.
-func (c *Client) ValidateToken(token string) (*TokenClaims, error) {
+// The secret is shown once; it is not retrievable after this call.
-	var claims TokenClaims
+// TOTP is not enforced until confirmed via ConfirmTOTP.
-	if err := c.do(http.MethodPost, "/v1/token/validate",
+func (c *Client) EnrollTOTP() (*TOTPEnrollResponse, error) {
-		map[string]string{"token": token}, &claims); err != nil {
+	var resp TOTPEnrollResponse
 	if err := c.do(http.MethodPost, "/v1/auth/totp/enroll", nil, &resp); err != nil {
 		return nil, err
 	}
-	return &claims, nil
+	return &resp, nil
 }
 // ConfirmTOTP completes TOTP enrollment by verifying the current code against
 // the pending secret. On success, TOTP becomes required for all future logins.
 func (c *Client) ConfirmTOTP(code string) error {
 	return c.do(http.MethodPost, "/v1/auth/totp/confirm",
 		map[string]string{"code": code}, nil)
 }
 // ChangePassword changes the password of the currently authenticated human
 // account. currentPassword is required to prevent token-theft attacks.
 // On success, all active sessions except the caller's are revoked.
 //
 // Security: both passwords are transmitted over TLS only; the server verifies
 // currentPassword with constant-time comparison before accepting the change.
 func (c *Client) ChangePassword(currentPassword, newPassword string) error {
 	return c.do(http.MethodPut, "/v1/auth/password", map[string]string{
 		"current_password": currentPassword,
 		"new_password":     newPassword,
 	}, nil)
 }
 // ---------------------------------------------------------------------------
 // API methods — Admin: Auth
 // ---------------------------------------------------------------------------
 // RemoveTOTP clears TOTP enrollment for the given account (admin).
 // Use for account recovery when a user has lost their TOTP device.
 func (c *Client) RemoveTOTP(accountID string) error {
 	return c.do(http.MethodDelete, "/v1/auth/totp",
 		map[string]string{"account_id": accountID}, nil)
 }
 // ---------------------------------------------------------------------------
 // API methods — Admin: Accounts
 // ---------------------------------------------------------------------------
 // ListAccounts returns all accounts. Requires admin role.
 func (c *Client) ListAccounts() ([]Account, error) {
 	var accounts []Account
 	if err := c.do(http.MethodGet, "/v1/accounts", nil, &accounts); err != nil {
 		return nil, err
 	}
 	return accounts, nil
 }
 // CreateAccount creates a new account. accountType is "human" or "system".
 // password is required for human accounts.
 func (c *Client) CreateAccount(username, accountType, password string) (*Account, error) {
@@ -293,14 +469,7 @@ func (c *Client) CreateAccount(username, accountType, password string) (*Account
 	}
 	return &acct, nil
 }
-// ListAccounts returns all accounts. Requires admin role.
+
 func (c *Client) ListAccounts() ([]Account, error) {
 	var accounts []Account
 	if err := c.do(http.MethodGet, "/v1/accounts", nil, &accounts); err != nil {
 		return nil, err
 	}
 	return accounts, nil
 }
 // GetAccount returns the account with the given ID. Requires admin role.
 func (c *Client) GetAccount(id string) (*Account, error) {
 	var acct Account
@@ -309,23 +478,22 @@ func (c *Client) GetAccount(id string) (*Account, error) {
 	}
 	return &acct, nil
 }
-// UpdateAccount updates mutable account fields. Requires admin role.
+
-// Pass an empty string for fields that should not be changed.
+// UpdateAccount updates mutable account fields (currently only status).
-func (c *Client) UpdateAccount(id, status string) (*Account, error) {
+// Requires admin role. Returns nil on success (HTTP 204).
 func (c *Client) UpdateAccount(id, status string) error {
 	req := map[string]string{}
 	if status != "" {
 		req["status"] = status
 	}
-	var acct Account
+	return c.do(http.MethodPatch, "/v1/accounts/"+id, req, nil)
 	if err := c.do(http.MethodPatch, "/v1/accounts/"+id, req, &acct); err != nil {
 		return nil, err
 	}
 	return &acct, nil
 }
 // DeleteAccount soft-deletes the account with the given ID. Requires admin.
 func (c *Client) DeleteAccount(id string) error {
 	return c.do(http.MethodDelete, "/v1/accounts/"+id, nil, nil)
 }
 // GetRoles returns the roles for accountID. Requires admin.
 func (c *Client) GetRoles(accountID string) ([]string, error) {
 	var resp struct {
@@ -336,11 +504,49 @@ func (c *Client) GetRoles(accountID string) ([]string, error) {
 	}
 	return resp.Roles, nil
 }
 // SetRoles replaces the role set for accountID. Requires admin.
 func (c *Client) SetRoles(accountID string, roles []string) error {
 	return c.do(http.MethodPut, "/v1/accounts/"+accountID+"/roles",
 		map[string][]string{"roles": roles}, nil)
 }
 // AdminSetPassword resets a human account's password without requiring the
 // current password. Requires admin. All active sessions for the target account
 // are revoked on success.
 func (c *Client) AdminSetPassword(accountID, newPassword string) error {
 	return c.do(http.MethodPut, "/v1/accounts/"+accountID+"/password",
 		map[string]string{"new_password": newPassword}, nil)
 }
 // GetAccountTags returns the current tag set for an account. Requires admin.
 func (c *Client) GetAccountTags(accountID string) ([]string, error) {
 	var resp struct {
 		Tags []string `json:"tags"`
 	}
 	if err := c.do(http.MethodGet, "/v1/accounts/"+accountID+"/tags", nil, &resp); err != nil {
 		return nil, err
 	}
 	return resp.Tags, nil
 }
 // SetAccountTags replaces the full tag set for an account atomically.
 // Pass an empty slice to clear all tags. Requires admin.
 func (c *Client) SetAccountTags(accountID string, tags []string) ([]string, error) {
 	var resp struct {
 		Tags []string `json:"tags"`
 	}
 	if err := c.do(http.MethodPut, "/v1/accounts/"+accountID+"/tags",
 		map[string][]string{"tags": tags}, &resp); err != nil {
 		return nil, err
 	}
 	return resp.Tags, nil
 }
 // ---------------------------------------------------------------------------
 // API methods — Admin: Tokens
 // ---------------------------------------------------------------------------
 // IssueServiceToken issues a long-lived token for a system account. Requires admin.
 func (c *Client) IssueServiceToken(accountID string) (token, expiresAt string, err error) {
 	var resp struct {
@@ -353,10 +559,16 @@ func (c *Client) IssueServiceToken(accountID string) (token, expiresAt string, e
 	}
 	return resp.Token, resp.ExpiresAt, nil
 }
 // RevokeToken revokes a token by JTI. Requires admin.
 func (c *Client) RevokeToken(jti string) error {
 	return c.do(http.MethodDelete, "/v1/token/"+jti, nil, nil)
 }
 // ---------------------------------------------------------------------------
 // API methods — Admin: Credentials
 // ---------------------------------------------------------------------------
 // GetPGCreds returns Postgres credentials for accountID. Requires admin.
 func (c *Client) GetPGCreds(accountID string) (*PGCreds, error) {
 	var creds PGCreds
@@ -365,6 +577,7 @@ func (c *Client) GetPGCreds(accountID string) (*PGCreds, error) {
 	}
 	return &creds, nil
 }
 // SetPGCreds stores Postgres credentials for accountID. Requires admin.
 // The password is sent over TLS and encrypted at rest server-side.
 func (c *Client) SetPGCreds(accountID, host string, port int, database, username, password string) error {
@@ -376,3 +589,78 @@ func (c *Client) SetPGCreds(accountID, host string, port int, database, username
 		"password": password,
 	}, nil)
 }
 // ---------------------------------------------------------------------------
 // API methods — Admin: Audit
 // ---------------------------------------------------------------------------
 // ListAudit retrieves audit log entries, newest first. Requires admin.
 // f may be zero-valued to use defaults (limit=50, offset=0, no filter).
 func (c *Client) ListAudit(f AuditFilter) (*AuditListResponse, error) {
 	path := "/v1/audit?"
 	if f.Limit > 0 {
 		path += fmt.Sprintf("limit=%d&", f.Limit)
 	}
 	if f.Offset > 0 {
 		path += fmt.Sprintf("offset=%d&", f.Offset)
 	}
 	if f.EventType != "" {
 		path += fmt.Sprintf("event_type=%s&", f.EventType)
 	}
 	if f.ActorID != "" {
 		path += fmt.Sprintf("actor_id=%s&", f.ActorID)
 	}
 	path = strings.TrimRight(path, "&?")
 	var resp AuditListResponse
 	if err := c.do(http.MethodGet, path, nil, &resp); err != nil {
 		return nil, err
 	}
 	return &resp, nil
 }
 // ---------------------------------------------------------------------------
 // API methods — Admin: Policy
 // ---------------------------------------------------------------------------
 // ListPolicyRules returns all operator-defined policy rules ordered by
 // priority (ascending). Requires admin.
 func (c *Client) ListPolicyRules() ([]PolicyRule, error) {
 	var rules []PolicyRule
 	if err := c.do(http.MethodGet, "/v1/policy/rules", nil, &rules); err != nil {
 		return nil, err
 	}
 	return rules, nil
 }
 // CreatePolicyRule creates a new policy rule. Requires admin.
 func (c *Client) CreatePolicyRule(req CreatePolicyRuleRequest) (*PolicyRule, error) {
 	var rule PolicyRule
 	if err := c.do(http.MethodPost, "/v1/policy/rules", req, &rule); err != nil {
 		return nil, err
 	}
 	return &rule, nil
 }
 // GetPolicyRule returns a single policy rule by integer ID. Requires admin.
 func (c *Client) GetPolicyRule(id int) (*PolicyRule, error) {
 	var rule PolicyRule
 	if err := c.do(http.MethodGet, fmt.Sprintf("/v1/policy/rules/%d", id), nil, &rule); err != nil {
 		return nil, err
 	}
 	return &rule, nil
 }
 // UpdatePolicyRule updates one or more fields of an existing policy rule.
 // Requires admin.
 func (c *Client) UpdatePolicyRule(id int, req UpdatePolicyRuleRequest) (*PolicyRule, error) {
 	var rule PolicyRule
 	if err := c.do(http.MethodPatch, fmt.Sprintf("/v1/policy/rules/%d", id), req, &rule); err != nil {
 		return nil, err
 	}
 	return &rule, nil
 }
 // DeletePolicyRule permanently deletes a policy rule. Requires admin.
 func (c *Client) DeletePolicyRule(id int) error {
 	return c.do(http.MethodDelete, fmt.Sprintf("/v1/policy/rules/%d", id), nil, nil)
 }
--- a/clients/go/client_test.go
+++ b/clients/go/client_test.go
@@ -2,6 +2,7 @@
 // All tests use inline httptest.NewServer mocks to keep this module
 // self-contained (no cross-module imports).
 package mciasgoclient_test
 import (
 	"encoding/json"
 	"errors"
@@ -9,12 +10,14 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
 	mciasgoclient "git.wntrmute.dev/kyle/mcias/clients/go"
 )
 // ---------------------------------------------------------------------------
 // helpers
 // ---------------------------------------------------------------------------
-// newTestClient creates a client pointed at the given test server URL.
+
 func newTestClient(t *testing.T, serverURL string) *mciasgoclient.Client {
 	t.Helper()
 	c, err := mciasgoclient.New(serverURL, mciasgoclient.Options{})
@@ -23,19 +26,21 @@ func newTestClient(t *testing.T, serverURL string) *mciasgoclient.Client {
 	}
 	return c
 }
-// writeJSON is a shorthand for writing a JSON response.
+
 func writeJSON(w http.ResponseWriter, status int, v interface{}) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
 	_ = json.NewEncoder(w).Encode(v)
 }
-// writeError writes a JSON error body with the given status code.
+
 func writeError(w http.ResponseWriter, status int, msg string) {
 	writeJSON(w, status, map[string]string{"error": msg})
 }
 // ---------------------------------------------------------------------------
 // TestNew
 // ---------------------------------------------------------------------------
 func TestNew(t *testing.T) {
 	c, err := mciasgoclient.New("https://example.com", mciasgoclient.Options{})
 	if err != nil {
@@ -45,6 +50,7 @@ func TestNew(t *testing.T) {
 		t.Fatal("expected non-nil client")
 	}
 }
 func TestNewWithPresetToken(t *testing.T) {
 	c, err := mciasgoclient.New("https://example.com", mciasgoclient.Options{Token: "preset-tok"})
 	if err != nil {
@@ -54,15 +60,18 @@ func TestNewWithPresetToken(t *testing.T) {
 		t.Errorf("expected preset-tok, got %q", c.Token())
 	}
 }
 func TestNewBadCACert(t *testing.T) {
 	_, err := mciasgoclient.New("https://example.com", mciasgoclient.Options{CACertPath: "/nonexistent/ca.pem"})
 	if err == nil {
 		t.Fatal("expected error for missing CA cert file")
 	}
 }
 // ---------------------------------------------------------------------------
 // TestHealth
 // ---------------------------------------------------------------------------
 func TestHealth(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/health" || r.Method != http.MethodGet {
@@ -77,9 +86,7 @@ func TestHealth(t *testing.T) {
 		t.Fatalf("Health: unexpected error: %v", err)
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestHealthError
 // ---------------------------------------------------------------------------
 func TestHealthError(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusServiceUnavailable, "service unavailable")
@@ -98,9 +105,11 @@ func TestHealthError(t *testing.T) {
 		t.Errorf("expected StatusCode 503, got %d", srvErr.StatusCode)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestGetPublicKey
 // ---------------------------------------------------------------------------
 func TestGetPublicKey(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/keys/public" {
@@ -131,9 +140,11 @@ func TestGetPublicKey(t *testing.T) {
 		t.Error("expected non-empty x")
 	}
 }
 // ---------------------------------------------------------------------------
 // TestLogin
 // ---------------------------------------------------------------------------
 func TestLogin(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/auth/login" || r.Method != http.MethodPost {
@@ -157,14 +168,11 @@ func TestLogin(t *testing.T) {
 	if exp == "" {
 		t.Error("expected non-empty expires_at")
 	}
 	// Token must be stored in the client.
 	if c.Token() != "tok-abc123" {
 		t.Errorf("Token() = %q, want tok-abc123", c.Token())
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestLoginUnauthorized
 // ---------------------------------------------------------------------------
 func TestLoginUnauthorized(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusUnauthorized, "invalid credentials")
@@ -180,16 +188,17 @@ func TestLoginUnauthorized(t *testing.T) {
 		t.Errorf("expected MciasAuthError, got %T: %v", err, err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestLogout
 // ---------------------------------------------------------------------------
 func TestLogout(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/v1/auth/login":
 			writeJSON(w, http.StatusOK, map[string]string{
-				"token":      "tok-logout",
+				"token": "tok-logout", "expires_at": "2099-01-01T00:00:00Z",
 				"expires_at": "2099-01-01T00:00:00Z",
 			})
 		case "/v1/auth/logout":
 			w.WriteHeader(http.StatusOK)
@@ -212,21 +221,21 @@ func TestLogout(t *testing.T) {
 		t.Errorf("expected empty token after logout, got %q", c.Token())
 	}
 }
 // ---------------------------------------------------------------------------
 // TestRenewToken
 // ---------------------------------------------------------------------------
 func TestRenewToken(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/v1/auth/login":
 			writeJSON(w, http.StatusOK, map[string]string{
-				"token":      "tok-old",
+				"token": "tok-old", "expires_at": "2099-01-01T00:00:00Z",
 				"expires_at": "2099-01-01T00:00:00Z",
 			})
 		case "/v1/auth/renew":
 			writeJSON(w, http.StatusOK, map[string]string{
-				"token":      "tok-new",
+				"token": "tok-new", "expires_at": "2099-06-01T00:00:00Z",
 				"expires_at": "2099-06-01T00:00:00Z",
 			})
 		default:
 			http.Error(w, "not found", http.StatusNotFound)
@@ -248,9 +257,125 @@ func TestRenewToken(t *testing.T) {
 		t.Errorf("Token() = %q, want tok-new", c.Token())
 	}
 }
 // ---------------------------------------------------------------------------
 // TestEnrollTOTP / TestConfirmTOTP
 // ---------------------------------------------------------------------------
 func TestEnrollTOTP(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/auth/totp/enroll" || r.Method != http.MethodPost {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]string{
 			"secret":      "JBSWY3DPEHPK3PXP",
 			"otpauth_uri": "otpauth://totp/MCIAS:alice?secret=JBSWY3DPEHPK3PXP&issuer=MCIAS",
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	resp, err := c.EnrollTOTP()
 	if err != nil {
 		t.Fatalf("EnrollTOTP: %v", err)
 	}
 	if resp.Secret != "JBSWY3DPEHPK3PXP" {
 		t.Errorf("expected secret=JBSWY3DPEHPK3PXP, got %q", resp.Secret)
 	}
 	if resp.OTPAuthURI == "" {
 		t.Error("expected non-empty otpauth_uri")
 	}
 }
 func TestConfirmTOTP(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/auth/totp/confirm" || r.Method != http.MethodPost {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		w.WriteHeader(http.StatusNoContent)
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	if err := c.ConfirmTOTP("123456"); err != nil {
 		t.Fatalf("ConfirmTOTP: unexpected error: %v", err)
 	}
 }
 func TestConfirmTOTPBadCode(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusBadRequest, "invalid TOTP code")
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	err := c.ConfirmTOTP("000000")
 	if err == nil {
 		t.Fatal("expected error for bad TOTP code")
 	}
 	var inputErr *mciasgoclient.MciasInputError
 	if !errors.As(err, &inputErr) {
 		t.Errorf("expected MciasInputError, got %T: %v", err, err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestChangePassword
 // ---------------------------------------------------------------------------
 func TestChangePassword(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/auth/password" || r.Method != http.MethodPut {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		w.WriteHeader(http.StatusNoContent)
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	if err := c.ChangePassword("old-s3cr3t", "new-s3cr3t-long"); err != nil {
 		t.Fatalf("ChangePassword: unexpected error: %v", err)
 	}
 }
 func TestChangePasswordWrongCurrent(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusUnauthorized, "current password is incorrect")
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	err := c.ChangePassword("wrong", "new-s3cr3t-long")
 	if err == nil {
 		t.Fatal("expected error for wrong current password")
 	}
 	var authErr *mciasgoclient.MciasAuthError
 	if !errors.As(err, &authErr) {
 		t.Errorf("expected MciasAuthError, got %T: %v", err, err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestRemoveTOTP
 // ---------------------------------------------------------------------------
 func TestRemoveTOTP(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/auth/totp" || r.Method != http.MethodDelete {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		w.WriteHeader(http.StatusNoContent)
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	if err := c.RemoveTOTP("acct-uuid-42"); err != nil {
 		t.Fatalf("RemoveTOTP: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestValidateToken
 // ---------------------------------------------------------------------------
 func TestValidateToken(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/token/validate" {
@@ -258,10 +383,8 @@ func TestValidateToken(t *testing.T) {
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
-			"valid":      true,
+			"valid": true, "sub": "user-uuid-1",
-			"sub":        "user-uuid-1",
+			"roles": []string{"admin"}, "expires_at": "2099-01-01T00:00:00Z",
 			"roles":      []string{"admin"},
 			"expires_at": "2099-01-01T00:00:00Z",
 		})
 	}))
 	defer srv.Close()
@@ -277,15 +400,10 @@ func TestValidateToken(t *testing.T) {
 		t.Errorf("expected sub=user-uuid-1, got %q", claims.Sub)
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestValidateTokenInvalid
 // ---------------------------------------------------------------------------
 func TestValidateTokenInvalid(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Server returns 200 with valid=false for an expired/revoked token.
+		writeJSON(w, http.StatusOK, map[string]interface{}{"valid": false})
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"valid": false,
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
@@ -297,9 +415,11 @@ func TestValidateTokenInvalid(t *testing.T) {
 		t.Error("expected claims.Valid = false")
 	}
 }
 // ---------------------------------------------------------------------------
 // TestCreateAccount
 // ---------------------------------------------------------------------------
 func TestCreateAccount(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/accounts" || r.Method != http.MethodPost {
@@ -307,13 +427,9 @@ func TestCreateAccount(t *testing.T) {
 			return
 		}
 		writeJSON(w, http.StatusCreated, map[string]interface{}{
-			"id":           "acct-uuid-1",
+			"id": "acct-uuid-1", "username": "bob", "account_type": "human",
-			"username":     "bob",
+			"status": "active", "created_at": "2024-01-01T00:00:00Z",
-			"account_type": "human",
+			"updated_at": "2024-01-01T00:00:00Z", "totp_enabled": false,
 			"status":       "active",
 			"created_at":   "2024-01-01T00:00:00Z",
 			"updated_at":   "2024-01-01T00:00:00Z",
 			"totp_enabled": false,
 		})
 	}))
 	defer srv.Close()
@@ -329,9 +445,7 @@ func TestCreateAccount(t *testing.T) {
 		t.Errorf("expected username=bob, got %q", acct.Username)
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestCreateAccountConflict
 // ---------------------------------------------------------------------------
 func TestCreateAccountConflict(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusConflict, "username already exists")
@@ -347,21 +461,19 @@ func TestCreateAccountConflict(t *testing.T) {
 		t.Errorf("expected MciasConflictError, got %T: %v", err, err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestListAccounts
 // ---------------------------------------------------------------------------
 func TestListAccounts(t *testing.T) {
 	accounts := []map[string]interface{}{
-		{
+		{"id": "acct-1", "username": "alice", "account_type": "human",
 			"id": "acct-1", "username": "alice", "account_type": "human",
 			"status": "active", "created_at": "2024-01-01T00:00:00Z",
-			"updated_at": "2024-01-01T00:00:00Z", "totp_enabled": false,
+			"updated_at": "2024-01-01T00:00:00Z", "totp_enabled": false},
-		},
+		{"id": "acct-2", "username": "bob", "account_type": "human",
 		{
 			"id": "acct-2", "username": "bob", "account_type": "human",
 			"status": "active", "created_at": "2024-01-02T00:00:00Z",
-			"updated_at": "2024-01-02T00:00:00Z", "totp_enabled": false,
+			"updated_at": "2024-01-02T00:00:00Z", "totp_enabled": false},
 		},
 	}
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/accounts" || r.Method != http.MethodGet {
@@ -383,27 +495,21 @@ func TestListAccounts(t *testing.T) {
 		t.Errorf("expected alice, got %q", list[0].Username)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestGetAccount
 // ---------------------------------------------------------------------------
 func TestGetAccount(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
+		if r.Method != http.MethodGet || !strings.HasPrefix(r.URL.Path, "/v1/accounts/") {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
 		if !strings.HasPrefix(r.URL.Path, "/v1/accounts/") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
-			"id":           "acct-uuid-42",
+			"id": "acct-uuid-42", "username": "carol", "account_type": "human",
-			"username":     "carol",
+			"status": "active", "created_at": "2024-01-01T00:00:00Z",
-			"account_type": "human",
+			"updated_at": "2024-01-01T00:00:00Z", "totp_enabled": false,
 			"status":       "active",
 			"created_at":   "2024-01-01T00:00:00Z",
 			"updated_at":   "2024-01-01T00:00:00Z",
 			"totp_enabled": false,
 		})
 	}))
 	defer srv.Close()
@@ -416,38 +522,30 @@ func TestGetAccount(t *testing.T) {
 		t.Errorf("expected acct-uuid-42, got %q", acct.ID)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestUpdateAccount
 // ---------------------------------------------------------------------------
 func TestUpdateAccount(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPatch {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
-		writeJSON(w, http.StatusOK, map[string]interface{}{
+		w.WriteHeader(http.StatusNoContent)
 			"id":           "acct-uuid-42",
 			"username":     "carol",
 			"account_type": "human",
 			"status":       "disabled",
 			"created_at":   "2024-01-01T00:00:00Z",
 			"updated_at":   "2024-02-01T00:00:00Z",
 			"totp_enabled": false,
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	acct, err := c.UpdateAccount("acct-uuid-42", "disabled")
+	if err := c.UpdateAccount("acct-uuid-42", "inactive"); err != nil {
-	if err != nil {
+		t.Fatalf("UpdateAccount: unexpected error: %v", err)
 		t.Fatalf("UpdateAccount: %v", err)
 	}
 	if acct.Status != "disabled" {
 		t.Errorf("expected status=disabled, got %q", acct.Status)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestDeleteAccount
 // ---------------------------------------------------------------------------
 func TestDeleteAccount(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodDelete {
@@ -462,16 +560,33 @@ func TestDeleteAccount(t *testing.T) {
 		t.Fatalf("DeleteAccount: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
-// TestGetRoles
+// TestAdminSetPassword
 // ---------------------------------------------------------------------------
-func TestGetRoles(t *testing.T) {
+
 func TestAdminSetPassword(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
+		if r.Method != http.MethodPut || !strings.HasSuffix(r.URL.Path, "/password") {
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
-		if !strings.HasSuffix(r.URL.Path, "/roles") {
+		w.WriteHeader(http.StatusNoContent)
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	if err := c.AdminSetPassword("acct-uuid-42", "new-s3cr3t-long"); err != nil {
 		t.Fatalf("AdminSetPassword: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestGetRoles / TestSetRoles
 // ---------------------------------------------------------------------------
 func TestGetRoles(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet || !strings.HasSuffix(r.URL.Path, "/roles") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
@@ -492,9 +607,7 @@ func TestGetRoles(t *testing.T) {
 		t.Errorf("expected roles[0]=admin, got %q", roles[0])
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestSetRoles
 // ---------------------------------------------------------------------------
 func TestSetRoles(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPut {
@@ -509,9 +622,79 @@ func TestSetRoles(t *testing.T) {
 		t.Fatalf("SetRoles: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
-// TestIssueServiceToken
+// TestGetAccountTags / TestSetAccountTags
 // ---------------------------------------------------------------------------
 func TestGetAccountTags(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet || !strings.HasSuffix(r.URL.Path, "/tags") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"tags": []string{"env:production", "svc:payments-api"},
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	tags, err := c.GetAccountTags("acct-uuid-42")
 	if err != nil {
 		t.Fatalf("GetAccountTags: %v", err)
 	}
 	if len(tags) != 2 {
 		t.Errorf("expected 2 tags, got %d", len(tags))
 	}
 	if tags[0] != "env:production" {
 		t.Errorf("expected tags[0]=env:production, got %q", tags[0])
 	}
 }
 func TestSetAccountTags(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPut || !strings.HasSuffix(r.URL.Path, "/tags") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"tags": []string{"env:staging"},
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	tags, err := c.SetAccountTags("acct-uuid-42", []string{"env:staging"})
 	if err != nil {
 		t.Fatalf("SetAccountTags: unexpected error: %v", err)
 	}
 	if len(tags) != 1 || tags[0] != "env:staging" {
 		t.Errorf("expected [env:staging], got %v", tags)
 	}
 }
 func TestSetAccountTagsClear(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPut {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{"tags": []string{}})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	tags, err := c.SetAccountTags("acct-uuid-42", []string{})
 	if err != nil {
 		t.Fatalf("SetAccountTags (clear): unexpected error: %v", err)
 	}
 	if len(tags) != 0 {
 		t.Errorf("expected empty tags, got %v", tags)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestIssueServiceToken / TestRevokeToken
 // ---------------------------------------------------------------------------
 func TestIssueServiceToken(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/token/issue" || r.Method != http.MethodPost {
@@ -519,8 +702,7 @@ func TestIssueServiceToken(t *testing.T) {
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]string{
-			"token":      "svc-tok-xyz",
+			"token": "svc-tok-xyz", "expires_at": "2099-01-01T00:00:00Z",
 			"expires_at": "2099-01-01T00:00:00Z",
 		})
 	}))
 	defer srv.Close()
@@ -536,16 +718,10 @@ func TestIssueServiceToken(t *testing.T) {
 		t.Error("expected non-empty expires_at")
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestRevokeToken
 // ---------------------------------------------------------------------------
 func TestRevokeToken(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodDelete {
+		if r.Method != http.MethodDelete || !strings.HasPrefix(r.URL.Path, "/v1/token/") {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
 		if !strings.HasPrefix(r.URL.Path, "/v1/token/") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
@@ -557,25 +733,20 @@ func TestRevokeToken(t *testing.T) {
 		t.Fatalf("RevokeToken: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
-// TestGetPGCreds
+// TestGetPGCreds / TestSetPGCreds
 // ---------------------------------------------------------------------------
 func TestGetPGCreds(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
+		if r.Method != http.MethodGet || !strings.HasSuffix(r.URL.Path, "/pgcreds") {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
 		if !strings.HasSuffix(r.URL.Path, "/pgcreds") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
-			"host":     "db.example.com",
+			"host": "db.example.com", "port": 5432,
-			"port":     5432,
+			"database": "myapp", "username": "appuser", "password": "secretpw",
 			"database": "myapp",
 			"username": "appuser",
 			"password": "secretpw",
 		})
 	}))
 	defer srv.Close()
@@ -594,16 +765,10 @@ func TestGetPGCreds(t *testing.T) {
 		t.Errorf("expected password=secretpw, got %q", creds.Password)
 	}
 }
-// ---------------------------------------------------------------------------
+
 // TestSetPGCreds
 // ---------------------------------------------------------------------------
 func TestSetPGCreds(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodPut {
+		if r.Method != http.MethodPut || !strings.HasSuffix(r.URL.Path, "/pgcreds") {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
 		if !strings.HasSuffix(r.URL.Path, "/pgcreds") {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
@@ -611,14 +776,238 @@ func TestSetPGCreds(t *testing.T) {
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	err := c.SetPGCreds("acct-uuid-42", "db.example.com", 5432, "myapp", "appuser", "secretpw")
+	if err := c.SetPGCreds("acct-uuid-42", "db.example.com", 5432, "myapp", "appuser", "secretpw"); err != nil {
 	if err != nil {
 		t.Fatalf("SetPGCreds: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestListAudit
 // ---------------------------------------------------------------------------
 func TestListAudit(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if !strings.HasPrefix(r.URL.Path, "/v1/audit") || r.Method != http.MethodGet {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"events": []map[string]interface{}{
 				{"id": 42, "event_type": "login_ok", "event_time": "2026-03-11T09:01:23Z",
 					"actor_id": "acct-uuid-1", "ip_address": "192.0.2.1"},
 			},
 			"total": 1, "limit": 50, "offset": 0,
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	resp, err := c.ListAudit(mciasgoclient.AuditFilter{})
 	if err != nil {
 		t.Fatalf("ListAudit: %v", err)
 	}
 	if resp.Total != 1 {
 		t.Errorf("expected total=1, got %d", resp.Total)
 	}
 	if len(resp.Events) != 1 {
 		t.Fatalf("expected 1 event, got %d", len(resp.Events))
 	}
 	if resp.Events[0].EventType != "login_ok" {
 		t.Errorf("expected event_type=login_ok, got %q", resp.Events[0].EventType)
 	}
 }
 func TestListAuditWithFilter(t *testing.T) {
 	var capturedQuery string
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		capturedQuery = r.URL.RawQuery
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"events": []map[string]interface{}{},
 			"total": 0, "limit": 10, "offset": 5,
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	_, err := c.ListAudit(mciasgoclient.AuditFilter{
 		Limit: 10, Offset: 5, EventType: "login_fail", ActorID: "acct-uuid-1",
 	})
 	if err != nil {
 		t.Fatalf("ListAudit: %v", err)
 	}
 	for _, want := range []string{"limit=10", "offset=5", "event_type=login_fail", "actor_id=acct-uuid-1"} {
 		if !strings.Contains(capturedQuery, want) {
 			t.Errorf("expected %q in query string, got %q", want, capturedQuery)
 		}
 	}
 }
 // ---------------------------------------------------------------------------
 // TestListPolicyRules
 // ---------------------------------------------------------------------------
 func TestListPolicyRules(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/policy/rules" || r.Method != http.MethodGet {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, []map[string]interface{}{
 			{
 				"id": 1, "priority": 100,
 				"description": "Allow payments-api to read its own pgcreds",
 				"rule":        map[string]interface{}{"effect": "allow", "actions": []string{"pgcreds:read"}},
 				"enabled":     true,
 				"created_at":  "2026-03-11T09:00:00Z", "updated_at": "2026-03-11T09:00:00Z",
 			},
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	rules, err := c.ListPolicyRules()
 	if err != nil {
 		t.Fatalf("ListPolicyRules: %v", err)
 	}
 	if len(rules) != 1 {
 		t.Fatalf("expected 1 rule, got %d", len(rules))
 	}
 	if rules[0].ID != 1 {
 		t.Errorf("expected id=1, got %d", rules[0].ID)
 	}
 	if rules[0].Description != "Allow payments-api to read its own pgcreds" {
 		t.Errorf("unexpected description: %q", rules[0].Description)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestCreatePolicyRule
 // ---------------------------------------------------------------------------
 func TestCreatePolicyRule(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/v1/policy/rules" || r.Method != http.MethodPost {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusCreated, map[string]interface{}{
 			"id": 7, "priority": 50, "description": "Test rule",
 			"rule":       map[string]interface{}{"effect": "deny"},
 			"enabled":    true,
 			"created_at": "2026-03-11T09:00:00Z", "updated_at": "2026-03-11T09:00:00Z",
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	rule, err := c.CreatePolicyRule(mciasgoclient.CreatePolicyRuleRequest{
 		Description: "Test rule",
 		Priority:    50,
 		Rule:        mciasgoclient.PolicyRuleBody{Effect: "deny"},
 	})
 	if err != nil {
 		t.Fatalf("CreatePolicyRule: %v", err)
 	}
 	if rule.ID != 7 {
 		t.Errorf("expected id=7, got %d", rule.ID)
 	}
 	if rule.Priority != 50 {
 		t.Errorf("expected priority=50, got %d", rule.Priority)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestGetPolicyRule
 // ---------------------------------------------------------------------------
 func TestGetPolicyRule(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet || r.URL.Path != "/v1/policy/rules/7" {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"id": 7, "priority": 50, "description": "Test rule",
 			"rule":       map[string]interface{}{"effect": "allow"},
 			"enabled":    true,
 			"created_at": "2026-03-11T09:00:00Z", "updated_at": "2026-03-11T09:00:00Z",
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	rule, err := c.GetPolicyRule(7)
 	if err != nil {
 		t.Fatalf("GetPolicyRule: %v", err)
 	}
 	if rule.ID != 7 {
 		t.Errorf("expected id=7, got %d", rule.ID)
 	}
 }
 func TestGetPolicyRuleNotFound(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusNotFound, "rule not found")
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	_, err := c.GetPolicyRule(999)
 	if err == nil {
 		t.Fatal("expected error for 404")
 	}
 	var notFoundErr *mciasgoclient.MciasNotFoundError
 	if !errors.As(err, &notFoundErr) {
 		t.Errorf("expected MciasNotFoundError, got %T: %v", err, err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestUpdatePolicyRule
 // ---------------------------------------------------------------------------
 func TestUpdatePolicyRule(t *testing.T) {
 	enabled := false
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPatch || r.URL.Path != "/v1/policy/rules/7" {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]interface{}{
 			"id": 7, "priority": 50, "description": "Test rule",
 			"rule":       map[string]interface{}{"effect": "allow"},
 			"enabled":    false,
 			"created_at": "2026-03-11T09:00:00Z", "updated_at": "2026-03-12T10:00:00Z",
 		})
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	rule, err := c.UpdatePolicyRule(7, mciasgoclient.UpdatePolicyRuleRequest{Enabled: &enabled})
 	if err != nil {
 		t.Fatalf("UpdatePolicyRule: %v", err)
 	}
 	if rule.Enabled {
 		t.Error("expected enabled=false after update")
 	}
 }
 // ---------------------------------------------------------------------------
 // TestDeletePolicyRule
 // ---------------------------------------------------------------------------
 func TestDeletePolicyRule(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodDelete || r.URL.Path != "/v1/policy/rules/7" {
 			http.Error(w, "not found", http.StatusNotFound)
 			return
 		}
 		w.WriteHeader(http.StatusNoContent)
 	}))
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
 	if err := c.DeletePolicyRule(7); err != nil {
 		t.Fatalf("DeletePolicyRule: unexpected error: %v", err)
 	}
 }
 // ---------------------------------------------------------------------------
 // TestIntegration: full login → validate → logout flow
 // ---------------------------------------------------------------------------
 func TestIntegration(t *testing.T) {
 	const sessionToken = "integration-tok-999"
 	mux := http.NewServeMux()
@@ -640,8 +1029,7 @@ func TestIntegration(t *testing.T) {
 			return
 		}
 		writeJSON(w, http.StatusOK, map[string]string{
-			"token":      sessionToken,
+			"token": sessionToken, "expires_at": "2099-01-01T00:00:00Z",
 			"expires_at": "2099-01-01T00:00:00Z",
 		})
 	})
 	mux.HandleFunc("/v1/token/validate", func(w http.ResponseWriter, r *http.Request) {
@@ -658,15 +1046,11 @@ func TestIntegration(t *testing.T) {
 		}
 		if body.Token == sessionToken {
 			writeJSON(w, http.StatusOK, map[string]interface{}{
-				"valid":      true,
+				"valid": true, "sub": "alice-uuid",
-				"sub":        "alice-uuid",
+				"roles": []string{"user"}, "expires_at": "2099-01-01T00:00:00Z",
 				"roles":      []string{"user"},
 				"expires_at": "2099-01-01T00:00:00Z",
 			})
 		} else {
-			writeJSON(w, http.StatusOK, map[string]interface{}{
+			writeJSON(w, http.StatusOK, map[string]interface{}{"valid": false})
 				"valid": false,
 			})
 		}
 	})
 	mux.HandleFunc("/v1/auth/logout", func(w http.ResponseWriter, r *http.Request) {
@@ -674,9 +1058,7 @@ func TestIntegration(t *testing.T) {
 			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
-		// Verify Authorization header is present.
+		if r.Header.Get("Authorization") == "" {
 		auth := r.Header.Get("Authorization")
 		if auth == "" {
 			writeError(w, http.StatusUnauthorized, "missing token")
 			return
 		}
@@ -685,7 +1067,8 @@ func TestIntegration(t *testing.T) {
 	srv := httptest.NewServer(mux)
 	defer srv.Close()
 	c := newTestClient(t, srv.URL)
-	// Step 1: login with wrong credentials should fail.
+
 	// Step 1: wrong credentials → MciasAuthError.
 	_, _, err := c.Login("alice", "wrong-password", "")
 	if err == nil {
 		t.Fatal("expected error for wrong credentials")
@@ -694,7 +1077,8 @@ func TestIntegration(t *testing.T) {
 	if !errors.As(err, &authErr) {
 		t.Errorf("expected MciasAuthError, got %T", err)
 	}
-	// Step 2: login with correct credentials.
+
 	// Step 2: correct login.
 	tok, _, err := c.Login("alice", "correct-horse", "")
 	if err != nil {
 		t.Fatalf("Login: %v", err)
@@ -702,7 +1086,8 @@ func TestIntegration(t *testing.T) {
 	if tok != sessionToken {
 		t.Errorf("expected %q, got %q", sessionToken, tok)
 	}
-	// Step 3: validate the returned token.
+
 	// Step 3: validate → valid=true.
 	claims, err := c.ValidateToken(tok)
 	if err != nil {
 		t.Fatalf("ValidateToken: %v", err)
@@ -713,7 +1098,8 @@ func TestIntegration(t *testing.T) {
 	if claims.Sub != "alice-uuid" {
 		t.Errorf("expected sub=alice-uuid, got %q", claims.Sub)
 	}
-	// Step 4: validate an unknown token returns Valid=false, not an error.
+
 	// Step 4: garbage token → valid=false (not an error).
 	claims2, err := c.ValidateToken("garbage-token")
 	if err != nil {
 		t.Fatalf("ValidateToken(garbage): unexpected error: %v", err)
@@ -721,7 +1107,8 @@ func TestIntegration(t *testing.T) {
 	if claims2.Valid {
 		t.Error("expected Valid=false for garbage token")
 	}
-	// Step 5: logout clears the stored token.
+
 	// Step 5: logout clears stored token.
 	if err := c.Logout(); err != nil {
 		t.Fatalf("Logout: %v", err)
 	}
--- a/clients/python/mcias_client/init.py
+++ b/clients/python/mcias_client/init.py
@@ -7,9 +7,10 @@ from ._errors import (
    MciasForbiddenError,
    MciasInputError,
    MciasNotFoundError,
    MciasRateLimitError,
    MciasServerError,
 )
-from ._models import Account, PGCreds, PublicKey, TokenClaims
+from ._models import Account, PGCreds, PolicyRule, PublicKey, RuleBody, TokenClaims
 __all__ = [
    "Client",
@@ -19,9 +20,12 @@ __all__ = [
    "MciasNotFoundError",
    "MciasInputError",
    "MciasConflictError",
    "MciasRateLimitError",
    "MciasServerError",
    "Account",
    "PublicKey",
    "TokenClaims",
    "PGCreds",
    "PolicyRule",
    "RuleBody",
 ]
--- a/clients/python/mcias_client/_client.py
+++ b/clients/python/mcias_client/_client.py
@@ -8,7 +8,7 @@ from typing import Any
 import httpx
 from ._errors import raise_for_status
-from ._models import Account, PGCreds, PublicKey, TokenClaims
+from ._models import Account, PGCreds, PolicyRule, PublicKey, RuleBody, TokenClaims
 class Client:
@@ -76,6 +76,29 @@ class Client:
        if status == 204 or not response.content:
            return None
        return response.json()  # type: ignore[no-any-return]
    def _request_list(
        self,
        method: str,
        path: str,
        *,
        json: dict[str, Any] | None = None,
    ) -> list[dict[str, Any]]:
        """Send a request that returns a JSON array at the top level."""
        url = f"{self._base_url}{path}"
        headers: dict[str, str] = {}
        if self.token is not None:
            headers["Authorization"] = f"Bearer {self.token}"
        response = self._http.request(method, url, json=json, headers=headers)
        status = response.status_code
        if status >= 400:
            try:
                body = response.json()
                message = str(body.get("error", response.text))
            except Exception:
                message = response.text
            raise_for_status(status, message)
        return response.json()  # type: ignore[no-any-return]
    # ── Public ────────────────────────────────────────────────────────────────
    def health(self) -> None:
        """GET /v1/health — liveness check."""
        self._request("GET", "/v1/health")
@@ -105,6 +128,12 @@ class Client:
        expires_at = str(data["expires_at"])
        self.token = token
        return token, expires_at
    def validate_token(self, token: str) -> TokenClaims:
        """POST /v1/token/validate — check whether a token is valid."""
        data = self._request("POST", "/v1/token/validate", json={"token": token})
        assert data is not None
        return TokenClaims.from_dict(data)
    # ── Authenticated ──────────────────────────────────────────────────────────
    def logout(self) -> None:
        """POST /v1/auth/logout — invalidate the current token."""
        self._request("POST", "/v1/auth/logout")
@@ -119,11 +148,45 @@ class Client:
        expires_at = str(data["expires_at"])
        self.token = token
        return token, expires_at
-    def validate_token(self, token: str) -> TokenClaims:
+    def enroll_totp(self) -> tuple[str, str]:
-        """POST /v1/token/validate — check whether a token is valid."""
+        """POST /v1/auth/totp/enroll — begin TOTP enrollment.
-        data = self._request("POST", "/v1/token/validate", json={"token": token})
+        Returns (secret, otpauth_uri). The secret is shown only once.
        """
        data = self._request("POST", "/v1/auth/totp/enroll")
        assert data is not None
-        return TokenClaims.from_dict(data)
+        return str(data["secret"]), str(data["otpauth_uri"])
    def confirm_totp(self, code: str) -> None:
        """POST /v1/auth/totp/confirm — confirm TOTP enrollment with a code."""
        self._request("POST", "/v1/auth/totp/confirm", json={"code": code})
    def change_password(self, current_password: str, new_password: str) -> None:
        """PUT /v1/auth/password — change own password (self-service)."""
        self._request(
            "PUT",
            "/v1/auth/password",
            json={"current_password": current_password, "new_password": new_password},
        )
    # ── Admin — Auth ──────────────────────────────────────────────────────────
    def remove_totp(self, account_id: str) -> None:
        """DELETE /v1/auth/totp — remove TOTP from an account (admin)."""
        self._request("DELETE", "/v1/auth/totp", json={"account_id": account_id})
    # ── Admin — Tokens ────────────────────────────────────────────────────────
    def issue_service_token(self, account_id: str) -> tuple[str, str]:
        """POST /v1/token/issue — issue a long-lived service token (admin).
        Returns (token, expires_at).
        """
        data = self._request("POST", "/v1/token/issue", json={"account_id": account_id})
        assert data is not None
        return str(data["token"]), str(data["expires_at"])
    def revoke_token(self, jti: str) -> None:
        """DELETE /v1/token/{jti} — revoke a token by JTI (admin)."""
        self._request("DELETE", f"/v1/token/{jti}")
    # ── Admin — Accounts ──────────────────────────────────────────────────────
    def list_accounts(self) -> list[Account]:
        """GET /v1/accounts — list all accounts (admin).
        The API returns a JSON array directly (no wrapper object).
        """
        items = self._request_list("GET", "/v1/accounts")
        return [Account.from_dict(a) for a in items]
    def create_account(
        self,
        username: str,
@@ -131,7 +194,7 @@ class Client:
        *,
        password: str | None = None,
    ) -> Account:
-        """POST /v1/accounts — create a new account."""
+        """POST /v1/accounts — create a new account (admin)."""
        payload: dict[str, Any] = {
            "username": username,
            "account_type": account_type,
@@ -141,14 +204,8 @@ class Client:
        data = self._request("POST", "/v1/accounts", json=payload)
        assert data is not None
        return Account.from_dict(data)
    def list_accounts(self) -> list[Account]:
        """GET /v1/accounts — list all accounts."""
        data = self._request("GET", "/v1/accounts")
        assert data is not None
        accounts_raw = data.get("accounts") or []
        return [Account.from_dict(a) for a in accounts_raw]
    def get_account(self, account_id: str) -> Account:
-        """GET /v1/accounts/{id} — retrieve a single account."""
+        """GET /v1/accounts/{id} — retrieve a single account (admin)."""
        data = self._request("GET", f"/v1/accounts/{account_id}")
        assert data is not None
        return Account.from_dict(data)
@@ -157,42 +214,40 @@ class Client:
        account_id: str,
        *,
        status: str | None = None,
-    ) -> Account:
+    ) -> None:
-        """PATCH /v1/accounts/{id} — update account fields."""
+        """PATCH /v1/accounts/{id} — update account fields (admin).
        Currently only `status` is patchable. Returns None (204 No Content).
        """
        payload: dict[str, Any] = {}
        if status is not None:
            payload["status"] = status
-        data = self._request("PATCH", f"/v1/accounts/{account_id}", json=payload)
+        self._request("PATCH", f"/v1/accounts/{account_id}", json=payload)
        assert data is not None
        return Account.from_dict(data)
    def delete_account(self, account_id: str) -> None:
-        """DELETE /v1/accounts/{id} — permanently remove an account."""
+        """DELETE /v1/accounts/{id} — soft-delete an account (admin)."""
        self._request("DELETE", f"/v1/accounts/{account_id}")
    def get_roles(self, account_id: str) -> list[str]:
-        """GET /v1/accounts/{id}/roles — list roles for an account."""
+        """GET /v1/accounts/{id}/roles — list roles for an account (admin)."""
        data = self._request("GET", f"/v1/accounts/{account_id}/roles")
        assert data is not None
        roles_raw = data.get("roles") or []
        return [str(r) for r in roles_raw]
    def set_roles(self, account_id: str, roles: list[str]) -> None:
-        """PUT /v1/accounts/{id}/roles — replace the full role set."""
+        """PUT /v1/accounts/{id}/roles — replace the full role set (admin)."""
        self._request(
            "PUT",
            f"/v1/accounts/{account_id}/roles",
            json={"roles": roles},
        )
-    def issue_service_token(self, account_id: str) -> tuple[str, str]:
+    def admin_set_password(self, account_id: str, new_password: str) -> None:
-        """POST /v1/accounts/{id}/token — issue a long-lived service token.
+        """PUT /v1/accounts/{id}/password — reset a password without the old one (admin)."""
-        Returns (token, expires_at).
+        self._request(
-        """
+            "PUT",
-        data = self._request("POST", f"/v1/accounts/{account_id}/token")
+            f"/v1/accounts/{account_id}/password",
-        assert data is not None
+            json={"new_password": new_password},
-        return str(data["token"]), str(data["expires_at"])
+        )
-    def revoke_token(self, jti: str) -> None:
+    # ── Admin — Credentials ───────────────────────────────────────────────────
        """DELETE /v1/token/{jti} — revoke a token by JTI."""
        self._request("DELETE", f"/v1/token/{jti}")
    def get_pg_creds(self, account_id: str) -> PGCreds:
-        """GET /v1/accounts/{id}/pgcreds — retrieve Postgres credentials."""
+        """GET /v1/accounts/{id}/pgcreds — retrieve Postgres credentials (admin)."""
        data = self._request("GET", f"/v1/accounts/{account_id}/pgcreds")
        assert data is not None
        return PGCreds.from_dict(data)
@@ -205,7 +260,7 @@ class Client:
        username: str,
        password: str,
    ) -> None:
-        """PUT /v1/accounts/{id}/pgcreds — store or replace Postgres credentials."""
+        """PUT /v1/accounts/{id}/pgcreds — store or replace Postgres credentials (admin)."""
        payload: dict[str, Any] = {
            "host": host,
            "port": port,
@@ -214,3 +269,89 @@ class Client:
            "password": password,
        }
        self._request("PUT", f"/v1/accounts/{account_id}/pgcreds", json=payload)
    # ── Admin — Policy ────────────────────────────────────────────────────────
    def get_account_tags(self, account_id: str) -> list[str]:
        """GET /v1/accounts/{id}/tags — get account tags (admin)."""
        data = self._request("GET", f"/v1/accounts/{account_id}/tags")
        assert data is not None
        return [str(t) for t in (data.get("tags") or [])]
    def set_account_tags(self, account_id: str, tags: list[str]) -> list[str]:
        """PUT /v1/accounts/{id}/tags — replace the full tag set (admin).
        Returns the updated tag list.
        """
        data = self._request(
            "PUT",
            f"/v1/accounts/{account_id}/tags",
            json={"tags": tags},
        )
        assert data is not None
        return [str(t) for t in (data.get("tags") or [])]
    def list_policy_rules(self) -> list[PolicyRule]:
        """GET /v1/policy/rules — list all operator policy rules (admin)."""
        items = self._request_list("GET", "/v1/policy/rules")
        return [PolicyRule.from_dict(r) for r in items]
    def create_policy_rule(
        self,
        description: str,
        rule: RuleBody,
        *,
        priority: int | None = None,
        not_before: str | None = None,
        expires_at: str | None = None,
    ) -> PolicyRule:
        """POST /v1/policy/rules — create a policy rule (admin)."""
        payload: dict[str, Any] = {
            "description": description,
            "rule": rule.to_dict(),
        }
        if priority is not None:
            payload["priority"] = priority
        if not_before is not None:
            payload["not_before"] = not_before
        if expires_at is not None:
            payload["expires_at"] = expires_at
        data = self._request("POST", "/v1/policy/rules", json=payload)
        assert data is not None
        return PolicyRule.from_dict(data)
    def get_policy_rule(self, rule_id: int) -> PolicyRule:
        """GET /v1/policy/rules/{id} — get a policy rule (admin)."""
        data = self._request("GET", f"/v1/policy/rules/{rule_id}")
        assert data is not None
        return PolicyRule.from_dict(data)
    def update_policy_rule(
        self,
        rule_id: int,
        *,
        description: str | None = None,
        priority: int | None = None,
        enabled: bool | None = None,
        rule: RuleBody | None = None,
        not_before: str | None = None,
        expires_at: str | None = None,
        clear_not_before: bool | None = None,
        clear_expires_at: bool | None = None,
    ) -> PolicyRule:
        """PATCH /v1/policy/rules/{id} — update a policy rule (admin)."""
        payload: dict[str, Any] = {}
        if description is not None:
            payload["description"] = description
        if priority is not None:
            payload["priority"] = priority
        if enabled is not None:
            payload["enabled"] = enabled
        if rule is not None:
            payload["rule"] = rule.to_dict()
        if not_before is not None:
            payload["not_before"] = not_before
        if expires_at is not None:
            payload["expires_at"] = expires_at
        if clear_not_before is not None:
            payload["clear_not_before"] = clear_not_before
        if clear_expires_at is not None:
            payload["clear_expires_at"] = clear_expires_at
        data = self._request("PATCH", f"/v1/policy/rules/{rule_id}", json=payload)
        assert data is not None
        return PolicyRule.from_dict(data)
    def delete_policy_rule(self, rule_id: int) -> None:
        """DELETE /v1/policy/rules/{id} — delete a policy rule (admin)."""
        self._request("DELETE", f"/v1/policy/rules/{rule_id}")
--- a/clients/python/mcias_client/_errors.py
+++ b/clients/python/mcias_client/_errors.py
@@ -15,6 +15,8 @@ class MciasInputError(MciasError):
    """400 Bad Request — malformed request."""
 class MciasConflictError(MciasError):
    """409 Conflict — e.g. duplicate username."""
 class MciasRateLimitError(MciasError):
    """429 Too Many Requests — rate limit exceeded."""
 class MciasServerError(MciasError):
    """5xx — unexpected server error."""
 def raise_for_status(status_code: int, message: str) -> None:
@@ -25,6 +27,7 @@ def raise_for_status(status_code: int, message: str) -> None:
        403: MciasForbiddenError,
        404: MciasNotFoundError,
        409: MciasConflictError,
        429: MciasRateLimitError,
    }
    cls = exc_map.get(status_code, MciasServerError)
    raise cls(status_code, message)
--- a/clients/python/mcias_client/_models.py
+++ b/clients/python/mcias_client/_models.py
@@ -1,6 +1,6 @@
 """Data models for MCIAS API responses."""
 from dataclasses import dataclass, field
-from typing import cast
+from typing import Any, cast
@dataclass
@@ -74,3 +74,73 @@ class PGCreds:
            username=str(d["username"]),
            password=str(d["password"]),
        )
@dataclass
 class RuleBody:
    """Match conditions and effect of a policy rule."""
    effect: str
    roles: list[str] = field(default_factory=list)
    account_types: list[str] = field(default_factory=list)
    subject_uuid: str | None = None
    actions: list[str] = field(default_factory=list)
    resource_type: str | None = None
    owner_matches_subject: bool | None = None
    service_names: list[str] = field(default_factory=list)
    required_tags: list[str] = field(default_factory=list)
    @classmethod
    def from_dict(cls, d: dict[str, object]) -> "RuleBody":
        return cls(
            effect=str(d["effect"]),
            roles=[str(r) for r in cast(list[Any], d.get("roles") or [])],
            account_types=[str(t) for t in cast(list[Any], d.get("account_types") or [])],
            subject_uuid=str(d["subject_uuid"]) if d.get("subject_uuid") is not None else None,
            actions=[str(a) for a in cast(list[Any], d.get("actions") or [])],
            resource_type=str(d["resource_type"]) if d.get("resource_type") is not None else None,
            owner_matches_subject=bool(d["owner_matches_subject"]) if d.get("owner_matches_subject") is not None else None,
            service_names=[str(s) for s in cast(list[Any], d.get("service_names") or [])],
            required_tags=[str(t) for t in cast(list[Any], d.get("required_tags") or [])],
        )
    def to_dict(self) -> dict[str, Any]:
        """Serialise to a JSON-compatible dict, omitting None/empty fields."""
        out: dict[str, Any] = {"effect": self.effect}
        if self.roles:
            out["roles"] = self.roles
        if self.account_types:
            out["account_types"] = self.account_types
        if self.subject_uuid is not None:
            out["subject_uuid"] = self.subject_uuid
        if self.actions:
            out["actions"] = self.actions
        if self.resource_type is not None:
            out["resource_type"] = self.resource_type
        if self.owner_matches_subject is not None:
            out["owner_matches_subject"] = self.owner_matches_subject
        if self.service_names:
            out["service_names"] = self.service_names
        if self.required_tags:
            out["required_tags"] = self.required_tags
        return out
@dataclass
 class PolicyRule:
    """An operator-defined policy rule."""
    id: int
    priority: int
    description: str
    rule: RuleBody
    enabled: bool
    created_at: str
    updated_at: str
    not_before: str | None = None
    expires_at: str | None = None
    @classmethod
    def from_dict(cls, d: dict[str, object]) -> "PolicyRule":
        return cls(
            id=int(cast(int, d["id"])),
            priority=int(cast(int, d["priority"])),
            description=str(d["description"]),
            rule=RuleBody.from_dict(cast(dict[str, object], d["rule"])),
            enabled=bool(d["enabled"]),
            created_at=str(d["created_at"]),
            updated_at=str(d["updated_at"]),
            not_before=str(d["not_before"]) if d.get("not_before") is not None else None,
            expires_at=str(d["expires_at"]) if d.get("expires_at") is not None else None,
        )
--- a/clients/python/tests/test_client.py
+++ b/clients/python/tests/test_client.py
@@ -13,15 +13,16 @@ from mcias_client import (
    MciasForbiddenError,
    MciasInputError,
    MciasNotFoundError,
    MciasRateLimitError,
    MciasServerError,
 )
-from mcias_client._models import Account, PGCreds, PublicKey, TokenClaims
+from mcias_client._models import Account, PGCreds, PolicyRule, PublicKey, RuleBody, TokenClaims
 BASE_URL = "https://auth.example.com"
 SAMPLE_ACCOUNT: dict[str, object] = {
    "id": "acc-001",
    "username": "alice",
-    "account_type": "user",
+    "account_type": "human",
    "status": "active",
    "created_at": "2024-01-01T00:00:00Z",
    "updated_at": "2024-01-01T00:00:00Z",
@@ -34,6 +35,24 @@ SAMPLE_PK: dict[str, object] = {
    "use": "sig",
    "alg": "EdDSA",
 }
 SAMPLE_RULE_BODY: dict[str, object] = {
    "effect": "allow",
    "roles": ["svc:payments-api"],
    "actions": ["pgcreds:read"],
    "resource_type": "pgcreds",
    "owner_matches_subject": True,
 }
 SAMPLE_POLICY_RULE: dict[str, object] = {
    "id": 1,
    "priority": 100,
    "description": "Allow payments-api to read its own pgcreds",
    "rule": SAMPLE_RULE_BODY,
    "enabled": True,
    "not_before": None,
    "expires_at": None,
    "created_at": "2026-03-11T09:00:00Z",
    "updated_at": "2026-03-11T09:00:00Z",
 }
@pytest.fixture
 def client() -> Client:
    return Client(BASE_URL)
@@ -88,6 +107,16 @@ def test_login_success(client: Client) -> None:
    assert expires_at == "2099-01-01T00:00:00Z"
    assert client.token == "jwt-token-abc"
@respx.mock
 def test_login_with_totp(client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/auth/login").mock(
        return_value=httpx.Response(
            200,
            json={"token": "jwt-token-totp", "expires_at": "2099-01-01T00:00:00Z"},
        )
    )
    token, _ = client.login("alice", "s3cr3t", totp_code="123456")
    assert token == "jwt-token-totp"
@respx.mock
 def test_login_unauthorized(client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/auth/login").mock(
        return_value=httpx.Response(
@@ -98,6 +127,14 @@ def test_login_unauthorized(client: Client) -> None:
        client.login("alice", "wrong")
    assert exc_info.value.status_code == 401
@respx.mock
 def test_login_rate_limited(client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/auth/login").mock(
        return_value=httpx.Response(429, json={"error": "rate limit exceeded", "code": "rate_limited"})
    )
    with pytest.raises(MciasRateLimitError) as exc_info:
        client.login("alice", "s3cr3t")
    assert exc_info.value.status_code == 429
@respx.mock
 def test_logout_clears_token(admin_client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/auth/logout").mock(
        return_value=httpx.Response(204)
@@ -147,11 +184,58 @@ def test_validate_token_invalid(admin_client: Client) -> None:
    claims = admin_client.validate_token("expired-token")
    assert claims.valid is False
@respx.mock
 def test_enroll_totp(admin_client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/auth/totp/enroll").mock(
        return_value=httpx.Response(
            200,
            json={"secret": "JBSWY3DPEHPK3PXP", "otpauth_uri": "otpauth://totp/MCIAS:alice?secret=JBSWY3DPEHPK3PXP&issuer=MCIAS"},
        )
    )
    secret, uri = admin_client.enroll_totp()
    assert secret == "JBSWY3DPEHPK3PXP"
    assert "otpauth://totp/" in uri
@respx.mock
 def test_confirm_totp(admin_client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/auth/totp/confirm").mock(
        return_value=httpx.Response(204)
    )
    admin_client.confirm_totp("123456")  # should not raise
@respx.mock
 def test_change_password(admin_client: Client) -> None:
    respx.put(f"{BASE_URL}/v1/auth/password").mock(
        return_value=httpx.Response(204)
    )
    admin_client.change_password("old-pass", "new-pass-long-enough")  # should not raise
@respx.mock
 def test_remove_totp(admin_client: Client) -> None:
    respx.delete(f"{BASE_URL}/v1/auth/totp").mock(
        return_value=httpx.Response(204)
    )
    admin_client.remove_totp("acc-001")  # should not raise
@respx.mock
 def test_issue_service_token(admin_client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/token/issue").mock(
        return_value=httpx.Response(
            200,
            json={"token": "svc-token-xyz", "expires_at": "2099-12-31T00:00:00Z"},
        )
    )
    token, expires_at = admin_client.issue_service_token("acc-001")
    assert token == "svc-token-xyz"
    assert expires_at == "2099-12-31T00:00:00Z"
@respx.mock
 def test_revoke_token(admin_client: Client) -> None:
    jti = "some-jti-uuid"
    respx.delete(f"{BASE_URL}/v1/token/{jti}").mock(
        return_value=httpx.Response(204)
    )
    admin_client.revoke_token(jti)  # should not raise
@respx.mock
 def test_create_account(admin_client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/accounts").mock(
        return_value=httpx.Response(201, json=SAMPLE_ACCOUNT)
    )
-    acc = admin_client.create_account("alice", "user", password="pass123")
+    acc = admin_client.create_account("alice", "human", password="pass123")
    assert isinstance(acc, Account)
    assert acc.id == "acc-001"
    assert acc.username == "alice"
@@ -161,15 +245,14 @@ def test_create_account_conflict(admin_client: Client) -> None:
        return_value=httpx.Response(409, json={"error": "username already exists"})
    )
    with pytest.raises(MciasConflictError) as exc_info:
-        admin_client.create_account("alice", "user")
+        admin_client.create_account("alice", "human")
    assert exc_info.value.status_code == 409
@respx.mock
 def test_list_accounts(admin_client: Client) -> None:
    second = {**SAMPLE_ACCOUNT, "id": "acc-002"}
    # API returns a plain JSON array, not a wrapper object
    respx.get(f"{BASE_URL}/v1/accounts").mock(
-        return_value=httpx.Response(
+        return_value=httpx.Response(200, json=[SAMPLE_ACCOUNT, second])
            200, json={"accounts": [SAMPLE_ACCOUNT, second]}
        )
    )
    accounts = admin_client.list_accounts()
    assert len(accounts) == 2
@@ -183,12 +266,12 @@ def test_get_account(admin_client: Client) -> None:
    assert acc.id == "acc-001"
@respx.mock
 def test_update_account(admin_client: Client) -> None:
-    updated = {**SAMPLE_ACCOUNT, "status": "suspended"}
+    # PATCH /v1/accounts/{id} returns 204 No Content
    respx.patch(f"{BASE_URL}/v1/accounts/acc-001").mock(
-        return_value=httpx.Response(200, json=updated)
+        return_value=httpx.Response(204)
    )
-    acc = admin_client.update_account("acc-001", status="suspended")
+    result = admin_client.update_account("acc-001", status="inactive")
-    assert acc.status == "suspended"
+    assert result is None
@respx.mock
 def test_delete_account(admin_client: Client) -> None:
    respx.delete(f"{BASE_URL}/v1/accounts/acc-001").mock(
@@ -209,23 +292,11 @@ def test_set_roles(admin_client: Client) -> None:
    )
    admin_client.set_roles("acc-001", ["viewer"])  # should not raise
@respx.mock
-def test_issue_service_token(admin_client: Client) -> None:
+def test_admin_set_password(admin_client: Client) -> None:
-    respx.post(f"{BASE_URL}/v1/accounts/acc-001/token").mock(
+    respx.put(f"{BASE_URL}/v1/accounts/acc-001/password").mock(
        return_value=httpx.Response(
            200,
            json={"token": "svc-token-xyz", "expires_at": "2099-12-31T00:00:00Z"},
        )
    )
    token, expires_at = admin_client.issue_service_token("acc-001")
    assert token == "svc-token-xyz"
    assert expires_at == "2099-12-31T00:00:00Z"
@respx.mock
 def test_revoke_token(admin_client: Client) -> None:
    jti = "some-jti-uuid"
    respx.delete(f"{BASE_URL}/v1/token/{jti}").mock(
        return_value=httpx.Response(204)
    )
-    admin_client.revoke_token(jti)  # should not raise
+    admin_client.admin_set_password("acc-001", "new-secure-password")  # should not raise
 SAMPLE_PG_CREDS: dict[str, object] = {
    "host": "db.example.com",
    "port": 5432,
@@ -256,6 +327,68 @@ def test_set_pg_creds(admin_client: Client) -> None:
        username="appuser",
        password="s3cr3t",
    )  # should not raise
@respx.mock
 def test_get_account_tags(admin_client: Client) -> None:
    respx.get(f"{BASE_URL}/v1/accounts/acc-001/tags").mock(
        return_value=httpx.Response(200, json={"tags": ["env:production", "svc:payments-api"]})
    )
    tags = admin_client.get_account_tags("acc-001")
    assert tags == ["env:production", "svc:payments-api"]
@respx.mock
 def test_set_account_tags(admin_client: Client) -> None:
    respx.put(f"{BASE_URL}/v1/accounts/acc-001/tags").mock(
        return_value=httpx.Response(200, json={"tags": ["env:staging"]})
    )
    tags = admin_client.set_account_tags("acc-001", ["env:staging"])
    assert tags == ["env:staging"]
@respx.mock
 def test_list_policy_rules(admin_client: Client) -> None:
    respx.get(f"{BASE_URL}/v1/policy/rules").mock(
        return_value=httpx.Response(200, json=[SAMPLE_POLICY_RULE])
    )
    rules = admin_client.list_policy_rules()
    assert len(rules) == 1
    assert isinstance(rules[0], PolicyRule)
    assert rules[0].id == 1
    assert rules[0].rule.effect == "allow"
@respx.mock
 def test_create_policy_rule(admin_client: Client) -> None:
    respx.post(f"{BASE_URL}/v1/policy/rules").mock(
        return_value=httpx.Response(201, json=SAMPLE_POLICY_RULE)
    )
    rule_body = RuleBody(effect="allow", actions=["pgcreds:read"], resource_type="pgcreds")
    rule = admin_client.create_policy_rule(
        "Allow payments-api to read its own pgcreds",
        rule_body,
        priority=50,
    )
    assert isinstance(rule, PolicyRule)
    assert rule.id == 1
    assert rule.description == "Allow payments-api to read its own pgcreds"
@respx.mock
 def test_get_policy_rule(admin_client: Client) -> None:
    respx.get(f"{BASE_URL}/v1/policy/rules/1").mock(
        return_value=httpx.Response(200, json=SAMPLE_POLICY_RULE)
    )
    rule = admin_client.get_policy_rule(1)
    assert isinstance(rule, PolicyRule)
    assert rule.id == 1
    assert rule.enabled is True
@respx.mock
 def test_update_policy_rule(admin_client: Client) -> None:
    updated = {**SAMPLE_POLICY_RULE, "enabled": False}
    respx.patch(f"{BASE_URL}/v1/policy/rules/1").mock(
        return_value=httpx.Response(200, json=updated)
    )
    rule = admin_client.update_policy_rule(1, enabled=False)
    assert isinstance(rule, PolicyRule)
    assert rule.enabled is False
@respx.mock
 def test_delete_policy_rule(admin_client: Client) -> None:
    respx.delete(f"{BASE_URL}/v1/policy/rules/1").mock(
        return_value=httpx.Response(204)
    )
    admin_client.delete_policy_rule(1)  # should not raise
@pytest.mark.parametrize(
    ("status_code", "exc_class"),
    [
@@ -264,6 +397,7 @@ def test_set_pg_creds(admin_client: Client) -> None:
        (403, MciasForbiddenError),
        (404, MciasNotFoundError),
        (409, MciasConflictError),
        (429, MciasRateLimitError),
        (500, MciasServerError),
    ],
 )
--- a/clients/rust/src/lib.rs
+++ b/clients/rust/src/lib.rs
@@ -70,7 +70,7 @@ pub enum MciasError {
    Decode(String),
 }
-// ---- Data types ----
+// ---- Public data types ----
 /// Account information returned by the server.
 #[derive(Debug, Clone, Deserialize)]
@@ -101,6 +101,11 @@ pub struct TokenClaims {
 pub struct PublicKey {
    pub kty: String,
    pub crv: String,
    /// Key use — always `"sig"` for the MCIAS signing key.
    #[serde(rename = "use")]
    pub key_use: Option<String>,
    /// Algorithm — always `"EdDSA"`. Validate this before trusting the key.
    pub alg: Option<String>,
    pub x: String,
 }
@@ -114,6 +119,106 @@ pub struct PgCreds {
    pub password: String,
 }
 /// Audit log entry returned by `GET /v1/audit`.
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuditEvent {
    pub id: i64,
    pub event_type: String,
    pub event_time: String,
    pub ip_address: String,
    pub actor_id: Option<String>,
    pub target_id: Option<String>,
    pub details: Option<String>,
 }
 /// Paginated response from `GET /v1/audit`.
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuditPage {
    pub events: Vec<AuditEvent>,
    pub total: i64,
    pub limit: i64,
    pub offset: i64,
 }
 /// Query parameters for `GET /v1/audit`.
 #[derive(Debug, Clone, Default)]
 pub struct AuditQuery {
    pub limit: Option<u32>,
    pub offset: Option<u32>,
    pub event_type: Option<String>,
    pub actor_id: Option<String>,
 }
 /// A single operator-defined policy rule.
 #[derive(Debug, Clone, Deserialize)]
 pub struct PolicyRule {
    pub id: i64,
    pub priority: i64,
    pub description: String,
    pub rule: RuleBody,
    pub enabled: bool,
    pub not_before: Option<String>,
    pub expires_at: Option<String>,
    pub created_at: String,
    pub updated_at: String,
 }
 /// The match conditions and effect of a policy rule.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct RuleBody {
    pub effect: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub roles: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub account_types: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subject_uuid: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actions: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource_type: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner_matches_subject: Option<bool>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_names: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub required_tags: Option<Vec<String>>,
 }
 /// Request body for `POST /v1/policy/rules`.
 #[derive(Debug, Clone, Serialize)]
 pub struct CreatePolicyRuleRequest {
    pub description: String,
    pub rule: RuleBody,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<i64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub not_before: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expires_at: Option<String>,
 }
 /// Request body for `PATCH /v1/policy/rules/{id}`.
 #[derive(Debug, Clone, Serialize, Default)]
 pub struct UpdatePolicyRuleRequest {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<i64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enabled: Option<bool>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rule: Option<RuleBody>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub not_before: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expires_at: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub clear_not_before: Option<bool>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub clear_expires_at: Option<bool>,
 }
 // ---- Internal request/response types ----
 #[derive(Serialize)]
@@ -136,6 +241,22 @@ struct ErrorResponse {
    error: String,
 }
 #[derive(Deserialize)]
 struct RolesResponse {
    roles: Vec<String>,
 }
 #[derive(Deserialize)]
 struct TagsResponse {
    tags: Vec<String>,
 }
 #[derive(Deserialize)]
 struct TotpEnrollResponse {
    secret: String,
    otpauth_uri: String,
 }
 // ---- Client options ----
 /// Configuration options for the MCIAS client.
@@ -160,6 +281,7 @@ pub struct Client {
    base_url: String,
    http: reqwest::Client,
    /// Bearer token storage. `Arc<RwLock<...>>` so clones share the token.
    /// Security: the token is never logged or included in error messages.
    token: Arc<RwLock<Option<String>>>,
 }
@@ -285,9 +407,9 @@ impl Client {
    }
    /// Update an account's status. Allowed values: `"active"`, `"inactive"`.
-    pub async fn update_account(&self, id: &str, status: &str) -> Result<Account, MciasError> {
+    pub async fn update_account(&self, id: &str, status: &str) -> Result<(), MciasError> {
        let body = serde_json::json!({ "status": status });
-        self.patch(&format!("/v1/accounts/{id}"), &body).await
+        self.patch_no_content(&format!("/v1/accounts/{id}"), &body).await
    }
    /// Soft-delete an account and revoke all its tokens.
@@ -299,13 +421,17 @@ impl Client {
    /// Get all roles assigned to an account.
    pub async fn get_roles(&self, account_id: &str) -> Result<Vec<String>, MciasError> {
-        self.get(&format!("/v1/accounts/{account_id}/roles")).await
+        // Security: spec wraps roles in {"roles": [...]}, unwrap before returning.
        let resp: RolesResponse = self.get(&format!("/v1/accounts/{account_id}/roles")).await?;
        Ok(resp.roles)
    }
    /// Replace the complete role set for an account.
    pub async fn set_roles(&self, account_id: &str, roles: &[&str]) -> Result<(), MciasError> {
        let url = format!("/v1/accounts/{account_id}/roles");
-        self.put_no_content(&url, roles).await
+        // Spec requires {"roles": [...]} wrapper.
        let body = serde_json::json!({ "roles": roles });
        self.put_no_content(&url, &body).await
    }
    // ---- Token management (admin only) ----
@@ -354,10 +480,142 @@ impl Client {
            .await
    }
    // ---- TOTP enrollment (authenticated) ----
    /// Begin TOTP enrollment. Returns `(secret, otpauth_uri)`.
    /// The secret is shown once; store it in an authenticator app immediately.
    pub async fn enroll_totp(&self) -> Result<(String, String), MciasError> {
        let resp: TotpEnrollResponse =
            self.post("/v1/auth/totp/enroll", &serde_json::json!({})).await?;
        Ok((resp.secret, resp.otpauth_uri))
    }
    /// Confirm TOTP enrollment with the current 6-digit code.
    /// On success, TOTP becomes required for all future logins.
    pub async fn confirm_totp(&self, code: &str) -> Result<(), MciasError> {
        let body = serde_json::json!({ "code": code });
        self.post_empty_body("/v1/auth/totp/confirm", &body).await
    }
    // ---- Password management ----
    /// Change the caller's own password (self-service). Requires the current
    /// password to guard against token-theft attacks.
    pub async fn change_password(
        &self,
        current_password: &str,
        new_password: &str,
    ) -> Result<(), MciasError> {
        let body = serde_json::json!({
            "current_password": current_password,
            "new_password": new_password,
        });
        self.put_no_content("/v1/auth/password", &body).await
    }
    // ---- Admin: TOTP removal ----
    /// Remove TOTP enrollment from an account (admin). Use for recovery when
    /// a user loses their TOTP device.
    pub async fn remove_totp(&self, account_id: &str) -> Result<(), MciasError> {
        let body = serde_json::json!({ "account_id": account_id });
        self.delete_with_body("/v1/auth/totp", &body).await
    }
    // ---- Admin: password reset ----
    /// Reset an account's password without requiring the current password.
    pub async fn admin_set_password(
        &self,
        account_id: &str,
        new_password: &str,
    ) -> Result<(), MciasError> {
        let body = serde_json::json!({ "new_password": new_password });
        self.put_no_content(&format!("/v1/accounts/{account_id}/password"), &body)
            .await
    }
    // ---- Account tags (admin) ----
    /// Get all tags for an account.
    pub async fn get_tags(&self, account_id: &str) -> Result<Vec<String>, MciasError> {
        let resp: TagsResponse =
            self.get(&format!("/v1/accounts/{account_id}/tags")).await?;
        Ok(resp.tags)
    }
    /// Replace the full tag set for an account atomically. Pass an empty slice
    /// to clear all tags. Returns the updated tag list.
    pub async fn set_tags(
        &self,
        account_id: &str,
        tags: &[&str],
    ) -> Result<Vec<String>, MciasError> {
        let body = serde_json::json!({ "tags": tags });
        let resp: TagsResponse =
            self.put_with_response(&format!("/v1/accounts/{account_id}/tags"), &body).await?;
        Ok(resp.tags)
    }
    // ---- Audit log (admin) ----
    /// Query the audit log. Returns a paginated [`AuditPage`].
    pub async fn list_audit(&self, query: AuditQuery) -> Result<AuditPage, MciasError> {
        let mut params: Vec<(&str, String)> = Vec::new();
        if let Some(limit) = query.limit {
            params.push(("limit", limit.to_string()));
        }
        if let Some(offset) = query.offset {
            params.push(("offset", offset.to_string()));
        }
        if let Some(ref et) = query.event_type {
            params.push(("event_type", et.clone()));
        }
        if let Some(ref aid) = query.actor_id {
            params.push(("actor_id", aid.clone()));
        }
        self.get_with_query("/v1/audit", &params).await
    }
    // ---- Policy rules (admin) ----
    /// List all operator-defined policy rules ordered by priority.
    pub async fn list_policy_rules(&self) -> Result<Vec<PolicyRule>, MciasError> {
        self.get("/v1/policy/rules").await
    }
    /// Create a new policy rule.
    pub async fn create_policy_rule(
        &self,
        req: CreatePolicyRuleRequest,
    ) -> Result<PolicyRule, MciasError> {
        self.post_expect_status("/v1/policy/rules", &req, StatusCode::CREATED)
            .await
    }
    /// Get a single policy rule by ID.
    pub async fn get_policy_rule(&self, id: i64) -> Result<PolicyRule, MciasError> {
        self.get(&format!("/v1/policy/rules/{id}")).await
    }
    /// Update a policy rule. Omitted fields are left unchanged.
    pub async fn update_policy_rule(
        &self,
        id: i64,
        req: UpdatePolicyRuleRequest,
    ) -> Result<PolicyRule, MciasError> {
        self.patch(&format!("/v1/policy/rules/{id}"), &req).await
    }
    /// Delete a policy rule permanently.
    pub async fn delete_policy_rule(&self, id: i64) -> Result<(), MciasError> {
        self.delete(&format!("/v1/policy/rules/{id}")).await
    }
    // ---- HTTP helpers ----
-    /// Build a request with the Authorization header set from the stored token.
+    /// Build the Authorization header value from the stored token.
-    /// Security: the token is read under a read-lock and is not logged.
+    /// Security: the token is read under a read-lock and is never logged.
    async fn auth_header(&self) -> Option<header::HeaderValue> {
        let guard = self.token.read().await;
        guard.as_deref().and_then(|tok| {
@@ -383,6 +641,22 @@ impl Client {
        self.expect_success(resp).await
    }
    async fn get_with_query<T: for<'de> Deserialize<'de>>(
        &self,
        path: &str,
        params: &[(&str, String)],
    ) -> Result<T, MciasError> {
        let mut req = self
            .http
            .get(format!("{}{path}", self.base_url))
            .query(params);
        if let Some(auth) = self.auth_header().await {
            req = req.header(header::AUTHORIZATION, auth);
        }
        let resp = req.send().await?;
        self.decode(resp).await
    }
    async fn post<B: Serialize, T: for<'de> Deserialize<'de>>(
        &self,
        path: &str,
@@ -434,6 +708,19 @@ impl Client {
        self.expect_success(resp).await
    }
    /// POST with a JSON body that expects a 2xx (no body) response.
    async fn post_empty_body<B: Serialize>(&self, path: &str, body: &B) -> Result<(), MciasError> {
        let mut req = self
            .http
            .post(format!("{}{path}", self.base_url))
            .json(body);
        if let Some(auth) = self.auth_header().await {
            req = req.header(header::AUTHORIZATION, auth);
        }
        let resp = req.send().await?;
        self.expect_success(resp).await
    }
    async fn patch<B: Serialize, T: for<'de> Deserialize<'de>>(
        &self,
        path: &str,
@@ -450,6 +737,18 @@ impl Client {
        self.decode(resp).await
    }
    async fn patch_no_content<B: Serialize>(&self, path: &str, body: &B) -> Result<(), MciasError> {
        let mut req = self
            .http
            .patch(format!("{}{path}", self.base_url))
            .json(body);
        if let Some(auth) = self.auth_header().await {
            req = req.header(header::AUTHORIZATION, auth);
        }
        let resp = req.send().await?;
        self.expect_success(resp).await
    }
    async fn put_no_content<B: Serialize + ?Sized>(&self, path: &str, body: &B) -> Result<(), MciasError> {
        let mut req = self
            .http
@@ -462,6 +761,22 @@ impl Client {
        self.expect_success(resp).await
    }
    async fn put_with_response<B: Serialize, T: for<'de> Deserialize<'de>>(
        &self,
        path: &str,
        body: &B,
    ) -> Result<T, MciasError> {
        let mut req = self
            .http
            .put(format!("{}{path}", self.base_url))
            .json(body);
        if let Some(auth) = self.auth_header().await {
            req = req.header(header::AUTHORIZATION, auth);
        }
        let resp = req.send().await?;
        self.decode(resp).await
    }
    async fn delete(&self, path: &str) -> Result<(), MciasError> {
        let mut req = self.http.delete(format!("{}{path}", self.base_url));
        if let Some(auth) = self.auth_header().await {
@@ -471,6 +786,19 @@ impl Client {
        self.expect_success(resp).await
    }
    /// DELETE with a JSON request body (used by `DELETE /v1/auth/totp`).
    async fn delete_with_body<B: Serialize>(&self, path: &str, body: &B) -> Result<(), MciasError> {
        let mut req = self
            .http
            .delete(format!("{}{path}", self.base_url))
            .json(body);
        if let Some(auth) = self.auth_header().await {
            req = req.header(header::AUTHORIZATION, auth);
        }
        let resp = req.send().await?;
        self.expect_success(resp).await
    }
    async fn decode<T: for<'de> Deserialize<'de>>(
        &self,
        resp: reqwest::Response,
--- a/clients/rust/tests/client_tests.rs
+++ b/clients/rust/tests/client_tests.rs
@@ -1,12 +1,18 @@
-use mcias_client::{Client, ClientOptions, MciasError};
+use mcias_client::{
    AuditQuery, Client, ClientOptions, CreatePolicyRuleRequest, MciasError, RuleBody,
    UpdatePolicyRuleRequest,
 };
 use wiremock::matchers::{method, path};
 use wiremock::{Mock, MockServer, ResponseTemplate};
 async fn admin_client(server: &MockServer) -> Client {
-    Client::new(&server.uri(), ClientOptions {
+    Client::new(
        &server.uri(),
        ClientOptions {
            token: Some("admin-token".to_string()),
            ..Default::default()
-    })
+        },
    )
    .unwrap()
 }
@@ -48,7 +54,10 @@ async fn test_health_server_error() {
    let c = Client::new(&server.uri(), ClientOptions::default()).unwrap();
    let err = c.health().await.unwrap_err();
-    assert!(matches!(err, MciasError::Server { .. }), "expected Server error, got {err:?}");
+    assert!(
        matches!(err, MciasError::Server { .. }),
        "expected Server error, got {err:?}"
    );
 }
 // ---- public key ----
@@ -61,6 +70,8 @@ async fn test_get_public_key() {
        .respond_with(json_body(serde_json::json!({
            "kty": "OKP",
            "crv": "Ed25519",
            "use": "sig",
            "alg": "EdDSA",
            "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"
        })))
        .mount(&server)
@@ -70,6 +81,8 @@ async fn test_get_public_key() {
    let pk = c.get_public_key().await.expect("get_public_key should succeed");
    assert_eq!(pk.kty, "OKP");
    assert_eq!(pk.crv, "Ed25519");
    assert_eq!(pk.key_use.as_deref(), Some("sig"));
    assert_eq!(pk.alg.as_deref(), Some("EdDSA"));
 }
 // ---- login ----
@@ -99,7 +112,10 @@ async fn test_login_bad_credentials() {
    let server = MockServer::start().await;
    Mock::given(method("POST"))
        .and(path("/v1/auth/login"))
-        .respond_with(json_body_status(401, serde_json::json!({"error": "invalid credentials"})))
+        .respond_with(json_body_status(
            401,
            serde_json::json!({"error": "invalid credentials"}),
        ))
        .mount(&server)
        .await;
@@ -119,10 +135,13 @@ async fn test_logout_clears_token() {
        .mount(&server)
        .await;
-    let c = Client::new(&server.uri(), ClientOptions {
+    let c = Client::new(
        &server.uri(),
        ClientOptions {
            token: Some("existing-token".to_string()),
            ..Default::default()
-    })
+        },
    )
    .unwrap();
    c.logout().await.unwrap();
    assert!(c.token().await.is_none(), "token should be cleared after logout");
@@ -142,10 +161,13 @@ async fn test_renew_token() {
        .mount(&server)
        .await;
-    let c = Client::new(&server.uri(), ClientOptions {
+    let c = Client::new(
        &server.uri(),
        ClientOptions {
            token: Some("old-token".to_string()),
            ..Default::default()
-    })
+        },
    )
    .unwrap();
    let (tok, _) = c.renew_token().await.unwrap();
    assert_eq!(tok, "new-token");
@@ -224,7 +246,10 @@ async fn test_create_account_conflict() {
    let server = MockServer::start().await;
    Mock::given(method("POST"))
        .and(path("/v1/accounts"))
-        .respond_with(json_body_status(409, serde_json::json!({"error": "username already exists"})))
+        .respond_with(json_body_status(
            409,
            serde_json::json!({"error": "username already exists"}),
        ))
        .mount(&server)
        .await;
@@ -259,7 +284,10 @@ async fn test_get_account_not_found() {
    let server = MockServer::start().await;
    Mock::given(method("GET"))
        .and(path("/v1/accounts/missing"))
-        .respond_with(json_body_status(404, serde_json::json!({"error": "account not found"})))
+        .respond_with(json_body_status(
            404,
            serde_json::json!({"error": "account not found"}),
        ))
        .mount(&server)
        .await;
@@ -271,19 +299,15 @@ async fn test_get_account_not_found() {
 #[tokio::test]
 async fn test_update_account() {
    let server = MockServer::start().await;
    // PATCH /v1/accounts/{id} returns 204 No Content per spec.
    Mock::given(method("PATCH"))
        .and(path("/v1/accounts/uuid-1"))
-        .respond_with(json_body(serde_json::json!({
+        .respond_with(ResponseTemplate::new(204))
            "id": "uuid-1", "username": "alice", "account_type": "human",
            "status": "inactive", "created_at": "2023-11-15T12:00:00Z",
            "updated_at": "2023-11-15T13:00:00Z", "totp_enabled": false
        })))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
-    let a = c.update_account("uuid-1", "inactive").await.unwrap();
+    c.update_account("uuid-1", "inactive").await.unwrap();
    assert_eq!(a.status, "inactive");
 }
 #[tokio::test]
@@ -305,12 +329,14 @@ async fn test_delete_account() {
 async fn test_get_set_roles() {
    let server = MockServer::start().await;
    // Spec wraps the array: {"roles": [...]}
    Mock::given(method("GET"))
        .and(path("/v1/accounts/uuid-1/roles"))
-        .respond_with(json_body(serde_json::json!(["admin", "viewer"])))
+        .respond_with(json_body(serde_json::json!({"roles": ["admin", "viewer"]})))
        .mount(&server)
        .await;
    // Spec requires {"roles": [...]} in the PUT body.
    Mock::given(method("PUT"))
        .and(path("/v1/accounts/uuid-1/roles"))
        .respond_with(ResponseTemplate::new(204))
@@ -363,7 +389,10 @@ async fn test_pg_creds_not_found() {
    let server = MockServer::start().await;
    Mock::given(method("GET"))
        .and(path("/v1/accounts/uuid-1/pgcreds"))
-        .respond_with(json_body_status(404, serde_json::json!({"error": "no pg credentials found"})))
+        .respond_with(json_body_status(
            404,
            serde_json::json!({"error": "no pg credentials found"}),
        ))
        .mount(&server)
        .await;
@@ -405,6 +434,298 @@ async fn test_set_get_pg_creds() {
    assert_eq!(creds.password, "dbpass");
 }
 // ---- TOTP ----
 #[tokio::test]
 async fn test_enroll_totp() {
    let server = MockServer::start().await;
    Mock::given(method("POST"))
        .and(path("/v1/auth/totp/enroll"))
        .respond_with(json_body(serde_json::json!({
            "secret": "JBSWY3DPEHPK3PXP",
            "otpauth_uri": "otpauth://totp/MCIAS:alice?secret=JBSWY3DPEHPK3PXP&issuer=MCIAS"
        })))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let (secret, uri) = c.enroll_totp().await.unwrap();
    assert_eq!(secret, "JBSWY3DPEHPK3PXP");
    assert!(uri.starts_with("otpauth://totp/"));
 }
 #[tokio::test]
 async fn test_confirm_totp() {
    let server = MockServer::start().await;
    Mock::given(method("POST"))
        .and(path("/v1/auth/totp/confirm"))
        .respond_with(ResponseTemplate::new(204))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    c.confirm_totp("123456").await.unwrap();
 }
 #[tokio::test]
 async fn test_remove_totp() {
    let server = MockServer::start().await;
    Mock::given(method("DELETE"))
        .and(path("/v1/auth/totp"))
        .respond_with(ResponseTemplate::new(204))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    c.remove_totp("some-account-uuid").await.unwrap();
 }
 // ---- password management ----
 #[tokio::test]
 async fn test_change_password() {
    let server = MockServer::start().await;
    Mock::given(method("PUT"))
        .and(path("/v1/auth/password"))
        .respond_with(ResponseTemplate::new(204))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    c.change_password("old-pass", "new-pass-long-enough").await.unwrap();
 }
 #[tokio::test]
 async fn test_change_password_wrong_current() {
    let server = MockServer::start().await;
    Mock::given(method("PUT"))
        .and(path("/v1/auth/password"))
        .respond_with(json_body_status(
            401,
            serde_json::json!({"error": "current password is incorrect", "code": "unauthorized"}),
        ))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let err = c
        .change_password("wrong", "new-pass-long-enough")
        .await
        .unwrap_err();
    assert!(matches!(err, MciasError::Auth(_)));
 }
 #[tokio::test]
 async fn test_admin_set_password() {
    let server = MockServer::start().await;
    Mock::given(method("PUT"))
        .and(path("/v1/accounts/uuid-1/password"))
        .respond_with(ResponseTemplate::new(204))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    c.admin_set_password("uuid-1", "new-pass-long-enough").await.unwrap();
 }
 // ---- tags ----
 #[tokio::test]
 async fn test_get_set_tags() {
    let server = MockServer::start().await;
    Mock::given(method("GET"))
        .and(path("/v1/accounts/uuid-1/tags"))
        .respond_with(json_body(
            serde_json::json!({"tags": ["env:production", "svc:payments-api"]}),
        ))
        .mount(&server)
        .await;
    Mock::given(method("PUT"))
        .and(path("/v1/accounts/uuid-1/tags"))
        .respond_with(json_body(serde_json::json!({"tags": ["env:staging"]})))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let tags = c.get_tags("uuid-1").await.unwrap();
    assert_eq!(tags, vec!["env:production", "svc:payments-api"]);
    let updated = c.set_tags("uuid-1", &["env:staging"]).await.unwrap();
    assert_eq!(updated, vec!["env:staging"]);
 }
 // ---- audit log ----
 #[tokio::test]
 async fn test_list_audit() {
    let server = MockServer::start().await;
    Mock::given(method("GET"))
        .and(path("/v1/audit"))
        .respond_with(json_body(serde_json::json!({
            "events": [
                {
                    "id": 1,
                    "event_type": "login_ok",
                    "event_time": "2026-03-11T09:01:23Z",
                    "ip_address": "192.0.2.1",
                    "actor_id": "uuid-1",
                    "target_id": null,
                    "details": null
                }
            ],
            "total": 1,
            "limit": 50,
            "offset": 0
        })))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let page = c.list_audit(AuditQuery::default()).await.unwrap();
    assert_eq!(page.total, 1);
    assert_eq!(page.events.len(), 1);
    assert_eq!(page.events[0].event_type, "login_ok");
 }
 // ---- policy rules ----
 #[tokio::test]
 async fn test_list_policy_rules() {
    let server = MockServer::start().await;
    Mock::given(method("GET"))
        .and(path("/v1/policy/rules"))
        .respond_with(json_body(serde_json::json!([])))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let rules = c.list_policy_rules().await.unwrap();
    assert!(rules.is_empty());
 }
 #[tokio::test]
 async fn test_create_policy_rule() {
    let server = MockServer::start().await;
    Mock::given(method("POST"))
        .and(path("/v1/policy/rules"))
        .respond_with(
            ResponseTemplate::new(201)
                .set_body_json(serde_json::json!({
                    "id": 1,
                    "priority": 100,
                    "description": "Allow payments-api to read its own pgcreds",
                    "rule": {"effect": "allow", "roles": ["svc:payments-api"]},
                    "enabled": true,
                    "not_before": null,
                    "expires_at": null,
                    "created_at": "2026-03-11T09:00:00Z",
                    "updated_at": "2026-03-11T09:00:00Z"
                }))
                .insert_header("content-type", "application/json"),
        )
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let rule = c
        .create_policy_rule(CreatePolicyRuleRequest {
            description: "Allow payments-api to read its own pgcreds".to_string(),
            rule: RuleBody {
                effect: "allow".to_string(),
                roles: Some(vec!["svc:payments-api".to_string()]),
                account_types: None,
                subject_uuid: None,
                actions: None,
                resource_type: None,
                owner_matches_subject: None,
                service_names: None,
                required_tags: None,
            },
            priority: None,
            not_before: None,
            expires_at: None,
        })
        .await
        .unwrap();
    assert_eq!(rule.id, 1);
    assert_eq!(rule.description, "Allow payments-api to read its own pgcreds");
 }
 #[tokio::test]
 async fn test_get_policy_rule() {
    let server = MockServer::start().await;
    Mock::given(method("GET"))
        .and(path("/v1/policy/rules/1"))
        .respond_with(json_body(serde_json::json!({
            "id": 1,
            "priority": 100,
            "description": "test rule",
            "rule": {"effect": "deny"},
            "enabled": true,
            "not_before": null,
            "expires_at": null,
            "created_at": "2026-03-11T09:00:00Z",
            "updated_at": "2026-03-11T09:00:00Z"
        })))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let rule = c.get_policy_rule(1).await.unwrap();
    assert_eq!(rule.id, 1);
    assert_eq!(rule.rule.effect, "deny");
 }
 #[tokio::test]
 async fn test_update_policy_rule() {
    let server = MockServer::start().await;
    Mock::given(method("PATCH"))
        .and(path("/v1/policy/rules/1"))
        .respond_with(json_body(serde_json::json!({
            "id": 1,
            "priority": 75,
            "description": "updated rule",
            "rule": {"effect": "allow"},
            "enabled": false,
            "not_before": null,
            "expires_at": null,
            "created_at": "2026-03-11T09:00:00Z",
            "updated_at": "2026-03-11T10:00:00Z"
        })))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    let rule = c
        .update_policy_rule(
            1,
            UpdatePolicyRuleRequest {
                enabled: Some(false),
                priority: Some(75),
                ..Default::default()
            },
        )
        .await
        .unwrap();
    assert!(!rule.enabled);
    assert_eq!(rule.priority, 75);
 }
 #[tokio::test]
 async fn test_delete_policy_rule() {
    let server = MockServer::start().await;
    Mock::given(method("DELETE"))
        .and(path("/v1/policy/rules/1"))
        .respond_with(ResponseTemplate::new(204))
        .mount(&server)
        .await;
    let c = admin_client(&server).await;
    c.delete_policy_rule(1).await.unwrap();
 }
 // ---- error type coverage ----
 #[tokio::test]
@@ -416,11 +737,13 @@ async fn test_forbidden_error() {
        .mount(&server)
        .await;
-    // Use a non-admin token.
+    let c = Client::new(
-    let c = Client::new(&server.uri(), ClientOptions {
+        &server.uri(),
        ClientOptions {
            token: Some("user-token".to_string()),
            ..Default::default()
-    })
+        },
    )
    .unwrap();
    let err = c.list_accounts().await.unwrap_err();
    assert!(matches!(err, MciasError::Forbidden(_)));
--- a/cmd/mciasctl/main.go
+++ b/cmd/mciasctl/main.go
@@ -16,13 +16,15 @@
 //
 // Commands:
 //
-//	auth login  -username NAME [-password PASS] [-totp CODE]
+//	auth login           -username NAME [-totp CODE]
 //	auth change-password (passwords always prompted interactively)
 //
 //	account list
-//	account create -username NAME [-password PASS] [-type human|system]
+//	account create       -username NAME [-type human|system]
 //	account get          -id UUID
 //	account update       -id UUID [-status active|inactive]
 //	account delete       -id UUID
 //	account set-password -id UUID
 //
 //	role list   -id UUID
 //	role set    -id UUID -roles role1,role2,...
@@ -34,9 +36,9 @@
 //	pgcreds get -id UUID
 //
 //	policy list
-//	policy create  -description STR -json FILE [-priority N]
+//	policy create  -description STR -json FILE [-priority N] [-not-before RFC3339] [-expires-at RFC3339]
 //	policy get     -id ID
-//	policy update  -id ID [-priority N] [-enabled true|false]
+//	policy update  -id ID [-priority N] [-enabled true|false] [-not-before RFC3339] [-expires-at RFC3339] [-clear-not-before] [-clear-expires-at]
 //	policy delete  -id ID
 //
 //	tag list    -id UUID
@@ -123,28 +125,28 @@ type controller struct {
 func (c *controller) runAuth(args []string) {
 	if len(args) == 0 {
-		fatalf("auth requires a subcommand: login")
+		fatalf("auth requires a subcommand: login, change-password")
 	}
 	switch args[0] {
 	case "login":
 		c.authLogin(args[1:])
 	case "change-password":
 		c.authChangePassword(args[1:])
 	default:
 		fatalf("unknown auth subcommand %q", args[0])
 	}
 }
 // authLogin authenticates with the server using username and password, then
-// prints the resulting bearer token to stdout. If -password is not supplied on
+// prints the resulting bearer token to stdout. The password is always prompted
-// the command line, the user is prompted interactively (input is hidden so the
+// interactively; it is never accepted as a command-line flag to prevent it from
-// password does not appear in shell history or terminal output).
+// appearing in shell history, ps output, and process argument lists.
 //
-// Security: passwords are never stored by this process beyond the lifetime of
+// Security: terminal echo is disabled during password entry
-// the HTTP request. Interactive reads use golang.org/x/term.ReadPassword so
+// (golang.org/x/term.ReadPassword); the raw byte slice is zeroed after use.
 // that terminal echo is disabled; the byte slice is zeroed after use.
 func (c *controller) authLogin(args []string) {
 	fs := flag.NewFlagSet("auth login", flag.ExitOnError)
 	username := fs.String("username", "", "username (required)")
 	password := fs.String("password", "", "password (reads from stdin if omitted)")
 	totpCode := fs.String("totp", "", "TOTP code (required if TOTP is enrolled)")
 	_ = fs.Parse(args)
@@ -152,22 +154,20 @@ func (c *controller) authLogin(args []string) {
 		fatalf("auth login: -username is required")
 	}
-	// If no password flag was provided, prompt interactively so it does not
+	// Security: always prompt interactively; never accept password as a flag.
-	// appear in process arguments or shell history.
+	// This prevents the credential from appearing in shell history, ps output,
-	passwd := *password
+	// and /proc/PID/cmdline.
 	if passwd == "" {
 	fmt.Fprint(os.Stderr, "Password: ")
 	raw, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
 	fmt.Fprintln(os.Stderr)                           // newline after hidden input
 	if err != nil {
 		fatalf("read password: %v", err)
 	}
-		passwd = string(raw)
+	passwd := string(raw)
 	// Zero the raw byte slice once copied into the string.
 	for i := range raw {
 		raw[i] = 0
 	}
 	}
 	body := map[string]string{
 		"username": *username,
@@ -191,11 +191,53 @@ func (c *controller) authLogin(args []string) {
 	}
 }
 // authChangePassword allows an authenticated user to change their own password.
 // A valid bearer token must be set (via -token flag or MCIAS_TOKEN env var).
 // Both passwords are always prompted interactively; they are never accepted as
 // command-line flags to prevent them from appearing in shell history, ps
 // output, and process argument lists.
 //
 // Security: terminal echo is disabled during entry (golang.org/x/term);
 // raw byte slices are zeroed after use.  The server requires the current
 // password to prevent token-theft attacks.  On success all other active
 // sessions are revoked server-side.
 func (c *controller) authChangePassword(_ []string) {
 	// Security: always prompt interactively; never accept passwords as flags.
 	fmt.Fprint(os.Stderr, "Current password: ")
 	rawCurrent, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
 	fmt.Fprintln(os.Stderr)
 	if err != nil {
 		fatalf("read current password: %v", err)
 	}
 	currentPasswd := string(rawCurrent)
 	for i := range rawCurrent {
 		rawCurrent[i] = 0
 	}
 	fmt.Fprint(os.Stderr, "New password: ")
 	rawNew, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
 	fmt.Fprintln(os.Stderr)
 	if err != nil {
 		fatalf("read new password: %v", err)
 	}
 	newPasswd := string(rawNew)
 	for i := range rawNew {
 		rawNew[i] = 0
 	}
 	body := map[string]string{
 		"current_password": currentPasswd,
 		"new_password":     newPasswd,
 	}
 	c.doRequest("PUT", "/v1/auth/password", body, nil)
 	fmt.Println("password changed; other active sessions revoked")
 }
 // ---- account subcommands ----
 func (c *controller) runAccount(args []string) {
 	if len(args) == 0 {
-		fatalf("account requires a subcommand: list, create, get, update, delete")
+		fatalf("account requires a subcommand: list, create, get, update, delete, set-password")
 	}
 	switch args[0] {
 	case "list":
@@ -208,6 +250,8 @@ func (c *controller) runAccount(args []string) {
 		c.accountUpdate(args[1:])
 	case "delete":
 		c.accountDelete(args[1:])
 	case "set-password":
 		c.accountSetPassword(args[1:])
 	default:
 		fatalf("unknown account subcommand %q", args[0])
 	}
@@ -222,7 +266,6 @@ func (c *controller) accountList() {
 func (c *controller) accountCreate(args []string) {
 	fs := flag.NewFlagSet("account create", flag.ExitOnError)
 	username := fs.String("username", "", "username (required)")
 	password := fs.String("password", "", "password for human accounts (prompted if omitted)")
 	accountType := fs.String("type", "human", "account type: human or system")
 	_ = fs.Parse(args)
@@ -230,12 +273,11 @@ func (c *controller) accountCreate(args []string) {
 		fatalf("account create: -username is required")
 	}
-	// For human accounts, prompt for a password interactively if one was not
+	// Security: always prompt interactively for human-account passwords; never
-	// supplied on the command line so it stays out of shell history.
+	// accept them as a flag.  Terminal echo is disabled; the raw byte slice is
 	// Security: terminal echo is disabled during entry; the raw byte slice is
 	// zeroed after conversion to string.  System accounts have no password.
-	passwd := *password
+	var passwd string
-	if passwd == "" && *accountType == "human" {
+	if *accountType == "human" {
 		fmt.Fprint(os.Stderr, "Password: ")
 		raw, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
 		fmt.Fprintln(os.Stderr)
@@ -306,6 +348,40 @@ func (c *controller) accountDelete(args []string) {
 	fmt.Println("account deleted")
 }
 // accountSetPassword resets a human account's password (admin operation).
 // No current password is required.  All active sessions for the target account
 // are revoked by the server on success.
 //
 // Security: the new password is always prompted interactively; it is never
 // accepted as a command-line flag to prevent it from appearing in shell
 // history, ps output, and process argument lists.  Terminal echo is disabled
 // (golang.org/x/term); the raw byte slice is zeroed after use.
 func (c *controller) accountSetPassword(args []string) {
 	fs := flag.NewFlagSet("account set-password", flag.ExitOnError)
 	id := fs.String("id", "", "account UUID (required)")
 	_ = fs.Parse(args)
 	if *id == "" {
 		fatalf("account set-password: -id is required")
 	}
 	// Security: always prompt interactively; never accept password as a flag.
 	fmt.Fprint(os.Stderr, "New password: ")
 	raw, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
 	fmt.Fprintln(os.Stderr)
 	if err != nil {
 		fatalf("read password: %v", err)
 	}
 	passwd := string(raw)
 	for i := range raw {
 		raw[i] = 0
 	}
 	body := map[string]string{"new_password": passwd}
 	c.doRequest("PUT", "/v1/accounts/"+*id+"/password", body, nil)
 	fmt.Println("password updated; all active sessions revoked")
 }
 // ---- role subcommands ----
 func (c *controller) runRole(args []string) {
@@ -511,6 +587,8 @@ func (c *controller) policyCreate(args []string) {
 	description := fs.String("description", "", "rule description (required)")
 	jsonFile := fs.String("json", "", "path to JSON file containing the rule body (required)")
 	priority := fs.Int("priority", 100, "rule priority (lower = evaluated first)")
 	notBefore := fs.String("not-before", "", "earliest activation time (RFC3339, optional)")
 	expiresAt := fs.String("expires-at", "", "expiry time (RFC3339, optional)")
 	_ = fs.Parse(args)
 	if *description == "" {
@@ -537,6 +615,18 @@ func (c *controller) policyCreate(args []string) {
 		"priority":    *priority,
 		"rule":        ruleBody,
 	}
 	if *notBefore != "" {
 		if _, err := time.Parse(time.RFC3339, *notBefore); err != nil {
 			fatalf("policy create: -not-before must be RFC3339: %v", err)
 		}
 		body["not_before"] = *notBefore
 	}
 	if *expiresAt != "" {
 		if _, err := time.Parse(time.RFC3339, *expiresAt); err != nil {
 			fatalf("policy create: -expires-at must be RFC3339: %v", err)
 		}
 		body["expires_at"] = *expiresAt
 	}
 	var result json.RawMessage
 	c.doRequest("POST", "/v1/policy/rules", body, &result)
@@ -562,6 +652,10 @@ func (c *controller) policyUpdate(args []string) {
 	id := fs.String("id", "", "rule ID (required)")
 	priority := fs.Int("priority", -1, "new priority (-1 = no change)")
 	enabled := fs.String("enabled", "", "true or false")
 	notBefore := fs.String("not-before", "", "earliest activation time (RFC3339)")
 	expiresAt := fs.String("expires-at", "", "expiry time (RFC3339)")
 	clearNotBefore := fs.Bool("clear-not-before", false, "remove not_before constraint")
 	clearExpiresAt := fs.Bool("clear-expires-at", false, "remove expires_at constraint")
 	_ = fs.Parse(args)
 	if *id == "" {
@@ -584,8 +678,24 @@ func (c *controller) policyUpdate(args []string) {
 			fatalf("policy update: -enabled must be true or false")
 		}
 	}
 	if *clearNotBefore {
 		body["clear_not_before"] = true
 	} else if *notBefore != "" {
 		if _, err := time.Parse(time.RFC3339, *notBefore); err != nil {
 			fatalf("policy update: -not-before must be RFC3339: %v", err)
 		}
 		body["not_before"] = *notBefore
 	}
 	if *clearExpiresAt {
 		body["clear_expires_at"] = true
 	} else if *expiresAt != "" {
 		if _, err := time.Parse(time.RFC3339, *expiresAt); err != nil {
 			fatalf("policy update: -expires-at must be RFC3339: %v", err)
 		}
 		body["expires_at"] = *expiresAt
 	}
 	if len(body) == 0 {
-		fatalf("policy update: at least one of -priority or -enabled is required")
+		fatalf("policy update: at least one flag is required")
 	}
 	var result json.RawMessage
@@ -766,16 +876,25 @@ Global flags:
  -cacert  Path to CA certificate for TLS verification
 Commands:
-  auth login  -username NAME [-password PASS] [-totp CODE]
+  auth login  -username NAME [-totp CODE]
-              Obtain a bearer token. Password is prompted if -password is
+              Obtain a bearer token. Password is always prompted interactively
-              omitted. Token is written to stdout; expiry to stderr.
+              (never accepted as a flag) to avoid shell-history exposure.
              Token is written to stdout; expiry to stderr.
              Example: export MCIAS_TOKEN=$(mciasctl auth login -username alice)
  auth change-password
              Change the current user's own password. Requires a valid bearer
              token. Current and new passwords are always prompted interactively.
              Revokes all other active sessions on success.
  account list
-  account create  -username NAME [-password PASS] [-type human|system]
+  account create       -username NAME [-type human|system]
  account get          -id UUID
  account update       -id UUID -status active|inactive
  account delete       -id UUID
  account set-password -id UUID
              Admin: reset a human account's password without requiring the
              current password. New password is always prompted interactively.
              Revokes all active sessions for the account.
  role list  -id UUID
  role set   -id UUID -roles role1,role2,...
@@ -788,10 +907,13 @@ Commands:
  policy list
  policy create  -description STR -json FILE [-priority N]
                 [-not-before RFC3339] [-expires-at RFC3339]
                 FILE must contain a JSON rule body, e.g.:
                 {"effect":"allow","actions":["pgcreds:read"],"resource_type":"pgcreds","owner_matches_subject":true}
  policy get     -id ID
  policy update  -id ID [-priority N] [-enabled true|false]
                 [-not-before RFC3339] [-expires-at RFC3339]
                 [-clear-not-before] [-clear-expires-at]
  policy delete  -id ID
  tag list  -id UUID
--- a/cmd/mciasdb/main.go
+++ b/cmd/mciasdb/main.go
@@ -15,6 +15,7 @@
 //
 //	schema verify
 //	schema migrate
 //	schema force --version N
 //
 //	account list
 //	account get     --id UUID
@@ -62,7 +63,22 @@ func main() {
 		os.Exit(1)
 	}
-	database, masterKey, err := openDB(*configPath)
+	command := args[0]
 	subArgs := args[1:]
 	// schema subcommands manage migrations themselves and must not trigger
 	// auto-migration on open (a dirty database would prevent the tool from
 	// opening at all, blocking recovery operations like "schema force").
 	var (
 		database  *db.DB
 		masterKey []byte
 		err       error
 	)
 	if command == "schema" {
 		database, masterKey, err = openDBRaw(*configPath)
 	} else {
 		database, masterKey, err = openDB(*configPath)
 	}
 	if err != nil {
 		fatalf("%v", err)
 	}
@@ -76,9 +92,6 @@ func main() {
 	tool := &tool{db: database, masterKey: masterKey}
 	command := args[0]
 	subArgs := args[1:]
 	switch command {
 	case "schema":
 		tool.runSchema(subArgs)
@@ -111,6 +124,21 @@ type tool struct {
 // the same passphrase always yields the same key and encrypted secrets remain
 // readable. The passphrase env var is unset immediately after reading.
 func openDB(configPath string) (*db.DB, []byte, error) {
 	database, masterKey, err := openDBRaw(configPath)
 	if err != nil {
 		return nil, nil, err
 	}
 	if err := db.Migrate(database); err != nil {
 		_ = database.Close()
 		return nil, nil, fmt.Errorf("migrate database: %w", err)
 	}
 	return database, masterKey, nil
 }
 // openDBRaw opens the database without running migrations.  Used by schema
 // subcommands so they remain operational even when the database is in a dirty
 // migration state (e.g. to allow "schema force" to clear a dirty flag).
 func openDBRaw(configPath string) (*db.DB, []byte, error) {
 	cfg, err := config.Load(configPath)
 	if err != nil {
 		return nil, nil, fmt.Errorf("load config: %w", err)
@@ -121,11 +149,6 @@ func openDB(configPath string) (*db.DB, []byte, error) {
 		return nil, nil, fmt.Errorf("open database %q: %w", cfg.Database.Path, err)
 	}
 	if err := db.Migrate(database); err != nil {
 		_ = database.Close()
 		return nil, nil, fmt.Errorf("migrate database: %w", err)
 	}
 	masterKey, err := deriveMasterKey(cfg, database)
 	if err != nil {
 		_ = database.Close()
@@ -210,6 +233,7 @@ Global flags:
 Commands:
  schema verify          Check schema version; exit 1 if migrations pending
  schema migrate         Apply any pending schema migrations
  schema force           --version N  Force schema version (clears dirty state)
  account list           List all accounts
  account get            --id UUID
--- a/cmd/mciasdb/mciasdb_test.go
+++ b/cmd/mciasdb/mciasdb_test.go
@@ -206,12 +206,12 @@ func TestRoleRevoke(t *testing.T) {
 		t.Fatalf("create account: %v", err)
 	}
-	if err := tool.db.GrantRole(a.ID, "editor", nil); err != nil {
+	if err := tool.db.GrantRole(a.ID, "user", nil); err != nil {
 		t.Fatalf("grant role: %v", err)
 	}
 	captureStdout(t, func() {
-		tool.roleRevoke([]string{"--id", a.UUID, "--role", "editor"})
+		tool.roleRevoke([]string{"--id", a.UUID, "--role", "user"})
 	})
 	roles, err := tool.db.GetRoles(a.ID)
--- a/cmd/mciasdb/schema.go
+++ b/cmd/mciasdb/schema.go
@@ -1,6 +1,7 @@
 package main
 import (
 	"flag"
 	"fmt"
 	"git.wntrmute.dev/kyle/mcias/internal/db"
@@ -8,13 +9,15 @@ import (
 func (t *tool) runSchema(args []string) {
 	if len(args) == 0 {
-		fatalf("schema requires a subcommand: verify, migrate")
+		fatalf("schema requires a subcommand: verify, migrate, force")
 	}
 	switch args[0] {
 	case "verify":
 		t.schemaVerify()
 	case "migrate":
 		t.schemaMigrate()
 	case "force":
 		t.schemaForce(args[1:])
 	default:
 		fatalf("unknown schema subcommand %q", args[0])
 	}
@@ -39,6 +42,26 @@ func (t *tool) schemaVerify() {
 	fmt.Println("schema is up-to-date")
 }
 // schemaForce marks the database as being at a specific migration version
 // without running any SQL.  Use this to clear a dirty migration state after
 // you have verified that the schema already reflects the target version.
 //
 // Example: mciasdb schema force --version 6
 func (t *tool) schemaForce(args []string) {
 	fs := flag.NewFlagSet("schema force", flag.ExitOnError)
 	version := fs.Int("version", 0, "schema version to force (required)")
 	_ = fs.Parse(args)
 	if *version <= 0 {
 		fatalf("--version must be a positive integer")
 	}
 	if err := db.ForceSchemaVersion(t.db, *version); err != nil {
 		fatalf("force schema version: %v", err)
 	}
 	fmt.Printf("schema version forced to %d; run 'schema migrate' to apply any remaining migrations\n", *version)
 }
 // schemaMigrate applies any pending migrations and reports each one.
 func (t *tool) schemaMigrate() {
 	before, err := db.SchemaVersion(t.db)
--- a/dist/mcias-dev.conf.example
+++ b/dist/mcias-dev.conf.example
@@ -22,6 +22,7 @@ listen_addr = "127.0.0.1:8443"
 grpc_addr   = "127.0.0.1:9443"
 tls_cert    = "/tmp/mcias-dev.crt"
 tls_key     = "/tmp/mcias-dev.key"
 # trusted_proxy not set — direct local development, no reverse proxy.
 [database]
 path = "/tmp/mcias-dev.db"
--- a/dist/mcias.conf.docker.example
+++ b/dist/mcias.conf.docker.example
@@ -25,6 +25,10 @@ listen_addr = "0.0.0.0:8443"
 grpc_addr   = "0.0.0.0:9443"
 tls_cert    = "/etc/mcias/server.crt"
 tls_key     = "/etc/mcias/server.key"
 # If a reverse proxy (nginx, Caddy, Traefik) sits in front of this container,
 # set trusted_proxy to its container IP so real client IPs are used for rate
 # limiting and audit logging. Leave commented out for direct exposure.
 # trusted_proxy = "172.17.0.1"
 [database]
 # VOLUME /data is declared in the Dockerfile; map a named volume here.
--- a/dist/mcias.conf.example
+++ b/dist/mcias.conf.example
@@ -32,6 +32,21 @@ tls_cert = "/etc/mcias/server.crt"
 # Permissions: mode 0640, owner root:mcias.
 tls_key = "/etc/mcias/server.key"
 # OPTIONAL. IP address of a trusted reverse proxy (e.g. nginx, Caddy, HAProxy).
 # When set, the rate limiter and audit log extract the real client IP from the
 # X-Real-IP or X-Forwarded-For header, but ONLY for requests whose TCP source
 # address matches this exact IP. All other requests use RemoteAddr directly,
 # preventing IP spoofing by external clients.
 #
 # Must be an IP address, not a hostname or CIDR range.
 # Omit when running without a reverse proxy (direct Internet exposure).
 #
 # Example — local nginx proxy:
 # trusted_proxy = "127.0.0.1"
 #
 # Example — Docker network gateway:
 # trusted_proxy = "172.17.0.1"
 # ---------------------------------------------------------------------------
 # [database] — SQLite database
 # ---------------------------------------------------------------------------
--- a/go.mod
+++ b/go.mod
@@ -4,10 +4,13 @@ go 1.26.0
 require (
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/uuid v1.6.0
 	github.com/pelletier/go-toml/v2 v2.2.4
-	golang.org/x/crypto v0.33.0
+	golang.org/x/crypto v0.45.0
-	golang.org/x/term v0.29.0
+	golang.org/x/term v0.37.0
 	google.golang.org/grpc v1.74.2
 	google.golang.org/protobuf v1.36.7
 	modernc.org/sqlite v1.46.1
 )
@@ -17,12 +20,10 @@ require (
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
 	google.golang.org/grpc v1.68.0 // indirect
 	google.golang.org/protobuf v1.36.0 // indirect
 	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,46 +1,78 @@
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
 go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
 go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
 go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
 go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
 go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
 go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
 golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
 golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
 golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
-google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
+google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
-google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
-google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ=
+google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
 modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
 modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -200,19 +200,31 @@ func parsePHC(phc string) (ArgonParams, []byte, []byte, error) {
 // ValidateTOTP checks a 6-digit TOTP code against a raw TOTP secret (bytes).
 // A ±1 time-step window (±30s) is allowed to accommodate clock skew.
 //
 // Returns (true, counter, nil) on a valid code where counter is the HOTP
 // counter value that matched.  The caller MUST pass this counter to
 // db.CheckAndUpdateTOTPCounter to prevent replay attacks within the validity
 // window (CRIT-01).
 //
 // Security:
 //   - Comparison uses crypto/subtle.ConstantTimeCompare to resist timing attacks.
 //   - Only RFC 6238-compliant HOTP (HMAC-SHA1) is implemented; no custom crypto.
 //   - A ±1 window is the RFC 6238 recommendation; wider windows increase
 //     exposure to code interception between generation and submission.
-func ValidateTOTP(secret []byte, code string) (bool, error) {
+//   - The returned counter enables replay prevention: callers store it and
 //     reject any future code that does not advance past it (RFC 6238 §5.2).
 func ValidateTOTP(secret []byte, code string) (bool, int64, error) {
 	if len(code) != 6 {
-		return false, nil
+		return false, 0, nil
 	}
 	now := time.Now().Unix()
 	step := int64(30) // RFC 6238 default time step in seconds
 	// Security: evaluate all three counters with constant-time comparisons
 	// before returning.  Early-exit would leak which counter matched via
 	// timing; we instead record the match and continue, returning at the end.
 	var matched bool
 	var matchedCounter int64
 	for _, counter := range []int64{
 		now/step - 1,
 		now / step,
@@ -220,14 +232,21 @@ func ValidateTOTP(secret []byte, code string) (bool, error) {
 	} {
 		expected, err := hotp(secret, uint64(counter)) //nolint:gosec // G115: counter is Unix time / step, always non-negative
 		if err != nil {
-			return false, fmt.Errorf("auth: compute TOTP: %w", err)
+			return false, 0, fmt.Errorf("auth: compute TOTP: %w", err)
 		}
 		// Security: constant-time comparison to prevent timing attack.
 		// We deliberately do NOT break early so that all three comparisons
 		// always execute, preventing a timing side-channel on which counter
 		// slot matched.
 		if subtle.ConstantTimeCompare([]byte(code), []byte(expected)) == 1 {
-			return true, nil
+			matched = true
 			matchedCounter = counter
 		}
 	}
-	return false, nil
+	if matched {
 		return true, matchedCounter, nil
 	}
 	return false, 0, nil
 }
 // hotp computes an HMAC-SHA1-based OTP for a given counter value.
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -101,13 +101,16 @@ func TestValidateTOTP(t *testing.T) {
 		t.Fatalf("hotp: %v", err)
 	}
-	ok, err := ValidateTOTP(rawSecret, code)
+	ok, counter, err := ValidateTOTP(rawSecret, code)
 	if err != nil {
 		t.Fatalf("ValidateTOTP: %v", err)
 	}
 	if !ok {
 		t.Errorf("ValidateTOTP rejected a valid code %q", code)
 	}
 	if ok && counter == 0 {
 		t.Errorf("ValidateTOTP returned zero counter for valid code")
 	}
 }
 // TestValidateTOTPWrongCode verifies that an incorrect code is rejected.
@@ -117,7 +120,7 @@ func TestValidateTOTPWrongCode(t *testing.T) {
 		t.Fatalf("GenerateTOTPSecret: %v", err)
 	}
-	ok, err := ValidateTOTP(rawSecret, "000000")
+	ok, _, err := ValidateTOTP(rawSecret, "000000")
 	if err != nil {
 		t.Fatalf("ValidateTOTP: %v", err)
 	}
@@ -135,7 +138,7 @@ func TestValidateTOTPWrongLength(t *testing.T) {
 	}
 	for _, code := range []string{"", "12345", "1234567", "abcdef"} {
-		ok, err := ValidateTOTP(rawSecret, code)
+		ok, _, err := ValidateTOTP(rawSecret, code)
 		if err != nil {
 			t.Errorf("ValidateTOTP(%q): unexpected error: %v", code, err)
 		}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -6,6 +6,7 @@ package config
 import (
 	"errors"
 	"fmt"
 	"net"
 	"os"
 	"time"
@@ -30,6 +31,17 @@ type ServerConfig struct {
 	GRPCAddr string `toml:"grpc_addr"`
 	TLSCert  string `toml:"tls_cert"`
 	TLSKey   string `toml:"tls_key"`
 	// TrustedProxy is the IP address (not a range) of a reverse proxy that
 	// sits in front of the server and sets X-Forwarded-For or X-Real-IP
 	// headers. When set, the rate limiter and audit log extract the real
 	// client IP from these headers instead of r.RemoteAddr.
 	//
 	// Security: only requests whose r.RemoteAddr matches TrustedProxy are
 	// trusted to carry a valid forwarded-IP header. All other requests use
 	// r.RemoteAddr directly, so this field cannot be exploited for IP
 	// spoofing by external clients. Omit or leave empty when running
 	// without a reverse proxy.
 	TrustedProxy string `toml:"trusted_proxy"`
 }
 // DatabaseConfig holds SQLite database settings.
@@ -137,6 +149,14 @@ func (c *Config) validate() error {
 	if c.Server.TLSKey == "" {
 		errs = append(errs, errors.New("server.tls_key is required"))
 	}
 	// Security (DEF-03): if trusted_proxy is set it must be a valid IP address
 	// (not a hostname or CIDR) so the middleware can compare it to the parsed
 	// host part of r.RemoteAddr using a reliable byte-level equality check.
 	if c.Server.TrustedProxy != "" {
 		if net.ParseIP(c.Server.TrustedProxy) == nil {
 			errs = append(errs, fmt.Errorf("server.trusted_proxy %q is not a valid IP address", c.Server.TrustedProxy))
 		}
 	}
 	// Database
 	if c.Database.Path == "" {
@@ -147,14 +167,31 @@ func (c *Config) validate() error {
 	if c.Tokens.Issuer == "" {
 		errs = append(errs, errors.New("tokens.issuer is required"))
 	}
 	// Security (DEF-05): enforce both lower and upper bounds on token expiry
 	// durations. An operator misconfiguration could otherwise produce tokens
 	// valid for centuries, which would be irrevocable (bar explicit JTI
 	// revocation) if a token were stolen. Upper bounds are intentionally
 	// generous to accommodate a range of legitimate deployments while
 	// catching obvious typos (e.g. "876000h" instead of "8760h").
 	const (
 		maxDefaultExpiry = 30 * 24 * time.Hour  // 30 days
 		maxAdminExpiry   = 24 * time.Hour        // 24 hours
 		maxServiceExpiry = 5 * 365 * 24 * time.Hour // 5 years
 	)
 	if c.Tokens.DefaultExpiry.Duration <= 0 {
 		errs = append(errs, errors.New("tokens.default_expiry must be positive"))
 	} else if c.Tokens.DefaultExpiry.Duration > maxDefaultExpiry {
 		errs = append(errs, fmt.Errorf("tokens.default_expiry must be <= %s (got %s)", maxDefaultExpiry, c.Tokens.DefaultExpiry.Duration))
 	}
 	if c.Tokens.AdminExpiry.Duration <= 0 {
 		errs = append(errs, errors.New("tokens.admin_expiry must be positive"))
 	} else if c.Tokens.AdminExpiry.Duration > maxAdminExpiry {
 		errs = append(errs, fmt.Errorf("tokens.admin_expiry must be <= %s (got %s)", maxAdminExpiry, c.Tokens.AdminExpiry.Duration))
 	}
 	if c.Tokens.ServiceExpiry.Duration <= 0 {
 		errs = append(errs, errors.New("tokens.service_expiry must be positive"))
 	} else if c.Tokens.ServiceExpiry.Duration > maxServiceExpiry {
 		errs = append(errs, fmt.Errorf("tokens.service_expiry must be <= %s (got %s)", maxServiceExpiry, c.Tokens.ServiceExpiry.Duration))
 	}
 	// Argon2 — enforce OWASP 2023 minimums (time=2, memory=65536 KiB).
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -210,6 +210,40 @@ threads = 4
 	}
 }
 // TestTrustedProxyValidation verifies that trusted_proxy must be a valid IP.
 func TestTrustedProxyValidation(t *testing.T) {
 	tests := []struct {
 		name        string
 		proxy       string
 		wantErr     bool
 	}{
 		{"empty is valid (disabled)", "", false},
 		{"valid IPv4", "127.0.0.1", false},
 		{"valid IPv6 loopback", "::1", false},
 		{"valid private IPv4", "10.0.0.1", false},
 		{"hostname rejected", "proxy.example.com", true},
 		{"CIDR rejected", "10.0.0.0/8", true},
 		{"garbage rejected", "not-an-ip", true},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			cfg, _ := Load(writeTempConfig(t, validConfig()))
 			if cfg == nil {
 				t.Fatal("baseline config load failed")
 			}
 			cfg.Server.TrustedProxy = tc.proxy
 			err := cfg.validate()
 			if tc.wantErr && err == nil {
 				t.Errorf("expected validation error for proxy=%q, got nil", tc.proxy)
 			}
 			if !tc.wantErr && err != nil {
 				t.Errorf("unexpected error for proxy=%q: %v", tc.proxy, err)
 			}
 		})
 	}
 }
 func TestDurationParsing(t *testing.T) {
 	var d duration
 	if err := d.UnmarshalText([]byte("1h30m")); err != nil {
--- a/internal/db/accounts.go
+++ b/internal/db/accounts.go
@@ -70,7 +70,10 @@ func (db *DB) GetAccountByID(id int64) (*model.Account, error) {
 	`, id))
 }
-// GetAccountByUsername retrieves an account by username (case-insensitive).
+// GetAccountByUsername retrieves an account by username.
 // Matching is case-sensitive: SQLite uses BINARY collation by default, so
 // "admin" and "Admin" are distinct usernames.  This is intentional for an
 // SSO system where usernames should be treated as opaque identifiers.
 // Returns ErrNotFound if no matching account exists.
 func (db *DB) GetAccountByUsername(username string) (*model.Account, error) {
 	return db.scanAccount(db.sql.QueryRow(`
@@ -128,14 +131,23 @@ func (db *DB) UpdateAccountStatus(accountID int64, status model.AccountStatus) e
 }
 // UpdatePasswordHash updates the Argon2id password hash for an account.
 // Returns ErrNotFound if no active account with the given ID exists, consistent
 // with the RowsAffected checks in RevokeToken and RenewToken.
 func (db *DB) UpdatePasswordHash(accountID int64, hash string) error {
-	_, err := db.sql.Exec(`
+	result, err := db.sql.Exec(`
 		UPDATE accounts SET password_hash = ?, updated_at = ?
 		WHERE id = ?
 	`, hash, now(), accountID)
 	if err != nil {
 		return fmt.Errorf("db: update password hash: %w", err)
 	}
 	rows, err := result.RowsAffected()
 	if err != nil {
 		return fmt.Errorf("db: update password hash rows affected: %w", err)
 	}
 	if rows == 0 {
 		return ErrNotFound
 	}
 	return nil
 }
@@ -175,6 +187,46 @@ func (db *DB) SetTOTP(accountID int64, secretEnc, secretNonce []byte) error {
 	return nil
 }
 // CheckAndUpdateTOTPCounter atomically verifies that counter is strictly
 // greater than the last accepted TOTP counter for the account, and if so,
 // stores counter as the new last accepted value.
 //
 // Returns ErrTOTPReplay if counter ≤ the stored value, preventing a replay
 // of a previously accepted code within the ±1 time-step validity window.
 // On the first successful TOTP login (stored value NULL) any counter is
 // accepted.
 //
 // Security (CRIT-01): RFC 6238 §5.2 recommends recording the last OTP
 // counter used and rejecting any code that does not advance it.  Without
 // this, an intercepted code remains valid for up to 90 seconds.  The update
 // is performed in a single parameterized SQL statement, so there is no
 // TOCTOU window between the check and the write.
 func (db *DB) CheckAndUpdateTOTPCounter(accountID int64, counter int64) error {
 	result, err := db.sql.Exec(`
 		UPDATE accounts
 		SET last_totp_counter = ?, updated_at = ?
 		WHERE id = ?
 		  AND (last_totp_counter IS NULL OR last_totp_counter < ?)
 	`, counter, now(), accountID, counter)
 	if err != nil {
 		return fmt.Errorf("db: check-and-update TOTP counter: %w", err)
 	}
 	rows, err := result.RowsAffected()
 	if err != nil {
 		return fmt.Errorf("db: check-and-update TOTP counter rows affected: %w", err)
 	}
 	if rows == 0 {
 		// Security: the counter was not advanced — this code has already been
 		// used within its validity window.  Treat as authentication failure.
 		return ErrTOTPReplay
 	}
 	return nil
 }
 // ErrTOTPReplay is returned by CheckAndUpdateTOTPCounter when the submitted
 // TOTP code corresponds to a counter value that has already been accepted.
 var ErrTOTPReplay = errors.New("db: TOTP code already used (replay)")
 // ClearTOTP removes the TOTP secret and disables TOTP requirement.
 func (db *DB) ClearTOTP(accountID int64) error {
 	_, err := db.sql.Exec(`
@@ -291,6 +343,12 @@ func (db *DB) GetRoles(accountID int64) ([]string, error) {
 // GrantRole adds a role to an account. If the role already exists, it is a no-op.
 func (db *DB) GrantRole(accountID int64, role string, grantedBy *int64) error {
 	// Security (DEF-10): reject unknown roles before writing to the DB so
 	// that typos (e.g. "admim") are caught immediately rather than silently
 	// creating an unmatchable role.
 	if err := model.ValidateRole(role); err != nil {
 		return err
 	}
 	_, err := db.sql.Exec(`
 		INSERT OR IGNORE INTO account_roles (account_id, role, granted_by, granted_at)
 		VALUES (?, ?, ?, ?)
@@ -314,6 +372,14 @@ func (db *DB) RevokeRole(accountID int64, role string) error {
 // SetRoles replaces the full role set for an account atomically.
 func (db *DB) SetRoles(accountID int64, roles []string, grantedBy *int64) error {
 	// Security (DEF-10): validate all roles before opening the transaction so
 	// we fail fast without touching the database on an invalid input.
 	for _, role := range roles {
 		if err := model.ValidateRole(role); err != nil {
 			return err
 		}
 	}
 	tx, err := db.sql.Begin()
 	if err != nil {
 		return fmt.Errorf("db: set roles begin tx: %w", err)
@@ -450,16 +516,17 @@ func (db *DB) WritePGCredentials(accountID int64, host string, port int, dbName,
 func (db *DB) ReadPGCredentials(accountID int64) (*model.PGCredential, error) {
 	var cred model.PGCredential
 	var createdAtStr, updatedAtStr string
 	var ownerID sql.NullInt64
 	err := db.sql.QueryRow(`
 		SELECT id, account_id, pg_host, pg_port, pg_database, pg_username,
-		       pg_password_enc, pg_password_nonce, created_at, updated_at
+		       pg_password_enc, pg_password_nonce, created_at, updated_at, owner_id
 		FROM pg_credentials WHERE account_id = ?
 	`, accountID).Scan(
 		&cred.ID, &cred.AccountID, &cred.PGHost, &cred.PGPort,
 		&cred.PGDatabase, &cred.PGUsername,
 		&cred.PGPasswordEnc, &cred.PGPasswordNonce,
-		&createdAtStr, &updatedAtStr,
+		&createdAtStr, &updatedAtStr, &ownerID,
 	)
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, ErrNotFound
@@ -476,6 +543,10 @@ func (db *DB) ReadPGCredentials(accountID int64) (*model.PGCredential, error) {
 	if err != nil {
 		return nil, err
 	}
 	if ownerID.Valid {
 		v := ownerID.Int64
 		cred.OwnerID = &v
 	}
 	return &cred, nil
 }
@@ -635,6 +706,23 @@ func (db *DB) RevokeAllUserTokens(accountID int64, reason string) error {
 	return nil
 }
 // RevokeAllUserTokensExcept revokes all non-expired, non-revoked tokens for an
 // account except for the token identified by exceptJTI.  Used by the
 // self-service password change flow to invalidate all other sessions while
 // keeping the caller's current session active.
 func (db *DB) RevokeAllUserTokensExcept(accountID int64, exceptJTI, reason string) error {
 	n := now()
 	_, err := db.sql.Exec(`
 		UPDATE token_revocation
 		SET revoked_at = ?, revoke_reason = ?
 		WHERE account_id = ? AND jti != ? AND revoked_at IS NULL AND expires_at > ?
 	`, n, nullString(reason), accountID, exceptJTI, n)
 	if err != nil {
 		return fmt.Errorf("db: revoke all tokens except %q for account %d: %w", exceptJTI, accountID, err)
 	}
 	return nil
 }
 // PruneExpiredTokens removes token_revocation rows that are past their expiry.
 // Returns the number of rows deleted.
 func (db *DB) PruneExpiredTokens() (int64, error) {
--- a/internal/db/db.go
+++ b/internal/db/db.go
@@ -12,19 +12,36 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"sync/atomic"
 	"time"
 	_ "modernc.org/sqlite" // register the sqlite3 driver
 )
 // memCounter generates unique names for in-memory shared-cache databases.
 var memCounter atomic.Int64
 // DB wraps a *sql.DB with MCIAS-specific helpers.
 type DB struct {
 	sql *sql.DB
 	// path is the DSN used to open this database.  For in-memory databases
 	// (originally ":memory:") it is a unique shared-cache URI of the form
 	// file:mcias_N?mode=memory&cache=shared so that a second connection can be
 	// opened to the same in-memory database (needed by the migration runner).
 	path string
 }
 // Open opens (or creates) the SQLite database at path and configures it for
 // MCIAS use (WAL mode, foreign keys, busy timeout).
 func Open(path string) (*DB, error) {
 	// Translate bare ":memory:" to a named shared-cache in-memory URI.
 	// This allows the migration runner to open a second connection to the
 	// same in-memory database without sharing the *sql.DB handle (which
 	// would be closed by golang-migrate when the migrator is done).
 	if path == ":memory:" {
 		path = fmt.Sprintf("file:mcias_%d?mode=memory&cache=shared", memCounter.Add(1))
 	}
 	// The modernc.org/sqlite driver is registered as "sqlite".
 	sqlDB, err := sql.Open("sqlite", path)
 	if err != nil {
@@ -34,7 +51,7 @@ func Open(path string) (*DB, error) {
 	// Use a single connection for writes; reads can use the pool.
 	sqlDB.SetMaxOpenConns(1)
-	db := &DB{sql: sqlDB}
+	db := &DB{sql: sqlDB, path: path}
 	if err := db.configure(); err != nil {
 		_ = sqlDB.Close()
 		return nil, err
@@ -48,7 +65,14 @@ func (db *DB) configure() error {
 		"PRAGMA journal_mode=WAL",
 		"PRAGMA foreign_keys=ON",
 		"PRAGMA busy_timeout=5000",
-		"PRAGMA synchronous=NORMAL",
+		// Security (DEF-07): FULL synchronous mode ensures every write is
 		// flushed to disk before SQLite considers it committed.  With WAL
 		// mode + NORMAL, a power failure between a write and the next
 		// checkpoint could lose the most recent committed transactions,
 		// including token issuance and revocation records — which must be
 		// durable.  The performance cost is negligible for a single-node
 		// personal SSO server.
 		"PRAGMA synchronous=FULL",
 	}
 	for _, p := range pragmas {
 		if _, err := db.sql.Exec(p); err != nil {
--- a/internal/db/db_test.go
+++ b/internal/db/db_test.go
@@ -162,7 +162,7 @@ func TestRoleOperations(t *testing.T) {
 	}
 	// SetRoles
-	if err := db.SetRoles(acct.ID, []string{"reader", "writer"}, nil); err != nil {
+	if err := db.SetRoles(acct.ID, []string{"admin", "user"}, nil); err != nil {
 		t.Fatalf("SetRoles: %v", err)
 	}
 	roles, err = db.GetRoles(acct.ID)
--- a/internal/db/migrate.go
+++ b/internal/db/migrate.go
@@ -2,239 +2,188 @@ package db
 import (
 	"database/sql"
 	"embed"
 	"errors"
 	"fmt"
 	"strings"
 	"github.com/golang-migrate/migrate/v4"
 	sqlitedriver "github.com/golang-migrate/migrate/v4/database/sqlite"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	_ "modernc.org/sqlite" // driver registration
 )
-// migration represents a single schema migration with an ID and SQL statement.
+// migrationsFS embeds all migration SQL files from the migrations/ directory.
-type migration struct {
+// Each file is named NNN_description.up.sql (and optionally .down.sql).
-	sql string
+//
-	id  int
+//go:embed migrations/*.sql
-}
+var migrationsFS embed.FS
-// migrations is the ordered list of schema migrations applied to the database.
+// LatestSchemaVersion is the highest migration version defined in the
-// Once applied, migrations must never be modified — only new ones appended.
+// migrations/ directory.  Update this constant whenever a new migration file
-var migrations = []migration{
+// is added.
-	{
+const LatestSchemaVersion = 7
 		id: 1,
 		sql: `
 CREATE TABLE IF NOT EXISTS schema_version (
    version INTEGER NOT NULL
 );
-CREATE TABLE IF NOT EXISTS server_config (
+// newMigrate constructs a migrate.Migrate instance backed by the embedded SQL
-    id                  INTEGER PRIMARY KEY CHECK (id = 1),
+// files.  It opens a dedicated *sql.DB using the same DSN as the main
-    signing_key_enc     BLOB,
+// database so that calling m.Close() (which closes the underlying connection)
-    signing_key_nonce   BLOB,
+// does not affect the caller's main database connection.
-    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+//
-    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+// Security: migration SQL is embedded at compile time from the migrations/
-);
+// directory and is never loaded from the filesystem at runtime, preventing
 // injection of arbitrary SQL via a compromised working directory.
 func newMigrate(database *DB) (*migrate.Migrate, error) {
 	src, err := iofs.New(migrationsFS, "migrations")
 	if err != nil {
 		return nil, fmt.Errorf("db: create migration source: %w", err)
 	}
-CREATE TABLE IF NOT EXISTS accounts (
+	// Open a dedicated connection for the migrator.  golang-migrate's sqlite
-    id                  INTEGER PRIMARY KEY,
+	// driver calls db.Close() when the migrator is closed; using a dedicated
-    uuid                TEXT    NOT NULL UNIQUE,
+	// connection (same DSN, different *sql.DB) prevents it from closing the
-    username            TEXT    NOT NULL UNIQUE COLLATE NOCASE,
+	// shared connection.  For in-memory databases, Open() translates
-    account_type        TEXT    NOT NULL CHECK (account_type IN ('human','system')),
+	// ":memory:" to a named shared-cache URI so both connections see the same
-    password_hash       TEXT,
+	// data.
-    status              TEXT    NOT NULL DEFAULT 'active'
+	migrateDB, err := sql.Open("sqlite", database.path)
-                                CHECK (status IN ('active','inactive','deleted')),
+	if err != nil {
-    totp_required       INTEGER NOT NULL DEFAULT 0 CHECK (totp_required IN (0,1)),
+		return nil, fmt.Errorf("db: open migration connection: %w", err)
-    totp_secret_enc     BLOB,
+	}
-    totp_secret_nonce   BLOB,
+	migrateDB.SetMaxOpenConns(1)
-    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+	if _, err := migrateDB.Exec("PRAGMA foreign_keys=ON"); err != nil {
-    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+		_ = migrateDB.Close()
-    deleted_at          TEXT
+		return nil, fmt.Errorf("db: migration connection pragma: %w", err)
-);
+	}
-CREATE INDEX IF NOT EXISTS idx_accounts_username ON accounts (username);
+	driver, err := sqlitedriver.WithInstance(migrateDB, &sqlitedriver.Config{
-CREATE INDEX IF NOT EXISTS idx_accounts_uuid     ON accounts (uuid);
+		MigrationsTable: "schema_migrations",
-CREATE INDEX IF NOT EXISTS idx_accounts_status   ON accounts (status);
+	})
 	if err != nil {
 		_ = migrateDB.Close()
 		return nil, fmt.Errorf("db: create migration driver: %w", err)
 	}
-CREATE TABLE IF NOT EXISTS account_roles (
+	m, err := migrate.NewWithInstance("iofs", src, "sqlite", driver)
-    id          INTEGER PRIMARY KEY,
+	if err != nil {
-    account_id  INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
+		return nil, fmt.Errorf("db: initialise migrator: %w", err)
-    role        TEXT    NOT NULL,
+	}
-    granted_by  INTEGER REFERENCES accounts(id),
+	return m, nil
    granted_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    UNIQUE (account_id, role)
 );
 CREATE INDEX IF NOT EXISTS idx_account_roles_account ON account_roles (account_id);
 CREATE TABLE IF NOT EXISTS token_revocation (
    id            INTEGER PRIMARY KEY,
    jti           TEXT    NOT NULL UNIQUE,
    account_id    INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    expires_at    TEXT    NOT NULL,
    revoked_at    TEXT,
    revoke_reason TEXT,
    issued_at     TEXT    NOT NULL,
    created_at    TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE INDEX IF NOT EXISTS idx_token_jti     ON token_revocation (jti);
 CREATE INDEX IF NOT EXISTS idx_token_account ON token_revocation (account_id);
 CREATE INDEX IF NOT EXISTS idx_token_expires ON token_revocation (expires_at);
 CREATE TABLE IF NOT EXISTS system_tokens (
    id          INTEGER PRIMARY KEY,
    account_id  INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
    jti         TEXT    NOT NULL UNIQUE,
    expires_at  TEXT    NOT NULL,
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE TABLE IF NOT EXISTS pg_credentials (
    id                  INTEGER PRIMARY KEY,
    account_id          INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
    pg_host             TEXT    NOT NULL,
    pg_port             INTEGER NOT NULL DEFAULT 5432,
    pg_database         TEXT    NOT NULL,
    pg_username         TEXT    NOT NULL,
    pg_password_enc     BLOB    NOT NULL,
    pg_password_nonce   BLOB    NOT NULL,
    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE TABLE IF NOT EXISTS audit_log (
    id          INTEGER PRIMARY KEY,
    event_time  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    event_type  TEXT    NOT NULL,
    actor_id    INTEGER REFERENCES accounts(id),
    target_id   INTEGER REFERENCES accounts(id),
    ip_address  TEXT,
    details     TEXT
 );
 CREATE INDEX IF NOT EXISTS idx_audit_time  ON audit_log (event_time);
 CREATE INDEX IF NOT EXISTS idx_audit_actor ON audit_log (actor_id);
 CREATE INDEX IF NOT EXISTS idx_audit_event ON audit_log (event_type);
 `,
 	},
 	{
 		id: 2,
 		sql: `
 -- Add master_key_salt to server_config for Argon2id KDF salt storage.
 -- The salt must be stable across restarts so the passphrase always yields the same key.
 -- We allow NULL signing_key_enc/nonce temporarily until the first signing key is generated.
 ALTER TABLE server_config ADD COLUMN master_key_salt BLOB;
 `,
 	},
 	{
 		id: 3,
 		sql: `
 -- Track per-account failed login attempts for lockout enforcement (F-08).
 -- One row per account; window_start resets when the window expires or on
 -- a successful login.  The DB layer enforces atomicity via UPDATE+INSERT.
 CREATE TABLE IF NOT EXISTS failed_logins (
    account_id    INTEGER NOT NULL PRIMARY KEY REFERENCES accounts(id) ON DELETE CASCADE,
    window_start  TEXT    NOT NULL,
    attempt_count INTEGER NOT NULL DEFAULT 1
 );
 `,
 	},
 	{
 		id: 4,
 		sql: `
 -- Machine/service tags on accounts (many-to-many).
 -- Used by the policy engine to gate access by machine or service identity
 -- (e.g. env:production, svc:payments-api, machine:db-west-01).
 CREATE TABLE IF NOT EXISTS account_tags (
    account_id  INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    tag         TEXT    NOT NULL,
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    PRIMARY KEY (account_id, tag)
 );
 CREATE INDEX IF NOT EXISTS idx_account_tags_account ON account_tags (account_id);
 -- Policy rules stored in the database and evaluated in-process.
 -- rule_json holds a JSON-encoded policy.RuleBody (all match fields + effect).
 -- Built-in default rules are compiled into the binary and are not stored here.
 -- Rows with enabled=0 are loaded but skipped during evaluation.
 CREATE TABLE IF NOT EXISTS policy_rules (
    id          INTEGER PRIMARY KEY,
    priority    INTEGER NOT NULL DEFAULT 100,
    description TEXT    NOT NULL,
    rule_json   TEXT    NOT NULL,
    enabled     INTEGER NOT NULL DEFAULT 1 CHECK (enabled IN (0,1)),
    created_by  INTEGER REFERENCES accounts(id),
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    updated_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 `,
 	},
 }
 // LatestSchemaVersion is the highest migration ID in the migrations list.
 // It is updated automatically when new migrations are appended.
 var LatestSchemaVersion = migrations[len(migrations)-1].id
 // SchemaVersion returns the current applied schema version of the database.
 // Returns 0 if no migrations have been applied yet.
 func SchemaVersion(database *DB) (int, error) {
 	return currentSchemaVersion(database.sql)
 }
 // Migrate applies any unapplied schema migrations to the database in order.
-// It is idempotent: running it multiple times is safe.
+// It is idempotent: running it on an already-current database is safe and
-func Migrate(db *DB) error {
+// returns nil.
-	// Ensure the schema_version table exists first.
+//
-	if _, err := db.sql.Exec(`
+// Existing databases that were migrated by the previous hand-rolled runner
-		CREATE TABLE IF NOT EXISTS schema_version (
+// (schema_version table) are handled by the compatibility shim below: the
-			version INTEGER NOT NULL
+// legacy version is read and used to fast-forward the golang-migrate state
-		)
+// before calling Up, so no migration is applied twice.
-	`); err != nil {
+func Migrate(database *DB) error {
-		return fmt.Errorf("db: ensure schema_version: %w", err)
+	// Compatibility shim: if the database was previously migrated by the
-	}
+	// hand-rolled runner it has a schema_version table with the current
-
+	// version.  Inform golang-migrate of the existing version so it does
-	currentVersion, err := currentSchemaVersion(db.sql)
+	// not try to re-apply already-applied migrations.
 	legacyVersion, err := legacySchemaVersion(database)
 	if err != nil {
-		return fmt.Errorf("db: get current schema version: %w", err)
+		return fmt.Errorf("db: read legacy schema version: %w", err)
 	}
-	for _, m := range migrations {
+	m, err := newMigrate(database)
 		if m.id <= currentVersion {
 			continue
 		}
 		tx, err := db.sql.Begin()
 	if err != nil {
-			return fmt.Errorf("db: begin migration %d transaction: %w", m.id, err)
+		return err
 	}
 	defer func() { src, drv := m.Close(); _ = src; _ = drv }()
-		if _, err := tx.Exec(m.sql); err != nil {
+	if legacyVersion > 0 {
-			_ = tx.Rollback()
+		// Only fast-forward from the legacy version when golang-migrate has no
-			return fmt.Errorf("db: apply migration %d: %w", m.id, err)
+		// version record of its own yet (ErrNilVersion).  If schema_migrations
 		// already has an entry — including a dirty entry from a previously
 		// failed migration — leave it alone and let golang-migrate handle it.
 		// Overriding a non-nil version would discard progress (or a dirty
 		// state that needs idempotent re-application) and cause migrations to
 		// be retried unnecessarily.
 		_, _, versionErr := m.Version()
 		if errors.Is(versionErr, migrate.ErrNilVersion) {
 			if err := m.Force(legacyVersion); err != nil {
 				return fmt.Errorf("db: force legacy schema version %d: %w", legacyVersion, err)
 			}
 		// Update the schema version within the same transaction.
 		if currentVersion == 0 {
 			if _, err := tx.Exec(`INSERT INTO schema_version (version) VALUES (?)`, m.id); err != nil {
 				_ = tx.Rollback()
 				return fmt.Errorf("db: insert schema version %d: %w", m.id, err)
 			}
 		} else {
 			if _, err := tx.Exec(`UPDATE schema_version SET version = ?`, m.id); err != nil {
 				_ = tx.Rollback()
 				return fmt.Errorf("db: update schema version to %d: %w", m.id, err)
 		}
 	}
-		if err := tx.Commit(); err != nil {
+	if err := m.Up(); err != nil && !errors.Is(err, migrate.ErrNoChange) {
-			return fmt.Errorf("db: commit migration %d: %w", m.id, err)
+		// A "duplicate column name" error means the failing migration is an
 		// ADD COLUMN that was already applied outside the migration runner
 		// (common during development before a migration file existed).
 		// If this is the last migration and its version matches LatestSchemaVersion,
 		// force it clean so subsequent starts succeed.
 		//
 		// This is intentionally narrow: we only suppress the error when the
 		// dirty version equals the latest known version, preventing accidental
 		// masking of errors in intermediate migrations.
 		if strings.Contains(err.Error(), "duplicate column name") {
 			v, dirty, verErr := m.Version()
 			if verErr == nil && dirty && int(v) == LatestSchemaVersion { //nolint:gosec // G115: safe conversion
 				if forceErr := m.Force(LatestSchemaVersion); forceErr != nil {
 					return fmt.Errorf("db: force after duplicate column: %w", forceErr)
 				}
-		currentVersion = m.id
+				return nil
 			}
 		}
 		return fmt.Errorf("db: apply migrations: %w", err)
 	}
 	return nil
 }
-// currentSchemaVersion returns the current schema version, or 0 if none applied.
+// ForceSchemaVersion marks the database as being at the given version without
-func currentSchemaVersion(db *sql.DB) (int, error) {
+// running any SQL.  This is a break-glass operation: use it to clear a dirty
-	var version int
+// migration state after verifying (or manually applying) the migration SQL.
-	err := db.QueryRow(`SELECT version FROM schema_version LIMIT 1`).Scan(&version)
+//
 // Passing a version that has never been recorded by golang-migrate is safe;
 // it simply sets the version and clears the dirty flag.  The next call to
 // Migrate will apply any versions higher than the forced one.
 func ForceSchemaVersion(database *DB, version int) error {
 	m, err := newMigrate(database)
 	if err != nil {
-		// No rows means version 0 (fresh database).
+		return err
 	}
 	defer func() { src, drv := m.Close(); _ = src; _ = drv }()
 	if err := m.Force(version); err != nil {
 		return fmt.Errorf("db: force schema version %d: %w", version, err)
 	}
 	return nil
 }
 // SchemaVersion returns the current applied schema version of the database.
 // Returns 0 if no migrations have been applied yet.
 func SchemaVersion(database *DB) (int, error) {
 	m, err := newMigrate(database)
 	if err != nil {
 		return 0, err
 	}
 	defer func() { src, drv := m.Close(); _ = src; _ = drv }()
 	v, _, err := m.Version()
 	if errors.Is(err, migrate.ErrNilVersion) {
 		return 0, nil
 	}
 	if err != nil {
 		return 0, fmt.Errorf("db: read schema version: %w", err)
 	}
 	// Security: v is a migration version number (small positive integer);
 	// the uint→int conversion is safe for any realistic schema version count.
 	return int(v), nil //nolint:gosec // G115: migration version is always a small positive integer
 }
 // legacySchemaVersion reads the version from the old schema_version table
 // created by the hand-rolled migration runner.  Returns 0 if the table does
 // not exist (fresh database or already migrated to golang-migrate only).
 func legacySchemaVersion(database *DB) (int, error) {
 	var version int
 	err := database.sql.QueryRow(
 		`SELECT version FROM schema_version LIMIT 1`,
 	).Scan(&version)
 	if err != nil {
 		// Table does not exist or is empty — treat as version 0.
 		return 0, nil //nolint:nilerr
 	}
 	return version, nil
--- a/internal/db/migrations/000001_initial_schema.up.sql
+++ b/internal/db/migrations/000001_initial_schema.up.sql
@@ -0,0 +1,92 @@
 CREATE TABLE IF NOT EXISTS schema_version (
    version INTEGER NOT NULL
 );
 CREATE TABLE IF NOT EXISTS server_config (
    id                  INTEGER PRIMARY KEY CHECK (id = 1),
    signing_key_enc     BLOB,
    signing_key_nonce   BLOB,
    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE TABLE IF NOT EXISTS accounts (
    id                  INTEGER PRIMARY KEY,
    uuid                TEXT    NOT NULL UNIQUE,
    username            TEXT    NOT NULL UNIQUE COLLATE NOCASE,
    account_type        TEXT    NOT NULL CHECK (account_type IN ('human','system')),
    password_hash       TEXT,
    status              TEXT    NOT NULL DEFAULT 'active'
                                CHECK (status IN ('active','inactive','deleted')),
    totp_required       INTEGER NOT NULL DEFAULT 0 CHECK (totp_required IN (0,1)),
    totp_secret_enc     BLOB,
    totp_secret_nonce   BLOB,
    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    deleted_at          TEXT
 );
 CREATE INDEX IF NOT EXISTS idx_accounts_username ON accounts (username);
 CREATE INDEX IF NOT EXISTS idx_accounts_uuid     ON accounts (uuid);
 CREATE INDEX IF NOT EXISTS idx_accounts_status   ON accounts (status);
 CREATE TABLE IF NOT EXISTS account_roles (
    id          INTEGER PRIMARY KEY,
    account_id  INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    role        TEXT    NOT NULL,
    granted_by  INTEGER REFERENCES accounts(id),
    granted_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    UNIQUE (account_id, role)
 );
 CREATE INDEX IF NOT EXISTS idx_account_roles_account ON account_roles (account_id);
 CREATE TABLE IF NOT EXISTS token_revocation (
    id            INTEGER PRIMARY KEY,
    jti           TEXT    NOT NULL UNIQUE,
    account_id    INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    expires_at    TEXT    NOT NULL,
    revoked_at    TEXT,
    revoke_reason TEXT,
    issued_at     TEXT    NOT NULL,
    created_at    TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE INDEX IF NOT EXISTS idx_token_jti     ON token_revocation (jti);
 CREATE INDEX IF NOT EXISTS idx_token_account ON token_revocation (account_id);
 CREATE INDEX IF NOT EXISTS idx_token_expires ON token_revocation (expires_at);
 CREATE TABLE IF NOT EXISTS system_tokens (
    id          INTEGER PRIMARY KEY,
    account_id  INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
    jti         TEXT    NOT NULL UNIQUE,
    expires_at  TEXT    NOT NULL,
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE TABLE IF NOT EXISTS pg_credentials (
    id                  INTEGER PRIMARY KEY,
    account_id          INTEGER NOT NULL UNIQUE REFERENCES accounts(id) ON DELETE CASCADE,
    pg_host             TEXT    NOT NULL,
    pg_port             INTEGER NOT NULL DEFAULT 5432,
    pg_database         TEXT    NOT NULL,
    pg_username         TEXT    NOT NULL,
    pg_password_enc     BLOB    NOT NULL,
    pg_password_nonce   BLOB    NOT NULL,
    created_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    updated_at          TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
 CREATE TABLE IF NOT EXISTS audit_log (
    id          INTEGER PRIMARY KEY,
    event_time  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    event_type  TEXT    NOT NULL,
    actor_id    INTEGER REFERENCES accounts(id),
    target_id   INTEGER REFERENCES accounts(id),
    ip_address  TEXT,
    details     TEXT
 );
 CREATE INDEX IF NOT EXISTS idx_audit_time  ON audit_log (event_time);
 CREATE INDEX IF NOT EXISTS idx_audit_actor ON audit_log (actor_id);
 CREATE INDEX IF NOT EXISTS idx_audit_event ON audit_log (event_type);
--- a/internal/db/migrations/000002_master_key_salt.up.sql
+++ b/internal/db/migrations/000002_master_key_salt.up.sql
@@ -0,0 +1,4 @@
 -- Add master_key_salt to server_config for Argon2id KDF salt storage.
 -- The salt must be stable across restarts so the passphrase always yields the same key.
 -- We allow NULL signing_key_enc/nonce temporarily until the first signing key is generated.
 ALTER TABLE server_config ADD COLUMN master_key_salt BLOB;
--- a/internal/db/migrations/000003_failed_logins.up.sql
+++ b/internal/db/migrations/000003_failed_logins.up.sql
@@ -0,0 +1,8 @@
 -- Track per-account failed login attempts for lockout enforcement (F-08).
 -- One row per account; window_start resets when the window expires or on
 -- a successful login.  The DB layer enforces atomicity via UPDATE+INSERT.
 CREATE TABLE IF NOT EXISTS failed_logins (
    account_id    INTEGER NOT NULL PRIMARY KEY REFERENCES accounts(id) ON DELETE CASCADE,
    window_start  TEXT    NOT NULL,
    attempt_count INTEGER NOT NULL DEFAULT 1
 );
--- a/internal/db/migrations/000004_tags_and_policy.up.sql
+++ b/internal/db/migrations/000004_tags_and_policy.up.sql
@@ -0,0 +1,26 @@
 -- Machine/service tags on accounts (many-to-many).
 -- Used by the policy engine to gate access by machine or service identity
 -- (e.g. env:production, svc:payments-api, machine:db-west-01).
 CREATE TABLE IF NOT EXISTS account_tags (
    account_id  INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    tag         TEXT    NOT NULL,
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    PRIMARY KEY (account_id, tag)
 );
 CREATE INDEX IF NOT EXISTS idx_account_tags_account ON account_tags (account_id);
 -- Policy rules stored in the database and evaluated in-process.
 -- rule_json holds a JSON-encoded policy.RuleBody (all match fields + effect).
 -- Built-in default rules are compiled into the binary and are not stored here.
 -- Rows with enabled=0 are loaded but skipped during evaluation.
 CREATE TABLE IF NOT EXISTS policy_rules (
    id          INTEGER PRIMARY KEY,
    priority    INTEGER NOT NULL DEFAULT 100,
    description TEXT    NOT NULL,
    rule_json   TEXT    NOT NULL,
    enabled     INTEGER NOT NULL DEFAULT 1 CHECK (enabled IN (0,1)),
    created_by  INTEGER REFERENCES accounts(id),
    created_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    updated_at  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
 );
--- a/internal/db/migrations/000005_pgcred_access.up.sql
+++ b/internal/db/migrations/000005_pgcred_access.up.sql
@@ -0,0 +1,24 @@
 -- Track which accounts own each set of pg_credentials and which other
 -- accounts have been granted read access to them.
 --
 -- owner_id: the account that administers the credentials and may grant/revoke
 --           access.  Defaults to the system account itself.  This column is
 --           nullable so that rows created before migration 5 are not broken.
 ALTER TABLE pg_credentials ADD COLUMN owner_id INTEGER REFERENCES accounts(id);
 -- pg_credential_access records an explicit "all-or-nothing" read grant from
 -- the credential owner to another account.  Grantees may view connection
 -- metadata (host, port, database, username) but the password is never
 -- decrypted for them in the UI.  Only the owner may update or delete the
 -- credential set.
 CREATE TABLE IF NOT EXISTS pg_credential_access (
    id              INTEGER PRIMARY KEY,
    credential_id   INTEGER NOT NULL REFERENCES pg_credentials(id) ON DELETE CASCADE,
    grantee_id      INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
    granted_by      INTEGER REFERENCES accounts(id),
    granted_at      TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
    UNIQUE (credential_id, grantee_id)
 );
 CREATE INDEX IF NOT EXISTS idx_pgcred_access_cred    ON pg_credential_access (credential_id);
 CREATE INDEX IF NOT EXISTS idx_pgcred_access_grantee ON pg_credential_access (grantee_id);
--- a/internal/db/migrations/000006_policy_rule_expiry.up.sql
+++ b/internal/db/migrations/000006_policy_rule_expiry.up.sql
@@ -0,0 +1,6 @@
 -- Add optional time-scoped validity window to policy rules.
 -- NULL means "no constraint" (rule is always active / never expires).
 -- The policy engine skips rules where not_before > now() or expires_at <= now()
 -- at cache-load time (SetRules), not at query time.
 ALTER TABLE policy_rules ADD COLUMN not_before TEXT DEFAULT NULL;
 ALTER TABLE policy_rules ADD COLUMN expires_at TEXT DEFAULT NULL;
--- a/internal/db/migrations/000007_totp_counter.up.sql
+++ b/internal/db/migrations/000007_totp_counter.up.sql
@@ -0,0 +1,9 @@
 -- Add last_totp_counter to track the most recently accepted TOTP counter value
 -- per account.  This is used to prevent TOTP replay attacks within the ±1
 -- time-step validity window.  NULL means no TOTP code has ever been accepted
 -- for this account (fresh enrollment or TOTP not yet used).
 --
 -- Security (CRIT-01): RFC 6238 §5.2 recommends recording the last OTP counter
 -- used and rejecting codes that do not advance it, eliminating the ~90-second
 -- replay window that would otherwise be exploitable.
 ALTER TABLE accounts ADD COLUMN last_totp_counter INTEGER DEFAULT NULL;
--- a/internal/db/pgcred_access.go
+++ b/internal/db/pgcred_access.go
@@ -0,0 +1,247 @@
 package db
 import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"time"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
 )
 // ListCredentialedAccountIDs returns the set of account IDs that already have
 // a pg_credentials row.  Used to filter the "uncredentialed system accounts"
 // list on the /pgcreds create form without leaking credential content.
 func (db *DB) ListCredentialedAccountIDs() (map[int64]struct{}, error) {
 	rows, err := db.sql.Query(`SELECT account_id FROM pg_credentials`)
 	if err != nil {
 		return nil, fmt.Errorf("db: list credentialed account ids: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	ids := make(map[int64]struct{})
 	for rows.Next() {
 		var id int64
 		if err := rows.Scan(&id); err != nil {
 			return nil, fmt.Errorf("db: scan credentialed account id: %w", err)
 		}
 		ids[id] = struct{}{}
 	}
 	return ids, rows.Err()
 }
 // SetPGCredentialOwner records the owning account for a pg_credentials row.
 // This is called on first write so that pre-migration rows retain a nil owner.
 // It is idempotent: if the owner is already set it is overwritten.
 func (db *DB) SetPGCredentialOwner(credentialID, ownerID int64) error {
 	_, err := db.sql.Exec(`
 		UPDATE pg_credentials SET owner_id = ? WHERE id = ?
 	`, ownerID, credentialID)
 	if err != nil {
 		return fmt.Errorf("db: set pg credential owner: %w", err)
 	}
 	return nil
 }
 // GetPGCredentialByID retrieves a single pg_credentials row by its primary key.
 // Returns ErrNotFound if no such credential exists.
 func (db *DB) GetPGCredentialByID(id int64) (*model.PGCredential, error) {
 	var cred model.PGCredential
 	var createdAtStr, updatedAtStr string
 	var ownerID sql.NullInt64
 	err := db.sql.QueryRow(`
 		SELECT p.id, p.account_id, p.pg_host, p.pg_port, p.pg_database, p.pg_username,
 		       p.pg_password_enc, p.pg_password_nonce, p.created_at, p.updated_at, p.owner_id
 		FROM pg_credentials p WHERE p.id = ?
 	`, id).Scan(
 		&cred.ID, &cred.AccountID, &cred.PGHost, &cred.PGPort,
 		&cred.PGDatabase, &cred.PGUsername,
 		&cred.PGPasswordEnc, &cred.PGPasswordNonce,
 		&createdAtStr, &updatedAtStr, &ownerID,
 	)
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, ErrNotFound
 	}
 	if err != nil {
 		return nil, fmt.Errorf("db: get pg credential by id: %w", err)
 	}
 	cred.CreatedAt, err = parseTime(createdAtStr)
 	if err != nil {
 		return nil, err
 	}
 	cred.UpdatedAt, err = parseTime(updatedAtStr)
 	if err != nil {
 		return nil, err
 	}
 	if ownerID.Valid {
 		v := ownerID.Int64
 		cred.OwnerID = &v
 	}
 	return &cred, nil
 }
 // GrantPGCredAccess grants an account read access to a pg_credentials set.
 // If the grant already exists the call is a no-op (UNIQUE constraint).
 // grantedBy may be nil if the grant is made programmatically.
 func (db *DB) GrantPGCredAccess(credentialID, granteeID int64, grantedBy *int64) error {
 	n := now()
 	_, err := db.sql.Exec(`
 		INSERT INTO pg_credential_access (credential_id, grantee_id, granted_by, granted_at)
 		VALUES (?, ?, ?, ?)
 		ON CONFLICT(credential_id, grantee_id) DO NOTHING
 	`, credentialID, granteeID, grantedBy, n)
 	if err != nil {
 		return fmt.Errorf("db: grant pg cred access: %w", err)
 	}
 	return nil
 }
 // RevokePGCredAccess removes a grantee's access to a pg_credentials set.
 func (db *DB) RevokePGCredAccess(credentialID, granteeID int64) error {
 	_, err := db.sql.Exec(`
 		DELETE FROM pg_credential_access WHERE credential_id = ? AND grantee_id = ?
 	`, credentialID, granteeID)
 	if err != nil {
 		return fmt.Errorf("db: revoke pg cred access: %w", err)
 	}
 	return nil
 }
 // ListPGCredAccess returns all access grants for a pg_credentials set,
 // joining against accounts to populate grantee username and UUID.
 func (db *DB) ListPGCredAccess(credentialID int64) ([]*model.PGCredAccessGrant, error) {
 	rows, err := db.sql.Query(`
 		SELECT pca.id, pca.credential_id, pca.grantee_id, pca.granted_by, pca.granted_at,
 		       a.uuid, a.username
 		FROM pg_credential_access pca
 		JOIN accounts a ON a.id = pca.grantee_id
 		WHERE pca.credential_id = ?
 		ORDER BY pca.granted_at ASC
 	`, credentialID)
 	if err != nil {
 		return nil, fmt.Errorf("db: list pg cred access: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	var grants []*model.PGCredAccessGrant
 	for rows.Next() {
 		g, err := scanPGCredAccessGrant(rows)
 		if err != nil {
 			return nil, err
 		}
 		grants = append(grants, g)
 	}
 	return grants, rows.Err()
 }
 // CheckPGCredAccess reports whether accountID has an explicit access grant for
 // credentialID.  The credential owner always has access implicitly; callers
 // must check ownership separately.
 func (db *DB) CheckPGCredAccess(credentialID, accountID int64) (bool, error) {
 	var count int
 	err := db.sql.QueryRow(`
 		SELECT COUNT(*) FROM pg_credential_access
 		WHERE credential_id = ? AND grantee_id = ?
 	`, credentialID, accountID).Scan(&count)
 	if err != nil {
 		return false, fmt.Errorf("db: check pg cred access: %w", err)
 	}
 	return count > 0, nil
 }
 // PGCredWithAccount extends PGCredential with the owning system account's
 // username, used for the "My PG Credentials" listing view.
 type PGCredWithAccount struct {
 	model.PGCredential
 }
 // ListAccessiblePGCreds returns all pg_credentials rows that accountID may
 // view: those where accountID is the owner, plus those where an explicit
 // access grant exists.  The ServiceUsername and ServiceAccountUUID fields are
 // populated from the owning system account for display and navigation.
 func (db *DB) ListAccessiblePGCreds(accountID int64) ([]*model.PGCredential, error) {
 	rows, err := db.sql.Query(`
 		SELECT p.id, p.account_id, p.pg_host, p.pg_port, p.pg_database, p.pg_username,
 		       p.pg_password_enc, p.pg_password_nonce, p.created_at, p.updated_at, p.owner_id,
 		       a.username, a.uuid
 		FROM pg_credentials p
 		JOIN accounts a ON a.id = p.account_id
 		WHERE p.owner_id = ?
 		   OR EXISTS (
 		       SELECT 1 FROM pg_credential_access pca
 		       WHERE pca.credential_id = p.id AND pca.grantee_id = ?
 		   )
 		ORDER BY a.username ASC
 	`, accountID, accountID)
 	if err != nil {
 		return nil, fmt.Errorf("db: list accessible pg creds: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	var creds []*model.PGCredential
 	for rows.Next() {
 		cred, err := scanPGCredWithUsername(rows)
 		if err != nil {
 			return nil, err
 		}
 		creds = append(creds, cred)
 	}
 	return creds, rows.Err()
 }
 func scanPGCredWithUsername(rows *sql.Rows) (*model.PGCredential, error) {
 	var cred model.PGCredential
 	var createdAtStr, updatedAtStr string
 	var ownerID sql.NullInt64
 	err := rows.Scan(
 		&cred.ID, &cred.AccountID, &cred.PGHost, &cred.PGPort,
 		&cred.PGDatabase, &cred.PGUsername,
 		&cred.PGPasswordEnc, &cred.PGPasswordNonce,
 		&createdAtStr, &updatedAtStr, &ownerID,
 		&cred.ServiceUsername, &cred.ServiceAccountUUID,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("db: scan pg cred with username: %w", err)
 	}
 	cred.CreatedAt, err = parseTime(createdAtStr)
 	if err != nil {
 		return nil, err
 	}
 	cred.UpdatedAt, err = parseTime(updatedAtStr)
 	if err != nil {
 		return nil, err
 	}
 	if ownerID.Valid {
 		v := ownerID.Int64
 		cred.OwnerID = &v
 	}
 	return &cred, nil
 }
 func scanPGCredAccessGrant(rows *sql.Rows) (*model.PGCredAccessGrant, error) {
 	var g model.PGCredAccessGrant
 	var grantedAtStr string
 	var grantedBy sql.NullInt64
 	err := rows.Scan(
 		&g.ID, &g.CredentialID, &g.GranteeID, &grantedBy, &grantedAtStr,
 		&g.GranteeUUID, &g.GranteeName,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("db: scan pg cred access grant: %w", err)
 	}
 	g.GrantedAt, err = time.Parse("2006-01-02T15:04:05Z", grantedAtStr)
 	if err != nil {
 		return nil, fmt.Errorf("db: parse pg cred access grant time %q: %w", grantedAtStr, err)
 	}
 	if grantedBy.Valid {
 		v := grantedBy.Int64
 		g.GrantedBy = &v
 	}
 	return &g, nil
 }
--- a/internal/db/policy.go
+++ b/internal/db/policy.go
@@ -4,18 +4,23 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"time"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
 )
 // policyRuleCols is the column list for all policy rule SELECT queries.
 const policyRuleCols = `id, priority, description, rule_json, enabled, created_by, created_at, updated_at, not_before, expires_at`
 // CreatePolicyRule inserts a new policy rule record. The returned record
 // includes the database-assigned ID and timestamps.
-func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string, createdBy *int64) (*model.PolicyRuleRecord, error) {
+// notBefore and expiresAt are optional; nil means no constraint.
 func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string, createdBy *int64, notBefore, expiresAt *time.Time) (*model.PolicyRuleRecord, error) {
 	n := now()
 	result, err := db.sql.Exec(`
-		INSERT INTO policy_rules (priority, description, rule_json, enabled, created_by, created_at, updated_at)
+		INSERT INTO policy_rules (priority, description, rule_json, enabled, created_by, created_at, updated_at, not_before, expires_at)
-		VALUES (?, ?, ?, 1, ?, ?, ?)
+		VALUES (?, ?, ?, 1, ?, ?, ?, ?, ?)
-	`, priority, description, ruleJSON, createdBy, n, n)
+	`, priority, description, ruleJSON, createdBy, n, n, formatNullableTime(notBefore), formatNullableTime(expiresAt))
 	if err != nil {
 		return nil, fmt.Errorf("db: create policy rule: %w", err)
 	}
@@ -39,6 +44,8 @@ func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string
 		CreatedBy:   createdBy,
 		CreatedAt:   createdAt,
 		UpdatedAt:   createdAt,
 		NotBefore:   notBefore,
 		ExpiresAt:   expiresAt,
 	}, nil
 }
@@ -46,7 +53,7 @@ func (db *DB) CreatePolicyRule(description string, priority int, ruleJSON string
 // Returns ErrNotFound if no such rule exists.
 func (db *DB) GetPolicyRule(id int64) (*model.PolicyRuleRecord, error) {
 	return db.scanPolicyRule(db.sql.QueryRow(`
-		SELECT id, priority, description, rule_json, enabled, created_by, created_at, updated_at
+		SELECT `+policyRuleCols+`
 		FROM policy_rules WHERE id = ?
 	`, id))
 }
@@ -55,7 +62,7 @@ func (db *DB) GetPolicyRule(id int64) (*model.PolicyRuleRecord, error) {
 // When enabledOnly is true, only rules with enabled=1 are returned.
 func (db *DB) ListPolicyRules(enabledOnly bool) ([]*model.PolicyRuleRecord, error) {
 	query := `
-		SELECT id, priority, description, rule_json, enabled, created_by, created_at, updated_at
+		SELECT ` + policyRuleCols + `
 		FROM policy_rules`
 	if enabledOnly {
 		query += ` WHERE enabled = 1`
@@ -80,8 +87,12 @@ func (db *DB) ListPolicyRules(enabledOnly bool) ([]*model.PolicyRuleRecord, erro
 }
 // UpdatePolicyRule updates the mutable fields of a policy rule.
-// Only the fields in the update map are changed; other fields are untouched.
+// Only non-nil fields are changed; nil fields are left untouched.
-func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, ruleJSON *string) error {
+// For notBefore and expiresAt, use a non-nil pointer-to-pointer:
 //   - nil (outer)       → don't change
 //   - non-nil → nil     → set column to NULL
 //   - non-nil → non-nil → set column to the time value
 func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, ruleJSON *string, notBefore, expiresAt **time.Time) error {
 	n := now()
 	// Build SET clause dynamically to only update provided fields.
@@ -102,6 +113,14 @@ func (db *DB) UpdatePolicyRule(id int64, description *string, priority *int, rul
 		setClauses += ", rule_json = ?"
 		args = append(args, *ruleJSON)
 	}
 	if notBefore != nil {
 		setClauses += ", not_before = ?"
 		args = append(args, formatNullableTime(*notBefore))
 	}
 	if expiresAt != nil {
 		setClauses += ", expires_at = ?"
 		args = append(args, formatNullableTime(*expiresAt))
 	}
 	args = append(args, id)
 	_, err := db.sql.Exec(`UPDATE policy_rules SET `+setClauses+` WHERE id = ?`, args...)
@@ -141,10 +160,12 @@ func (db *DB) scanPolicyRule(row *sql.Row) (*model.PolicyRuleRecord, error) {
 	var enabledInt int
 	var createdAtStr, updatedAtStr string
 	var createdBy *int64
 	var notBeforeStr, expiresAtStr *string
 	err := row.Scan(
 		&r.ID, &r.Priority, &r.Description, &r.RuleJSON,
 		&enabledInt, &createdBy, &createdAtStr, &updatedAtStr,
 		&notBeforeStr, &expiresAtStr,
 	)
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, ErrNotFound
@@ -153,7 +174,7 @@ func (db *DB) scanPolicyRule(row *sql.Row) (*model.PolicyRuleRecord, error) {
 		return nil, fmt.Errorf("db: scan policy rule: %w", err)
 	}
-	return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr)
+	return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr, notBeforeStr, expiresAtStr)
 }
 // scanPolicyRuleRow scans a single policy rule from *sql.Rows.
@@ -162,19 +183,21 @@ func (db *DB) scanPolicyRuleRow(rows *sql.Rows) (*model.PolicyRuleRecord, error)
 	var enabledInt int
 	var createdAtStr, updatedAtStr string
 	var createdBy *int64
 	var notBeforeStr, expiresAtStr *string
 	err := rows.Scan(
 		&r.ID, &r.Priority, &r.Description, &r.RuleJSON,
 		&enabledInt, &createdBy, &createdAtStr, &updatedAtStr,
 		&notBeforeStr, &expiresAtStr,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("db: scan policy rule row: %w", err)
 	}
-	return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr)
+	return finishPolicyRuleScan(&r, enabledInt, createdBy, createdAtStr, updatedAtStr, notBeforeStr, expiresAtStr)
 }
-func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *int64, createdAtStr, updatedAtStr string) (*model.PolicyRuleRecord, error) {
+func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *int64, createdAtStr, updatedAtStr string, notBeforeStr, expiresAtStr *string) (*model.PolicyRuleRecord, error) {
 	r.Enabled = enabledInt == 1
 	r.CreatedBy = createdBy
@@ -187,5 +210,23 @@ func finishPolicyRuleScan(r *model.PolicyRuleRecord, enabledInt int, createdBy *
 	if err != nil {
 		return nil, err
 	}
 	r.NotBefore, err = nullableTime(notBeforeStr)
 	if err != nil {
 		return nil, err
 	}
 	r.ExpiresAt, err = nullableTime(expiresAtStr)
 	if err != nil {
 		return nil, err
 	}
 	return r, nil
 }
 // formatNullableTime converts a *time.Time to a *string suitable for SQLite.
 // Returns nil if the input is nil (stores NULL).
 func formatNullableTime(t *time.Time) *string {
 	if t == nil {
 		return nil
 	}
 	s := t.UTC().Format(time.RFC3339)
 	return &s
 }
--- a/internal/db/policy_test.go
+++ b/internal/db/policy_test.go
@@ -3,6 +3,7 @@ package db
 import (
 	"errors"
 	"testing"
 	"time"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
 )
@@ -11,7 +12,7 @@ func TestCreateAndGetPolicyRule(t *testing.T) {
 	db := openTestDB(t)
 	ruleJSON := `{"actions":["pgcreds:read"],"resource_type":"pgcreds","effect":"allow"}`
-	rec, err := db.CreatePolicyRule("test rule", 50, ruleJSON, nil)
+	rec, err := db.CreatePolicyRule("test rule", 50, ruleJSON, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule: %v", err)
 	}
@@ -49,9 +50,9 @@ func TestGetPolicyRule_NotFound(t *testing.T) {
 func TestListPolicyRules(t *testing.T) {
 	db := openTestDB(t)
-	_, _ = db.CreatePolicyRule("rule A", 100, `{"effect":"allow"}`, nil)
+	_, _ = db.CreatePolicyRule("rule A", 100, `{"effect":"allow"}`, nil, nil, nil)
-	_, _ = db.CreatePolicyRule("rule B", 50, `{"effect":"deny"}`, nil)
+	_, _ = db.CreatePolicyRule("rule B", 50, `{"effect":"deny"}`, nil, nil, nil)
-	_, _ = db.CreatePolicyRule("rule C", 200, `{"effect":"allow"}`, nil)
+	_, _ = db.CreatePolicyRule("rule C", 200, `{"effect":"allow"}`, nil, nil, nil)
 	rules, err := db.ListPolicyRules(false)
 	if err != nil {
@@ -70,8 +71,8 @@ func TestListPolicyRules(t *testing.T) {
 func TestListPolicyRules_EnabledOnly(t *testing.T) {
 	db := openTestDB(t)
-	r1, _ := db.CreatePolicyRule("enabled rule", 100, `{"effect":"allow"}`, nil)
+	r1, _ := db.CreatePolicyRule("enabled rule", 100, `{"effect":"allow"}`, nil, nil, nil)
-	r2, _ := db.CreatePolicyRule("disabled rule", 100, `{"effect":"deny"}`, nil)
+	r2, _ := db.CreatePolicyRule("disabled rule", 100, `{"effect":"deny"}`, nil, nil, nil)
 	if err := db.SetPolicyRuleEnabled(r2.ID, false); err != nil {
 		t.Fatalf("SetPolicyRuleEnabled: %v", err)
@@ -100,11 +101,11 @@ func TestListPolicyRules_EnabledOnly(t *testing.T) {
 func TestUpdatePolicyRule(t *testing.T) {
 	db := openTestDB(t)
-	rec, _ := db.CreatePolicyRule("original", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("original", 100, `{"effect":"allow"}`, nil, nil, nil)
 	newDesc := "updated description"
 	newPriority := 25
-	if err := db.UpdatePolicyRule(rec.ID, &newDesc, &newPriority, nil); err != nil {
+	if err := db.UpdatePolicyRule(rec.ID, &newDesc, &newPriority, nil, nil, nil); err != nil {
 		t.Fatalf("UpdatePolicyRule: %v", err)
 	}
@@ -127,10 +128,10 @@ func TestUpdatePolicyRule(t *testing.T) {
 func TestUpdatePolicyRule_RuleJSON(t *testing.T) {
 	db := openTestDB(t)
-	rec, _ := db.CreatePolicyRule("rule", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("rule", 100, `{"effect":"allow"}`, nil, nil, nil)
 	newJSON := `{"effect":"deny","roles":["auditor"]}`
-	if err := db.UpdatePolicyRule(rec.ID, nil, nil, &newJSON); err != nil {
+	if err := db.UpdatePolicyRule(rec.ID, nil, nil, &newJSON, nil, nil); err != nil {
 		t.Fatalf("UpdatePolicyRule (json only): %v", err)
 	}
@@ -150,7 +151,7 @@ func TestUpdatePolicyRule_RuleJSON(t *testing.T) {
 func TestSetPolicyRuleEnabled(t *testing.T) {
 	db := openTestDB(t)
-	rec, _ := db.CreatePolicyRule("toggle rule", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("toggle rule", 100, `{"effect":"allow"}`, nil, nil, nil)
 	if !rec.Enabled {
 		t.Fatal("new rule should be enabled")
 	}
@@ -175,7 +176,7 @@ func TestSetPolicyRuleEnabled(t *testing.T) {
 func TestDeletePolicyRule(t *testing.T) {
 	db := openTestDB(t)
-	rec, _ := db.CreatePolicyRule("to delete", 100, `{"effect":"allow"}`, nil)
+	rec, _ := db.CreatePolicyRule("to delete", 100, `{"effect":"allow"}`, nil, nil, nil)
 	if err := db.DeletePolicyRule(rec.ID); err != nil {
 		t.Fatalf("DeletePolicyRule: %v", err)
@@ -200,7 +201,7 @@ func TestCreatePolicyRule_WithCreatedBy(t *testing.T) {
 	db := openTestDB(t)
 	acct, _ := db.CreateAccount("policy-creator", model.AccountTypeHuman, "hash")
-	rec, err := db.CreatePolicyRule("by user", 100, `{"effect":"allow"}`, &acct.ID)
+	rec, err := db.CreatePolicyRule("by user", 100, `{"effect":"allow"}`, &acct.ID, nil, nil)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule with createdBy: %v", err)
 	}
@@ -210,3 +211,111 @@ func TestCreatePolicyRule_WithCreatedBy(t *testing.T) {
 		t.Errorf("expected CreatedBy=%d, got %v", acct.ID, got.CreatedBy)
 	}
 }
 func TestCreatePolicyRule_WithExpiresAt(t *testing.T) {
 	db := openTestDB(t)
 	exp := time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC)
 	rec, err := db.CreatePolicyRule("expiring rule", 100, `{"effect":"allow"}`, nil, nil, &exp)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule with expiresAt: %v", err)
 	}
 	got, err := db.GetPolicyRule(rec.ID)
 	if err != nil {
 		t.Fatalf("GetPolicyRule: %v", err)
 	}
 	if got.ExpiresAt == nil {
 		t.Fatal("expected ExpiresAt to be set")
 	}
 	if !got.ExpiresAt.Equal(exp) {
 		t.Errorf("expected ExpiresAt=%v, got %v", exp, *got.ExpiresAt)
 	}
 	if got.NotBefore != nil {
 		t.Errorf("expected NotBefore=nil, got %v", *got.NotBefore)
 	}
 }
 func TestCreatePolicyRule_WithNotBefore(t *testing.T) {
 	db := openTestDB(t)
 	nb := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
 	rec, err := db.CreatePolicyRule("scheduled rule", 100, `{"effect":"allow"}`, nil, &nb, nil)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule with notBefore: %v", err)
 	}
 	got, err := db.GetPolicyRule(rec.ID)
 	if err != nil {
 		t.Fatalf("GetPolicyRule: %v", err)
 	}
 	if got.NotBefore == nil {
 		t.Fatal("expected NotBefore to be set")
 	}
 	if !got.NotBefore.Equal(nb) {
 		t.Errorf("expected NotBefore=%v, got %v", nb, *got.NotBefore)
 	}
 	if got.ExpiresAt != nil {
 		t.Errorf("expected ExpiresAt=nil, got %v", *got.ExpiresAt)
 	}
 }
 func TestCreatePolicyRule_WithBothTimes(t *testing.T) {
 	db := openTestDB(t)
 	nb := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
 	exp := time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC)
 	rec, err := db.CreatePolicyRule("windowed rule", 100, `{"effect":"allow"}`, nil, &nb, &exp)
 	if err != nil {
 		t.Fatalf("CreatePolicyRule with both times: %v", err)
 	}
 	got, err := db.GetPolicyRule(rec.ID)
 	if err != nil {
 		t.Fatalf("GetPolicyRule: %v", err)
 	}
 	if got.NotBefore == nil || !got.NotBefore.Equal(nb) {
 		t.Errorf("NotBefore mismatch: got %v", got.NotBefore)
 	}
 	if got.ExpiresAt == nil || !got.ExpiresAt.Equal(exp) {
 		t.Errorf("ExpiresAt mismatch: got %v", got.ExpiresAt)
 	}
 }
 func TestUpdatePolicyRule_SetExpiresAt(t *testing.T) {
 	db := openTestDB(t)
 	rec, _ := db.CreatePolicyRule("no expiry", 100, `{"effect":"allow"}`, nil, nil, nil)
 	exp := time.Date(2030, 12, 31, 23, 59, 59, 0, time.UTC)
 	expPtr := &exp
 	if err := db.UpdatePolicyRule(rec.ID, nil, nil, nil, nil, &expPtr); err != nil {
 		t.Fatalf("UpdatePolicyRule (set expires_at): %v", err)
 	}
 	got, _ := db.GetPolicyRule(rec.ID)
 	if got.ExpiresAt == nil {
 		t.Fatal("expected ExpiresAt to be set after update")
 	}
 	if !got.ExpiresAt.Equal(exp) {
 		t.Errorf("expected ExpiresAt=%v, got %v", exp, *got.ExpiresAt)
 	}
 }
 func TestUpdatePolicyRule_ClearExpiresAt(t *testing.T) {
 	db := openTestDB(t)
 	exp := time.Date(2030, 6, 1, 0, 0, 0, 0, time.UTC)
 	rec, _ := db.CreatePolicyRule("will clear", 100, `{"effect":"allow"}`, nil, nil, &exp)
 	// Clear expires_at by passing non-nil outer, nil inner.
 	var nilTime *time.Time
 	if err := db.UpdatePolicyRule(rec.ID, nil, nil, nil, nil, &nilTime); err != nil {
 		t.Fatalf("UpdatePolicyRule (clear expires_at): %v", err)
 	}
 	got, _ := db.GetPolicyRule(rec.ID)
 	if got.ExpiresAt != nil {
 		t.Errorf("expected ExpiresAt=nil after clear, got %v", *got.ExpiresAt)
 	}
 }
--- a/internal/grpcserver/auth.go
+++ b/internal/grpcserver/auth.go
@@ -72,8 +72,14 @@ func (a *authServiceServer) Login(ctx context.Context, req *mciasv1.LoginRequest
 	if acct.TOTPRequired {
 		if req.TotpCode == "" {
 			// Security (DEF-08): password was already verified, so a missing
 			// TOTP code means the gRPC client needs to re-prompt the user —
 			// it is not a credential failure.  Do NOT increment the lockout
 			// counter here; doing so would lock out well-behaved clients that
 			// call Login in two steps (password first, TOTP second) and would
 			// also let an attacker trigger account lockout by omitting the
 			// code after a successful password guess.
 			a.s.db.WriteAuditEvent(model.EventLoginFail, &acct.ID, nil, ip, `{"reason":"totp_missing"}`) //nolint:errcheck
 			_ = a.s.db.RecordLoginFailure(acct.ID)
 			return nil, status.Error(codes.Unauthenticated, "TOTP code required")
 		}
 		secret, err := crypto.OpenAESGCM(a.s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
@@ -81,12 +87,19 @@ func (a *authServiceServer) Login(ctx context.Context, req *mciasv1.LoginRequest
 			a.s.logger.Error("decrypt TOTP secret", "error", err, "account_id", acct.ID)
 			return nil, status.Error(codes.Internal, "internal error")
 		}
-		valid, err := auth.ValidateTOTP(secret, req.TotpCode)
+		valid, counter, err := auth.ValidateTOTP(secret, req.TotpCode)
 		if err != nil || !valid {
 			a.s.db.WriteAuditEvent(model.EventLoginTOTPFail, &acct.ID, nil, ip, `{"reason":"wrong_totp"}`) //nolint:errcheck
 			_ = a.s.db.RecordLoginFailure(acct.ID)
 			return nil, status.Error(codes.Unauthenticated, "invalid credentials")
 		}
 		// Security (CRIT-01): reject replay of a code already used within
 		// its ±30-second validity window.
 		if err := a.s.db.CheckAndUpdateTOTPCounter(acct.ID, counter); err != nil {
 			a.s.db.WriteAuditEvent(model.EventLoginTOTPFail, &acct.ID, nil, ip, `{"reason":"totp_replay"}`) //nolint:errcheck
 			_ = a.s.db.RecordLoginFailure(acct.ID)
 			return nil, status.Error(codes.Unauthenticated, "invalid credentials")
 		}
 	}
 	// Login succeeded: clear any outstanding failure counter.
@@ -199,7 +212,12 @@ func (a *authServiceServer) EnrollTOTP(ctx context.Context, _ *mciasv1.EnrollTOT
 		return nil, status.Error(codes.Internal, "internal error")
 	}
-	if err := a.s.db.SetTOTP(acct.ID, secretEnc, secretNonce); err != nil {
+	// Security: use StorePendingTOTP (not SetTOTP) so that totp_required is
 	// not set to 1 until the user confirms the code via ConfirmTOTP.  Calling
 	// SetTOTP here would immediately lock the account behind TOTP before the
 	// user has had a chance to configure their authenticator app — matching the
 	// behaviour of the REST EnrollTOTP handler at internal/server/server.go.
 	if err := a.s.db.StorePendingTOTP(acct.ID, secretEnc, secretNonce); err != nil {
 		return nil, status.Error(codes.Internal, "internal error")
 	}
@@ -232,10 +250,15 @@ func (a *authServiceServer) ConfirmTOTP(ctx context.Context, req *mciasv1.Confir
 		return nil, status.Error(codes.Internal, "internal error")
 	}
-	valid, err := auth.ValidateTOTP(secret, req.Code)
+	valid, counter, err := auth.ValidateTOTP(secret, req.Code)
 	if err != nil || !valid {
 		return nil, status.Error(codes.Unauthenticated, "invalid TOTP code")
 	}
 	// Security (CRIT-01): record the counter even during enrollment confirmation
 	// so the same code cannot be replayed immediately after confirming.
 	if err := a.s.db.CheckAndUpdateTOTPCounter(acct.ID, counter); err != nil {
 		return nil, status.Error(codes.Unauthenticated, "invalid TOTP code")
 	}
 	// SetTOTP with existing enc/nonce sets totp_required=1, confirming enrollment.
 	if err := a.s.db.SetTOTP(acct.ID, acct.TOTPSecretEnc, acct.TOTPSecretNonce); err != nil {
--- a/internal/grpcserver/grpcserver_test.go
+++ b/internal/grpcserver/grpcserver_test.go
@@ -542,7 +542,7 @@ func TestSetAndGetRoles(t *testing.T) {
 	_, err = cl.SetRoles(authCtx(adminTok), &mciasv1.SetRolesRequest{
 		Id:    id,
-		Roles: []string{"editor", "viewer"},
+		Roles: []string{"admin", "user"},
 	})
 	if err != nil {
 		t.Fatalf("SetRoles: %v", err)
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -176,15 +176,62 @@ type ipRateLimiter struct {
 	mu    sync.Mutex
 }
 // ClientIP returns the real client IP for a request, optionally trusting a
 // single reverse-proxy address.
 //
 // Security (DEF-03): X-Forwarded-For and X-Real-IP headers can be forged by
 // any client. This function only honours them when the immediate TCP peer
 // (r.RemoteAddr) matches trustedProxy exactly. When trustedProxy is nil or
 // the peer address does not match, r.RemoteAddr is used unconditionally.
 //
 // This prevents IP-spoofing attacks: an attacker who sends a fake
 // X-Forwarded-For header from their own connection still has their real IP
 // used for rate limiting, because their RemoteAddr will not match the proxy.
 //
 // Only the first (leftmost) value in X-Forwarded-For is used, as that is the
 // client-supplied address as appended by the outermost proxy. If neither
 // header is present, RemoteAddr is used as a fallback even when the request
 // comes from the proxy.
 func ClientIP(r *http.Request, trustedProxy net.IP) string {
 	remoteHost, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
 		remoteHost = r.RemoteAddr
 	}
 	if trustedProxy != nil {
 		remoteIP := net.ParseIP(remoteHost)
 		if remoteIP != nil && remoteIP.Equal(trustedProxy) {
 			// Request is from the trusted proxy; extract the real client IP.
 			// Prefer X-Real-IP (single value) over X-Forwarded-For (may be a
 			// comma-separated list when multiple proxies are chained).
 			if xri := r.Header.Get("X-Real-IP"); xri != "" {
 				if ip := net.ParseIP(strings.TrimSpace(xri)); ip != nil {
 					return ip.String()
 				}
 			}
 			if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
 				// Take the first (leftmost) address — the original client.
 				first, _, _ := strings.Cut(xff, ",")
 				if ip := net.ParseIP(strings.TrimSpace(first)); ip != nil {
 					return ip.String()
 				}
 			}
 		}
 	}
 	return remoteHost
 }
 // RateLimit returns middleware implementing a per-IP token bucket.
 // rps is the sustained request rate (tokens refilled per second).
 // burst is the maximum burst size (initial and maximum token count).
 // trustedProxy, if non-nil, enables proxy-aware client IP extraction via
 // ClientIP; pass nil when not running behind a reverse proxy.
 //
-// Security: Rate limiting is applied at the IP level. In production, the
+// Security (DEF-03): when trustedProxy is set, real client IPs are extracted
-// server should be behind a reverse proxy that sets X-Forwarded-For; this
+// from X-Forwarded-For/X-Real-IP headers but only for requests whose
-// middleware uses RemoteAddr directly which may be the proxy IP. For single-
+// RemoteAddr matches the trusted proxy, preventing IP-spoofing.
-// instance deployment without a proxy, RemoteAddr is the client IP.
+func RateLimit(rps float64, burst int, trustedProxy net.IP) func(http.Handler) http.Handler {
 func RateLimit(rps float64, burst int) func(http.Handler) http.Handler {
 	limiter := &ipRateLimiter{
 		rps:   rps,
 		burst: float64(burst),
@@ -197,10 +244,7 @@ func RateLimit(rps float64, burst int) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			ip, _, err := net.SplitHostPort(r.RemoteAddr)
+			ip := ClientIP(r, trustedProxy)
 			if err != nil {
 				ip = r.RemoteAddr
 			}
 			if !limiter.allow(ip) {
 				w.Header().Set("Retry-After", "60")
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/middleware_test.go
@@ -6,6 +6,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"log/slog"
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -271,7 +272,7 @@ func TestRequireRoleNoClaims(t *testing.T) {
 }
 func TestRateLimitAllows(t *testing.T) {
-	handler := RateLimit(10, 5)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := RateLimit(10, 5, nil)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -289,7 +290,7 @@ func TestRateLimitAllows(t *testing.T) {
 }
 func TestRateLimitBlocks(t *testing.T) {
-	handler := RateLimit(0.1, 2)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := RateLimit(0.1, 2, nil)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -340,3 +341,124 @@ func TestExtractBearerToken(t *testing.T) {
 		})
 	}
 }
 // TestClientIP verifies the proxy-aware IP extraction logic.
 func TestClientIP(t *testing.T) {
 	proxy := net.ParseIP("10.0.0.1")
 	tests := []struct {
 		name          string
 		remoteAddr    string
 		xForwardedFor string
 		xRealIP       string
 		trustedProxy  net.IP
 		want          string
 	}{
 		{
 			name:       "no proxy configured: uses RemoteAddr",
 			remoteAddr: "203.0.113.5:54321",
 			want:       "203.0.113.5",
 		},
 		{
 			name:          "proxy configured but request not from proxy: uses RemoteAddr",
 			remoteAddr:    "198.51.100.9:12345",
 			xForwardedFor: "203.0.113.99",
 			trustedProxy:  proxy,
 			want:          "198.51.100.9",
 		},
 		{
 			name:          "request from trusted proxy with X-Real-IP: uses X-Real-IP",
 			remoteAddr:    "10.0.0.1:8080",
 			xRealIP:       "203.0.113.42",
 			trustedProxy:  proxy,
 			want:          "203.0.113.42",
 		},
 		{
 			name:          "request from trusted proxy with X-Forwarded-For: uses first entry",
 			remoteAddr:    "10.0.0.1:8080",
 			xForwardedFor: "203.0.113.77, 10.0.0.2",
 			trustedProxy:  proxy,
 			want:          "203.0.113.77",
 		},
 		{
 			name:          "X-Real-IP takes precedence over X-Forwarded-For",
 			remoteAddr:    "10.0.0.1:8080",
 			xRealIP:       "203.0.113.11",
 			xForwardedFor: "203.0.113.22",
 			trustedProxy:  proxy,
 			want:          "203.0.113.11",
 		},
 		{
 			name:          "proxy request with invalid X-Real-IP falls back to X-Forwarded-For",
 			remoteAddr:    "10.0.0.1:8080",
 			xRealIP:       "not-an-ip",
 			xForwardedFor: "203.0.113.55",
 			trustedProxy:  proxy,
 			want:          "203.0.113.55",
 		},
 		{
 			name:          "proxy request with no forwarding headers falls back to RemoteAddr host",
 			remoteAddr:    "10.0.0.1:8080",
 			trustedProxy:  proxy,
 			want:          "10.0.0.1",
 		},
 		{
 			// Security: attacker fakes X-Forwarded-For but connects directly.
 			name:          "spoofed X-Forwarded-For from non-proxy IP is ignored",
 			remoteAddr:    "198.51.100.99:9999",
 			xForwardedFor: "127.0.0.1",
 			trustedProxy:  proxy,
 			want:          "198.51.100.99",
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
 			req.RemoteAddr = tc.remoteAddr
 			if tc.xForwardedFor != "" {
 				req.Header.Set("X-Forwarded-For", tc.xForwardedFor)
 			}
 			if tc.xRealIP != "" {
 				req.Header.Set("X-Real-IP", tc.xRealIP)
 			}
 			got := ClientIP(req, tc.trustedProxy)
 			if got != tc.want {
 				t.Errorf("ClientIP = %q, want %q", got, tc.want)
 			}
 		})
 	}
 }
 // TestRateLimitTrustedProxy verifies that rate limiting uses the forwarded IP
 // when the request originates from a trusted proxy.
 func TestRateLimitTrustedProxy(t *testing.T) {
 	proxy := net.ParseIP("10.0.0.1")
 	// Very low rps and burst=1 so any two requests from the same IP are blocked.
 	handler := RateLimit(0.001, 1, proxy)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	// Two requests from the same real client IP, forwarded by the proxy.
 	// Both carry the same X-Real-IP; the second should be rate-limited.
 	for i, wantStatus := range []int{http.StatusOK, http.StatusTooManyRequests} {
 		req := httptest.NewRequest(http.MethodPost, "/v1/auth/login", nil)
 		req.RemoteAddr = "10.0.0.1:5000" // from the trusted proxy
 		req.Header.Set("X-Real-IP", "203.0.113.5")
 		rr := httptest.NewRecorder()
 		handler.ServeHTTP(rr, req)
 		if rr.Code != wantStatus {
 			t.Errorf("request %d: status = %d, want %d", i+1, rr.Code, wantStatus)
 		}
 	}
 	// A different real client (different X-Real-IP) should still be allowed.
 	req := httptest.NewRequest(http.MethodPost, "/v1/auth/login", nil)
 	req.RemoteAddr = "10.0.0.1:5001"
 	req.Header.Set("X-Real-IP", "203.0.113.99")
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	if rr.Code != http.StatusOK {
 		t.Errorf("distinct client: status = %d, want 200 (separate bucket)", rr.Code)
 	}
 }
--- a/internal/model/model.go
+++ b/internal/model/model.go
@@ -2,7 +2,10 @@
 // These are pure data definitions with no external dependencies.
 package model
-import "time"
+import (
 	"fmt"
 	"time"
 )
 // AccountType distinguishes human interactive accounts from non-interactive
 // service accounts.
@@ -43,6 +46,33 @@ type Account struct {
 	TOTPRequired    bool          `json:"totp_required"`
 }
 // Allowlisted role names (DEF-10).
 // Only these strings may be stored in account_roles.  Extending the set of
 // valid roles requires a code change, ensuring that typos such as "admim"
 // are caught at grant time rather than silently creating a useless role.
 const (
 	RoleAdmin = "admin"
 	RoleUser  = "user"
 )
 // allowedRoles is the compile-time set of recognised role names.
 var allowedRoles = map[string]struct{}{
 	RoleAdmin: {},
 	RoleUser:  {},
 }
 // ValidateRole returns nil if role is an allowlisted role name, or an error
 // describing the problem.  Call this before writing to account_roles.
 //
 // Security (DEF-10): prevents admins from accidentally creating unmatchable
 // roles (e.g. "admim") by enforcing a compile-time allowlist.
 func ValidateRole(role string) error {
 	if _, ok := allowedRoles[role]; !ok {
 		return fmt.Errorf("model: unknown role %q; allowed roles: admin, user", role)
 	}
 	return nil
 }
 // Role is a string label assigned to an account to grant permissions.
 type Role struct {
 	GrantedAt time.Time `json:"granted_at"`
@@ -87,13 +117,21 @@ type SystemToken struct {
 // PGCredential holds Postgres connection details for a system account.
 // The password is encrypted at rest; PGPassword is only populated after
 // decryption and must never be logged or included in API responses.
 //
 // OwnerID identifies the account permitted to update, delete, and manage
 // access grants for this credential set.  A nil OwnerID means the credential
 // pre-dates ownership tracking; for backwards compatibility, nil is treated as
 // unowned (only admins can manage it via the UI).
 type PGCredential struct {
 	CreatedAt          time.Time `json:"created_at"`
 	UpdatedAt          time.Time `json:"updated_at"`
-	PGHost          string    `json:"host"`
+	OwnerID            *int64    `json:"-"`
-	PGDatabase      string    `json:"database"`
+	ServiceAccountUUID string    `json:"service_account_uuid,omitempty"`
 	PGUsername         string    `json:"username"`
 	PGPassword         string    `json:"-"`
 	ServiceUsername    string    `json:"service_username,omitempty"`
 	PGDatabase         string    `json:"database"`
 	PGHost             string    `json:"host"`
 	PGPasswordEnc      []byte    `json:"-"`
 	PGPasswordNonce    []byte    `json:"-"`
 	ID                 int64     `json:"-"`
@@ -141,12 +179,38 @@ const (
 	EventPolicyDeny        = "policy_deny"
 )
 // PGCredAccessGrant records that a specific account has been granted read
 // access to a pg_credentials set.  Only the credential owner can manage
 // grants; grantees can view connection metadata but never the plaintext
 // password, and they cannot update or delete the credential set.
 type PGCredAccessGrant struct {
 	GrantedAt    time.Time `json:"granted_at"`
 	GrantedBy    *int64    `json:"-"`
 	GranteeUUID  string    `json:"grantee_id"`
 	GranteeName  string    `json:"grantee_username"`
 	ID           int64     `json:"-"`
 	CredentialID int64     `json:"-"`
 	GranteeID    int64     `json:"-"`
 }
 // Audit event type for pg_credential_access changes.
 const (
 	EventPGCredAccessGranted = "pgcred_access_granted" //nolint:gosec // G101: audit event type, not a credential
 	EventPGCredAccessRevoked = "pgcred_access_revoked" //nolint:gosec // G101: audit event type, not a credential
 	EventPasswordChanged = "password_changed"
 )
 // PolicyRuleRecord is the database representation of a policy rule.
 // RuleJSON holds a JSON-encoded policy.RuleBody (all match and effect fields).
 // The ID, Priority, and Description are stored as dedicated columns.
 // NotBefore and ExpiresAt define an optional validity window; nil means no
 // constraint (always active / never expires).
 type PolicyRuleRecord struct {
 	CreatedAt   time.Time  `json:"created_at"`
 	UpdatedAt   time.Time  `json:"updated_at"`
 	NotBefore   *time.Time `json:"not_before,omitempty"`
 	ExpiresAt   *time.Time `json:"expires_at,omitempty"`
 	CreatedBy   *int64     `json:"-"`
 	Description string     `json:"description"`
 	RuleJSON    string     `json:"rule_json"`
--- a/internal/policy/defaults.go
+++ b/internal/policy/defaults.go
@@ -42,6 +42,18 @@ var defaultRules = []Rule{
 		Actions:     []Action{ActionEnrollTOTP},
 		Effect:      Allow,
 	},
 	{
 		// Self-service password change: any authenticated human account may
 		// change their own password. The handler derives the target exclusively
 		// from the JWT subject (claims.Subject) and requires the current
 		// password, so a non-admin caller can only affect their own account.
 		ID:           -7,
 		Description:  "Self-service: any human account may change their own password",
 		Priority:     0,
 		AccountTypes: []string{"human"},
 		Actions:      []Action{ActionChangePassword},
 		Effect:       Allow,
 	},
 	{
 		// System accounts reading their own pgcreds: a service that has already
 		// authenticated (e.g. via its bearer service token) may retrieve its own
--- a/internal/policy/engine_test.go
+++ b/internal/policy/engine_test.go
@@ -2,6 +2,7 @@ package policy
 import (
 	"testing"
 	"time"
 )
 // adminInput is a convenience helper for building admin PolicyInputs.
@@ -378,3 +379,131 @@ func TestEvaluate_AccountTypeGating(t *testing.T) {
 		t.Error("human account should not match system-only rule")
 	}
 }
 // ---- Engine.SetRules time-filtering tests ----
 func TestSetRules_SkipsExpiredRule(t *testing.T) {
 	engine := NewEngine()
 	past := time.Now().Add(-1 * time.Hour)
 	err := engine.SetRules([]PolicyRecord{
 		{
 			ID:          1,
 			Description: "expired",
 			Priority:    100,
 			RuleJSON:    `{"effect":"allow","actions":["accounts:list"]}`,
 			Enabled:     true,
 			ExpiresAt:   &past,
 		},
 	})
 	if err != nil {
 		t.Fatalf("SetRules: %v", err)
 	}
 	// The expired rule should not be in the cache; evaluation should deny.
 	input := PolicyInput{
 		Subject:     "user-uuid",
 		AccountType: "human",
 		Roles:       []string{},
 		Action:      ActionListAccounts,
 		Resource:    Resource{Type: ResourceAccount},
 	}
 	effect, _ := engine.Evaluate(input)
 	if effect != Deny {
 		t.Error("expired rule should not match; expected Deny")
 	}
 }
 func TestSetRules_SkipsNotYetActiveRule(t *testing.T) {
 	engine := NewEngine()
 	future := time.Now().Add(1 * time.Hour)
 	err := engine.SetRules([]PolicyRecord{
 		{
 			ID:          2,
 			Description: "not yet active",
 			Priority:    100,
 			RuleJSON:    `{"effect":"allow","actions":["accounts:list"]}`,
 			Enabled:     true,
 			NotBefore:   &future,
 		},
 	})
 	if err != nil {
 		t.Fatalf("SetRules: %v", err)
 	}
 	input := PolicyInput{
 		Subject:     "user-uuid",
 		AccountType: "human",
 		Roles:       []string{},
 		Action:      ActionListAccounts,
 		Resource:    Resource{Type: ResourceAccount},
 	}
 	effect, _ := engine.Evaluate(input)
 	if effect != Deny {
 		t.Error("future not_before rule should not match; expected Deny")
 	}
 }
 func TestSetRules_IncludesActiveWindowRule(t *testing.T) {
 	engine := NewEngine()
 	past := time.Now().Add(-1 * time.Hour)
 	future := time.Now().Add(1 * time.Hour)
 	err := engine.SetRules([]PolicyRecord{
 		{
 			ID:          3,
 			Description: "currently active",
 			Priority:    100,
 			RuleJSON:    `{"effect":"allow","actions":["accounts:list"]}`,
 			Enabled:     true,
 			NotBefore:   &past,
 			ExpiresAt:   &future,
 		},
 	})
 	if err != nil {
 		t.Fatalf("SetRules: %v", err)
 	}
 	input := PolicyInput{
 		Subject:     "user-uuid",
 		AccountType: "human",
 		Roles:       []string{},
 		Action:      ActionListAccounts,
 		Resource:    Resource{Type: ResourceAccount},
 	}
 	effect, _ := engine.Evaluate(input)
 	if effect != Allow {
 		t.Error("rule within its active window should match; expected Allow")
 	}
 }
 func TestSetRules_NilTimesAlwaysActive(t *testing.T) {
 	engine := NewEngine()
 	err := engine.SetRules([]PolicyRecord{
 		{
 			ID:          4,
 			Description: "no time constraints",
 			Priority:    100,
 			RuleJSON:    `{"effect":"allow","actions":["accounts:list"]}`,
 			Enabled:     true,
 			// NotBefore and ExpiresAt are both nil.
 		},
 	})
 	if err != nil {
 		t.Fatalf("SetRules: %v", err)
 	}
 	input := PolicyInput{
 		Subject:     "user-uuid",
 		AccountType: "human",
 		Roles:       []string{},
 		Action:      ActionListAccounts,
 		Resource:    Resource{Type: ResourceAccount},
 	}
 	effect, _ := engine.Evaluate(input)
 	if effect != Allow {
 		t.Error("nil time fields mean always active; expected Allow")
 	}
 }
--- a/internal/policy/engine_wrapper.go
+++ b/internal/policy/engine_wrapper.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"sync"
 	"time"
 )
 // Engine wraps the stateless Evaluate function with an in-memory cache of
@@ -31,11 +32,19 @@ func NewEngine() *Engine {
 // into a Rule. This prevents the database from injecting values into the ID or
 // Description fields that are stored as dedicated columns.
 func (e *Engine) SetRules(records []PolicyRecord) error {
 	now := time.Now()
 	rules := make([]Rule, 0, len(records))
 	for _, rec := range records {
 		if !rec.Enabled {
 			continue
 		}
 		// Skip rules outside their validity window.
 		if rec.NotBefore != nil && now.Before(*rec.NotBefore) {
 			continue
 		}
 		if rec.ExpiresAt != nil && now.After(*rec.ExpiresAt) {
 			continue
 		}
 		var body RuleBody
 		if err := json.Unmarshal([]byte(rec.RuleJSON), &body); err != nil {
 			return fmt.Errorf("policy: decode rule %d %q: %w", rec.ID, rec.Description, err)
@@ -75,6 +84,8 @@ func (e *Engine) Evaluate(input PolicyInput) (Effect, *Rule) {
 // Using a local struct avoids importing the db or model packages from policy,
 // which would create a dependency cycle.
 type PolicyRecord struct {
 	NotBefore   *time.Time
 	ExpiresAt   *time.Time
 	Description string
 	RuleJSON    string
 	ID          int64
--- a/internal/policy/policy.go
+++ b/internal/policy/policy.go
@@ -44,6 +44,7 @@ const (
 	ActionLogin          Action = "auth:login"           // public
 	ActionLogout         Action = "auth:logout"          // self-service
 	ActionChangePassword Action = "auth:change_password" // self-service
 	ActionListRules   Action = "policy:list"
 	ActionManageRules Action = "policy:manage"
--- a/internal/server/handlers_policy.go
+++ b/internal/server/handlers_policy.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
 	"time"
 	"git.wntrmute.dev/kyle/mcias/internal/db"
 	"git.wntrmute.dev/kyle/mcias/internal/middleware"
@@ -90,6 +91,8 @@ func (s *Server) handleSetTags(w http.ResponseWriter, r *http.Request) {
 type policyRuleResponse struct {
 	CreatedAt   string          `json:"created_at"`
 	UpdatedAt   string          `json:"updated_at"`
 	NotBefore   *string         `json:"not_before,omitempty"`
 	ExpiresAt   *string         `json:"expires_at,omitempty"`
 	Description string          `json:"description"`
 	RuleBody    policy.RuleBody `json:"rule"`
 	ID          int64           `json:"id"`
@@ -102,15 +105,24 @@ func policyRuleToResponse(rec *model.PolicyRuleRecord) (policyRuleResponse, erro
 	if err := json.Unmarshal([]byte(rec.RuleJSON), &body); err != nil {
 		return policyRuleResponse{}, fmt.Errorf("decode rule body: %w", err)
 	}
-	return policyRuleResponse{
+	resp := policyRuleResponse{
 		ID:          rec.ID,
 		Priority:    rec.Priority,
 		Description: rec.Description,
 		RuleBody:    body,
 		Enabled:     rec.Enabled,
-		CreatedAt:   rec.CreatedAt.Format("2006-01-02T15:04:05Z"),
+		CreatedAt:   rec.CreatedAt.Format(time.RFC3339),
-		UpdatedAt:   rec.UpdatedAt.Format("2006-01-02T15:04:05Z"),
+		UpdatedAt:   rec.UpdatedAt.Format(time.RFC3339),
-	}, nil
+	}
 	if rec.NotBefore != nil {
 		s := rec.NotBefore.UTC().Format(time.RFC3339)
 		resp.NotBefore = &s
 	}
 	if rec.ExpiresAt != nil {
 		s := rec.ExpiresAt.UTC().Format(time.RFC3339)
 		resp.ExpiresAt = &s
 	}
 	return resp, nil
 }
 func (s *Server) handleListPolicyRules(w http.ResponseWriter, _ *http.Request) {
@@ -133,6 +145,8 @@ func (s *Server) handleListPolicyRules(w http.ResponseWriter, _ *http.Request) {
 type createPolicyRuleRequest struct {
 	Description string          `json:"description"`
 	NotBefore   *string         `json:"not_before,omitempty"`
 	ExpiresAt   *string         `json:"expires_at,omitempty"`
 	Rule        policy.RuleBody `json:"rule"`
 	Priority    int             `json:"priority"`
 }
@@ -157,6 +171,29 @@ func (s *Server) handleCreatePolicyRule(w http.ResponseWriter, r *http.Request)
 		priority = 100 // default
 	}
 	// Parse optional time-scoped validity window.
 	var notBefore, expiresAt *time.Time
 	if req.NotBefore != nil {
 		t, err := time.Parse(time.RFC3339, *req.NotBefore)
 		if err != nil {
 			middleware.WriteError(w, http.StatusBadRequest, "not_before must be RFC3339", "bad_request")
 			return
 		}
 		notBefore = &t
 	}
 	if req.ExpiresAt != nil {
 		t, err := time.Parse(time.RFC3339, *req.ExpiresAt)
 		if err != nil {
 			middleware.WriteError(w, http.StatusBadRequest, "expires_at must be RFC3339", "bad_request")
 			return
 		}
 		expiresAt = &t
 	}
 	if notBefore != nil && expiresAt != nil && !expiresAt.After(*notBefore) {
 		middleware.WriteError(w, http.StatusBadRequest, "expires_at must be after not_before", "bad_request")
 		return
 	}
 	ruleJSON, err := json.Marshal(req.Rule)
 	if err != nil {
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
@@ -171,7 +208,7 @@ func (s *Server) handleCreatePolicyRule(w http.ResponseWriter, r *http.Request)
 		}
 	}
-	rec, err := s.db.CreatePolicyRule(req.Description, priority, string(ruleJSON), createdBy)
+	rec, err := s.db.CreatePolicyRule(req.Description, priority, string(ruleJSON), createdBy, notBefore, expiresAt)
 	if err != nil {
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
@@ -203,9 +240,13 @@ func (s *Server) handleGetPolicyRule(w http.ResponseWriter, r *http.Request) {
 type updatePolicyRuleRequest struct {
 	Description    *string          `json:"description,omitempty"`
 	NotBefore      *string          `json:"not_before,omitempty"`
 	ExpiresAt      *string          `json:"expires_at,omitempty"`
 	Rule           *policy.RuleBody `json:"rule,omitempty"`
 	Priority       *int             `json:"priority,omitempty"`
 	Enabled        *bool            `json:"enabled,omitempty"`
 	ClearNotBefore *bool            `json:"clear_not_before,omitempty"`
 	ClearExpiresAt *bool            `json:"clear_expires_at,omitempty"`
 }
 func (s *Server) handleUpdatePolicyRule(w http.ResponseWriter, r *http.Request) {
@@ -230,11 +271,39 @@ func (s *Server) handleUpdatePolicyRule(w http.ResponseWriter, r *http.Request)
 			middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 			return
 		}
-		s := string(b)
+		js := string(b)
-		ruleJSON = &s
+		ruleJSON = &js
 	}
-	if err := s.db.UpdatePolicyRule(rec.ID, req.Description, req.Priority, ruleJSON); err != nil {
+	// Parse optional time-scoped validity window updates.
 	// Double-pointer semantics: nil = no change, non-nil→nil = clear, non-nil→non-nil = set.
 	var notBefore, expiresAt **time.Time
 	if req.ClearNotBefore != nil && *req.ClearNotBefore {
 		var nilTime *time.Time
 		notBefore = &nilTime // non-nil outer, nil inner → set to NULL
 	} else if req.NotBefore != nil {
 		t, err := time.Parse(time.RFC3339, *req.NotBefore)
 		if err != nil {
 			middleware.WriteError(w, http.StatusBadRequest, "not_before must be RFC3339", "bad_request")
 			return
 		}
 		tp := &t
 		notBefore = &tp
 	}
 	if req.ClearExpiresAt != nil && *req.ClearExpiresAt {
 		var nilTime *time.Time
 		expiresAt = &nilTime // non-nil outer, nil inner → set to NULL
 	} else if req.ExpiresAt != nil {
 		t, err := time.Parse(time.RFC3339, *req.ExpiresAt)
 		if err != nil {
 			middleware.WriteError(w, http.StatusBadRequest, "expires_at must be RFC3339", "bad_request")
 			return
 		}
 		tp := &t
 		expiresAt = &tp
 	}
 	if err := s.db.UpdatePolicyRule(rec.ID, req.Description, req.Priority, ruleJSON, notBefore, expiresAt); err != nil {
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -16,6 +16,7 @@ import (
 	"fmt"
 	"io/fs"
 	"log/slog"
 	"net"
 	"net/http"
 	"git.wntrmute.dev/kyle/mcias/internal/auth"
@@ -56,10 +57,19 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 func (s *Server) Handler() http.Handler {
 	mux := http.NewServeMux()
 	// Security (DEF-03): parse the optional trusted-proxy address once here
 	// so RateLimit and audit-log helpers use consistent IP extraction.
 	// net.ParseIP returns nil for an empty string, which disables proxy
 	// trust and falls back to r.RemoteAddr.
 	var trustedProxy net.IP
 	if s.cfg.Server.TrustedProxy != "" {
 		trustedProxy = net.ParseIP(s.cfg.Server.TrustedProxy)
 	}
 	// Security: per-IP rate limiting on public auth endpoints to prevent
 	// brute-force login attempts and token-validation abuse. Parameters match
 	// the gRPC rate limiter (10 req/s sustained, burst 10).
-	loginRateLimit := middleware.RateLimit(10, 10)
+	loginRateLimit := middleware.RateLimit(10, 10, trustedProxy)
 	// Public endpoints (no authentication required).
 	mux.HandleFunc("GET /v1/health", s.handleHealth)
@@ -82,16 +92,20 @@ func (s *Server) Handler() http.Handler {
 	if err != nil {
 		panic(fmt.Sprintf("server: read openapi.yaml: %v", err))
 	}
-	mux.HandleFunc("GET /docs", func(w http.ResponseWriter, _ *http.Request) {
+	// Security (DEF-09): apply defensive HTTP headers to the docs handlers.
 	// The Swagger UI page at /docs loads JavaScript from the same origin
 	// and renders untrusted content (API descriptions), so it benefits from
 	// CSP, X-Frame-Options, and the other headers applied to the UI sub-mux.
 	mux.Handle("GET /docs", docsSecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write(docsHTML)
-	})
+	})))
-	mux.HandleFunc("GET /docs/openapi.yaml", func(w http.ResponseWriter, _ *http.Request) {
+	mux.Handle("GET /docs/openapi.yaml", docsSecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/yaml")
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write(specYAML)
-	})
+	})))
 	// Authenticated endpoints.
 	requireAuth := middleware.RequireAuth(s.pubKey, s.db, s.cfg.Tokens.Issuer)
@@ -121,6 +135,10 @@ func (s *Server) Handler() http.Handler {
 	mux.Handle("GET /v1/audit", requireAdmin(http.HandlerFunc(s.handleListAudit)))
 	mux.Handle("GET /v1/accounts/{id}/tags", requireAdmin(http.HandlerFunc(s.handleGetTags)))
 	mux.Handle("PUT /v1/accounts/{id}/tags", requireAdmin(http.HandlerFunc(s.handleSetTags)))
 	mux.Handle("PUT /v1/accounts/{id}/password", requireAdmin(http.HandlerFunc(s.handleAdminSetPassword)))
 	// Self-service password change (requires valid token; actor must match target account).
 	mux.Handle("PUT /v1/auth/password", requireAuth(http.HandlerFunc(s.handleChangePassword)))
 	mux.Handle("GET /v1/policy/rules", requireAdmin(http.HandlerFunc(s.handleListPolicyRules)))
 	mux.Handle("POST /v1/policy/rules", requireAdmin(http.HandlerFunc(s.handleCreatePolicyRule)))
 	mux.Handle("GET /v1/policy/rules/{id}", requireAdmin(http.HandlerFunc(s.handleGetPolicyRule)))
@@ -247,13 +265,21 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
 			middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 			return
 		}
-		valid, err := auth.ValidateTOTP(secret, req.TOTPCode)
+		valid, totpCounter, err := auth.ValidateTOTP(secret, req.TOTPCode)
 		if err != nil || !valid {
 			s.writeAudit(r, model.EventLoginTOTPFail, &acct.ID, nil, `{"reason":"wrong_totp"}`)
 			_ = s.db.RecordLoginFailure(acct.ID)
 			middleware.WriteError(w, http.StatusUnauthorized, "invalid credentials", "unauthorized")
 			return
 		}
 		// Security (CRIT-01): reject replay of a code already used within
 		// its ±30-second validity window.
 		if err := s.db.CheckAndUpdateTOTPCounter(acct.ID, totpCounter); err != nil {
 			s.writeAudit(r, model.EventLoginTOTPFail, &acct.ID, nil, `{"reason":"totp_replay"}`)
 			_ = s.db.RecordLoginFailure(acct.ID)
 			middleware.WriteError(w, http.StatusUnauthorized, "invalid credentials", "unauthorized")
 			return
 		}
 	}
 	// Login succeeded: clear any outstanding failure counter.
@@ -760,11 +786,18 @@ func (s *Server) handleTOTPConfirm(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	valid, err := auth.ValidateTOTP(secret, req.Code)
+	valid, totpCounter, err := auth.ValidateTOTP(secret, req.Code)
 	if err != nil || !valid {
 		middleware.WriteError(w, http.StatusUnauthorized, "invalid TOTP code", "unauthorized")
 		return
 	}
 	// Security (CRIT-01): record the counter even during enrollment
 	// confirmation so the same code cannot be replayed immediately after
 	// confirming.
 	if err := s.db.CheckAndUpdateTOTPCounter(acct.ID, totpCounter); err != nil {
 		middleware.WriteError(w, http.StatusUnauthorized, "invalid TOTP code", "unauthorized")
 		return
 	}
 	// Mark TOTP as confirmed and required.
 	if err := s.db.SetTOTP(acct.ID, acct.TOTPSecretEnc, acct.TOTPSecretNonce); err != nil {
@@ -801,6 +834,183 @@ func (s *Server) handleTOTPRemove(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusNoContent)
 }
 // ---- Password change endpoints ----
 // adminSetPasswordRequest is the request body for PUT /v1/accounts/{id}/password.
 // Used by admins to reset any human account's password without requiring the
 // current password.
 type adminSetPasswordRequest struct {
 	NewPassword string `json:"new_password"`
 }
 // handleAdminSetPassword allows an admin to reset any human account's password.
 // No current-password verification is required because the admin role already
 // represents a higher trust level, matching the break-glass recovery pattern.
 //
 // Security: new password is validated (minimum length) and hashed with Argon2id
 // before storage.  The plaintext is never logged.  All active tokens for the
 // target account are revoked so that a compromised-account recovery fully
 // invalidates any outstanding sessions.
 func (s *Server) handleAdminSetPassword(w http.ResponseWriter, r *http.Request) {
 	acct, ok := s.loadAccount(w, r)
 	if !ok {
 		return
 	}
 	if acct.AccountType != model.AccountTypeHuman {
 		middleware.WriteError(w, http.StatusBadRequest, "password can only be set on human accounts", "bad_request")
 		return
 	}
 	var req adminSetPasswordRequest
 	if !decodeJSON(w, r, &req) {
 		return
 	}
 	// Security (F-13): enforce minimum length before hashing.
 	if err := validate.Password(req.NewPassword); err != nil {
 		middleware.WriteError(w, http.StatusBadRequest, err.Error(), "bad_request")
 		return
 	}
 	hash, err := auth.HashPassword(req.NewPassword, auth.ArgonParams{
 		Time:    s.cfg.Argon2.Time,
 		Memory:  s.cfg.Argon2.Memory,
 		Threads: s.cfg.Argon2.Threads,
 	})
 	if err != nil {
 		s.logger.Error("hash password (admin reset)", "error", err)
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	if err := s.db.UpdatePasswordHash(acct.ID, hash); err != nil {
 		s.logger.Error("update password hash", "error", err)
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	// Security: revoke all active sessions so a compromised account cannot
 	// continue to use old tokens after a password reset.  Failure here means
 	// the API's documented guarantee ("all active sessions revoked") cannot be
 	// upheld, so we return 500 rather than silently succeeding.
 	if err := s.db.RevokeAllUserTokens(acct.ID, "password_reset"); err != nil {
 		s.logger.Error("revoke tokens on password reset", "error", err, "account_id", acct.ID)
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	actor := middleware.ClaimsFromContext(r.Context())
 	var actorID *int64
 	if actor != nil {
 		if a, err := s.db.GetAccountByUUID(actor.Subject); err == nil {
 			actorID = &a.ID
 		}
 	}
 	s.writeAudit(r, model.EventPasswordChanged, actorID, &acct.ID, `{"via":"admin_reset"}`)
 	w.WriteHeader(http.StatusNoContent)
 }
 // changePasswordRequest is the request body for PUT /v1/auth/password.
 // The current_password is required to prevent token-theft attacks: an attacker
 // who steals a valid JWT cannot change the password without also knowing the
 // existing one.
 type changePasswordRequest struct {
 	CurrentPassword string `json:"current_password"`
 	NewPassword     string `json:"new_password"`
 }
 // handleChangePassword allows an authenticated user to change their own password.
 // The current password must be verified before the new hash is written.
 //
 // Security: current password is verified with Argon2id (constant-time).
 // Lockout is checked and failures are recorded to prevent the endpoint from
 // being used as an oracle for the current password.  On success, all other
 // active sessions (other JTIs) are revoked so stale tokens cannot be used
 // after a credential rotation.
 func (s *Server) handleChangePassword(w http.ResponseWriter, r *http.Request) {
 	claims := middleware.ClaimsFromContext(r.Context())
 	acct, err := s.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		middleware.WriteError(w, http.StatusUnauthorized, "account not found", "unauthorized")
 		return
 	}
 	if acct.AccountType != model.AccountTypeHuman {
 		middleware.WriteError(w, http.StatusBadRequest, "password change is only available for human accounts", "bad_request")
 		return
 	}
 	var req changePasswordRequest
 	if !decodeJSON(w, r, &req) {
 		return
 	}
 	if req.CurrentPassword == "" || req.NewPassword == "" {
 		middleware.WriteError(w, http.StatusBadRequest, "current_password and new_password are required", "bad_request")
 		return
 	}
 	// Security: check lockout before verifying (same as login flow) so an
 	// attacker cannot use this endpoint to brute-force the current password.
 	locked, lockErr := s.db.IsLockedOut(acct.ID)
 	if lockErr != nil {
 		s.logger.Error("lockout check (password change)", "error", lockErr)
 	}
 	if locked {
 		s.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"result":"locked"}`)
 		middleware.WriteError(w, http.StatusTooManyRequests, "account temporarily locked", "account_locked")
 		return
 	}
 	// Security: verify the current password with the same constant-time
 	// Argon2id path used at login to prevent timing oracles.
 	ok, verifyErr := auth.VerifyPassword(req.CurrentPassword, acct.PasswordHash)
 	if verifyErr != nil || !ok {
 		_ = s.db.RecordLoginFailure(acct.ID)
 		s.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"result":"wrong_current_password"}`)
 		middleware.WriteError(w, http.StatusUnauthorized, "current password is incorrect", "unauthorized")
 		return
 	}
 	// Security (F-13): enforce minimum length on the new password before hashing.
 	if err := validate.Password(req.NewPassword); err != nil {
 		middleware.WriteError(w, http.StatusBadRequest, err.Error(), "bad_request")
 		return
 	}
 	hash, err := auth.HashPassword(req.NewPassword, auth.ArgonParams{
 		Time:    s.cfg.Argon2.Time,
 		Memory:  s.cfg.Argon2.Memory,
 		Threads: s.cfg.Argon2.Threads,
 	})
 	if err != nil {
 		s.logger.Error("hash password (self-service change)", "error", err)
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	if err := s.db.UpdatePasswordHash(acct.ID, hash); err != nil {
 		s.logger.Error("update password hash", "error", err)
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	// Security: clear the failure counter since the user proved knowledge of
 	// the current password, then revoke all tokens *except* the current one so
 	// the caller retains their active session but any other stolen sessions are
 	// invalidated.  Revocation failure breaks the documented guarantee so we
 	// return 500 rather than silently succeeding.
 	_ = s.db.ClearLoginFailures(acct.ID)
 	if err := s.db.RevokeAllUserTokensExcept(acct.ID, claims.JTI, "password_changed"); err != nil {
 		s.logger.Error("revoke other tokens on password change", "error", err, "account_id", acct.ID)
 		middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
 		return
 	}
 	s.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"via":"self_service"}`)
 	w.WriteHeader(http.StatusNoContent)
 }
 // ---- Postgres credential endpoints ----
 type pgCredRequest struct {
@@ -968,8 +1178,14 @@ func (s *Server) loadAccount(w http.ResponseWriter, r *http.Request) (*model.Acc
 }
 // writeAudit appends an audit log entry, logging errors but not failing the request.
 // The logged IP honours the trusted-proxy setting so the real client address
 // is recorded rather than the proxy's address (DEF-03).
 func (s *Server) writeAudit(r *http.Request, eventType string, actorID, targetID *int64, details string) {
-	ip := r.RemoteAddr
+	var proxyIP net.IP
 	if s.cfg.Server.TrustedProxy != "" {
 		proxyIP = net.ParseIP(s.cfg.Server.TrustedProxy)
 	}
 	ip := middleware.ClientIP(r, proxyIP)
 	if err := s.db.WriteAuditEvent(eventType, actorID, targetID, ip, details); err != nil {
 		s.logger.Error("write audit event", "error", err, "event_type", eventType)
 	}
@@ -1010,6 +1226,25 @@ func extractBearerFromRequest(r *http.Request) (string, error) {
 	return auth[len(prefix):], nil
 }
 // docsSecurityHeaders adds the same defensive HTTP headers as the UI sub-mux
 // to the /docs and /docs/openapi.yaml endpoints.
 //
 // Security (DEF-09): without these headers the Swagger UI HTML page is
 // served without CSP, X-Frame-Options, or HSTS, leaving it susceptible
 // to clickjacking and MIME-type confusion in browsers.
 func docsSecurityHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		h := w.Header()
 		h.Set("Content-Security-Policy",
 			"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'")
 		h.Set("X-Content-Type-Options", "nosniff")
 		h.Set("X-Frame-Options", "DENY")
 		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
 		h.Set("Referrer-Policy", "no-referrer")
 		next.ServeHTTP(w, r)
 	})
 }
 // encodeBase64URL encodes bytes as base64url without padding.
 func encodeBase64URL(b []byte) string {
 	const table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
--- a/internal/server/server_test.go
+++ b/internal/server/server_test.go
@@ -376,7 +376,7 @@ func TestSetAndGetRoles(t *testing.T) {
 	// Set roles.
 	rr := doRequest(t, handler, "PUT", "/v1/accounts/"+target.UUID+"/roles", map[string][]string{
-		"roles": {"reader", "writer"},
+		"roles": {"admin", "user"},
 	}, adminToken)
 	if rr.Code != http.StatusNoContent {
 		t.Errorf("set roles status = %d, want 204; body: %s", rr.Code, rr.Body.String())
--- a/internal/token/token.go
+++ b/internal/token/token.go
@@ -70,11 +70,16 @@ func IssueToken(key ed25519.PrivateKey, issuer, subject string, roles []string,
 	exp := now.Add(expiry)
 	jti := uuid.New().String()
 	// Security (DEF-04): set NotBefore = now so tokens are not valid before
 	// the instant of issuance. This is a defence-in-depth measure: without
 	// nbf, a clock-skewed client or intermediate could present a token
 	// before its intended validity window.
 	jc := jwtClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    issuer,
 			Subject:   subject,
 			IssuedAt:  jwt.NewNumericDate(now),
 			NotBefore: jwt.NewNumericDate(now),
 			ExpiresAt: jwt.NewNumericDate(exp),
 			ID:        jti,
 		},
@@ -127,6 +132,9 @@ func ValidateToken(key ed25519.PublicKey, tokenString, expectedIssuer string) (*
 		jwt.WithIssuedAt(),
 		jwt.WithIssuer(expectedIssuer),
 		jwt.WithExpirationRequired(),
 		// Security (DEF-04): nbf is validated automatically by the library
 		// when the claim is present; no explicit option is needed. If nbf is
 		// in the future the library returns ErrTokenNotValidYet.
 	)
 	if err != nil {
 		// Map library errors to our typed errors for consistent handling.
--- a/internal/ui/handlers_accounts.go
+++ b/internal/ui/handlers_accounts.go
@@ -32,7 +32,7 @@ func (u *UIServer) handleAccountsList(w http.ResponseWriter, r *http.Request) {
 	}
 	u.render(w, "accounts", AccountsData{
-		PageData: PageData{CSRFToken: csrfToken},
+		PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		Accounts: accounts,
 	})
 }
@@ -132,15 +132,41 @@ func (u *UIServer) handleAccountDetail(w http.ResponseWriter, r *http.Request) {
 		tokens = nil
 	}
 	// Resolve the currently logged-in actor.
 	claims := claimsFromContext(r.Context())
 	var actorID *int64
 	if claims != nil {
 		if actor, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
 			actorID = &actor.ID
 		}
 	}
 	// Load PG credentials for system accounts only; leave nil for human accounts
 	// and when no credentials have been stored yet.
 	var pgCred *model.PGCredential
 	var pgCredGrants []*model.PGCredAccessGrant
 	var grantableAccounts []*model.Account
 	if acct.AccountType == model.AccountTypeSystem {
 		pgCred, err = u.db.ReadPGCredentials(acct.ID)
 		if err != nil && !errors.Is(err, db.ErrNotFound) {
 			u.logger.Warn("read pg credentials", "error", err)
 		}
 		// ErrNotFound is expected when no credentials have been stored yet.
 		// Load access grants; only show management controls when the actor is owner.
 		if pgCred != nil {
 			pgCredGrants, err = u.db.ListPGCredAccess(pgCred.ID)
 			if err != nil {
 				u.logger.Warn("list pg cred access", "error", err)
 			}
 			// Populate the "add grantee" dropdown only for the credential owner.
 			if actorID != nil && pgCred.OwnerID != nil && *pgCred.OwnerID == *actorID {
 				grantableAccounts, err = u.db.ListAccounts()
 				if err != nil {
 					u.logger.Warn("list accounts for pgcred grant", "error", err)
 				}
 			}
 		}
 	}
 	tags, err := u.db.GetAccountTags(acct.ID)
@@ -150,12 +176,15 @@ func (u *UIServer) handleAccountDetail(w http.ResponseWriter, r *http.Request) {
 	}
 	u.render(w, "account_detail", AccountDetailData{
-		PageData: PageData{CSRFToken: csrfToken},
+		PageData:          PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		Account:           acct,
 		Roles:             roles,
 		AllRoles:          knownRoles,
 		Tokens:            tokens,
 		PGCred:            pgCred,
 		PGCredGrants:      pgCredGrants,
 		GrantableAccounts: grantableAccounts,
 		ActorID:           actorID,
 		Tags:              tags,
 	})
 }
@@ -456,6 +485,32 @@ func (u *UIServer) handleSetPGCreds(w http.ResponseWriter, r *http.Request) {
 		pgCred = nil
 	}
 	// Security: set the credential owner to the actor on first write so that
 	// subsequent grant/revoke operations can enforce ownership.  If no actor
 	// is present (e.g. bootstrap), the owner remains nil.
 	if pgCred != nil && pgCred.OwnerID == nil && actorID != nil {
 		if err := u.db.SetPGCredentialOwner(pgCred.ID, *actorID); err != nil {
 			u.logger.Warn("set pg credential owner", "error", err)
 		} else {
 			pgCred.OwnerID = actorID
 		}
 	}
 	// Load existing access grants to re-render the full section.
 	var grants []*model.PGCredAccessGrant
 	if pgCred != nil {
 		grants, err = u.db.ListPGCredAccess(pgCred.ID)
 		if err != nil {
 			u.logger.Warn("list pg cred access after write", "error", err)
 		}
 	}
 	// Load non-system accounts available to grant access to.
 	grantableAccounts, err := u.db.ListAccounts()
 	if err != nil {
 		u.logger.Warn("list accounts for pgcred grant", "error", err)
 	}
 	csrfToken, err := u.setCSRFCookies(w)
 	if err != nil {
 		csrfToken = ""
@@ -465,6 +520,492 @@ func (u *UIServer) handleSetPGCreds(w http.ResponseWriter, r *http.Request) {
 		PageData:          PageData{CSRFToken: csrfToken},
 		Account:           acct,
 		PGCred:            pgCred,
 		PGCredGrants:      grants,
 		GrantableAccounts: grantableAccounts,
 		ActorID:           actorID,
 	})
 }
 // handleGrantPGCredAccess grants another account read access to a pg_credentials
 // set owned by the actor.  Only the credential owner may grant access; this is
 // enforced by comparing the stored owner_id with the logged-in actor.
 //
 // Security: ownership is re-verified server-side on every request; the form
 // field grantee_uuid is looked up in the accounts table (no ID injection).
 // Audit event EventPGCredAccessGranted is recorded on success.
 func (u *UIServer) handleGrantPGCredAccess(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
 	}
 	id := r.PathValue("id")
 	acct, err := u.db.GetAccountByUUID(id)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "account not found")
 		return
 	}
 	if acct.AccountType != model.AccountTypeSystem {
 		u.renderError(w, r, http.StatusBadRequest, "postgres credentials are only available for system accounts")
 		return
 	}
 	pgCred, err := u.db.ReadPGCredentials(acct.ID)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "no credentials stored for this account")
 		return
 	}
 	// Resolve the currently logged-in actor.
 	claims := claimsFromContext(r.Context())
 	var actorID *int64
 	if claims != nil {
 		if actor, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
 			actorID = &actor.ID
 		}
 	}
 	// Security: only the credential owner may grant access.
 	if actorID == nil || pgCred.OwnerID == nil || *pgCred.OwnerID != *actorID {
 		u.renderError(w, r, http.StatusForbidden, "only the credential owner may grant access")
 		return
 	}
 	granteeUUID := strings.TrimSpace(r.FormValue("grantee_uuid"))
 	if granteeUUID == "" {
 		u.renderError(w, r, http.StatusBadRequest, "grantee is required")
 		return
 	}
 	grantee, err := u.db.GetAccountByUUID(granteeUUID)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "grantee account not found")
 		return
 	}
 	if err := u.db.GrantPGCredAccess(pgCred.ID, grantee.ID, actorID); err != nil {
 		u.logger.Error("grant pg cred access", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "failed to grant access")
 		return
 	}
 	u.writeAudit(r, model.EventPGCredAccessGranted, actorID, &grantee.ID,
 		fmt.Sprintf(`{"credential_id":%d,"grantee":%q}`, pgCred.ID, grantee.UUID))
 	// If the caller requested a redirect (e.g. from the /pgcreds page), honour it.
 	if next := r.FormValue("_next"); next == "/pgcreds" {
 		http.Redirect(w, r, "/pgcreds", http.StatusSeeOther)
 		return
 	}
 	// Re-render the full pgcreds section so the new grant appears.
 	grants, err := u.db.ListPGCredAccess(pgCred.ID)
 	if err != nil {
 		u.logger.Warn("list pg cred access after grant", "error", err)
 	}
 	grantableAccounts, err := u.db.ListAccounts()
 	if err != nil {
 		u.logger.Warn("list accounts for pgcred grant", "error", err)
 	}
 	csrfToken, err := u.setCSRFCookies(w)
 	if err != nil {
 		csrfToken = ""
 	}
 	u.render(w, "pgcreds_form", AccountDetailData{
 		PageData:          PageData{CSRFToken: csrfToken},
 		Account:           acct,
 		PGCred:            pgCred,
 		PGCredGrants:      grants,
 		GrantableAccounts: grantableAccounts,
 		ActorID:           actorID,
 	})
 }
 // handleRevokePGCredAccess removes a grantee's read access to a pg_credentials set.
 // Only the credential owner may revoke grants; this is enforced server-side.
 //
 // Security: ownership re-verified on every request.  grantee_uuid looked up
 // in accounts table — not taken from URL path to prevent enumeration.
 // Audit event EventPGCredAccessRevoked is recorded on success.
 func (u *UIServer) handleRevokePGCredAccess(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
 	}
 	id := r.PathValue("id")
 	acct, err := u.db.GetAccountByUUID(id)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "account not found")
 		return
 	}
 	if acct.AccountType != model.AccountTypeSystem {
 		u.renderError(w, r, http.StatusBadRequest, "postgres credentials are only available for system accounts")
 		return
 	}
 	pgCred, err := u.db.ReadPGCredentials(acct.ID)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "no credentials stored for this account")
 		return
 	}
 	// Resolve the currently logged-in actor.
 	claims := claimsFromContext(r.Context())
 	var actorID *int64
 	if claims != nil {
 		if actor, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
 			actorID = &actor.ID
 		}
 	}
 	// Security: only the credential owner may revoke access.
 	if actorID == nil || pgCred.OwnerID == nil || *pgCred.OwnerID != *actorID {
 		u.renderError(w, r, http.StatusForbidden, "only the credential owner may revoke access")
 		return
 	}
 	granteeUUID := r.PathValue("grantee")
 	if granteeUUID == "" {
 		u.renderError(w, r, http.StatusBadRequest, "grantee is required")
 		return
 	}
 	grantee, err := u.db.GetAccountByUUID(granteeUUID)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "grantee account not found")
 		return
 	}
 	if err := u.db.RevokePGCredAccess(pgCred.ID, grantee.ID); err != nil {
 		u.logger.Error("revoke pg cred access", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "failed to revoke access")
 		return
 	}
 	u.writeAudit(r, model.EventPGCredAccessRevoked, actorID, &grantee.ID,
 		fmt.Sprintf(`{"credential_id":%d,"grantee":%q}`, pgCred.ID, grantee.UUID))
 	// If the caller requested a redirect (e.g. from the /pgcreds page), honour it.
 	if r.URL.Query().Get("_next") == "/pgcreds" {
 		if isHTMX(r) {
 			w.Header().Set("HX-Redirect", "/pgcreds")
 			w.WriteHeader(http.StatusOK)
 			return
 		}
 		http.Redirect(w, r, "/pgcreds", http.StatusSeeOther)
 		return
 	}
 	// Re-render the full pgcreds section with the grant removed.
 	grants, err := u.db.ListPGCredAccess(pgCred.ID)
 	if err != nil {
 		u.logger.Warn("list pg cred access after revoke", "error", err)
 	}
 	grantableAccounts, err := u.db.ListAccounts()
 	if err != nil {
 		u.logger.Warn("list accounts for pgcred grant", "error", err)
 	}
 	csrfToken, err := u.setCSRFCookies(w)
 	if err != nil {
 		csrfToken = ""
 	}
 	u.render(w, "pgcreds_form", AccountDetailData{
 		PageData:          PageData{CSRFToken: csrfToken},
 		Account:           acct,
 		PGCred:            pgCred,
 		PGCredGrants:      grants,
 		GrantableAccounts: grantableAccounts,
 		ActorID:           actorID,
 	})
 }
 // handlePGCredsList renders the "My PG Credentials" page, showing all
 // pg_credentials accessible to the currently logged-in user (owned + granted),
 // plus a create form for system accounts that have no credentials yet.
 func (u *UIServer) handlePGCredsList(w http.ResponseWriter, r *http.Request) {
 	csrfToken, err := u.setCSRFCookies(w)
 	if err != nil {
 		http.Error(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	claims := claimsFromContext(r.Context())
 	if claims == nil {
 		u.redirectToLogin(w, r)
 		return
 	}
 	actor, err := u.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		u.renderError(w, r, http.StatusInternalServerError, "could not resolve actor")
 		return
 	}
 	creds, err := u.db.ListAccessiblePGCreds(actor.ID)
 	if err != nil {
 		u.renderError(w, r, http.StatusInternalServerError, "failed to load credentials")
 		return
 	}
 	// Build the list of system accounts that have no credentials at all
 	// (not just those absent from this actor's accessible set) so the
 	// create form remains available even when the actor has no existing creds.
 	credAcctIDs, err := u.db.ListCredentialedAccountIDs()
 	if err != nil {
 		u.logger.Warn("list credentialed account ids", "error", err)
 		credAcctIDs = map[int64]struct{}{}
 	}
 	allAccounts, err := u.db.ListAccounts()
 	if err != nil {
 		u.logger.Warn("list accounts for pgcreds create form", "error", err)
 	}
 	var uncredentialed []*model.Account
 	for _, a := range allAccounts {
 		if a.AccountType == model.AccountTypeSystem {
 			if _, hasCredential := credAcctIDs[a.ID]; !hasCredential {
 				uncredentialed = append(uncredentialed, a)
 			}
 		}
 	}
 	// For each credential owned by the actor, load its access grants so the
 	// /pgcreds page can render inline grant management controls.
 	credGrants := make(map[int64][]*model.PGCredAccessGrant)
 	for _, c := range creds {
 		if c.OwnerID != nil && *c.OwnerID == actor.ID {
 			grants, err := u.db.ListPGCredAccess(c.ID)
 			if err != nil {
 				u.logger.Warn("list pg cred access for owned cred", "cred_id", c.ID, "error", err)
 				continue
 			}
 			credGrants[c.ID] = grants
 		}
 	}
 	u.render(w, "pgcreds", PGCredsData{
 		PageData:               PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		Creds:                  creds,
 		UncredentialedAccounts: uncredentialed,
 		CredGrants:             credGrants,
 		AllAccounts:            allAccounts,
 		ActorID:                &actor.ID,
 	})
 }
 // handleCreatePGCreds creates a new PG credential set from the /pgcreds page.
 // The submitter selects a system account from the uncredentialed list and
 // provides connection details; on success they become the credential owner.
 //
 // Security: only system accounts may hold PG credentials; the submitted account
 // UUID is validated server-side. Password is encrypted with AES-256-GCM before
 // storage; the plaintext is never logged or included in any response.
 // Audit event EventPGCredUpdated is recorded on success.
 func (u *UIServer) handleCreatePGCreds(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
 	}
 	accountUUID := strings.TrimSpace(r.FormValue("account_uuid"))
 	if accountUUID == "" {
 		u.renderError(w, r, http.StatusBadRequest, "account is required")
 		return
 	}
 	acct, err := u.db.GetAccountByUUID(accountUUID)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "account not found")
 		return
 	}
 	if acct.AccountType != model.AccountTypeSystem {
 		u.renderError(w, r, http.StatusBadRequest, "postgres credentials are only available for system accounts")
 		return
 	}
 	host := strings.TrimSpace(r.FormValue("host"))
 	portStr := strings.TrimSpace(r.FormValue("port"))
 	dbName := strings.TrimSpace(r.FormValue("database"))
 	username := strings.TrimSpace(r.FormValue("username"))
 	password := r.FormValue("password")
 	if host == "" {
 		u.renderError(w, r, http.StatusBadRequest, "host is required")
 		return
 	}
 	if dbName == "" {
 		u.renderError(w, r, http.StatusBadRequest, "database is required")
 		return
 	}
 	if username == "" {
 		u.renderError(w, r, http.StatusBadRequest, "username is required")
 		return
 	}
 	// Security: password is required on every write — the UI never carries an
 	// existing password, so callers must supply it explicitly.
 	if password == "" {
 		u.renderError(w, r, http.StatusBadRequest, "password is required")
 		return
 	}
 	port := 5432
 	if portStr != "" {
 		port, err = strconv.Atoi(portStr)
 		if err != nil || port < 1 || port > 65535 {
 			u.renderError(w, r, http.StatusBadRequest, "port must be an integer between 1 and 65535")
 			return
 		}
 	}
 	// Security: encrypt with AES-256-GCM; fresh nonce per call.
 	enc, nonce, err := crypto.SealAESGCM(u.masterKey, []byte(password))
 	if err != nil {
 		u.logger.Error("encrypt pg password", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "internal error")
 		return
 	}
 	if err := u.db.WritePGCredentials(acct.ID, host, port, dbName, username, enc, nonce); err != nil {
 		u.logger.Error("write pg credentials", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "failed to save credentials")
 		return
 	}
 	claims := claimsFromContext(r.Context())
 	var actorID *int64
 	if claims != nil {
 		if actor, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
 			actorID = &actor.ID
 		}
 	}
 	u.writeAudit(r, model.EventPGCredUpdated, actorID, &acct.ID, "")
 	// Security: set the credential owner to the actor on creation.
 	pgCred, err := u.db.ReadPGCredentials(acct.ID)
 	if err != nil {
 		u.logger.Warn("re-read pg credentials after create", "error", err)
 	}
 	if pgCred != nil && pgCred.OwnerID == nil && actorID != nil {
 		if err := u.db.SetPGCredentialOwner(pgCred.ID, *actorID); err != nil {
 			u.logger.Warn("set pg credential owner", "error", err)
 		} else {
 			pgCred.OwnerID = actorID
 		}
 	}
 	// Redirect to the pgcreds list so the new entry appears in context.
 	http.Redirect(w, r, "/pgcreds", http.StatusSeeOther)
 }
 // handleAdminResetPassword allows an admin to set a new password for any human
 // account without requiring the current password.  On success all active tokens
 // for the target account are revoked so a compromised account is fully
 // invalidated.
 //
 // Security: caller must hold the admin role; the check is performed server-side
 // against the JWT claims so it cannot be bypassed by client-side tricks.
 // New password is validated (minimum 12 chars) and hashed with Argon2id before
 // storage.  The plaintext is never logged or included in any response.
 // Audit event EventPasswordChanged is recorded on success.
 func (u *UIServer) handleAdminResetPassword(w http.ResponseWriter, r *http.Request) {
 	// Security: enforce admin role; requireCookieAuth only validates the token,
 	// it does not check roles.  A non-admin with a valid session must not be
 	// able to reset arbitrary accounts' passwords.
 	callerClaims := claimsFromContext(r.Context())
 	if callerClaims == nil {
 		u.renderError(w, r, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	isAdmin := false
 	for _, role := range callerClaims.Roles {
 		if role == "admin" {
 			isAdmin = true
 			break
 		}
 	}
 	if !isAdmin {
 		u.renderError(w, r, http.StatusForbidden, "admin role required")
 		return
 	}
 	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
 	}
 	id := r.PathValue("id")
 	acct, err := u.db.GetAccountByUUID(id)
 	if err != nil {
 		u.renderError(w, r, http.StatusNotFound, "account not found")
 		return
 	}
 	if acct.AccountType != model.AccountTypeHuman {
 		u.renderError(w, r, http.StatusBadRequest, "password can only be reset for human accounts")
 		return
 	}
 	newPassword := r.FormValue("new_password")
 	confirmPassword := r.FormValue("confirm_password")
 	if newPassword == "" {
 		u.renderError(w, r, http.StatusBadRequest, "new password is required")
 		return
 	}
 	// Server-side equality check mirrors the client-side guard; defends against
 	// direct POST requests that bypass the JavaScript confirmation.
 	if newPassword != confirmPassword {
 		u.renderError(w, r, http.StatusBadRequest, "passwords do not match")
 		return
 	}
 	// Security (F-13): enforce minimum length before hashing.
 	if err := validate.Password(newPassword); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, err.Error())
 		return
 	}
 	hash, err := auth.HashPassword(newPassword, auth.ArgonParams{
 		Time:    u.cfg.Argon2.Time,
 		Memory:  u.cfg.Argon2.Memory,
 		Threads: u.cfg.Argon2.Threads,
 	})
 	if err != nil {
 		u.logger.Error("hash password (admin reset)", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "internal error")
 		return
 	}
 	if err := u.db.UpdatePasswordHash(acct.ID, hash); err != nil {
 		u.logger.Error("update password hash", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "failed to update password")
 		return
 	}
 	// Security: revoke all active sessions for the target account so an
 	// attacker who held a valid token cannot continue to use it after reset.
 	// Render an error fragment rather than silently claiming success if
 	// revocation fails.
 	if err := u.db.RevokeAllUserTokens(acct.ID, "password_reset"); err != nil {
 		u.logger.Error("revoke tokens on admin password reset", "account_id", acct.ID, "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "password updated but session revocation failed; revoke tokens manually")
 		return
 	}
 	claims := claimsFromContext(r.Context())
 	var actorID *int64
 	if claims != nil {
 		if actor, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
 			actorID = &actor.ID
 		}
 	}
 	u.writeAudit(r, model.EventPasswordChanged, actorID, &acct.ID, `{"via":"admin_reset"}`)
 	// Return a success fragment so HTMX can display confirmation inline.
 	csrfToken, _ := u.setCSRFCookies(w)
 	u.render(w, "password_reset_result", AccountDetailData{
 		PageData: PageData{
 			CSRFToken: csrfToken,
 			Flash:     "Password updated and all active sessions revoked.",
 		},
 		Account: acct,
 	})
 }
--- a/internal/ui/handlers_audit.go
+++ b/internal/ui/handlers_audit.go
@@ -86,7 +86,7 @@ func (u *UIServer) handleAuditDetail(w http.ResponseWriter, r *http.Request) {
 	}
 	u.render(w, "audit_detail", AuditDetailData{
-		PageData: PageData{CSRFToken: csrfToken},
+		PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		Event:    event,
 	})
 }
@@ -116,7 +116,7 @@ func (u *UIServer) buildAuditData(r *http.Request, page int, csrfToken string) (
 	}
 	return AuditData{
-		PageData:   PageData{CSRFToken: csrfToken},
+		PageData:   PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		Events:     events,
 		EventTypes: auditEventTypes,
 		FilterType: filterType,
--- a/internal/ui/handlers_auth.go
+++ b/internal/ui/handlers_auth.go
@@ -8,6 +8,7 @@ import (
 	"git.wntrmute.dev/kyle/mcias/internal/crypto"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
 	"git.wntrmute.dev/kyle/mcias/internal/token"
 	"git.wntrmute.dev/kyle/mcias/internal/validate"
 )
 // handleLoginPage renders the login form.
@@ -148,7 +149,7 @@ func (u *UIServer) handleTOTPStep(w http.ResponseWriter, r *http.Request) {
 		u.render(w, "login", LoginData{Error: "internal error"})
 		return
 	}
-	valid, err := auth.ValidateTOTP(secret, totpCode)
+	valid, totpCounter, err := auth.ValidateTOTP(secret, totpCode)
 	if err != nil || !valid {
 		u.writeAudit(r, model.EventLoginTOTPFail, &acct.ID, nil, `{"reason":"wrong_totp"}`)
 		_ = u.db.RecordLoginFailure(acct.ID)
@@ -165,6 +166,23 @@ func (u *UIServer) handleTOTPStep(w http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
 	// Security (CRIT-01): reject replay of a code already used within its
 	// ±30-second validity window.
 	if err := u.db.CheckAndUpdateTOTPCounter(acct.ID, totpCounter); err != nil {
 		u.writeAudit(r, model.EventLoginTOTPFail, &acct.ID, nil, `{"reason":"totp_replay"}`)
 		_ = u.db.RecordLoginFailure(acct.ID)
 		newNonce, nonceErr := u.issueTOTPNonce(acct.ID)
 		if nonceErr != nil {
 			u.render(w, "login", LoginData{Error: "internal error"})
 			return
 		}
 		u.render(w, "totp_step", LoginData{
 			Error:    "invalid TOTP code",
 			Username: username,
 			Nonce:    newNonce,
 		})
 		return
 	}
 	u.finishLogin(w, r, acct)
 }
@@ -250,8 +268,132 @@ func (u *UIServer) handleLogout(w http.ResponseWriter, r *http.Request) {
 // writeAudit is a fire-and-forget audit log helper for the UI package.
 func (u *UIServer) writeAudit(r *http.Request, eventType string, actorID, targetID *int64, details string) {
-	ip := clientIP(r)
+	ip := u.clientIP(r)
 	if err := u.db.WriteAuditEvent(eventType, actorID, targetID, ip, details); err != nil {
 		u.logger.Warn("write audit event", "type", eventType, "error", err)
 	}
 }
 // handleProfilePage renders the profile page for the currently logged-in user.
 func (u *UIServer) handleProfilePage(w http.ResponseWriter, r *http.Request) {
 	csrfToken, _ := u.setCSRFCookies(w)
 	u.render(w, "profile", ProfileData{
 		PageData: PageData{
 			CSRFToken: csrfToken,
 			ActorName: u.actorName(r),
 		},
 	})
 }
 // handleSelfChangePassword allows an authenticated human user to change their
 // own password.  The current password must be supplied to prevent a stolen
 // session token from being used to take over an account.
 //
 // Security: current password is verified with Argon2id (constant-time) before
 // the new hash is written.  Lockout is checked first so the endpoint cannot
 // be used to brute-force the existing password.  On success all other active
 // sessions are revoked; the caller's own session is preserved so they remain
 // logged in.  The plaintext passwords are never logged or returned.
 func (u *UIServer) handleSelfChangePassword(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
 	if err := r.ParseForm(); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, "invalid form")
 		return
 	}
 	claims := claimsFromContext(r.Context())
 	if claims == nil {
 		u.renderError(w, r, http.StatusUnauthorized, "unauthorized")
 		return
 	}
 	acct, err := u.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		u.renderError(w, r, http.StatusUnauthorized, "account not found")
 		return
 	}
 	if acct.AccountType != model.AccountTypeHuman {
 		u.renderError(w, r, http.StatusBadRequest, "password change is only available for human accounts")
 		return
 	}
 	currentPassword := r.FormValue("current_password")
 	newPassword := r.FormValue("new_password")
 	confirmPassword := r.FormValue("confirm_password")
 	if currentPassword == "" || newPassword == "" {
 		u.renderError(w, r, http.StatusBadRequest, "current and new password are required")
 		return
 	}
 	// Server-side confirmation check mirrors the client-side guard; defends
 	// against direct POST requests that bypass the JavaScript validation.
 	if newPassword != confirmPassword {
 		u.renderError(w, r, http.StatusBadRequest, "passwords do not match")
 		return
 	}
 	// Security: check lockout before running Argon2 to prevent brute-force.
 	locked, lockErr := u.db.IsLockedOut(acct.ID)
 	if lockErr != nil {
 		u.logger.Error("lockout check (UI self-service password change)", "error", lockErr)
 	}
 	if locked {
 		u.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"result":"locked"}`)
 		u.renderError(w, r, http.StatusTooManyRequests, "account temporarily locked, please try again later")
 		return
 	}
 	// Security: verify current password with constant-time Argon2id path used
 	// at login so this endpoint cannot serve as a timing oracle.
 	ok, verifyErr := auth.VerifyPassword(currentPassword, acct.PasswordHash)
 	if verifyErr != nil || !ok {
 		_ = u.db.RecordLoginFailure(acct.ID)
 		u.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"result":"wrong_current_password"}`)
 		u.renderError(w, r, http.StatusUnauthorized, "current password is incorrect")
 		return
 	}
 	// Security (F-13): enforce minimum length before hashing.
 	if err := validate.Password(newPassword); err != nil {
 		u.renderError(w, r, http.StatusBadRequest, err.Error())
 		return
 	}
 	hash, err := auth.HashPassword(newPassword, auth.ArgonParams{
 		Time:    u.cfg.Argon2.Time,
 		Memory:  u.cfg.Argon2.Memory,
 		Threads: u.cfg.Argon2.Threads,
 	})
 	if err != nil {
 		u.logger.Error("hash password (UI self-service)", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "internal error")
 		return
 	}
 	if err := u.db.UpdatePasswordHash(acct.ID, hash); err != nil {
 		u.logger.Error("update password hash", "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "failed to update password")
 		return
 	}
 	// Security: clear failure counter (user proved knowledge of current
 	// password), then revoke all sessions except the current one so stale
 	// tokens are invalidated while the caller stays logged in.
 	_ = u.db.ClearLoginFailures(acct.ID)
 	if err := u.db.RevokeAllUserTokensExcept(acct.ID, claims.JTI, "password_changed"); err != nil {
 		u.logger.Error("revoke other tokens on UI password change", "account_id", acct.ID, "error", err)
 		u.renderError(w, r, http.StatusInternalServerError, "password updated but session revocation failed; revoke tokens manually")
 		return
 	}
 	u.writeAudit(r, model.EventPasswordChanged, &acct.ID, &acct.ID, `{"via":"ui_self_service"}`)
 	csrfToken, _ := u.setCSRFCookies(w)
 	u.render(w, "password_change_result", ProfileData{
 		PageData: PageData{
 			CSRFToken: csrfToken,
 			ActorName: u.actorName(r),
 			Flash:     "Password updated successfully. Other active sessions have been revoked.",
 		},
 	})
 }
--- a/internal/ui/handlers_dashboard.go
+++ b/internal/ui/handlers_dashboard.go
@@ -37,7 +37,7 @@ func (u *UIServer) handleDashboard(w http.ResponseWriter, r *http.Request) {
 	}
 	u.render(w, "dashboard", DashboardData{
-		PageData:       PageData{CSRFToken: csrfToken},
+		PageData:       PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		TotalAccounts:  total,
 		ActiveAccounts: active,
 		RecentEvents:   events,
--- a/internal/ui/handlers_policy.go
+++ b/internal/ui/handlers_policy.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"git.wntrmute.dev/kyle/mcias/internal/db"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
@@ -60,7 +61,7 @@ func (u *UIServer) handlePoliciesPage(w http.ResponseWriter, r *http.Request) {
 	}
 	data := PoliciesData{
-		PageData:   PageData{CSRFToken: csrfToken},
+		PageData:   PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
 		Rules:      views,
 		AllActions: allActionStrings,
 	}
@@ -70,7 +71,7 @@ func (u *UIServer) handlePoliciesPage(w http.ResponseWriter, r *http.Request) {
 // policyRuleToView converts a DB record to a template-friendly view.
 func policyRuleToView(rec *model.PolicyRuleRecord) *PolicyRuleView {
 	pretty := prettyJSONStr(rec.RuleJSON)
-	return &PolicyRuleView{
+	v := &PolicyRuleView{
 		ID:          rec.ID,
 		Priority:    rec.Priority,
 		Description: rec.Description,
@@ -79,6 +80,16 @@ func policyRuleToView(rec *model.PolicyRuleRecord) *PolicyRuleView {
 		CreatedAt:   rec.CreatedAt.Format("2006-01-02 15:04 UTC"),
 		UpdatedAt:   rec.UpdatedAt.Format("2006-01-02 15:04 UTC"),
 	}
 	now := time.Now()
 	if rec.NotBefore != nil {
 		v.NotBefore = rec.NotBefore.UTC().Format("2006-01-02 15:04 UTC")
 		v.IsPending = now.Before(*rec.NotBefore)
 	}
 	if rec.ExpiresAt != nil {
 		v.ExpiresAt = rec.ExpiresAt.UTC().Format("2006-01-02 15:04 UTC")
 		v.IsExpired = now.After(*rec.ExpiresAt)
 	}
 	return v
 }
 func prettyJSONStr(s string) string {
@@ -160,6 +171,29 @@ func (u *UIServer) handleCreatePolicyRule(w http.ResponseWriter, r *http.Request
 		return
 	}
 	// Parse optional time-scoped validity window from datetime-local inputs.
 	var notBefore, expiresAt *time.Time
 	if nbStr := strings.TrimSpace(r.FormValue("not_before")); nbStr != "" {
 		t, err := time.Parse("2006-01-02T15:04", nbStr)
 		if err != nil {
 			u.renderError(w, r, http.StatusBadRequest, "invalid not_before time format")
 			return
 		}
 		notBefore = &t
 	}
 	if eaStr := strings.TrimSpace(r.FormValue("expires_at")); eaStr != "" {
 		t, err := time.Parse("2006-01-02T15:04", eaStr)
 		if err != nil {
 			u.renderError(w, r, http.StatusBadRequest, "invalid expires_at time format")
 			return
 		}
 		expiresAt = &t
 	}
 	if notBefore != nil && expiresAt != nil && !expiresAt.After(*notBefore) {
 		u.renderError(w, r, http.StatusBadRequest, "expires_at must be after not_before")
 		return
 	}
 	claims := claimsFromContext(r.Context())
 	var actorID *int64
 	if claims != nil {
@@ -168,7 +202,7 @@ func (u *UIServer) handleCreatePolicyRule(w http.ResponseWriter, r *http.Request
 		}
 	}
-	rec, err := u.db.CreatePolicyRule(description, priority, string(ruleJSON), actorID)
+	rec, err := u.db.CreatePolicyRule(description, priority, string(ruleJSON), actorID, notBefore, expiresAt)
 	if err != nil {
 		u.renderError(w, r, http.StatusInternalServerError, fmt.Sprintf("create policy rule: %v", err))
 		return
--- a/internal/ui/ui.go
+++ b/internal/ui/ui.go
@@ -22,14 +22,15 @@ import (
 	"html/template"
 	"io/fs"
 	"log/slog"
 	"net"
 	"net/http"
 	"strings"
 	"sync"
 	"time"
 	"git.wntrmute.dev/kyle/mcias/internal/auth"
 	"git.wntrmute.dev/kyle/mcias/internal/config"
 	"git.wntrmute.dev/kyle/mcias/internal/db"
 	"git.wntrmute.dev/kyle/mcias/internal/middleware"
 	"git.wntrmute.dev/kyle/mcias/internal/model"
 	"git.wntrmute.dev/kyle/mcias/web"
 )
@@ -141,6 +142,22 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 			return false
 		},
 		"not": func(b bool) bool { return !b },
 		// derefInt64 safely dereferences a *int64, returning 0 for nil.
 		// Used in templates to compare owner IDs without triggering nil panics.
 		"derefInt64": func(p *int64) int64 {
 			if p == nil {
 				return 0
 			}
 			return *p
 		},
 		// isPGCredOwner returns true when actorID and cred are both non-nil
 		// and actorID matches cred.OwnerID.  Safe to call with nil arguments.
 		"isPGCredOwner": func(actorID *int64, cred *model.PGCredential) bool {
 			if actorID == nil || cred == nil || cred.OwnerID == nil {
 				return false
 			}
 			return *actorID == *cred.OwnerID
 		},
 		"add": func(a, b int) int { return a + b },
 		"sub": func(a, b int) int { return a - b },
 		"gt":  func(a, b int) bool { return a > b },
@@ -174,6 +191,8 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 		"templates/fragments/tags_editor.html",
 		"templates/fragments/policy_row.html",
 		"templates/fragments/policy_form.html",
 		"templates/fragments/password_reset_form.html",
 		"templates/fragments/password_change_form.html",
 	}
 	base, err := template.New("").Funcs(funcMap).ParseFS(web.TemplateFS, sharedFiles...)
 	if err != nil {
@@ -190,6 +209,8 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 		"audit":          "templates/audit.html",
 		"audit_detail":   "templates/audit_detail.html",
 		"policies":       "templates/policies.html",
 		"pgcreds":        "templates/pgcreds.html",
 		"profile":        "templates/profile.html",
 	}
 	tmpls := make(map[string]*template.Template, len(pageFiles))
 	for name, file := range pageFiles {
@@ -203,7 +224,7 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 		tmpls[name] = clone
 	}
-	return &UIServer{
+	srv := &UIServer{
 		db:        database,
 		cfg:       cfg,
 		pubKey:    pub,
@@ -212,7 +233,33 @@ func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed255
 		logger:    logger,
 		csrf:      csrf,
 		tmpls:     tmpls,
-	}, nil
+	}
 	// Security (DEF-02): launch a background goroutine to evict expired TOTP
 	// nonces from pendingLogins.  consumeTOTPNonce deletes entries on use, but
 	// entries abandoned by users who never complete step 2 would otherwise
 	// accumulate indefinitely, enabling a memory-exhaustion attack.
 	go srv.cleanupPendingLogins()
 	return srv, nil
 }
 // cleanupPendingLogins periodically evicts expired entries from pendingLogins.
 // It runs every 5 minutes, which is well within the 90-second nonce TTL, so
 // stale entries are removed before they can accumulate to any significant size.
 func (u *UIServer) cleanupPendingLogins() {
 	ticker := time.NewTicker(5 * time.Minute)
 	defer ticker.Stop()
 	for range ticker.C {
 		now := time.Now()
 		u.pendingLogins.Range(func(key, value any) bool {
 			pl, ok := value.(*pendingLogin)
 			if !ok || now.After(pl.expiresAt) {
 				u.pendingLogins.Delete(key)
 			}
 			return true
 		})
 	}
 }
 // Register attaches all UI routes to mux, wrapped with security headers.
@@ -239,9 +286,18 @@ func (u *UIServer) Register(mux *http.ServeMux) {
 		http.NotFound(w, r)
 	})
 	// Security (DEF-01, DEF-03): apply the same per-IP rate limit as the REST
 	// /v1/auth/login endpoint, using the same proxy-aware IP extraction so
 	// the rate limit is applied to real client IPs behind a reverse proxy.
 	var trustedProxy net.IP
 	if u.cfg.Server.TrustedProxy != "" {
 		trustedProxy = net.ParseIP(u.cfg.Server.TrustedProxy)
 	}
 	loginRateLimit := middleware.RateLimit(10, 10, trustedProxy)
 	// Auth routes (no session required).
 	uiMux.HandleFunc("GET /login", u.handleLoginPage)
-	uiMux.HandleFunc("POST /login", u.handleLoginPost)
+	uiMux.Handle("POST /login", loginRateLimit(http.HandlerFunc(u.handleLoginPost)))
 	uiMux.HandleFunc("POST /logout", u.handleLogout)
 	// Protected routes.
@@ -264,6 +320,10 @@ func (u *UIServer) Register(mux *http.ServeMux) {
 	uiMux.Handle("DELETE /token/{jti}", admin(u.handleRevokeToken))
 	uiMux.Handle("POST /accounts/{id}/token", admin(u.handleIssueSystemToken))
 	uiMux.Handle("PUT /accounts/{id}/pgcreds", admin(u.handleSetPGCreds))
 	uiMux.Handle("POST /accounts/{id}/pgcreds/access", admin(u.handleGrantPGCredAccess))
 	uiMux.Handle("DELETE /accounts/{id}/pgcreds/access/{grantee}", admin(u.handleRevokePGCredAccess))
 	uiMux.Handle("GET /pgcreds", adminGet(u.handlePGCredsList))
 	uiMux.Handle("POST /pgcreds", admin(u.handleCreatePGCreds))
 	uiMux.Handle("GET /audit", adminGet(u.handleAuditPage))
 	uiMux.Handle("GET /audit/rows", adminGet(u.handleAuditRows))
 	uiMux.Handle("GET /audit/{id}", adminGet(u.handleAuditDetail))
@@ -272,6 +332,11 @@ func (u *UIServer) Register(mux *http.ServeMux) {
 	uiMux.Handle("PATCH /policies/{id}/enabled", admin(u.handleTogglePolicyRule))
 	uiMux.Handle("DELETE /policies/{id}", admin(u.handleDeletePolicyRule))
 	uiMux.Handle("PUT /accounts/{id}/tags", admin(u.handleSetAccountTags))
 	uiMux.Handle("PUT /accounts/{id}/password", admin(u.handleAdminResetPassword))
 	// Profile routes — accessible to any authenticated user (not admin-only).
 	uiMux.Handle("GET /profile", adminGet(u.handleProfilePage))
 	uiMux.Handle("PUT /profile/password", auth(u.requireCSRF(http.HandlerFunc(u.handleSelfChangePassword))))
 	// Mount the wrapped UI mux on the parent mux. The "/" pattern acts as a
 	// catch-all for all UI paths; the more-specific /v1/ API patterns registered
@@ -469,13 +534,30 @@ func securityHeaders(next http.Handler) http.Handler {
 	})
 }
-// clientIP extracts the client IP from RemoteAddr (best effort).
+// clientIP returns the real client IP for the request, respecting the
-func clientIP(r *http.Request) string {
+// server's trusted-proxy setting (DEF-03).  Delegates to middleware.ClientIP
-	addr := r.RemoteAddr
+// so the same extraction logic is used for rate limiting and audit logging.
-	if idx := strings.LastIndex(addr, ":"); idx != -1 {
+func (u *UIServer) clientIP(r *http.Request) string {
-		return addr[:idx]
+	var proxyIP net.IP
 	if u.cfg.Server.TrustedProxy != "" {
 		proxyIP = net.ParseIP(u.cfg.Server.TrustedProxy)
 	}
-	return addr
+	return middleware.ClientIP(r, proxyIP)
 }
 // actorName resolves the username of the currently authenticated user from the
 // request context.  Returns an empty string if claims are absent or the account
 // cannot be found; callers should treat an empty string as "not logged in".
 func (u *UIServer) actorName(r *http.Request) string {
 	claims := claimsFromContext(r.Context())
 	if claims == nil {
 		return ""
 	}
 	acct, err := u.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		return ""
 	}
 	return acct.Username
 }
 // ---- Page data types ----
@@ -485,6 +567,9 @@ type PageData struct {
 	CSRFToken string
 	Flash     string
 	Error     string
 	// ActorName is the username of the currently logged-in user, populated by
 	// handlers so the base template can display it in the navigation bar.
 	ActorName string
 }
 // LoginData is the view model for the login page.
@@ -514,7 +599,16 @@ type AccountsData struct {
 // AccountDetailData is the view model for the account detail page.
 type AccountDetailData struct {
 	Account *model.Account
-	PGCred  *model.PGCredential // nil if none stored or account is not a system account
+	// PGCred is nil if none stored or the account is not a system account.
 	PGCred *model.PGCredential
 	// PGCredGrants lists accounts that have been granted read access to PGCred.
 	// Only populated when the viewing actor is the credential owner.
 	PGCredGrants []*model.PGCredAccessGrant
 	// GrantableAccounts is the list of accounts the owner may grant access to.
 	GrantableAccounts []*model.Account
 	// ActorID is the DB id of the currently logged-in user; used in templates
 	// to decide whether to show the owner-only management controls.
 	ActorID *int64
 	PageData
 	Roles    []string
 	AllRoles []string
@@ -545,9 +639,13 @@ type PolicyRuleView struct {
 	RuleJSON    string
 	CreatedAt   string
 	UpdatedAt   string
 	NotBefore   string // empty if not set
 	ExpiresAt   string // empty if not set
 	ID          int64
 	Priority    int
 	Enabled     bool
 	IsExpired   bool // true if expires_at is in the past
 	IsPending   bool // true if not_before is in the future
 }
 // PoliciesData is the view model for the policies list page.
@@ -556,3 +654,26 @@ type PoliciesData struct {
 	Rules      []*PolicyRuleView
 	AllActions []string
 }
 // ProfileData is the view model for the profile/settings page.
 type ProfileData struct {
 	PageData
 }
 // PGCredsData is the view model for the "My PG Credentials" list page.
 // It shows all pg_credentials sets accessible to the currently logged-in user:
 // those they own and those they have been granted access to.
 // UncredentialedAccounts is the list of system accounts that have no credentials
 // yet, populated to drive the "New Credentials" create form on the same page.
 // CredGrants maps credential ID to the list of access grants for that credential;
 // only populated for credentials the actor owns.
 // AllAccounts is used to populate the grant-access dropdown for owned credentials.
 // ActorID is the DB id of the currently logged-in user.
 type PGCredsData struct {
 	CredGrants map[int64][]*model.PGCredAccessGrant
 	ActorID    *int64
 	PageData
 	Creds                  []*model.PGCredential
 	UncredentialedAccounts []*model.Account
 	AllAccounts            []*model.Account
 }
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -206,6 +206,24 @@ components:
        enabled:
          type: boolean
          example: true
        not_before:
          type: string
          format: date-time
          nullable: true
          description: |
            Earliest time the rule becomes active. NULL means no constraint
            (always active). Rules where `not_before > now()` are skipped
            during evaluation.
          example: "2026-04-01T00:00:00Z"
        expires_at:
          type: string
          format: date-time
          nullable: true
          description: |
            Time after which the rule is no longer active. NULL means no
            constraint (never expires). Rules where `expires_at <= now()` are
            skipped during evaluation.
          example: "2026-06-01T00:00:00Z"
        created_at:
          type: string
          format: date-time
@@ -582,6 +600,68 @@ paths:
        "401":
          $ref: "#/components/responses/Unauthorized"
  /v1/auth/password:
    put:
      summary: Change own password (self-service)
      description: |
        Change the password of the currently authenticated human account.
        The caller must supply the correct `current_password` to prevent
        token-theft attacks: possession of a valid JWT alone is not sufficient.
        On success:
        - The stored Argon2id hash is replaced with the new password hash.
        - All active sessions *except* the caller's current token are revoked.
        - The lockout failure counter is cleared.
        On failure (wrong current password):
        - A login failure is recorded against the account, subject to the
          same lockout rules as `POST /v1/auth/login`.
        Only applies to human accounts. System accounts have no password.
      operationId: changePassword
      tags: [Auth]
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [current_password, new_password]
              properties:
                current_password:
                  type: string
                  description: The account's current password (required for verification).
                  example: old-s3cr3t
                new_password:
                  type: string
                  description: The new password. Minimum 12 characters.
                  example: new-s3cr3t-long
      responses:
        "204":
          description: Password changed. Other active sessions revoked.
        "400":
          $ref: "#/components/responses/BadRequest"
        "401":
          description: Current password is incorrect.
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
              example:
                error: current password is incorrect
                code: unauthorized
        "429":
          description: Account temporarily locked due to too many failed attempts.
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
              example:
                error: account temporarily locked
                code: account_locked
  # ── Admin ──────────────────────────────────────────────────────────────────
  /v1/auth/totp:
@@ -984,7 +1064,10 @@ paths:
        `token_issued`, `token_renewed`, `token_revoked`, `token_expired`,
        `account_created`, `account_updated`, `account_deleted`,
        `role_granted`, `role_revoked`, `totp_enrolled`, `totp_removed`,
-        `pgcred_accessed`, `pgcred_updated`.
+        `pgcred_accessed`, `pgcred_updated`, `pgcred_access_granted`,
        `pgcred_access_revoked`, `tag_added`, `tag_removed`,
        `policy_rule_created`, `policy_rule_updated`, `policy_rule_deleted`,
        `policy_deny`.
      operationId: listAudit
      tags: [Admin — Audit]
      security:
@@ -1118,12 +1201,63 @@ paths:
        "404":
          $ref: "#/components/responses/NotFound"
  /v1/accounts/{id}/password:
    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
          format: uuid
        example: 550e8400-e29b-41d4-a716-446655440000
    put:
      summary: Admin password reset (admin)
      description: |
        Reset the password for a human account without requiring the current
        password. This is intended for account recovery (e.g. a user forgot
        their password).
        On success:
        - The stored Argon2id hash is replaced with the new password hash.
        - All active sessions for the target account are revoked.
        Only applies to human accounts. The new password must be at least
        12 characters.
      operationId: adminSetPassword
      tags: [Admin — Accounts]
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [new_password]
              properties:
                new_password:
                  type: string
                  description: The new password. Minimum 12 characters.
                  example: new-s3cr3t-long
      responses:
        "204":
          description: Password reset. All active sessions for the account revoked.
        "400":
          $ref: "#/components/responses/BadRequest"
        "401":
          $ref: "#/components/responses/Unauthorized"
        "403":
          $ref: "#/components/responses/Forbidden"
        "404":
          $ref: "#/components/responses/NotFound"
  /v1/policy/rules:
    get:
      summary: List policy rules (admin)
      description: |
        Return all operator-defined policy rules ordered by priority (ascending).
-        Built-in default rules (IDs -1 to -6) are not included.
+        Built-in default rules (IDs -1 to -7) are not included.
      operationId: listPolicyRules
      tags: [Admin — Policy]
      security:
@@ -1169,6 +1303,16 @@ paths:
                  example: 50
                rule:
                  $ref: "#/components/schemas/RuleBody"
                not_before:
                  type: string
                  format: date-time
                  description: Earliest activation time (RFC3339, optional).
                  example: "2026-04-01T00:00:00Z"
                expires_at:
                  type: string
                  format: date-time
                  description: Expiry time (RFC3339, optional).
                  example: "2026-06-01T00:00:00Z"
      responses:
        "201":
          description: Rule created.
@@ -1239,6 +1383,22 @@ paths:
                  example: false
                rule:
                  $ref: "#/components/schemas/RuleBody"
                not_before:
                  type: string
                  format: date-time
                  description: Set earliest activation time (RFC3339).
                  example: "2026-04-01T00:00:00Z"
                expires_at:
                  type: string
                  format: date-time
                  description: Set expiry time (RFC3339).
                  example: "2026-06-01T00:00:00Z"
                clear_not_before:
                  type: boolean
                  description: Set to true to remove not_before constraint.
                clear_expires_at:
                  type: boolean
                  description: Set to true to remove expires_at constraint.
      responses:
        "200":
          description: Updated rule.
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -303,7 +303,7 @@ func TestE2EAdminAccountManagement(t *testing.T) {
 	// Set roles.
 	resp3 := e.do(t, "PUT", "/v1/accounts/"+carolUUID+"/roles", map[string][]string{
-		"roles": {"reader"},
+		"roles": {"user"},
 	}, adminToken)
 	mustStatus(t, resp3, http.StatusNoContent)
 	_ = resp3.Body.Close()
@@ -315,8 +315,8 @@ func TestE2EAdminAccountManagement(t *testing.T) {
 		Roles []string `json:"roles"`
 	}
 	decodeJSON(t, resp4, &rolesResp)
-	if len(rolesResp.Roles) != 1 || rolesResp.Roles[0] != "reader" {
+	if len(rolesResp.Roles) != 1 || rolesResp.Roles[0] != "user" {
-		t.Errorf("roles = %v, want [reader]", rolesResp.Roles)
+		t.Errorf("roles = %v, want [user]", rolesResp.Roles)
 	}
 	// Delete account.
--- a/web/static/mcias.js
+++ b/web/static/mcias.js
@@ -0,0 +1,26 @@
 // mcias.js — HTMX event wiring for the MCIAS web UI.
 // Show server error responses in the global #htmx-error-banner.
 //
 // HTMX 2.x fires htmx:responseError for 4xx/5xx responses and does not swap
 // the body into the target by default.  The server's renderError() always
 // returns a <div class="alert alert-error"> fragment whose message is
 // HTML-escaped server-side, so setting innerHTML here is safe.
 document.body.addEventListener('htmx:responseError', function (evt) {
  var banner = document.getElementById('htmx-error-banner');
  if (!banner) { return; }
  var body = (evt.detail.xhr && evt.detail.xhr.responseText) || 'An unexpected error occurred.';
  banner.innerHTML = body;
  banner.style.display = '';
  banner.scrollIntoView({ behavior: 'instant', block: 'nearest' });
 });
 // Clear the error banner whenever a successful HTMX swap completes so
 // stale errors do not persist after the user corrects their input.
 document.body.addEventListener('htmx:afterSwap', function () {
  var banner = document.getElementById('htmx-error-banner');
  if (banner) {
    banner.style.display = 'none';
    banner.innerHTML = '';
  }
 });
--- a/web/static/style.css
+++ b/web/static/style.css
@@ -8,6 +8,18 @@ nav { background: #1a1a2e; color: #fff; padding: 0.5rem 1rem; }
 .nav-links { list-style: none; display: flex; gap: 1rem; margin: 0; padding: 0; }
 .nav-links a { color: #ccc; text-decoration: none; }
 .nav-links a:hover { color: #fff; }
 .nav-actor { color: #aaa; font-size: 0.85rem; }
 /* Login page layout */
 .login-wrapper { display: flex; align-items: center; justify-content: center; min-height: 100vh; padding: 2rem; }
 .login-box { width: 100%; max-width: 380px; }
 .brand-heading { font-size: 2rem; font-weight: 700; text-align: center; letter-spacing: 0.05em; color: #1a1a2e; margin-bottom: 0.25rem; }
 .brand-subtitle { font-size: 0.8rem; text-align: center; color: #666; margin-bottom: 1.5rem; letter-spacing: 0.02em; }
 .login-box .card { background: #fff; border: 1px solid #dee2e6; border-radius: 6px; padding: 1.75rem 2rem; box-shadow: 0 2px 8px rgba(0,0,0,0.07); }
 .form-group { margin-bottom: 1rem; }
 .form-group label { display: block; margin-bottom: 0.35rem; font-size: 0.9rem; font-weight: 500; }
 .form-control { width: 100%; padding: 0.5rem 0.6rem; border: 1px solid #ced4da; border-radius: 4px; font-size: 0.95rem; }
 .form-control:focus { outline: none; border-color: #0d6efd; box-shadow: 0 0 0 2px rgba(13,110,253,0.2); }
 .form-actions { margin-top: 1.25rem; }
 .btn { display: inline-block; padding: 0.4rem 0.8rem; border: none; border-radius: 4px; cursor: pointer; font-size: 0.9rem; }
 .btn-sm { padding: 0.2rem 0.5rem; font-size: 0.8rem; }
 .btn-primary { background: #0d6efd; color: #fff; }
--- a/web/templates/account_detail.html
+++ b/web/templates/account_detail.html
@@ -44,4 +44,15 @@
  <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Tags</h2>
  <div id="tags-editor">{{template "tags_editor" .}}</div>
 </div>
 {{if eq (string .Account.AccountType) "human"}}
 <div class="card">
  <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Reset Password</h2>
  <p class="text-muted text-small" style="margin-bottom:.75rem">
    Set a new password for this account. All active sessions will be revoked.
  </p>
  <div id="password-reset-section">
    {{template "password_reset_form" .}}
  </div>
 </div>
 {{end}}
 {{end}}
--- a/web/templates/base.html
+++ b/web/templates/base.html
@@ -15,18 +15,22 @@
      <li><a href="/accounts">Accounts</a></li>
      <li><a href="/audit">Audit</a></li>
      <li><a href="/policies">Policies</a></li>
      <li><a href="/pgcreds">PG Creds</a></li>
      {{if .ActorName}}<li><a href="/profile">{{.ActorName}}</a></li>{{end}}
      <li><form method="POST" action="/logout" style="margin:0"><button class="btn btn-sm btn-secondary" type="submit">Logout</button></form></li>
    </ul>
  </div>
 </nav>
 <main>
  <div class="container">
    <div id="htmx-error-banner" role="alert" style="display:none"></div>
    {{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
    {{if .Flash}}<div class="alert alert-success" role="status">{{.Flash}}</div>{{end}}
    {{block "content" .}}{{end}}
  </div>
 </main>
 <script src="/static/htmx.min.js"></script>
 <script src="/static/mcias.js"></script>
 </body>
 </html>
 {{end}}
--- a/web/templates/fragments/password_change_form.html
+++ b/web/templates/fragments/password_change_form.html
@@ -0,0 +1,53 @@
 {{define "password_change_form"}}
 <form id="password-change-form"
      hx-put="/profile/password"
      hx-target="#password-change-section"
      hx-swap="innerHTML"
      hx-headers='{"X-CSRF-Token": "{{.CSRFToken}}"}'
      onsubmit="return mciasPwChangeConfirm(this)">
  <div class="form-group">
    <label for="current_password">Current Password</label>
    <input type="password" id="current_password" name="current_password"
           class="form-control" autocomplete="current-password"
           placeholder="Your current password" required>
  </div>
  <div class="form-group" style="margin-top:.5rem">
    <label for="new_password">New Password</label>
    <input type="password" id="new_password" name="new_password"
           class="form-control" autocomplete="new-password"
           placeholder="Minimum 12 characters" required minlength="12">
  </div>
  <div class="form-group" style="margin-top:.5rem">
    <label for="confirm_password">Confirm New Password</label>
    <input type="password" id="confirm_password" name="confirm_password"
           class="form-control" autocomplete="new-password"
           placeholder="Repeat new password" required minlength="12">
  </div>
  <div id="pw-change-error" role="alert"
       style="display:none;color:var(--color-danger,#c0392b);font-size:.85rem;margin-top:.35rem"></div>
  <button type="submit" class="btn btn-primary btn-sm" style="margin-top:.75rem">
    Change Password
  </button>
 </form>
 <script>
 function mciasPwChangeConfirm(form) {
  var pw  = form.querySelector('#new_password').value;
  var cfm = form.querySelector('#confirm_password').value;
  var err = form.querySelector('#pw-change-error');
  if (pw !== cfm) {
    err.textContent = 'Passwords do not match.';
    err.style.display = 'block';
    return false;
  }
  err.style.display = 'none';
  return true;
 }
 </script>
 {{end}}
 {{define "password_change_result"}}
 {{if .Flash}}
 <div class="alert alert-success" role="alert">{{.Flash}}</div>
 {{end}}
 {{template "password_change_form" .}}
 {{end}}
--- a/web/templates/fragments/password_reset_form.html
+++ b/web/templates/fragments/password_reset_form.html
@@ -0,0 +1,47 @@
 {{define "password_reset_form"}}
 <form id="password-reset-form"
      hx-put="/accounts/{{.Account.UUID}}/password"
      hx-target="#password-reset-section"
      hx-swap="innerHTML"
      hx-headers='{"X-CSRF-Token": "{{.CSRFToken}}"}'
      onsubmit="return mciasPwConfirm(this)">
  <div class="form-group">
    <label for="new_password">New Password</label>
    <input type="password" id="new_password" name="new_password"
           class="form-control" autocomplete="new-password"
           placeholder="Minimum 12 characters" required minlength="12">
  </div>
  <div class="form-group" style="margin-top:.5rem">
    <label for="confirm_password">Confirm Password</label>
    <input type="password" id="confirm_password" name="confirm_password"
           class="form-control" autocomplete="new-password"
           placeholder="Repeat new password" required minlength="12">
  </div>
  <div id="pw-reset-error" role="alert"
       style="display:none;color:var(--color-danger,#c0392b);font-size:.85rem;margin-top:.35rem"></div>
  <button type="submit" class="btn btn-danger btn-sm" style="margin-top:.75rem">
    Reset Password
  </button>
 </form>
 <script>
 function mciasPwConfirm(form) {
  var pw  = form.querySelector('#new_password').value;
  var cfm = form.querySelector('#confirm_password').value;
  var err = form.querySelector('#pw-reset-error');
  if (pw !== cfm) {
    err.textContent = 'Passwords do not match.';
    err.style.display = 'block';
    return false;
  }
  err.style.display = 'none';
  return true;
 }
 </script>
 {{end}}
 {{define "password_reset_result"}}
 {{if .Flash}}
 <div class="alert alert-success" role="alert">{{.Flash}}</div>
 {{end}}
 {{template "password_reset_form" .}}
 {{end}}
--- a/web/templates/fragments/pgcreds_form.html
+++ b/web/templates/fragments/pgcreds_form.html
@@ -11,25 +11,84 @@
  {{else}}
  <p class="text-muted text-small" style="margin-bottom:1rem">No credentials stored.</p>
  {{end}}
  {{/* Any admin can add or update credentials; creator of the first set becomes owner */}}
  <details style="margin-bottom:1rem">
    <summary class="text-small" style="cursor:pointer;color:var(--color-text-muted)">
      {{if .PGCred}}Update credentials{{else}}Add new credentials{{end}}
    </summary>
    <form hx-put="/accounts/{{.Account.UUID}}/pgcreds"
-        hx-target="#pgcreds-section" hx-swap="outerHTML">
+          hx-target="#pgcreds-section" hx-swap="outerHTML"
          style="margin-top:.75rem">
      <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
        <input class="form-control" type="text" name="host" placeholder="Host" required
-             value="{{if .PGCred}}{{.PGCred.PGHost}}{{end}}">
+               {{if .PGCred}}value="{{.PGCred.PGHost}}"{{end}}>
        <input class="form-control" type="number" name="port" placeholder="Port (5432)"
               min="1" max="65535"
-             value="{{if .PGCred}}{{.PGCred.PGPort}}{{end}}">
+               {{if .PGCred}}value="{{.PGCred.PGPort}}"{{end}}>
      </div>
      <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
        <input class="form-control" type="text" name="database" placeholder="Database" required
-             value="{{if .PGCred}}{{.PGCred.PGDatabase}}{{end}}">
+               {{if .PGCred}}value="{{.PGCred.PGDatabase}}"{{end}}>
        <input class="form-control" type="text" name="username" placeholder="Username" required
-             value="{{if .PGCred}}{{.PGCred.PGUsername}}{{end}}">
+               {{if .PGCred}}value="{{.PGCred.PGUsername}}"{{end}}>
      </div>
      <input class="form-control" type="password" name="password"
-           placeholder="Password (required to update)" required
+             placeholder="Password (required)" required
             style="margin-bottom:.5rem">
      <button class="btn btn-sm btn-secondary" type="submit">Save Credentials</button>
    </form>
  </details>
  {{/* Access grants section — shown whenever credentials exist */}}
  {{if .PGCred}}
  <div style="margin-top:1.25rem">
    <h3 style="font-size:.9rem;font-weight:600;margin-bottom:.5rem">Access Grants</h3>
    {{if .PGCredGrants}}
    <table class="table table-sm" style="font-size:.85rem">
      <thead>
        <tr>
          <th>User</th>
          <th>Granted</th>
          {{if isPGCredOwner $.ActorID $.PGCred}}<th></th>{{end}}
        </tr>
      </thead>
      <tbody>
        {{range .PGCredGrants}}
        <tr>
          <td>{{.GranteeName}}</td>
          <td class="text-small text-muted">{{formatTime .GrantedAt}}</td>
          {{if isPGCredOwner $.ActorID $.PGCred}}
          <td>
            <button class="btn btn-sm btn-danger"
                    hx-delete="/accounts/{{$.Account.UUID}}/pgcreds/access/{{.GranteeUUID}}"
                    hx-target="#pgcreds-section" hx-swap="outerHTML"
                    hx-confirm="Revoke access for {{.GranteeName}}?">Revoke</button>
          </td>
          {{end}}
        </tr>
        {{end}}
      </tbody>
    </table>
    {{else}}
    <p class="text-muted text-small">No access grants.</p>
    {{end}}
    {{/* Grant form — owner only */}}
    {{if and (isPGCredOwner .ActorID .PGCred) .GrantableAccounts}}
    <form hx-post="/accounts/{{.Account.UUID}}/pgcreds/access"
          hx-target="#pgcreds-section" hx-swap="outerHTML"
          style="margin-top:.75rem;display:flex;gap:.5rem;align-items:center">
      <select class="form-control" name="grantee_uuid" required style="flex:1">
        <option value="">— select account to grant —</option>
        {{range .GrantableAccounts}}
        <option value="{{.UUID}}">{{.Username}} ({{.AccountType}})</option>
        {{end}}
      </select>
      <button class="btn btn-sm btn-secondary" type="submit">Grant Access</button>
    </form>
    {{end}}
  </div>
  {{end}}
 </div>
 {{end}}
--- a/web/templates/fragments/policy_form.html
+++ b/web/templates/fragments/policy_form.html
@@ -72,6 +72,16 @@
      Owner must match subject (self-service rules only)
    </label>
  </div>
  <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
    <div>
      <label class="text-small text-muted">Not before (UTC, optional)</label>
      <input class="form-control" type="datetime-local" name="not_before" style="font-size:.85rem">
    </div>
    <div>
      <label class="text-small text-muted">Expires at (UTC, optional)</label>
      <input class="form-control" type="datetime-local" name="expires_at" style="font-size:.85rem">
    </div>
  </div>
  <button class="btn btn-sm btn-secondary" type="submit">Create Rule</button>
 </form>
 {{end}}
--- a/web/templates/fragments/policy_row.html
+++ b/web/templates/fragments/policy_row.html
@@ -4,6 +4,15 @@
  <td class="text-small">{{.Priority}}</td>
  <td>
    <strong>{{.Description}}</strong>
    {{if .IsExpired}}<span class="badge" style="background:#dc2626;color:#fff;margin-left:.4rem">expired</span>{{end}}
    {{if .IsPending}}<span class="badge" style="background:#d97706;color:#fff;margin-left:.4rem">scheduled</span>{{end}}
    {{if or .NotBefore .ExpiresAt}}
    <div class="text-small text-muted" style="margin-top:.2rem">
      {{if .NotBefore}}Not before: {{.NotBefore}}{{end}}
      {{if and .NotBefore .ExpiresAt}} · {{end}}
      {{if .ExpiresAt}}Expires: {{.ExpiresAt}}{{end}}
    </div>
    {{end}}
    <details style="margin-top:.25rem">
      <summary class="text-small text-muted" style="cursor:pointer">Show rule JSON</summary>
      <pre style="font-size:.75rem;background:#f8fafc;padding:.5rem;border-radius:4px;overflow:auto;margin-top:.25rem">{{.RuleJSON}}</pre>
--- a/web/templates/login.html
+++ b/web/templates/login.html
@@ -10,6 +10,7 @@
 <div class="login-wrapper">
  <div class="login-box">
    <div class="brand-heading">MCIAS</div>
    <div class="brand-subtitle">Metacircular Identity &amp; Access System</div>
    <div class="card">
      {{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
      <form id="login-form" method="POST" action="/login"
--- a/web/templates/pgcreds.html
+++ b/web/templates/pgcreds.html
@@ -0,0 +1,134 @@
 {{define "pgcreds"}}{{template "base" .}}{{end}}
 {{define "title"}}PG Credentials — MCIAS{{end}}
 {{define "content"}}
 <div class="page-header">
  <h1>Postgres Credentials</h1>
  <p class="text-muted text-small">Credentials you own or have been granted access to.</p>
 </div>
 {{if .Creds}}
 <div class="card">
  <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Your Credentials</h2>
  {{range .Creds}}
  <div style="border:1px solid var(--color-border);border-radius:6px;padding:1rem;margin-bottom:1rem">
    <dl style="display:grid;grid-template-columns:140px 1fr;gap:.35rem .75rem;font-size:.9rem;margin-bottom:.75rem">
      <dt class="text-muted">Service Account</dt><dd>{{.ServiceUsername}}</dd>
      <dt class="text-muted">Host</dt><dd>{{.PGHost}}:{{.PGPort}}</dd>
      <dt class="text-muted">Database</dt><dd>{{.PGDatabase}}</dd>
      <dt class="text-muted">Username</dt><dd>{{.PGUsername}}</dd>
      <dt class="text-muted">Updated</dt><dd class="text-small text-muted">{{formatTime .UpdatedAt}}</dd>
    </dl>
    {{/* Grant management — only for the credential owner */}}
    {{$credID := .ID}}
    {{$svcUUID := .ServiceAccountUUID}}
    {{$grants := index $.CredGrants $credID}}
    {{if isPGCredOwner $.ActorID .}}
    <div style="margin-top:.75rem">
      <h3 style="font-size:.85rem;font-weight:600;margin-bottom:.5rem">Access Grants</h3>
      {{if $grants}}
      <table class="table table-sm" style="font-size:.85rem;margin-bottom:.75rem">
        <thead>
          <tr><th>User</th><th>Granted</th><th></th></tr>
        </thead>
        <tbody>
          {{range $grants}}
          <tr>
            <td>{{.GranteeName}}</td>
            <td class="text-small text-muted">{{formatTime .GrantedAt}}</td>
            <td>
              <button class="btn btn-sm btn-danger"
                      hx-delete="/accounts/{{$svcUUID}}/pgcreds/access/{{.GranteeUUID}}?_next=/pgcreds"
                      hx-confirm="Revoke access for {{.GranteeName}}?">Revoke</button>
            </td>
          </tr>
          {{end}}
        </tbody>
      </table>
      {{else}}
      <p class="text-muted text-small" style="margin-bottom:.5rem">No access grants.</p>
      {{end}}
      {{/* Plain POST grant form with redirect back to /pgcreds */}}
      <form method="POST" action="/accounts/{{.ServiceAccountUUID}}/pgcreds/access"
            style="display:flex;gap:.5rem;align-items:center">
        <input type="hidden" name="_csrf" value="{{$.CSRFToken}}">
        <input type="hidden" name="_next" value="/pgcreds">
        <select class="form-control" name="grantee_uuid" required style="flex:1">
          <option value="">— select account to grant —</option>
          {{range $.AllAccounts}}
          <option value="{{.UUID}}">{{.Username}} ({{.AccountType}})</option>
          {{end}}
        </select>
        <button class="btn btn-sm btn-secondary" type="submit">Grant Access</button>
      </form>
    </div>
    {{end}}
    <div style="margin-top:.75rem">
      <a class="btn btn-sm btn-secondary" href="/accounts/{{.ServiceAccountUUID}}">View Account</a>
    </div>
  </div>
  {{end}}
 </div>
 {{else}}
 <div class="card">
  <p class="text-muted">No Postgres credentials are accessible to your account.</p>
 </div>
 {{end}}
 <div class="card" style="margin-top:1.5rem">
  <div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:.5rem">
    <h2 style="font-size:1rem;font-weight:600;margin:0">New Credentials</h2>
    <button class="btn btn-sm btn-secondary"
            onclick="var f=document.getElementById('pgcreds-create-form');f.hidden=!f.hidden;this.textContent=f.hidden?'Add Credentials':'Cancel'">Add Credentials</button>
  </div>
  <div id="pgcreds-create-form" hidden>
    <p class="text-muted text-small" style="margin-bottom:1rem;margin-top:.5rem">
      Create a credential set for a system account. You will become the owner and
      may later grant other accounts read access.
    </p>
    {{if .UncredentialedAccounts}}
    <form method="POST" action="/pgcreds">
      <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
      <div style="margin-bottom:.75rem">
        <label class="form-label" for="pgcreds-account">Service Account</label>
        <select id="pgcreds-account" class="form-control" name="account_uuid" required>
          <option value="">— select system account —</option>
          {{range .UncredentialedAccounts}}
          <option value="{{.UUID}}">{{.Username}}</option>
          {{end}}
        </select>
      </div>
      <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
        <div>
          <label class="form-label" for="pgcreds-host">Host</label>
          <input id="pgcreds-host" class="form-control" type="text" name="host" placeholder="db.example.com" required>
        </div>
        <div>
          <label class="form-label" for="pgcreds-port">Port</label>
          <input id="pgcreds-port" class="form-control" type="number" name="port" placeholder="5432" min="1" max="65535">
        </div>
      </div>
      <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
        <div>
          <label class="form-label" for="pgcreds-db">Database</label>
          <input id="pgcreds-db" class="form-control" type="text" name="database" placeholder="myapp" required>
        </div>
        <div>
          <label class="form-label" for="pgcreds-user">Username</label>
          <input id="pgcreds-user" class="form-control" type="text" name="username" placeholder="svc_user" required>
        </div>
      </div>
      <div style="margin-bottom:.75rem">
        <label class="form-label" for="pgcreds-password">Password</label>
        <input id="pgcreds-password" class="form-control" type="password" name="password" required>
      </div>
      <button class="btn btn-secondary" type="submit">Create Credentials</button>
    </form>
    {{else}}
    <p class="text-muted text-small">All system accounts already have credentials. Create a new system account first.</p>
    {{end}}
  </div>
 </div>
 {{end}}
--- a/web/templates/profile.html
+++ b/web/templates/profile.html
@@ -0,0 +1,16 @@
 {{define "profile"}}{{template "base" .}}{{end}}
 {{define "title"}}Profile — MCIAS{{end}}
 {{define "content"}}
 <div class="page-header">
  <h1>Profile</h1>
 </div>
 <div class="card">
  <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Change Password</h2>
  <p class="text-muted text-small" style="margin-bottom:.75rem">
    Enter your current password and choose a new one. Other active sessions will be revoked.
  </p>
  <div id="password-change-section">
    {{template "password_change_form" .}}
  </div>
 </div>
 {{end}}
Author	SHA1	Message	Date
Kyle Isom	28bc33a96d	clients: expand Go, Python, Rust client APIs - Add TOTP enrollment/confirmation/removal to all clients - Add password change and admin set-password endpoints - Add account listing, status update, and tag management - Add audit log listing with filter support - Add policy rule CRUD operations - Expand test coverage for all new endpoints across clients - Fix .gitignore to exclude built binaries Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-12 20:29:11 -07:00
Kyle Isom	98ed858c67	trusted proxy, TOTP replay protection, new tests - Trusted proxy config option for proxy-aware IP extraction used by rate limiting and audit logs; validates proxy IP before trusting X-Forwarded-For / X-Real-IP headers - TOTP replay protection via counter-based validation to reject reused codes within the same time step (±30s) - RateLimit middleware updated to extract client IP from proxy headers without IP spoofing risk - New tests for ClientIP proxy logic (spoofed headers, fallback) and extended rate-limit proxy coverage - HTMX error banner script integrated into web UI base - .gitignore updated for mciasdb build artifact Security: resolves CRIT-01 (TOTP replay attack) and DEF-03 (proxy-unaware rate limiting); gRPC TOTP enrollment aligned with REST via StorePendingTOTP Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-12 17:44:01 -07:00
Kyle Isom	35f27b7c4f	UI: password change enforcement + migration recovery - Web UI admin password reset now enforces admin role server-side (was cookie-auth + CSRF only; any logged-in user could previously reset any account's password) - Added self-service password change UI at GET/PUT /profile: current_password + new_password + confirm_password; server-side equality check; lockout + Argon2id verification; revokes all other sessions on success - password_change_form.html fragment and profile.html page - Nav bar actor name now links to /profile - policy: ActionChangePassword + default rule -7 allowing human accounts to change their own password - openapi.yaml: built-in rules count updated to -7 Migration recovery: - mciasdb schema force --version N: new subcommand to clear dirty migration state without running SQL (break-glass) - schema subcommands bypass auto-migration on open so the tool stays usable when the database is dirty - Migrate(): shim no longer overrides schema_migrations when it already has an entry; duplicate-column error on the latest migration is force-cleaned and treated as success (handles columns added outside the runner) Security: - Admin role is now validated in handleAdminResetPassword before any DB access; non-admin receives 403 - handleSelfChangePassword follows identical lockout + constant-time Argon2id path as the REST self-service handler; current password required to prevent token-theft account takeover Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-12 15:33:19 -07:00
Kyle Isom	25d550a066	ignore env file	2026-03-12 14:39:14 -07:00
Kyle Isom	5d7d2cfc08	Checkpoint: password reset, rule expiry, migrations - Self-service and admin password-change endpoints (PUT /v1/auth/password, PUT /v1/accounts/{id}/password) - Policy rule time-scoped expiry (not_before / expires_at) with migration 000006 and engine filtering - golang-migrate integration; embedded SQL migrations - PolicyRecord fieldalignment lint fix Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-12 14:38:38 -07:00
Kyle Isom	833775de83	db: integrate golang-migrate for schema migrations - internal/db/migrations/: five embedded SQL files containing the migration SQL previously held as Go string literals. Files follow the NNN_description.up.sql naming convention required by golang-migrate's iofs source. - internal/db/migrate.go: rewritten to use github.com/golang-migrate/migrate/v4 with the database/sqlite driver (modernc.org/sqlite, pure Go) and source/iofs for compile-time embedded SQL. - newMigrate() opens a dedicated *sql.DB so m.Close() does not affect the caller's shared connection. - Migrate() includes a compatibility shim: reads the legacy schema_version table and calls m.Force(v) before m.Up() so existing databases are not re-migrated. - LatestSchemaVersion promoted from var to const. - internal/db/db.go: added path field to DB struct; Open() translates ':memory:' to a named shared-cache URI (file:mcias_N?mode=memory&cache=shared) so the migration runner can open a second connection to the same in-memory database without sharing the handle that golang-migrate will close on teardown. - go.mod: added golang-migrate/migrate/v4 v4.19.1 (direct). All callers unchanged. All tests pass; golangci-lint clean.	2026-03-12 11:52:39 -07:00
Kyle Isom	562aad908e	UI: pgcreds create button; show logged-in user * web/templates/pgcreds.html: New Credentials card is now always rendered; Add Credentials toggle button reveals the create form (hidden by default). Shows a message when all system accounts already have credentials. Previously the card was hidden when UncredentialedAccounts was empty. * internal/ui/ui.go: added ActorName string field to PageData; added actorName(r) helper resolving username from JWT claims via DB lookup, returns empty string if unauthenticated. * internal/ui/handlers_.go: all full-page PageData constructors now pass ActorName: u.actorName(r). web/templates/base.html: nav bar renders actor username as a muted label before the Logout button when logged in. * web/static/style.css: added .nav-actor rule (muted grey, 0.85rem).	2026-03-12 11:38:57 -07:00