Move SSO clients from config to database

- Add sso_clients table (migration 000010) with client_id, redirect_uri,
  tags (JSON), enabled flag, and audit timestamps
- Add SSOClient model struct and audit events
- Implement DB CRUD with 10 unit tests
- Add REST API: GET/POST/PATCH/DELETE /v1/sso/clients (policy-gated)
- Add gRPC SSOClientService with 5 RPCs (admin-only)
- Add mciasctl sso list/create/get/update/delete commands
- Add web UI admin page at /sso-clients with HTMX create/toggle/delete
- Migrate handleSSOAuthorize and handleSSOTokenExchange to use DB
- Remove SSOConfig, SSOClient struct, lookup methods from config
- Simplify: client_id = service_name for policy evaluation

Security:
- SSO client CRUD is admin-only (policy-gated REST, requireAdmin gRPC)
- redirect_uri must use https:// (validated at DB layer)
- Disabled clients are rejected at both authorize and token exchange
- All mutations write audit events

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/config/config.go

@@ -22,24 +22,6 @@ type Config struct { //nolint:govet // fieldalignment: TOML section order is mor
 	Tokens    TokensConfig    `toml:"tokens"`
 	Argon2    Argon2Config    `toml:"argon2"`
 	WebAuthn  WebAuthnConfig  `toml:"webauthn"`
-	SSO       SSOConfig       `toml:"sso"`
-}
-
-// SSOConfig holds registered SSO clients that may use the authorization code
-// flow to authenticate users via MCIAS. Omitting the [sso] section or leaving
-// clients empty disables SSO.
-type SSOConfig struct {
-	Clients []SSOClient `toml:"clients"`
-}
-
-// SSOClient is a registered relying-party application that may redirect users
-// to MCIAS for login. The redirect_uri is validated as an exact match (no
-// wildcards) to prevent open-redirect attacks.
-type SSOClient struct {
-	ClientID    string   `toml:"client_id"`    // unique identifier (e.g. "mcr")
-	RedirectURI string   `toml:"redirect_uri"` // exact callback URL, https required
-	ServiceName string   `toml:"service_name"` // passed to policy engine on login
-	Tags        []string `toml:"tags"`         // passed to policy engine on login
 }
 
 // WebAuthnConfig holds FIDO2/WebAuthn settings. Omitting the entire [webauthn]
@@ -264,48 +246,9 @@ func (c *Config) validate() error {
 		}
 	}
 
-	// SSO clients — if any are configured, each must have a unique client_id,
-	// a non-empty redirect_uri with the https:// scheme, and a non-empty
-	// service_name.
-	seen := make(map[string]bool, len(c.SSO.Clients))
-	for i, cl := range c.SSO.Clients {
-		prefix := fmt.Sprintf("sso.clients[%d]", i)
-		if cl.ClientID == "" {
-			errs = append(errs, fmt.Errorf("%s: client_id is required", prefix))
-		} else if seen[cl.ClientID] {
-			errs = append(errs, fmt.Errorf("%s: duplicate client_id %q", prefix, cl.ClientID))
-		} else {
-			seen[cl.ClientID] = true
-		}
-		if cl.RedirectURI == "" {
-			errs = append(errs, fmt.Errorf("%s: redirect_uri is required", prefix))
-		} else if !strings.HasPrefix(cl.RedirectURI, "https://") {
-			errs = append(errs, fmt.Errorf("%s: redirect_uri must use the https:// scheme (got %q)", prefix, cl.RedirectURI))
-		}
-		if cl.ServiceName == "" {
-			errs = append(errs, fmt.Errorf("%s: service_name is required", prefix))
-		}
-	}
-
 	return errors.Join(errs...)
 }
 
-// SSOClient looks up a registered SSO client by client_id.
-// Returns nil if no client with that ID is registered.
-func (c *Config) SSOClient(clientID string) *SSOClient {
-	for i := range c.SSO.Clients {
-		if c.SSO.Clients[i].ClientID == clientID {
-			return &c.SSO.Clients[i]
-		}
-	}
-	return nil
-}
-
-// SSOEnabled reports whether any SSO clients are registered.
-func (c *Config) SSOEnabled() bool {
-	return len(c.SSO.Clients) > 0
-}
-
 // DefaultExpiry returns the configured default token expiry duration.
 func (c *Config) DefaultExpiry() time.Duration { return c.Tokens.DefaultExpiry.Duration }
 

internal/config/config_test.go

@@ -244,153 +244,6 @@ func TestTrustedProxyValidation(t *testing.T) {
 	}
 }
 
-func TestSSOClientValidation(t *testing.T) {
-	tests := []struct {
-		name    string
-		extra   string
-		wantErr bool
-	}{
-		{
-			name: "valid single client",
-			extra: `
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "https://mcr.example.com/sso/callback"
-service_name = "mcr"
-tags         = ["env:restricted"]
-`,
-			wantErr: false,
-		},
-		{
-			name: "valid multiple clients",
-			extra: `
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "https://mcr.example.com/sso/callback"
-service_name = "mcr"
-
-[[sso.clients]]
-client_id    = "mcat"
-redirect_uri = "https://mcat.example.com/sso/callback"
-service_name = "mcat"
-`,
-			wantErr: false,
-		},
-		{
-			name: "missing client_id",
-			extra: `
-[[sso.clients]]
-redirect_uri = "https://mcr.example.com/sso/callback"
-service_name = "mcr"
-`,
-			wantErr: true,
-		},
-		{
-			name: "missing redirect_uri",
-			extra: `
-[[sso.clients]]
-client_id    = "mcr"
-service_name = "mcr"
-`,
-			wantErr: true,
-		},
-		{
-			name: "http redirect_uri rejected",
-			extra: `
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "http://mcr.example.com/sso/callback"
-service_name = "mcr"
-`,
-			wantErr: true,
-		},
-		{
-			name: "missing service_name",
-			extra: `
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "https://mcr.example.com/sso/callback"
-`,
-			wantErr: true,
-		},
-		{
-			name: "duplicate client_id",
-			extra: `
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "https://mcr.example.com/sso/callback"
-service_name = "mcr"
-
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "https://other.example.com/sso/callback"
-service_name = "mcr2"
-`,
-			wantErr: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			path := writeTempConfig(t, validConfig()+tc.extra)
-			_, err := Load(path)
-			if tc.wantErr && err == nil {
-				t.Error("expected validation error, got nil")
-			}
-			if !tc.wantErr && err != nil {
-				t.Errorf("unexpected error: %v", err)
-			}
-		})
-	}
-}
-
-func TestSSOClientLookup(t *testing.T) {
-	path := writeTempConfig(t, validConfig()+`
-[[sso.clients]]
-client_id    = "mcr"
-redirect_uri = "https://mcr.example.com/sso/callback"
-service_name = "mcr"
-tags         = ["env:restricted"]
-`)
-	cfg, err := Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-
-	cl := cfg.SSOClient("mcr")
-	if cl == nil {
-		t.Fatal("SSOClient(mcr) returned nil")
-	}
-	if cl.RedirectURI != "https://mcr.example.com/sso/callback" {
-		t.Errorf("RedirectURI = %q", cl.RedirectURI)
-	}
-	if cl.ServiceName != "mcr" {
-		t.Errorf("ServiceName = %q", cl.ServiceName)
-	}
-	if len(cl.Tags) != 1 || cl.Tags[0] != "env:restricted" {
-		t.Errorf("Tags = %v", cl.Tags)
-	}
-
-	if cfg.SSOClient("nonexistent") != nil {
-		t.Error("SSOClient(nonexistent) should return nil")
-	}
-
-	if !cfg.SSOEnabled() {
-		t.Error("SSOEnabled() should return true")
-	}
-}
-
-func TestSSODisabledByDefault(t *testing.T) {
-	path := writeTempConfig(t, validConfig())
-	cfg, err := Load(path)
-	if err != nil {
-		t.Fatalf("Load: %v", err)
-	}
-	if cfg.SSOEnabled() {
-		t.Error("SSOEnabled() should return false with no clients")
-	}
-}
-
 func TestDurationParsing(t *testing.T) {
 	var d duration
 	if err := d.UnmarshalText([]byte("1h30m")); err != nil {