Fix ECDH zeroization, add audit logging, and remediate high findings

- Fix #61: handleRotateKey and handleDeleteUser now zeroize stored
  privBytes instead of calling Bytes() (which returns a copy). New
  state populates privBytes; old references nil'd for GC.
- Add audit logging subsystem (internal/audit) with structured event
  recording for cryptographic operations.
- Add audit log engine spec (engines/auditlog.md).
- Add ValidateName checks across all engines for path traversal (#48).
- Update AUDIT.md: all High findings resolved (0 open).
- Add REMEDIATION.md with detailed remediation tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 14:04:39 -07:00
parent b33d1f99a0
commit 5c5d7e184e
24 changed files with 1699 additions and 72 deletions


@@ -14,6 +14,7 @@ import (
"google.golang.org/grpc"
internacme "git.wntrmute.dev/kyle/metacrypt/internal/acme"
"git.wntrmute.dev/kyle/metacrypt/internal/audit"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/config"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
@@ -28,6 +29,7 @@ type Server struct {
auth *auth.Authenticator
policy *policy.Engine
engines *engine.Registry
audit *audit.Logger
httpSrv *http.Server
grpcSrv *grpc.Server
logger *slog.Logger
@@ -38,13 +40,14 @@ type Server struct {
// New creates a new server.
func New(cfg *config.Config, sealMgr *seal.Manager, authenticator *auth.Authenticator,
policyEngine *policy.Engine, engineRegistry *engine.Registry, logger *slog.Logger, version string) *Server {
policyEngine *policy.Engine, engineRegistry *engine.Registry, auditLog *audit.Logger, logger *slog.Logger, version string) *Server {
s := &Server{
cfg: cfg,
seal: sealMgr,
auth: authenticator,
policy: policyEngine,
engines: engineRegistry,
audit: auditLog,
logger: logger,
version: version,
}