Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)

Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs
stored in a new barrier_keys table, rather than encrypting all barrier
entries directly. A v2 ciphertext format (0x02) embeds the key ID so the
barrier can resolve which DEK to use on decryption. v1 ciphertext remains
supported for backward compatibility.

Key changes:
- crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs
- barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys)
- seal: RotateMEK re-wraps DEKs without re-encrypting data
- engine: Mount auto-creates per-engine DEK
- REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate
- proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate
- db: migration v2 adds barrier_keys table

Also includes: security audit report, CSRF protection, engine design specs
(sshca, transit, user), path-bound AAD migration tool, policy engine
enhancements, and ARCHITECTURE.md updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/grpcserver/barrier.go

@@ -0,0 +1,85 @@
+package grpcserver
+
+import (
+	"context"
+	"errors"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
+	"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
+	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
+)
+
+type barrierServer struct {
+	pb.UnimplementedBarrierServiceServer
+	s *GRPCServer
+}
+
+func (bs *barrierServer) ListKeys(ctx context.Context, _ *pb.ListKeysRequest) (*pb.ListKeysResponse, error) {
+	keys, err := bs.s.sealMgr.Barrier().ListKeys(ctx)
+	if err != nil {
+		bs.s.logger.Error("grpc: list barrier keys", "error", err)
+		return nil, status.Error(codes.Internal, "failed to list keys")
+	}
+
+	resp := &pb.ListKeysResponse{}
+	for _, k := range keys {
+		resp.Keys = append(resp.Keys, &pb.BarrierKeyInfo{
+			KeyId:     k.KeyID,
+			Version:   int32(k.Version),
+			CreatedAt: k.CreatedAt,
+			RotatedAt: k.RotatedAt,
+		})
+	}
+	return resp, nil
+}
+
+func (bs *barrierServer) RotateMEK(ctx context.Context, req *pb.RotateMEKRequest) (*pb.RotateMEKResponse, error) {
+	if req.Password == "" {
+		return nil, status.Error(codes.InvalidArgument, "password is required")
+	}
+
+	if err := bs.s.sealMgr.RotateMEK(ctx, []byte(req.Password)); err != nil {
+		if errors.Is(err, seal.ErrInvalidPassword) {
+			return nil, status.Error(codes.Unauthenticated, "invalid password")
+		}
+		if errors.Is(err, seal.ErrSealed) {
+			return nil, status.Error(codes.FailedPrecondition, "sealed")
+		}
+		bs.s.logger.Error("grpc: rotate MEK", "error", err)
+		return nil, status.Error(codes.Internal, "rotation failed")
+	}
+
+	bs.s.logger.Info("audit: MEK rotated")
+	return &pb.RotateMEKResponse{Ok: true}, nil
+}
+
+func (bs *barrierServer) RotateKey(ctx context.Context, req *pb.RotateKeyRequest) (*pb.RotateKeyResponse, error) {
+	if req.KeyId == "" {
+		return nil, status.Error(codes.InvalidArgument, "key_id is required")
+	}
+
+	if err := bs.s.sealMgr.Barrier().RotateKey(ctx, req.KeyId); err != nil {
+		if errors.Is(err, barrier.ErrKeyNotFound) {
+			return nil, status.Error(codes.NotFound, "key not found")
+		}
+		bs.s.logger.Error("grpc: rotate key", "key_id", req.KeyId, "error", err)
+		return nil, status.Error(codes.Internal, "rotation failed")
+	}
+
+	bs.s.logger.Info("audit: DEK rotated", "key_id", req.KeyId)
+	return &pb.RotateKeyResponse{Ok: true}, nil
+}
+
+func (bs *barrierServer) Migrate(ctx context.Context, _ *pb.MigrateBarrierRequest) (*pb.MigrateBarrierResponse, error) {
+	migrated, err := bs.s.sealMgr.Barrier().MigrateToV2(ctx)
+	if err != nil {
+		bs.s.logger.Error("grpc: barrier migration", "error", err)
+		return nil, status.Error(codes.Internal, "migration failed")
+	}
+
+	bs.s.logger.Info("audit: barrier migrated to v2", "entries_migrated", migrated)
+	return &pb.MigrateBarrierResponse{Migrated: int32(migrated)}, nil
+}