Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)

Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs
stored in a new barrier_keys table, rather than encrypting all barrier
entries directly. A v2 ciphertext format (0x02) embeds the key ID so the
barrier can resolve which DEK to use on decryption. v1 ciphertext remains
supported for backward compatibility.

Key changes:
- crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs
- barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys)
- seal: RotateMEK re-wraps DEKs without re-encrypting data
- engine: Mount auto-creates per-engine DEK
- REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate
- proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate
- db: migration v2 adds barrier_keys table

Also includes: security audit report, CSRF protection, engine design specs
(sshca, transit, user), path-bound AAD migration tool, policy engine
enhancements, and ARCHITECTURE.md updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/policy/policy_test.go

@@ -141,6 +141,96 @@ func TestPolicyPriorityOrder(t *testing.T) {
 	}
 }
 
+func TestActionAnyMatchesNonAdmin(t *testing.T) {
+	e, cleanup := setupPolicy(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	_ = e.CreateRule(ctx, &Rule{
+		ID:        "any-rule",
+		Priority:  100,
+		Effect:    EffectAllow,
+		Roles:     []string{"user"},
+		Resources: []string{"transit/*"},
+		Actions:   []string{ActionAny},
+	})
+
+	// "any" should match encrypt, decrypt, sign, verify, hmac, read, write.
+	for _, action := range []string{ActionEncrypt, ActionDecrypt, ActionSign, ActionVerify, ActionHMAC, ActionRead, ActionWrite} {
+		effect, _ := e.Evaluate(ctx, &Request{
+			Username: "alice",
+			Roles:    []string{"user"},
+			Resource: "transit/default",
+			Action:   action,
+		})
+		if effect != EffectAllow {
+			t.Errorf("action %q should be allowed by 'any', got: %s", action, effect)
+		}
+	}
+
+	// "any" must NOT match "admin".
+	effect, _ := e.Evaluate(ctx, &Request{
+		Username: "alice",
+		Roles:    []string{"user"},
+		Resource: "transit/default",
+		Action:   ActionAdmin,
+	})
+	if effect != EffectDeny {
+		t.Fatalf("action 'admin' should not be matched by 'any', got: %s", effect)
+	}
+}
+
+func TestLintRule(t *testing.T) {
+	// Valid rule.
+	problems := LintRule(&Rule{
+		ID:      "ok",
+		Effect:  EffectAllow,
+		Actions: []string{ActionAny, ActionEncrypt},
+	})
+	if len(problems) > 0 {
+		t.Errorf("expected no problems, got: %v", problems)
+	}
+
+	// Missing ID.
+	problems = LintRule(&Rule{Effect: EffectAllow})
+	if len(problems) != 1 {
+		t.Errorf("expected 1 problem for missing ID, got: %v", problems)
+	}
+
+	// Invalid effect.
+	problems = LintRule(&Rule{ID: "bad-effect", Effect: "maybe"})
+	if len(problems) != 1 {
+		t.Errorf("expected 1 problem for bad effect, got: %v", problems)
+	}
+
+	// Invalid action.
+	problems = LintRule(&Rule{ID: "bad-action", Effect: EffectAllow, Actions: []string{"destroy"}})
+	if len(problems) != 1 {
+		t.Errorf("expected 1 problem for bad action, got: %v", problems)
+	}
+
+	// Multiple problems.
+	problems = LintRule(&Rule{Effect: "bogus", Actions: []string{"nope"}})
+	if len(problems) != 3 { // missing ID + bad effect + bad action
+		t.Errorf("expected 3 problems, got: %v", problems)
+	}
+}
+
+func TestCreateRuleRejectsInvalid(t *testing.T) {
+	e, cleanup := setupPolicy(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	err := e.CreateRule(ctx, &Rule{
+		ID:      "bad",
+		Effect:  EffectAllow,
+		Actions: []string{"obliterate"},
+	})
+	if err == nil {
+		t.Fatal("expected error for invalid action, got nil")
+	}
+}
+
 func TestPolicyUsernameMatch(t *testing.T) {
 	e, cleanup := setupPolicy(t)
 	defer cleanup()