Add MEK rotation, per-engine DEKs, and v2 ciphertext format (audit #6, #22)

Implement a two-level key hierarchy: the MEK now wraps per-engine DEKs
stored in a new barrier_keys table, rather than encrypting all barrier
entries directly. A v2 ciphertext format (0x02) embeds the key ID so the
barrier can resolve which DEK to use on decryption. v1 ciphertext remains
supported for backward compatibility.

Key changes:
- crypto: EncryptV2/DecryptV2/ExtractKeyID for v2 ciphertext with key IDs
- barrier: key registry (CreateKey, RotateKey, ListKeys, MigrateToV2, ReWrapKeys)
- seal: RotateMEK re-wraps DEKs without re-encrypting data
- engine: Mount auto-creates per-engine DEK
- REST + gRPC: barrier/keys, barrier/rotate-mek, barrier/rotate-key, barrier/migrate
- proto: BarrierService (v1 + v2) with ListKeys, RotateMEK, RotateKey, Migrate
- db: migration v2 adds barrier_keys table

Also includes: security audit report, CSRF protection, engine design specs
(sshca, transit, user), path-bound AAD migration tool, policy engine
enhancements, and ARCHITECTURE.md updates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/seal/seal_test.go

@@ -120,6 +120,94 @@ func TestSealCheckInitializedPersists(t *testing.T) {
 	}
 }
 
+func TestSealRotateMEK(t *testing.T) {
+	mgr, cleanup := setupSeal(t)
+	defer cleanup()
+	ctx := context.Background()
+	_ = mgr.CheckInitialized()
+
+	password := []byte("test-password")
+	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
+	_ = mgr.Initialize(ctx, password, params)
+
+	// Create a DEK and write data through the barrier.
+	b := mgr.Barrier()
+	_ = b.CreateKey(ctx, "system")
+	_ = b.CreateKey(ctx, "engine/ca/prod")
+	_ = b.Put(ctx, "policy/rule1", []byte("policy-data"))
+	_ = b.Put(ctx, "engine/ca/prod/cert", []byte("cert-data"))
+
+	// Rotate MEK.
+	if err := mgr.RotateMEK(ctx, password); err != nil {
+		t.Fatalf("RotateMEK: %v", err)
+	}
+
+	// Data should still be readable.
+	got, err := b.Get(ctx, "policy/rule1")
+	if err != nil {
+		t.Fatalf("Get after MEK rotation: %v", err)
+	}
+	if string(got) != "policy-data" {
+		t.Fatalf("data: got %q", got)
+	}
+
+	got2, err := b.Get(ctx, "engine/ca/prod/cert")
+	if err != nil {
+		t.Fatalf("Get engine data after MEK rotation: %v", err)
+	}
+	if string(got2) != "cert-data" {
+		t.Fatalf("data: got %q", got2)
+	}
+
+	// Seal and unseal with the same password should work
+	// (the new MEK is now encrypted with the KWK).
+	if err := mgr.Seal(); err != nil {
+		t.Fatalf("Seal: %v", err)
+	}
+	if err := mgr.Unseal(password); err != nil {
+		t.Fatalf("Unseal after MEK rotation: %v", err)
+	}
+
+	got3, err := b.Get(ctx, "engine/ca/prod/cert")
+	if err != nil {
+		t.Fatalf("Get after seal/unseal: %v", err)
+	}
+	if string(got3) != "cert-data" {
+		t.Fatalf("data after seal/unseal: got %q", got3)
+	}
+}
+
+func TestSealRotateMEKWrongPassword(t *testing.T) {
+	mgr, cleanup := setupSeal(t)
+	defer cleanup()
+	ctx := context.Background()
+	_ = mgr.CheckInitialized()
+
+	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
+	_ = mgr.Initialize(ctx, []byte("correct"), params)
+
+	err := mgr.RotateMEK(ctx, []byte("wrong"))
+	if !errors.Is(err, ErrInvalidPassword) {
+		t.Fatalf("expected ErrInvalidPassword, got: %v", err)
+	}
+}
+
+func TestSealRotateMEKWhenSealed(t *testing.T) {
+	mgr, cleanup := setupSeal(t)
+	defer cleanup()
+	ctx := context.Background()
+	_ = mgr.CheckInitialized()
+
+	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
+	_ = mgr.Initialize(ctx, []byte("password"), params)
+	_ = mgr.Seal()
+
+	err := mgr.RotateMEK(ctx, []byte("password"))
+	if !errors.Is(err, ErrSealed) {
+		t.Fatalf("expected ErrSealed, got: %v", err)
+	}
+}
+
 func TestSealStateString(t *testing.T) {
 	tests := []struct {
 		want  string