Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

Web UI: Added browser-based management for all three remaining engines
(SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files,
7 HTML templates, dashboard mount forms, and conditional navigation links.
Fixed REST API routes to match design specs (SSH CA cert singular paths,
Transit PATCH for update-key-config).

Security audit: Conducted full-system audit covering crypto core, all
engine implementations, API servers, policy engine, auth, deployment,
and documentation. Identified 42 new findings (#39-#80) across all
severity levels.

Remediation of all 8 High findings:
- #68: Replaced 14 JSON-injection-vulnerable error responses with safe
  json.Encoder via writeJSONError helper
- #48: Added two-layer path traversal defense (barrier validatePath
  rejects ".." segments; engine ValidateName enforces safe name pattern)
- #39: Extended RLock through entire crypto operations in barrier
  Get/Put/Delete/List to eliminate TOCTOU race with Seal
- #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite
  transaction to prevent irrecoverable data loss on crash during MEK
  rotation
- #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling
  on handleIssue and handleSignCSR
- #61: Store raw ECDH private key bytes in userState for effective
  zeroization on Seal
- #62: Fixed user engine policy resource path from mountPath to
  mountName() so policy rules match correctly
- #69: Added newPolicyChecker helper and passed service-level policy
  evaluation to all 25 typed REST handler engine.Request structs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/webserver/user.go

@@ -0,0 +1,277 @@
+package webserver
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func (ws *WebServer) handleUser(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Redirect(w, r, "/dashboard", http.StatusFound)
+		return
+	}
+
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+
+	// Try to fetch the caller's own key.
+	if keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, info.Username); err == nil {
+		data["OwnKey"] = keyInfo
+	}
+
+	if users, err := ws.vault.ListUsers(r.Context(), token, mountName); err == nil {
+		data["Users"] = users
+	}
+
+	ws.renderTemplate(w, "user.html", data)
+}
+
+func (ws *WebServer) handleUserRegister(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	if _, err := ws.vault.UserRegister(r.Context(), token, mountName); err != nil {
+		ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	http.Redirect(w, r, "/user", http.StatusFound)
+}
+
+func (ws *WebServer) handleUserProvision(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	username := strings.TrimSpace(r.FormValue("username"))
+	if username == "" {
+		ws.renderUserWithError(w, r, mountName, info, "Username is required")
+		return
+	}
+
+	if _, err := ws.vault.UserProvision(r.Context(), token, mountName, username); err != nil {
+		ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	http.Redirect(w, r, "/user", http.StatusFound)
+}
+
+func (ws *WebServer) handleUserKeyDetail(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	username := chi.URLParam(r, "username")
+	keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, username)
+	if err != nil {
+		st, _ := status.FromError(err)
+		if st.Code() == codes.NotFound {
+			http.Error(w, "user not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data["KeyInfo"] = keyInfo
+	ws.renderTemplate(w, "user_key_detail.html", data)
+}
+
+func (ws *WebServer) handleUserEncrypt(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	var recipients []string
+	for _, line := range strings.Split(r.FormValue("recipients"), "\n") {
+		if v := strings.TrimSpace(line); v != "" {
+			recipients = append(recipients, v)
+		}
+	}
+	plaintext := r.FormValue("plaintext")
+	metadata := r.FormValue("metadata")
+
+	if len(recipients) == 0 || plaintext == "" {
+		ws.renderUserWithError(w, r, mountName, info, "Recipients and plaintext are required")
+		return
+	}
+
+	envelope, err := ws.vault.UserEncrypt(r.Context(), token, mountName, plaintext, metadata, recipients)
+	if err != nil {
+		ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	ws.renderUserWithResult(w, r, mountName, info, "EncryptResult", envelope)
+}
+
+func (ws *WebServer) handleUserDecrypt(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	envelope := r.FormValue("envelope")
+	if envelope == "" {
+		ws.renderUserWithError(w, r, mountName, info, "Envelope is required")
+		return
+	}
+
+	result, err := ws.vault.UserDecrypt(r.Context(), token, mountName, envelope)
+	if err != nil {
+		ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	ws.renderUserWithResult(w, r, mountName, info, "DecryptResult", result)
+}
+
+func (ws *WebServer) handleUserReEncrypt(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	envelope := r.FormValue("envelope")
+	if envelope == "" {
+		ws.renderUserWithError(w, r, mountName, info, "Envelope is required")
+		return
+	}
+
+	newEnvelope, err := ws.vault.UserReEncrypt(r.Context(), token, mountName, envelope)
+	if err != nil {
+		ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	ws.renderUserWithResult(w, r, mountName, info, "ReEncryptResult", newEnvelope)
+}
+
+func (ws *WebServer) handleUserRotateKey(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	if _, err := ws.vault.UserRotateKey(r.Context(), token, mountName); err != nil {
+		ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	http.Redirect(w, r, "/user", http.StatusSeeOther)
+}
+
+func (ws *WebServer) handleUserDeleteUser(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findUserMount(r, token)
+	if err != nil {
+		http.Error(w, "no user engine mounted", http.StatusNotFound)
+		return
+	}
+
+	username := chi.URLParam(r, "username")
+	if err := ws.vault.UserDeleteUser(r.Context(), token, mountName, username); err != nil {
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	http.Redirect(w, r, "/user", http.StatusSeeOther)
+}
+
+func (ws *WebServer) renderUserWithError(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, errMsg string) {
+	token := extractCookie(r)
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data["Error"] = errMsg
+
+	if keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, info.Username); err == nil {
+		data["OwnKey"] = keyInfo
+	}
+	if users, err := ws.vault.ListUsers(r.Context(), token, mountName); err == nil {
+		data["Users"] = users
+	}
+
+	ws.renderTemplate(w, "user.html", data)
+}
+
+func (ws *WebServer) renderUserWithResult(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, resultKey string, result interface{}) {
+	token := extractCookie(r)
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data[resultKey] = result
+
+	if keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, info.Username); err == nil {
+		data["OwnKey"] = keyInfo
+	}
+	if users, err := ws.vault.ListUsers(r.Context(), token, mountName); err == nil {
+		data["Users"] = users
+	}
+
+	ws.renderTemplate(w, "user.html", data)
+}