fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy-k3s/manifests/worker/deployment.yaml

@@ -27,8 +27,11 @@ spec:
         app.kubernetes.io/part-of: honeydue
     spec:
       serviceAccountName: worker
+      # Explicit pod-level opt-out (audit F11) — defense-in-depth on top of
+      # the ServiceAccount-level setting in rbac.yaml.
+      automountServiceAccountToken: false
       imagePullSecrets:
-        - name: ghcr-credentials
+        - name: gitea-credentials
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
@@ -39,6 +42,7 @@ spec:
       containers:
         - name: worker
           image: IMAGE_PLACEHOLDER  # Replaced by 03-deploy.sh
+          imagePullPolicy: IfNotPresent  # audit CODE-L4 — explicit; images are SHA/digest-pinned
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
@@ -47,64 +51,16 @@ spec:
           envFrom:
             - configMapRef:
                 name: honeydue-config
-          env:
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: POSTGRES_PASSWORD
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: SECRET_KEY
-            - name: EMAIL_HOST_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: EMAIL_HOST_PASSWORD
-            - name: FCM_SERVER_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: FCM_SERVER_KEY
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: REDIS_PASSWORD
-                  optional: true
-            # B2 (Backblaze) credentials. The worker needs these to delete
-            # B2 objects when the pending_uploads cleanup cron reaps
-            # expired upload sessions. Without them the worker falls back
-            # to local-disk storage which fails on this pod's read-only
-            # root filesystem and disables the cleanup cron.
-            - name: B2_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: B2_KEY_ID
-            - name: B2_APP_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: B2_APP_KEY
-            # Observability — workers emit traces (e.g., asynq job spans) to
-            # obs.88oakapps.com over OTLP/HTTP. service.name=honeydue-worker
-            # so api and worker show up as separate services in Jaeger.
-            - name: OBS_TRACES_URL
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: OBS_TRACES_URL
-                  optional: true
-            - name: OBS_INGEST_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: honeydue-secrets
-                  key: OBS_INGEST_TOKEN
-                  optional: true
+          # Audit CODE-F8: secrets are NOT injected as environment variables.
+          # Env vars are readable for the life of the pod via /proc/<pid>/environ
+          # and leak into crash dumps / child processes. honeydue-secrets is
+          # mounted read-only at /etc/honeydue/secrets (mode 0400) and the Go
+          # config layer (config.loadFileSecrets) reads each key from its file.
+          # Non-secret config still arrives via the configMapRef above.
           volumeMounts:
+            - name: app-secrets
+              mountPath: /etc/honeydue/secrets
+              readOnly: true
             - name: apns-key
               mountPath: /secrets/apns
               readOnly: true
@@ -124,6 +80,12 @@ spec:
             periodSeconds: 30
             timeoutSeconds: 5
       volumes:
+        # Audit CODE-F8: the whole honeydue-secrets Secret, projected as files.
+        # defaultMode 0400 → readable only by the container's runAsUser (1000).
+        - name: app-secrets
+          secret:
+            secretName: honeydue-secrets
+            defaultMode: 0400
         - name: apns-key
           secret:
             secretName: honeydue-apns-key