fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy-k3s/scripts/03-deploy.sh

@@ -128,6 +128,56 @@ else
   warn "Skipping build. Using images for tag: ${DEPLOY_TAG}"
 fi
 
+# --- Resolve immutable image digests (audit F5) ---
+# A short-SHA tag is mutable — anyone who can push to the registry can
+# overwrite it, and imagePullPolicy then pulls the new bits silently. We
+# deploy by @sha256: digest instead, pinning the exact image that was just
+# built and pushed. `docker push` populates RepoDigests; with --skip-build
+# (no local image) resolve_ref falls back to the tag.
+resolve_ref() {
+  local img="$1" digest
+  digest="$(docker inspect --format='{{range .RepoDigests}}{{println .}}{{end}}' "${img}" 2>/dev/null | grep -m1 '@sha256:' || true)"
+  if [[ -n "${digest}" ]]; then
+    printf '%s' "${digest}"
+  else
+    warn "could not resolve a digest for ${img} — deploying by mutable tag"
+    printf '%s' "${img}"
+  fi
+}
+API_REF="$(resolve_ref "${API_IMAGE}")"
+WORKER_REF="$(resolve_ref "${WORKER_IMAGE}")"
+ADMIN_REF="$(resolve_ref "${ADMIN_IMAGE}")"
+WEB_REF="$(resolve_ref "${WEB_IMAGE}")"
+log "Deploying by digest:"
+log "  API:    ${API_REF}"
+log "  Worker: ${WORKER_REF}"
+log "  Admin:  ${ADMIN_REF}"
+
+# --- Image scan + signing (audit CODE-L5) ---
+# Both steps are best-effort: the deploy does NOT fail if the tools are
+# absent, so an operator who has not set up cosign/trivy yet is not blocked.
+# Install trivy + cosign and export COSIGN_KEY to enforce. Cluster-side
+# admission verification (Kyverno/Connaisseur) is a separate operator step.
+if [[ "${SKIP_BUILD}" == "false" ]]; then
+  if command -v trivy >/dev/null 2>&1; then
+    log "Scanning images with Trivy (HIGH,CRITICAL)..."
+    for img in "${API_IMAGE}" "${WORKER_IMAGE}" "${ADMIN_IMAGE}"; do
+      trivy image --severity HIGH,CRITICAL --exit-code 0 --quiet "${img}" \
+        || warn "Trivy reported findings for ${img}"
+    done
+  else
+    warn "trivy not installed — skipping image vulnerability scan (audit L5)"
+  fi
+  if command -v cosign >/dev/null 2>&1 && [[ -n "${COSIGN_KEY:-}" ]]; then
+    log "Signing images with cosign..."
+    for ref in "${API_REF}" "${WORKER_REF}" "${ADMIN_REF}"; do
+      cosign sign --yes --key "${COSIGN_KEY}" "${ref}" || warn "cosign sign failed for ${ref}"
+    done
+  else
+    warn "cosign not configured (need cosign + COSIGN_KEY) — skipping image signing (audit L5)"
+  fi
+fi
+
 # --- Generate and apply ConfigMap from config.yaml ---
 
 log "Generating env from config.yaml..."
@@ -166,7 +216,7 @@ kubectl apply -f "${MANIFESTS}/ingress/"
 # pod sees a stale schema.
 log "Running database migrations (goose Job)..."
 kubectl delete job honeydue-migrate -n "${NAMESPACE}" --ignore-not-found --wait=true >/dev/null
-sed "s|image: IMAGE_PLACEHOLDER|image: ${API_IMAGE}|" "${MANIFESTS}/migrate/job.yaml" | kubectl apply -f -
+sed "s|image: IMAGE_PLACEHOLDER|image: ${API_REF}|" "${MANIFESTS}/migrate/job.yaml" | kubectl apply -f -
 if ! kubectl wait --namespace="${NAMESPACE}" --for=condition=complete --timeout=10m job/honeydue-migrate; then
   warn "migration Job failed — see logs:"
   kubectl logs -n "${NAMESPACE}" job/honeydue-migrate --tail=200 || true
@@ -175,17 +225,17 @@ fi
 log "Migrations applied; proceeding with api/worker rollout"
 
 # Apply deployments with image substitution
-sed "s|image: IMAGE_PLACEHOLDER|image: ${API_IMAGE}|" "${MANIFESTS}/api/deployment.yaml" | kubectl apply -f -
+sed "s|image: IMAGE_PLACEHOLDER|image: ${API_REF}|" "${MANIFESTS}/api/deployment.yaml" | kubectl apply -f -
 kubectl apply -f "${MANIFESTS}/api/service.yaml"
 kubectl apply -f "${MANIFESTS}/api/hpa.yaml"
 
-sed "s|image: IMAGE_PLACEHOLDER|image: ${WORKER_IMAGE}|" "${MANIFESTS}/worker/deployment.yaml" | kubectl apply -f -
+sed "s|image: IMAGE_PLACEHOLDER|image: ${WORKER_REF}|" "${MANIFESTS}/worker/deployment.yaml" | kubectl apply -f -
 
-sed "s|image: IMAGE_PLACEHOLDER|image: ${ADMIN_IMAGE}|" "${MANIFESTS}/admin/deployment.yaml" | kubectl apply -f -
+sed "s|image: IMAGE_PLACEHOLDER|image: ${ADMIN_REF}|" "${MANIFESTS}/admin/deployment.yaml" | kubectl apply -f -
 kubectl apply -f "${MANIFESTS}/admin/service.yaml"
 
 if [[ -d "${MANIFESTS}/web" ]]; then
-  sed "s|image: IMAGE_PLACEHOLDER|image: ${WEB_IMAGE}|" "${MANIFESTS}/web/deployment.yaml" | kubectl apply -f -
+  sed "s|image: IMAGE_PLACEHOLDER|image: ${WEB_REF}|" "${MANIFESTS}/web/deployment.yaml" | kubectl apply -f -
   kubectl apply -f "${MANIFESTS}/web/service.yaml"
 fi