fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy-k3s/scripts/_config.sh

@@ -100,7 +100,7 @@ lines = [
     # API
     'DEBUG=false',
     f\"ALLOWED_HOSTS={d['api']},{d['base']}\",
-    f\"CORS_ALLOWED_ORIGINS=https://{d['base']},https://{d['admin']}\",
+    f\"CORS_ALLOWED_ORIGINS=https://{d['base']},https://{d['admin']},https://{d.get('app', 'app.' + d['base'])}\",
     'TIMEZONE=UTC',
     f\"BASE_URL=https://{d['base']}\",
     'PORT=8000',
@@ -119,9 +119,14 @@ lines = [
     f\"DB_MAX_IDLE_CONNS={db['max_idle_conns']}\",
     f\"DB_MAX_LIFETIME={db['max_lifetime']}\",
     f\"DB_MAX_IDLE_TIME={db.get('max_idle_time', '0s')}\",
-    # Redis (in-namespace DNS short form — password injected if configured;
-    # short form works because /etc/resolv.conf in pods searches honeydue.svc.cluster.local)
-    f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis:6379/0\",
+    # Redis — in-namespace DNS short form (works because pod /etc/resolv.conf
+    # searches honeydue.svc.cluster.local). Audit HIGH-1: the password is
+    # intentionally NOT embedded here. This URL is emitted into the
+    # honeydue-config ConfigMap, which is NOT encrypted at rest and is
+    # readable by anyone with `get configmap`. The Redis password travels
+    # only in honeydue-secrets as REDIS_PASSWORD (file-mounted, F8); the API
+    # applies it in cache_service.go and the worker onto its Asynq opt.
+    'REDIS_URL=redis://redis:6379/0',
     'REDIS_DB=0',
     # Email
     f\"EMAIL_HOST={em['host']}\",
@@ -218,8 +223,18 @@ config = {
         'image': 'ubuntu-24.04',
     },
     'additional_packages': ['open-iscsi'],
-    'post_create_commands': ['sudo systemctl enable --now iscsid'],
-    'k3s_config_file': 'secrets-encryption: true\n',
+    # Audit K3S-CG2: harden the node OS at provision time — fail2ban for SSH
+    # brute-force, unattended-upgrades for automatic security patches.
+    'post_create_commands': [
+        'sudo systemctl enable --now iscsid',
+        'sudo apt-get update -qq',
+        'sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq fail2ban unattended-upgrades',
+        'sudo systemctl enable --now fail2ban',
+        'sudo dpkg-reconfigure -f noninteractive -plow unattended-upgrades',
+    ],
+    # Audit K3S-CG1 / K3S-F4: encrypt Secrets at rest in etcd, and write the
+    # node kubeconfig as mode 0600 (not world-readable).
+    'k3s_config_file': 'secrets-encryption: true\nwrite-kubeconfig-mode: \"0600\"\n',
 }
 
 print(yaml.dump(config, default_flow_style=False, sort_keys=False))