fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/config/config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"crypto/rand"
 	"encoding/hex"
 	"fmt"
 	"net/url"
@@ -216,6 +217,11 @@ func Load() (*Config, error) {
 	// Set defaults
 	setDefaults()
 
+	// Audit F8: overlay file-mounted secrets onto Viper. No-op when the
+	// directory is absent (local/dev), so this is safe to ship before the
+	// manifests mount honeydue-secrets as a volume.
+	loadFileSecrets()
+
 	// Parse DATABASE_URL if set (Dokku-style)
 	dbConfig := DatabaseConfig{
 		Host:         viper.GetString("DB_HOST"),
@@ -432,14 +438,67 @@ func isWeakSecretKey(key string) bool {
 	return knownWeakSecretKeys[strings.ToLower(strings.TrimSpace(key))]
 }
 
+// loadFileSecrets overlays file-mounted secrets onto Viper (audit F8). When
+// the honeydue-secrets Secret is mounted as a volume at /etc/honeydue/secrets
+// each key is a file; reading the value here and viper.Set-ing it (highest
+// Viper precedence) keeps the secret out of the process environment
+// (/proc/<pid>/environ), which plain env-var injection cannot. When the
+// directory is absent it is a silent no-op and env vars are used as before.
+func loadFileSecrets() {
+	dir := os.Getenv("HONEYDUE_SECRETS_DIR")
+	if dir == "" {
+		dir = "/etc/honeydue/secrets"
+	}
+	for _, k := range []string{
+		"POSTGRES_PASSWORD", "SECRET_KEY", "EMAIL_HOST_PASSWORD", "FCM_SERVER_KEY",
+		"REDIS_PASSWORD", "B2_KEY_ID", "B2_APP_KEY", "OBS_INGEST_TOKEN", "OBS_TRACES_URL",
+	} {
+		b, err := os.ReadFile(dir + "/" + k)
+		if err != nil {
+			continue
+		}
+		if v := strings.TrimSpace(string(b)); v != "" {
+			viper.Set(k, v)
+		}
+	}
+}
+
+// SecretValue resolves a configuration value that is not part of the typed
+// Config struct. It reads through Viper, so a value supplied via a file-mounted
+// secret (audit F8, loaded by loadFileSecrets) is found just like an env var.
+//
+// Must be called after Load(). Used by cmd/api and cmd/worker for the
+// observability endpoints, which are needed before the full Config is wired
+// and would otherwise be read with os.Getenv — which misses file-mounted
+// secrets entirely once F8 removes them from the process environment.
+func SecretValue(key string) string {
+	return viper.GetString(key)
+}
+
+// randomHexKey returns a cryptographically secure random hex string
+// representing n random bytes (2n hex characters).
+func randomHexKey(n int) (string, error) {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(b), nil
+}
+
 func validate(cfg *Config) error {
-	// S-08: Validate SECRET_KEY against known weak defaults
+	// M8: SECRET_KEY validation — no static fallback secret in the binary.
 	if cfg.Security.SecretKey == "" {
 		if cfg.Server.Debug {
-			// In debug mode, use a default key with a warning for local development
-			cfg.Security.SecretKey = "change-me-in-production-secret-key-12345"
-			fmt.Println("WARNING: SECRET_KEY not set, using default (debug mode only)")
-			fmt.Println("WARNING: *** DO NOT USE THIS DEFAULT KEY IN PRODUCTION ***")
+			// Debug only: generate a random key per boot. Tokens signed with
+			// it do not survive a restart, which is acceptable for local dev
+			// and far safer than a well-known hardcoded fallback.
+			randomKey, err := randomHexKey(32)
+			if err != nil {
+				return fmt.Errorf("failed to generate ephemeral debug SECRET_KEY: %w", err)
+			}
+			cfg.Security.SecretKey = randomKey
+			fmt.Println("WARNING: SECRET_KEY not set, generated an ephemeral random key (debug mode only)")
+			fmt.Println("WARNING: tokens will not survive a restart — set SECRET_KEY for stable local sessions")
 		} else {
 			// In production, refuse to start without a proper secret key
 			return fmt.Errorf("FATAL: SECRET_KEY environment variable is required in production (DEBUG=false)")
@@ -452,6 +511,12 @@ func validate(cfg *Config) error {
 		}
 	}
 
+	// C4: fixed confirmation codes ("123456") must never be enabled outside
+	// debug — with DEBUG=false they are a full authentication bypass.
+	if cfg.Server.DebugFixedCodes && !cfg.Server.Debug {
+		return fmt.Errorf("FATAL: DEBUG_FIXED_CODES is enabled with DEBUG=false — fixed confirmation codes must never run in production")
+	}
+
 	// Database password might come from DATABASE_URL, don't require it separately
 	// The actual connection will fail if credentials are wrong
 

internal/config/config_test.go

@@ -106,8 +106,10 @@ func TestLoad_Validation_MissingSecretKey_DebugMode(t *testing.T) {
 
 	c, err := Load()
 	require.NoError(t, err)
-	// In debug mode, a default key is assigned
-	assert.Equal(t, "change-me-in-production-secret-key-12345", c.Security.SecretKey)
+	// Audit M8: in debug mode an ephemeral random key is generated per boot
+	// (no static fallback). It must be a non-empty 64-char hex string.
+	assert.Len(t, c.Security.SecretKey, 64)
+	assert.NotEqual(t, "change-me-in-production-secret-key-12345", c.Security.SecretKey)
 }
 
 func TestLoad_Validation_WeakSecretKey_Production(t *testing.T) {
@@ -133,6 +135,33 @@ func TestLoad_Validation_WeakSecretKey_DebugMode(t *testing.T) {
 	assert.Equal(t, "secret", c.Security.SecretKey)
 }
 
+// Audit C4: DEBUG_FIXED_CODES makes confirmation codes a fixed "123456" — a
+// full authentication bypass. With DEBUG=false, validate() must refuse to boot
+// rather than ship that bypass to production.
+func TestLoad_Validation_DebugFixedCodes_Production(t *testing.T) {
+	// validate() directly — avoids the sync.Once issue Load() has on failure.
+	cfg := &Config{
+		Server:   ServerConfig{Debug: false, DebugFixedCodes: true},
+		Security: SecurityConfig{SecretKey: "a-strong-secret-key-for-tests"},
+	}
+
+	err := validate(cfg)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "DEBUG_FIXED_CODES")
+}
+
+// With DEBUG=true the fixed codes are an intended local-dev convenience, so
+// the same combination must NOT error.
+func TestLoad_Validation_DebugFixedCodes_DebugMode(t *testing.T) {
+	cfg := &Config{
+		Server:   ServerConfig{Debug: true, DebugFixedCodes: true},
+		Security: SecurityConfig{SecretKey: "a-strong-secret-key-for-tests"},
+	}
+
+	err := validate(cfg)
+	require.NoError(t, err)
+}
+
 func TestLoad_Validation_EncryptionKey_Valid(t *testing.T) {
 	resetConfigState()
 	t.Setenv("SECRET_KEY", "a-strong-secret-key-for-tests")