fix(security): remediate 2026-05-12 audit findings (Stages 2–5)

Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

migrations/000005_audit_log_append_only.sql

@@ -0,0 +1,52 @@
+-- +goose Up
+-- Audit M7: make audit_log append-only. A BEFORE trigger rejects UPDATE and
+-- DELETE so the security-event history cannot be altered or erased after the
+-- fact — even by a database account with broad table privileges. The
+-- application only ever INSERTs into this table.
+
+-- The audit_log table itself was never created by a goose migration — it is
+-- only built by GORM AutoMigrate in the test harness, and production never
+-- runs AutoMigrate. CREATE TABLE IF NOT EXISTS brings it under migration
+-- control without disturbing an existing table: a no-op on a DB that already
+-- has it, and a correct build (matching models.AuditLog) on a from-scratch
+-- redeploy — so the trigger below has a table to attach to and a clean
+-- redeploy comes up with a working, append-only audit log.
+CREATE TABLE IF NOT EXISTS audit_log (
+    id         BIGSERIAL    PRIMARY KEY,
+    user_id    BIGINT,
+    event_type VARCHAR(50)  NOT NULL,
+    ip_address VARCHAR(45),
+    user_agent TEXT,
+    details    JSONB,
+    created_at TIMESTAMPTZ  NOT NULL DEFAULT now()
+);
+CREATE INDEX IF NOT EXISTS idx_audit_log_user_id    ON audit_log (user_id);
+CREATE INDEX IF NOT EXISTS idx_audit_log_created_at ON audit_log (created_at);
+
+-- +goose StatementBegin
+CREATE OR REPLACE FUNCTION audit_log_append_only() RETURNS trigger AS $$
+BEGIN
+    RAISE EXCEPTION 'audit_log is append-only: % is not permitted', TG_OP;
+END;
+$$ LANGUAGE plpgsql;
+-- +goose StatementEnd
+
+-- DROP ... IF EXISTS before CREATE keeps this idempotent (CREATE TRIGGER has
+-- no OR REPLACE on older PostgreSQL).
+DROP TRIGGER IF EXISTS audit_log_no_update ON audit_log;
+CREATE TRIGGER audit_log_no_update
+    BEFORE UPDATE ON audit_log
+    FOR EACH ROW EXECUTE FUNCTION audit_log_append_only();
+
+DROP TRIGGER IF EXISTS audit_log_no_delete ON audit_log;
+CREATE TRIGGER audit_log_no_delete
+    BEFORE DELETE ON audit_log
+    FOR EACH ROW EXECUTE FUNCTION audit_log_append_only();
+
+-- +goose Down
+-- Reverses only the append-only guard, which is this migration's purpose.
+-- The audit_log table is intentionally NOT dropped — it may hold security
+-- history that predates this migration.
+DROP TRIGGER IF EXISTS audit_log_no_delete ON audit_log;
+DROP TRIGGER IF EXISTS audit_log_no_update ON audit_log;
+DROP FUNCTION IF EXISTS audit_log_append_only();