acme-server: account resource + JWS verifier (Phase 1b/7)

Layers JWS-authenticated POST machinery onto the Phase 1a foundation
(commit e146b00). After this commit, an ACME client can run

  POST /acme/profile/<id>/new-account

against certctl and successfully register an account. Account update
+ deactivation via POST /acme/profile/<id>/account/<acc-id> work.
Orders + challenges remain Phase 2 / 3.

Background:
  Two prior dispatch attempts at the original Phase 1 ("skeleton +
  directory + new-nonce + new-account" as a single commit) failed on
  go-jose v4 API speculation (jws.GetPayload, sig.Algorithm,
  jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1
  into 1a (foundation, no go-jose) and 1b (this commit, all go-jose
  in one place) concentrated the JWS work where attention pays off.
  The verifier reads the actual go-jose v4 surface — ParseSigned with
  closed alg allow-list, Header struct fields (Algorithm, KeyID,
  JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with
  stdlib crypto.SHA256.

What ships:
  - internal/api/acme/jws.go: 487-line verifier + sentinel error
    family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants:
      - alg in {RS256, ES256, EdDSA} (closed allow-list passed to
        jose.ParseSigned — HS256 / none / etc. rejected at parse time)
      - exactly one of `kid` / `jwk` in protected header (per
        endpoint policy — new-account demands jwk, others demand kid)
      - protected `url` matches request URL exactly
      - protected `nonce` consumed against acme_nonces (badNonce on
        miss/replay/expiry per RFC 8555 §6.5.1)
      - kid round-trips against canonical AccountKID(accountID) URL
        (catches cross-profile / cross-host replay)
      - kid path: account exists + status=valid (deactivated /
        revoked accounts cannot authenticate)
      - signature verifies; post-Verify payload bytes equal
        UnsafePayloadWithoutVerification (defense in depth)
    + JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round-
    trip a public-only JWK as a PEM-wrapped JSON envelope; stored
    as TEXT in acme_accounts.jwk_pem for diff-friendliness) +
    JWKThumbprint per RFC 7638.
  - internal/api/acme/jws_test.go: 16 cases covering happy paths
    (RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode
    (alg-not-allowed, bad-sig, missing-nonce, unknown-nonce,
    replay, url-mismatch, mixed kid+jwk, deactivated-account,
    cross-host kid). Uses real keypairs + real go-jose Signer to
    build JWS objects.
  - internal/api/acme/account.go: NewAccountRequest /
    AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 +
    §7.3.6) + AccountResponseJSON wire shape + MarshalAccount
    helper.
  - internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus
    closed enum (valid / deactivated / revoked).
  - internal/repository/postgres/acme.go: full account CRUD path
    (CreateAccountWithTx with 23505-unique-violation sentinel
    translation, GetAccountByID, GetAccountByThumbprint,
    UpdateAccountContactWithTx, UpdateAccountStatusWithTx) +
    sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses.
  - internal/service/acme.go: ACMERepo interface extended;
    SetTransactor + SetAuditService wires; NewAccount (idempotent
    re-registration per RFC 8555 §7.3.1 — same JWK returns existing
    row without an update or new audit event); LookupAccount;
    UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges
    api/acme.VerifierConfig to the service-layer ACMERepo; per-op
    metrics extended (new_account_total + _failures_total +
    _idempotent_total + update_account_total + _failures_total +
    deactivate_account_total).
  - internal/service/acme_test.go: 8 new tests covering
    new-account happy path / idempotent re-registration / only-
    return-existing match + no-match / contact update / deactivate
    / lookup-not-found / requires-transactor.
  - internal/api/handler/acme.go: NewAccount + Account handlers.
    Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or
    {} payload returns the account row), contact update, and
    deactivation from the same endpoint. Defense-in-depth check
    that the kid path-segment matches the URL path-segment (the
    verifier already round-tripped the kid against canonical URL,
    but the handler re-asserts to catch any future verifier
    refactor).
  - internal/api/handler/acme_handler_test.go: 7 new cases
    covering happy-create, idempotent-200, only-return-existing-
    no-match-400, malformed-JWS-400, kid-URL-mismatch-401,
    deactivate, contact-update, POST-as-GET.
  - internal/api/router/router.go: 4 new Register calls (per-
    profile + shorthand for new-account and account/{acc_id}).
  - internal/api/router/openapi_parity_test.go: SpecParityExceptions
    extended with the 4 new routes (RFC 8555 wire-protocol surface,
    not OpenAPI-shaped — same precedent as Phase 1a).
  - cmd/server/main.go: SetTransactor + SetAuditService on
    acmeService at startup so the WithinTx-based new-account /
    update / deactivate paths run with the same transactor instance
    shared across CertificateService / RevocationSvc / RenewalService.
  - docs/acme-server.md: Phase status updated; endpoints table grows
    new-account + account/<acc_id> rows; new "JWS verification
    (Phase 1b)" section enumerates the 7 invariants the verifier
    enforces; phases-cross-reference table marks 1b live.
  - go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added.

Atomicity: every account-state mutation writes its acme_accounts row
+ its audit_events row inside one repository.Transactor.WithinTx
call — the canonical certctl atomicity contract (matches
CertificateService.Create at internal/service/certificate.go:131).
Idempotent re-registration explicitly does NOT write an audit row
(RFC 8555 §7.3.1 returns the existing row unmodified).

Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests
all pass under -short. Bad-signature test uses a real registered
account whose stored JWK is a different keypair from the signer's,
so the JWS parses cleanly but jose.Verify rejects — exercises the
ErrJWSSignatureInvalid path directly.

Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".

docs/acme-server.md

@@ -7,11 +7,11 @@ as an ACME issuer with no certctl-side modification — closing the
 "deploy a certctl agent on every K8s node" friction that costs deals to
 external PKI vendors today.
 
-> **Phase status (2026-05-03):** Phase 1a (foundation — directory +
-> new-nonce + per-profile routing). The directory document is live and
-> ACME clients can fetch nonces. Account creation, JWS verification,
-> orders, challenges, key rollover, revocation, and ARI all land in
-> subsequent phases. Track shipped phases via
+> **Phase status (2026-05-03):** Phase 1b — directory + new-nonce +
+> new-account + account/{id} update + JWS verifier (RFC 7515 + go-jose
+> v4). An ACME client can now run new-account end-to-end and register
+> against a profile. Orders + challenges + key rollover + revocation +
+> ARI land in subsequent phases. Track shipped phases via
 > `git log --grep='acme-server:'`.
 
 ## Configuration
@@ -95,33 +95,65 @@ the `caBundle` requirement is flagged here in Phase 1a's docs because
 operators hit it the moment they try to point a real ACME client at
 certctl.
 
-## Endpoints (Phase 1a)
+## Endpoints (Phase 1b)
 
 Routes registered in `internal/api/router/router.go::RegisterHandlers`:
 
-| Method | Path                                      | RFC ref         | Auth      | Description |
-|--------|-------------------------------------------|-----------------|-----------|-------------|
-| GET    | `/acme/profile/{id}/directory`            | RFC 8555 §7.1.1 | unauth    | Per-profile directory document. |
-| HEAD   | `/acme/profile/{id}/new-nonce`            | RFC 8555 §7.2   | unauth    | Returns 200 + Replay-Nonce header. |
-| GET    | `/acme/profile/{id}/new-nonce`            | RFC 8555 §7.2   | unauth    | Returns 204 + Replay-Nonce header. |
-| GET    | `/acme/directory`                         | RFC 8555 §7.1.1 | unauth    | Shorthand path; mirrors per-profile when `CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID` is set. |
-| HEAD   | `/acme/new-nonce`                         | RFC 8555 §7.2   | unauth    | Shorthand. |
-| GET    | `/acme/new-nonce`                         | RFC 8555 §7.2   | unauth    | Shorthand. |
+| Method | Path                                       | RFC ref         | Auth     | Description |
+|--------|--------------------------------------------|-----------------|----------|-------------|
+| GET    | `/acme/profile/{id}/directory`             | RFC 8555 §7.1.1 | unauth   | Per-profile directory document. |
+| HEAD   | `/acme/profile/{id}/new-nonce`             | RFC 8555 §7.2   | unauth   | Returns 200 + Replay-Nonce header. |
+| GET    | `/acme/profile/{id}/new-nonce`             | RFC 8555 §7.2   | unauth   | Returns 204 + Replay-Nonce header. |
+| POST   | `/acme/profile/{id}/new-account`           | RFC 8555 §7.3   | JWS jwk  | Register a new account; idempotent re-registration of an existing JWK returns the existing row. |
+| POST   | `/acme/profile/{id}/account/{acc_id}`      | RFC 8555 §7.3.2 + §7.3.6 | JWS kid | Update contact list, deactivate, or POST-as-GET (RFC 8555 §6.3) to fetch the account. |
+| GET    | `/acme/directory`                          | RFC 8555 §7.1.1 | unauth   | Shorthand path; mirrors per-profile when `CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID` is set. |
+| HEAD   | `/acme/new-nonce`                          | RFC 8555 §7.2   | unauth   | Shorthand. |
+| GET    | `/acme/new-nonce`                          | RFC 8555 §7.2   | unauth   | Shorthand. |
+| POST   | `/acme/new-account`                        | RFC 8555 §7.3   | JWS jwk  | Shorthand. |
+| POST   | `/acme/account/{acc_id}`                   | RFC 8555 §7.3.2 + §7.3.6 | JWS kid | Shorthand. |
 
-The remaining RFC 8555 endpoints (`new-account`, `account/{id}`,
-`new-order`, `order/{id}`, `order/{id}/finalize`, `authz/{id}`,
-`challenge/{id}`, `cert/{id}`, `key-change`, `revoke-cert`,
-`renewal-info`) are advertised in the directory document but not yet
-served — clients hitting them get a 404 until subsequent phases land.
-The directory document includes their URLs because RFC 8555 doesn't
-permit a partial directory.
+The remaining RFC 8555 endpoints (`new-order`, `order/{id}`,
+`order/{id}/finalize`, `authz/{id}`, `challenge/{id}`, `cert/{id}`,
+`key-change`, `revoke-cert`, `renewal-info`) are advertised in the
+directory document but not yet served — clients hitting them get a 404
+until subsequent phases land. The directory document includes their
+URLs because RFC 8555 doesn't permit a partial directory.
+
+## JWS verification (Phase 1b)
+
+Every JWS-authenticated POST runs through the verifier at
+`internal/api/acme/jws.go::VerifyJWS`. The verifier enforces:
+
+1. The JWS parses as a flattened single-signature object (multi-sig is
+   rejected per RFC 8555 §6.2).
+2. The signature algorithm is in the closed allow-list `{RS256, ES256,
+   EdDSA}` per RFC 8555 §6.2 — `none`, `HS256`, and every other alg
+   are refused at parse time.
+3. The protected header carries exactly one of `kid` (registered
+   account) or `jwk` (new-account flow); endpoints declare which they
+   require.
+4. The protected header `url` matches the inbound request URL exactly.
+5. The protected header `nonce` is consumed against the
+   `acme_nonces` store; missing / replayed / expired nonces return
+   `urn:ietf:params:acme:error:badNonce` per RFC 8555 §6.5.1.
+6. On the `kid` path: the kid URL round-trips against the canonical
+   per-profile shape, the referenced account exists, and its status
+   is `valid`. Deactivated / revoked accounts cannot authenticate.
+7. The signature verifies against the resolved key (registered
+   account's stored JWK on the kid path; embedded jwk on the jwk path).
+
+Every state-mutating account operation (create, contact update,
+deactivate) writes its `acme_accounts` row and an `audit_events` row
+inside one `repository.Transactor.WithinTx` call — the canonical
+certctl atomicity contract (matches `service.CertificateService.Create`
+at `internal/service/certificate.go:131`).
 
 ## Phases (cross-reference)
 
 | Phase | Status      | Surface |
 |-------|-------------|---------|
 | 1a    | live        | directory + new-nonce + per-profile routing |
-| 1b    | not yet     | new-account + JWS verifier (RFC 7515) |
+| 1b    | live        | new-account + account/{id} + JWS verifier (RFC 7515 + go-jose v4) |
 | 2     | not yet     | orders + authzs + finalize + cert download (trust_authenticated mode end-to-end) |
 | 3     | not yet     | HTTP-01 + DNS-01 + TLS-ALPN-01 challenge validation |
 | 4     | not yet     | key rollover + revocation + ARI (RFC 9773) |