secret: migrate EJBCA / GlobalSign / Sectigo credentials to *secret.Ref (Phase 2)

Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.

This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.

Shared (internal/secret/):

- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
  blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
  NewRefFromString without callers having to know the field type
  changed. Null and missing keys leave the receiver nil; non-string
  payloads (numbers, bools) are rejected with a typed error. Pinned
  by TestRef_UnmarshalJSON: string_value, null, missing_key,
  number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
  goes through "[redacted]" intentionally — JSON-marshal-then-
  unmarshal of a Config with secrets is NOT a supported test pattern;
  callers that construct a rawConfig must use a JSON literal with
  the real values).

Per-connector migration:

- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
  empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
  to call Token.Use; the Bearer header string is built inside the
  callback and the buffer is zeroed on return. mTLS path is
  unaffected.

- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
  → *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
  Extracted setAuthHeaders helper consolidates the four duplicated
  triple-Set sites (ValidateConfig probe, IssueCertificate,
  RevokeCertificate, pollCertificateOnce) so any future header-shape
  change applies once. ValidateConfig now pulls from the local cfg
  (post-Unmarshal) so the helper takes a *Config rather than the
  receiver — needed because ValidateConfig writes the validated cfg
  onto c.config only AFTER the probe succeeds.

- Sectigo (sectigo.go): Config.Login + Config.Password: string →
  *secret.Ref. CustomerURI stays plain string (org identifier, not
  a credential). setAuthHeaders rewritten to call Login.Use +
  Password.Use; ValidateConfig's inline header writes use the same
  pattern (the ValidateConfig probe writes to a local cfg, not
  c.config, so it can't share setAuthHeaders without rewiring — the
  inline form is fine, kept consistent in shape).

Test migration:

- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
  Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
  import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
  APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
  Password.

Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.

Out of scope (intentional):

- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
  `EJBCAConfig` env-var-loader structs are still plain strings —
  those types are the env-load shape, not the steady-state runtime
  shape. The seed path in service/issuer.go json-marshals them into
  a map[string]interface{} which the factory then UnmarshalJSON's
  into the connector Config; the new UnmarshalJSON on *Ref handles
  the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
  will pick them up. The audit explicitly named EJBCA / GlobalSign /
  Sectigo as the Phase 2 scope (RESULTS.md L633).

Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
  issuerfactory, service, api/handler: green

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.

internal/connector/issuer/ejbca/ejbca.go

@@ -33,6 +33,7 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Config represents the EJBCA issuer connector configuration.
@@ -55,7 +56,15 @@ type Config struct {
 
 	// Token is the OAuth2 Bearer token for authentication.
 	// Required when auth_mode=oauth2. Set via CERTCTL_EJBCA_TOKEN environment variable.
-	Token string `json:"token"`
+	//
+	// Type: *secret.Ref (audit fix #6 Phase 2). Wrapping the token in
+	// a Ref means: it never stringifies (Config marshals as
+	// "[redacted]"), the bytes are zeroed after each Use/WriteTo
+	// invocation (defeats heap-dump extraction), and outbound HTTP
+	// header writes go through Ref.WriteTo so the staging buffer is
+	// short-lived. JSON unmarshal of a string value populates the
+	// Ref via NewRefFromString.
+	Token *secret.Ref `json:"token"`
 
 	// CAName is the EJBCA CA name for certificate issuance.
 	// Required. Set via CERTCTL_EJBCA_CA_NAME environment variable.
@@ -185,7 +194,7 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 			return fmt.Errorf("EJBCA client_key_path is required for auth_mode=mtls")
 		}
 	case "oauth2":
-		if cfg.Token == "" {
+		if cfg.Token.IsEmpty() {
 			return fmt.Errorf("EJBCA token is required for auth_mode=oauth2")
 		}
 	default:
@@ -520,10 +529,16 @@ func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer
 	return nil, nil
 }
 
-// setAuthHeaders sets the appropriate authentication headers based on configured auth mode.
+// setAuthHeaders sets the appropriate authentication headers based on
+// configured auth mode. For OAuth2, the Bearer token is fetched from
+// the *secret.Ref via Use; the staging buffer is zeroed after the
+// header value is constructed (audit fix #6 Phase 2).
 func (c *Connector) setAuthHeaders(req *http.Request) {
-	if c.config.AuthMode == "oauth2" {
-		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.config.Token))
+	if c.config.AuthMode == "oauth2" && c.config.Token != nil {
+		_ = c.config.Token.Use(func(buf []byte) error {
+			req.Header.Set("Authorization", "Bearer "+string(buf))
+			return nil
+		})
 	}
 	// mTLS is handled via http.Client with tls.Config
 }

internal/connector/issuer/ejbca/ejbca_failure_test.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/ejbca"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Bundle N.A/B-extended: ejbca failure-mode round-out (76.5% → ≥85%).
@@ -24,7 +25,7 @@ func buildEJBCAConnector(t *testing.T, baseURL string) *ejbca.Connector {
 	cfg := &ejbca.Config{
 		APIUrl:      baseURL,
 		AuthMode:    "oauth2",
-		Token:       "tok",
+		Token:       secret.NewRefFromString("tok"),
 		CAName:      "TestCA",
 		CertProfile: "TestProfile",
 		EEProfile:   "TestEEProfile",

internal/connector/issuer/ejbca/ejbca_stubs_test.go

@@ -14,6 +14,7 @@ import (
 	"testing"
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 func quietStubLogger() *slog.Logger {
@@ -21,7 +22,7 @@ func quietStubLogger() *slog.Logger {
 }
 
 func TestStub_GenerateCRL(t *testing.T) {
-	c, err := New(&Config{AuthMode: "oauth2", Token: "dummy"}, quietStubLogger())
+	c, err := New(&Config{AuthMode: "oauth2", Token: secret.NewRefFromString("dummy")}, quietStubLogger())
 	if err != nil {
 		t.Fatalf("New: %v", err)
 	}
@@ -32,7 +33,7 @@ func TestStub_GenerateCRL(t *testing.T) {
 }
 
 func TestStub_SignOCSPResponse(t *testing.T) {
-	c, err := New(&Config{AuthMode: "oauth2", Token: "dummy"}, quietStubLogger())
+	c, err := New(&Config{AuthMode: "oauth2", Token: secret.NewRefFromString("dummy")}, quietStubLogger())
 	if err != nil {
 		t.Fatalf("New: %v", err)
 	}
@@ -43,7 +44,7 @@ func TestStub_SignOCSPResponse(t *testing.T) {
 }
 
 func TestStub_GetCACertPEM(t *testing.T) {
-	c, err := New(&Config{AuthMode: "oauth2", Token: "dummy"}, quietStubLogger())
+	c, err := New(&Config{AuthMode: "oauth2", Token: secret.NewRefFromString("dummy")}, quietStubLogger())
 	if err != nil {
 		t.Fatalf("New: %v", err)
 	}
@@ -51,7 +52,7 @@ func TestStub_GetCACertPEM(t *testing.T) {
 }
 
 func TestStub_GetRenewalInfo(t *testing.T) {
-	c, err := New(&Config{AuthMode: "oauth2", Token: "dummy"}, quietStubLogger())
+	c, err := New(&Config{AuthMode: "oauth2", Token: secret.NewRefFromString("dummy")}, quietStubLogger())
 	if err != nil {
 		t.Fatalf("New: %v", err)
 	}

internal/connector/issuer/ejbca/ejbca_test.go

@@ -27,6 +27,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/ejbca"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // mustNewForValidateConfig returns an EJBCA connector wired in OAuth2 mode
@@ -40,7 +41,7 @@ func mustNewForValidateConfig(t *testing.T, logger *slog.Logger) *ejbca.Connecto
 	c, err := ejbca.New(&ejbca.Config{
 		APIUrl:   "https://placeholder",
 		AuthMode: "oauth2",
-		Token:    "placeholder",
+		Token:    secret.NewRefFromString("placeholder"),
 		CAName:   "placeholder",
 	}, logger)
 	if err != nil {
@@ -79,7 +80,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := ejbca.Config{
 			APIUrl:   "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1",
 			AuthMode: "oauth2",
-			Token:    "test-oauth2-token",
+			Token:    secret.NewRefFromString("test-oauth2-token"),
 			CAName:   "Management CA",
 		}
 
@@ -224,7 +225,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   srv.URL,
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector := ejbca.NewWithHTTPClient(config, logger, srv.Client())
@@ -291,7 +292,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:      srv.URL,
 			AuthMode:    "oauth2",
-			Token:       "test-token",
+			Token:       secret.NewRefFromString("test-token"),
 			CAName:      "Management CA",
 			CertProfile: "ENDUSER",
 			EEProfile:   "ENDUSER",
@@ -324,7 +325,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   srv.URL,
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector := ejbca.NewWithHTTPClient(config, logger, srv.Client())
@@ -363,7 +364,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   srv.URL,
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector := ejbca.NewWithHTTPClient(config, logger, srv.Client())
@@ -405,7 +406,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   srv.URL,
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector := ejbca.NewWithHTTPClient(config, logger, srv.Client())
@@ -451,7 +452,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   srv.URL,
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector := ejbca.NewWithHTTPClient(config, logger, srv.Client())
@@ -506,7 +507,7 @@ func TestEJBCAConnector(t *testing.T) {
 				config := &ejbca.Config{
 					APIUrl:   srv.URL,
 					AuthMode: "oauth2",
-					Token:    "test-token",
+					Token:    secret.NewRefFromString("test-token"),
 					CAName:   "Management CA",
 				}
 				connector := ejbca.NewWithHTTPClient(config, logger, srv.Client())
@@ -528,7 +529,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1",
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector, err := ejbca.New(config, logger)
@@ -549,7 +550,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1",
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector, err := ejbca.New(config, logger)
@@ -570,7 +571,7 @@ func TestEJBCAConnector(t *testing.T) {
 		config := &ejbca.Config{
 			APIUrl:   "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1",
 			AuthMode: "oauth2",
-			Token:    "test-token",
+			Token:    secret.NewRefFromString("test-token"),
 			CAName:   "Management CA",
 		}
 		connector, err := ejbca.New(config, logger)
@@ -778,7 +779,7 @@ func TestNew_OAuth2NoTransportTuning(t *testing.T) {
 	cfg := &ejbca.Config{
 		APIUrl:   "https://placeholder",
 		AuthMode: "oauth2",
-		Token:    "test-token",
+		Token:    secret.NewRefFromString("test-token"),
 		CAName:   "Management CA",
 	}
 	conn, err := ejbca.New(cfg, logger)
@@ -803,7 +804,7 @@ func TestNew_InvalidAuthMode(t *testing.T) {
 	cfg := &ejbca.Config{
 		APIUrl:   "https://placeholder",
 		AuthMode: "invalid",
-		Token:    "test-token",
+		Token:    secret.NewRefFromString("test-token"),
 		CAName:   "Management CA",
 	}
 	_, err := ejbca.New(cfg, logger)