Bundle B: Auth & transport surface tightening — 5 findings closed

Closes M-001 + M-002 + M-013 + M-018 + M-025 from
comprehensive-audit-2026-04-25.

M-001 (CWE-916) — PBKDF2 100k -> 600k via v3 blob format
  internal/crypto/encryption.go:
    - New v3Magic (0x03), pbkdf2IterationsV3 (600,000 — OWASP 2024
      Password Storage Cheat Sheet floor), v3SaltSize (16 bytes),
      deriveKeyWithSaltV3 helper.
    - EncryptIfKeySet now unconditionally writes v3:
        magic(0x03) || salt(16) || nonce(12) || ciphertext+tag
    - DecryptIfKeySet falls through v3 -> v2 -> v1 with AEAD verification
      at each step. Wrong-passphrase v3 reads cannot be silently
      misattributed to v2/v1.
    - IsLegacyFormat updated to recognize 0x03 as non-legacy.
  internal/crypto/encryption_v3_test.go (NEW, 7 tests):
    V3 round-trip / V2 read-fallback against deterministic v2 fixture /
    V3 wrong-passphrase fails / V3-vs-V2 dispatch order / V2 vs V3 keys
    differ for same (passphrase, salt) / iteration-count pin at OWASP
    2024 floor / IsLegacyFormat-recognises-V3.
  Coverage internal/crypto: 86.7% -> 88.2%.

M-002 (CWE-862) — Auth-exempt allowlist constants + AST regression test
  Recon found auth-exempt surface spans TWO layers (audit's claim was
  incomplete):
    Layer 1 (router.go direct r.mux.Handle):
      GET /health, GET /ready, GET /api/v1/auth/info, GET /api/v1/version
    Layer 2 (cmd/server/main.go::buildFinalHandler URL-prefix dispatch):
      /.well-known/pki/*, /.well-known/est/*, /scep[/...]*
  internal/api/router/router.go:
    - New AuthExemptRouterRoutes constant with per-entry justifications.
    - New AuthExemptDispatchPrefixes constant.
  internal/api/router/auth_exempt_test.go (NEW, 2 tests):
    AST-walks router.go for every direct mux.Handle call and asserts
    set equals AuthExemptRouterRoutes; reads source bytes of Register /
    RegisterFunc and asserts they still wrap with middleware.Chain.
  cmd/server/auth_exempt_test.go (NEW, 2 tests):
    14-case table test on buildFinalHandler asserting documented
    prefixes route to noAuthHandler and authenticated routes route to
    apiHandler; inverse-overlap pin proves no documented bypass shadows
    an authenticated prefix.

M-013 (CWE-942) — CORS deny-by-default verified-already-clean + pin
  Audit claim 'default allows all origins if env-var unset' was WRONG.
  internal/api/middleware/middleware.go::NewCORS already denies cross-
  origin requests when len(cfg.AllowedOrigins) == 0 (no
  Access-Control-Allow-Origin header is emitted, same-origin policy
  applies).
  internal/api/middleware/cors_test.go: +TestNewCORS_NilOriginsDeniesAll
  + TestNewCORS_M013_ContractDocumentedInOrder (5-case table test
  pinning the 3-arm dispatch contract).

M-018 (CWE-319 / PCI-DSS Req 4) — Postgres TLS opt-in toggle
  deploy/helm/certctl/values.yaml: new postgresql.tls.{mode,caSecretRef}
    operator-facing knobs. Default 'disable' preserves in-cluster pod-
    network behavior; PCI-scoped operators set verify-full.
  deploy/helm/certctl/templates/_helpers.tpl: certctl.databaseURL helper
    pipes postgresql.tls.mode into ?sslmode=.
  deploy/helm/certctl/templates/server-secret.yaml: uses the helper
    instead of hardcoded sslmode=disable.
  deploy/docker-compose.yml: CERTCTL_DATABASE_URL is now
    ${CERTCTL_DATABASE_URL:-...} so operators override without editing.
  docs/database-tls.md (NEW): operator runbook covering 4 deployment
    shapes, RDS verify-full example with PGSSLROOTCERT mount, and
    pg_stat_ssl verification query.
  helm template + helm lint clean.

M-025 (OWASP ASVS L2 §11.2.1) — Per-key rate limiting
  internal/api/middleware/middleware.go::NewRateLimiter rewritten from
  a single global tokenBucket to a keyedRateLimiter map keyed on
    'user:'+GetUser(ctx)  for authenticated callers
    'ip:'+RemoteAddr-host for unauthenticated
  - Empty UserKey strings treated as unauthenticated.
  - X-Forwarded-For intentionally NOT consulted (header-spoofing risk).
  - Create-on-demand bucket allocation under sync.RWMutex with double-
    check pattern.
  RateLimitConfig.PerUserRPS / PerUserBurstSize fields with env vars
    CERTCTL_RATE_LIMIT_PER_USER_RPS / CERTCTL_RATE_LIMIT_PER_USER_BURST
    allow per-user budgets distinct from per-IP.
  internal/api/middleware/ratelimit_keyed_test.go (NEW, 5 tests):
    TwoIPsHaveIndependentBuckets / SameUserDifferentIPsShareBucket /
    TwoUsersHaveIndependentBuckets / PerUserBudgetOverride /
    EmptyUserKeyTreatedAsAnonymous.
  Coverage internal/api/middleware: 82.1% -> 83.7%.

Audit deliverables:
  cowork/comprehensive-audit-2026-04-25/audit-report.md: score
    25/55 -> 30/55 closed (High 7/9, Medium 7/27 -> 12/27, Low 8/19).
  cowork/comprehensive-audit-2026-04-25/findings.yaml: 5 status flips
    open -> closed with closure notes citing the Bundle B mechanism.
  certctl/CHANGELOG.md: Bundle B section under [unreleased].

Verification:
  go test -count=1 -short ./...                     all green
  staticcheck on changed packages                   no new SA*/ST* hits
    (the 4 pre-existing SA1019 sites in cmd/server/main_test.go are
    Bundle 9 / M-028 partial closure leftovers tracked in Bundle C)
  helm template + helm lint                         clean
  internal/repository/postgres setup-fail            sandbox disk pressure,
    same on master HEAD before this branch — environmental, not Bundle B

deploy/docker-compose.yml

@@ -119,7 +119,11 @@ services:
       certctl-tls-init:
         condition: service_completed_successfully
     environment:
-      CERTCTL_DATABASE_URL: postgres://certctl:${POSTGRES_PASSWORD:-certctl}@postgres:5432/certctl?sslmode=disable
+      # Bundle B / Audit M-018 (PCI-DSS Req 4 / CWE-319): in-cluster Postgres
+      # on the docker bridge network keeps sslmode=disable acceptable; for
+      # external/managed Postgres operators MUST override CERTCTL_DATABASE_URL
+      # with sslmode=verify-full and provide the CA bundle. See docs/database-tls.md.
+      CERTCTL_DATABASE_URL: ${CERTCTL_DATABASE_URL:-postgres://certctl:${POSTGRES_PASSWORD:-certctl}@postgres:5432/certctl?sslmode=disable}
       CERTCTL_SERVER_HOST: 0.0.0.0
       CERTCTL_SERVER_PORT: 8443
       CERTCTL_SERVER_TLS_CERT_PATH: /etc/certctl/tls/server.crt

deploy/helm/certctl/templates/_helpers.tpl

@@ -112,9 +112,24 @@ PostgreSQL image
 
 {{/*
 Database connection string
+
+Bundle B / Audit M-018 (PCI-DSS Req 4 / CWE-319):
+  - postgresql.tls.mode is the operator-facing knob.
+    Default: "disable" (preserves the in-cluster Helm-bundled-Postgres
+    behavior; pod-to-pod traffic stays on the K8s pod network and is
+    encrypted by the CNI when the cluster is configured with a TLS-aware
+    CNI such as Cilium WireGuard).
+  - Operators on PCI-DSS-scoped clusters or operators using an external
+    managed Postgres (RDS, Cloud SQL, Azure DB) MUST set
+    postgresql.tls.mode to "require", "verify-ca", or "verify-full" and
+    point postgresql.tls.caSecretRef at a Secret containing the
+    server-ca.crt under key "ca.crt".
+  - The connection string sslmode parameter is wired from
+    postgresql.tls.mode without further translation.
 */}}
 {{- define "certctl.databaseURL" -}}
-postgres://{{ .Values.postgresql.auth.username }}:$(POSTGRES_PASSWORD)@{{ include "certctl.fullname" . }}-postgres:5432/{{ .Values.postgresql.auth.database }}?sslmode=disable
+{{- $sslMode := default "disable" .Values.postgresql.tls.mode -}}
+postgres://{{ .Values.postgresql.auth.username }}:$(POSTGRES_PASSWORD)@{{ include "certctl.fullname" . }}-postgres:5432/{{ .Values.postgresql.auth.database }}?sslmode={{ $sslMode }}
 {{- end }}
 
 {{/*

deploy/helm/certctl/templates/server-secret.yaml

@@ -8,7 +8,11 @@ metadata:
     app.kubernetes.io/component: server
 type: Opaque
 stringData:
-  database-url: postgres://{{ .Values.postgresql.auth.username }}:$(POSTGRES_PASSWORD)@{{ include "certctl.fullname" . }}-postgres:5432/{{ .Values.postgresql.auth.database }}?sslmode=disable
+  # Bundle B / Audit M-018 (PCI-DSS Req 4): sslmode wired from
+  # postgresql.tls.mode. Default "disable" preserves the in-cluster
+  # Helm-bundled-Postgres path; operators on PCI-scoped clusters set
+  # postgresql.tls.mode to require / verify-ca / verify-full.
+  database-url: {{ include "certctl.databaseURL" . | quote }}
   {{- if and (eq .Values.server.auth.type "api-key") .Values.server.auth.apiKey }}
   api-key: {{ .Values.server.auth.apiKey | quote }}
   {{- end }}

deploy/helm/certctl/values.yaml

@@ -314,6 +314,34 @@ postgresql:
     #       helm install <release> ...  # PVC re-creates empty, initdb seeds new password
     password: ""
 
+  # ─────────────────────────────────────────────────────────────────────
+  # Bundle B / Audit M-018 (PCI-DSS Req 4 / CWE-319): TLS to Postgres
+  # ─────────────────────────────────────────────────────────────────────
+  # postgresql.tls.mode is wired into the database-url sslmode parameter
+  # (see templates/_helpers.tpl::certctl.databaseURL).
+  #
+  # Acceptable values (lib/pq):
+  #   disable     — no TLS (default, preserves in-cluster pod-to-pod
+  #                 traffic on the K8s pod network).
+  #   require     — TLS required, no certificate verification.
+  #   verify-ca   — TLS required + verify CA chain.
+  #   verify-full — TLS required + verify CA chain + verify hostname.
+  #
+  # PCI-DSS Req 4 v4.0 §2.2.5 requires verify-ca or verify-full when the
+  # database carries sensitive data crossing untrusted networks (RDS,
+  # Cloud SQL, cross-VPC, etc). The bundled Helm Postgres runs in the
+  # same pod network as certctl-server; sslmode=disable is acceptable
+  # there only when the cluster CNI provides L2/L3 encryption (Cilium
+  # WireGuard, Calico Wireguard, Tailscale operator, etc).
+  #
+  # When mode != disable AND tls.caSecretRef is set, the CA bundle is
+  # mounted at /etc/postgresql-ca/ca.crt and the server's PGSSLROOTCERT
+  # env points there. caSecretRef must reference an existing Secret with
+  # a "ca.crt" key.
+  tls:
+    mode: disable
+    # caSecretRef: ""  # Secret with ca.crt key (required for verify-ca/verify-full)
+
   # Storage configuration
   storage:
     size: 10Gi