auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split

# Phase 6 — day-0 admin bootstrap

* internal/auth/bootstrap/ (new package): Strategy interface +
  EnvTokenStrategy with constant-time compare, one-shot consumption
  via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC-
  first-admin will plug in alongside as an alternate Strategy.
* BootstrapService.ValidateAndMint: validates the operator's
  CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API
  key value, persists the SHA-256 hash to api_keys, grants r-admin
  via actor_roles, AddHashed's the runtime keystore so the just-
  minted key authenticates the next request without restart, and
  records bootstrap.consume to the audit trail with category=auth.
* internal/auth/keystore.go (new): KeyStore interface +
  StaticKeyStore (immutable env-var-only path) + MutableKeyStore
  (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth
  middleware now consumes a KeyStore so the bootstrap path can
  extend the lookup table at runtime.
* migrations/000031_api_keys.up/down.sql: api_keys table with
  (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by,
  created_at, expires_at, last_used_at). Idempotent.
* /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both
  routes documented in api/openapi.yaml + AuthExemptRouterRoutes
  allowlist updated. The token never leaves internal/auth/bootstrap;
  the minted plaintext key flows only into the HTTP response body.
* Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND
  admin actors already exist (config drift signal).
* Tests: 4 strategy invariants (empty token born disabled, wrong
  token=ErrInvalidToken without consumption, one-shot consumption,
  admin-exists closes path), 5 service tests (happy path + actor-
  name validation + propagation of strategy errors + nil-deps
  guard + 32-byte entropy budget), 8 HTTP-handler tests (status
  201/410/401/400 mapping + token-leak hygiene scan of slog +
  audit details + Location header). Token-leak test redirects
  slog.Default to a buffer for the test scope.

# Phase 7 — API-key migration + scope-down CLI

* GET /v1/auth/keys handler + service method ListKeys backed by
  ActorRoleRepository.ListDistinctActors. Returns one row per
  (actor_id, actor_type) pair with the slice of role IDs they hold.
  Permission: auth.role.list.
* internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown
  (interactive), AuthScopeDownNonInteractive (JSON config),
  AuthScopeDownSuggest (--suggest with optional --apply). The
  synthetic actor-demo-anon is filtered out of every interactive /
  bulk path; non-interactive flow logs and skips it explicitly.
* SuggestRoleFromAuditEvents (pure function): walks 30 days of
  audit events per actor and returns the narrowest matching role
  (admin / mcp / viewer / agent / operator) plus a one-line reason.
  Classification: any admin-shaped action wins; otherwise all-MCP
  → mcp; all-read-only → viewer; all-agent-shaped → agent;
  otherwise operator. Test table pins all six classifications.
* CLI subcommand tree extended: 'auth keys list' + 'auth keys
  scope-down [--non-interactive <cfg>] [--suggest [--apply]]'.
* CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS
  call-out + four flow examples.

# Phase 8 — auditor role + event_category column

* migrations/000032_audit_category.up/down.sql: ALTER TABLE
  audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT
  'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config)
  + (event_category) and (event_category, timestamp DESC) indexes
  for the auditor-filter query path. WORM trigger from migration
  000018 continues to enforce append-only at the DB layer (DDL is
  not blocked).
* domain.AuditEvent gains EventCategory string (omitempty);
  domain.EventCategoryCertLifecycle / Auth / Config constants.
* AuditService.RecordEventWithCategory sibling of RecordEvent;
  legacy callers stay on RecordEvent (defaults to cert_lifecycle).
  Auth callers (RoleService, ActorRoleService, BootstrapService)
  switched to RecordEventWithCategory(..., 'auth', ...).
* GET /v1/audit?category=<cat>: handler accepts the optional query
  param, validates against the enum (400 on invalid value),
  dispatches through ListAuditEventsByCategory. OpenAPI updated
  with the new query param + AuditEvent.event_category schema.
* Postgres AuditRepository.Create now writes event_category;
  AuditRepository.List filters on it; AuditFilter.EventCategory
  gates the WHERE clause.
* Tests: 5 audit-category-filter HTTP tests (dispatch routing,
  back-compat fallback, 400 for invalid values, all 3 enum values
  accepted, page+category combine, JSON output surfaces the
  field). 3 auditor-role invariants (auditor holds exactly
  audit.read+audit.export, no mutating perms, disjoint from
  viewer except audit.read).

# Cross-phase wiring

* HandlerRegistry.Bootstrap field added; cmd/server/main.go wires
  the bootstrap service ahead of RegisterHandlers (extracted
  assembleNamedAPIKeys helper into auth_backfill.go, moved the
  keystore + bootstrap construction up alongside the auth repos).
* AuthCheckResolver / AuthActorRoleService extended with ListKeys
  to satisfy the Phase 7 surface; existing fakes updated.
* fakeAudit + mockAuditService stubs in tests gain
  RecordEventWithCategory + ListAuditEventsByCategory; existing
  tests untouched.

# Verifications

* gofmt -l: clean across every modified file.
* go vet ./...: clean.
* staticcheck across internal/auth + handler + router + cli +
  service + repository + cmd + domain: clean.
* go test -short -count=1: green across every Bundle-1-touched
  package — internal/auth (incl. bootstrap), internal/api/handler,
  internal/api/router, internal/cli, internal/service/auth,
  internal/service, internal/domain/auth, internal/repository/postgres,
  cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware,
  cmd/agent, internal/mcp.

migrations/000031_api_keys.down.sql

@@ -0,0 +1,7 @@
+-- Bundle 1 Phase 6: drop the operator API-keys table. Down is destructive;
+-- keys minted by bootstrap will fail to authenticate after this runs.
+BEGIN;
+DROP INDEX IF EXISTS idx_api_keys_created_by;
+DROP INDEX IF EXISTS idx_api_keys_tenant_id;
+DROP TABLE IF EXISTS api_keys;
+COMMIT;

migrations/000031_api_keys.up.sql

@@ -0,0 +1,47 @@
+-- Bundle 1 Phase 6 (bootstrap path): runtime-minted operator API keys.
+--
+-- Pre-Bundle-1 the only operator API keys lived in CERTCTL_API_KEYS_NAMED
+-- (env-var config; static at boot). The bootstrap endpoint
+-- POST /v1/auth/bootstrap mints the first admin key without requiring
+-- the operator to know the env-var format up front; that key has to
+-- survive a process restart and authenticate against the auth
+-- middleware's keystore on subsequent requests, which means it lives
+-- here.
+--
+-- Storage rules: ONLY the SHA-256 hash of the key value is stored
+-- (key_hash). The plaintext key value is returned to the operator in
+-- the bootstrap HTTP response body once and never persisted. Lost?
+-- Mint a new admin key via the regular RBAC API and revoke the old
+-- one — the api_keys row is the source of truth for "this name +
+-- hash authenticates", so revoking it via the RBAC API removes the
+-- row and the next request lookup fails 401.
+--
+-- Idempotent: CREATE TABLE IF NOT EXISTS, indexes IF NOT EXISTS.
+
+BEGIN;
+
+CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,                     -- prefix `ak-`
+    name TEXT NOT NULL UNIQUE,               -- operator-visible name; matches actor_roles.actor_id
+    key_hash TEXT NOT NULL UNIQUE,           -- SHA-256 hex of the plaintext key
+    tenant_id TEXT NOT NULL DEFAULT 't-default'
+        REFERENCES tenants(id) ON DELETE CASCADE,
+    -- Admin is a denormalized hint replicated from the actor's
+    -- standing role grant so the auth middleware can populate
+    -- AdminKey context without joining actor_roles on every request.
+    -- Source of truth remains actor_roles; this column is rebuilt by
+    -- the boot loader from "actor holds r-admin?" queries.
+    admin BOOLEAN NOT NULL DEFAULT FALSE,
+    created_by TEXT NOT NULL,                -- actor_id of the creator; "bootstrap" for the first one
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    -- Decoration columns for forward-compat: bundle 2 will add
+    -- expiry + last_used + rotation tracking. Reserved as nullable
+    -- now so the migration in Bundle 2 doesn't reshape the table.
+    expires_at TIMESTAMPTZ,
+    last_used_at TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_api_keys_tenant_id ON api_keys(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_api_keys_created_by ON api_keys(created_by);
+
+COMMIT;

migrations/000032_audit_category.down.sql

@@ -0,0 +1,8 @@
+-- Bundle 1 Phase 8 down: drop the event_category column + indexes.
+-- Destructive — auditor-filter queries stop working after this runs.
+BEGIN;
+DROP INDEX IF EXISTS idx_audit_events_category_timestamp;
+DROP INDEX IF EXISTS idx_audit_events_event_category;
+ALTER TABLE audit_events DROP CONSTRAINT IF EXISTS audit_events_event_category_check;
+ALTER TABLE audit_events DROP COLUMN IF EXISTS event_category;
+COMMIT;

migrations/000032_audit_category.up.sql

@@ -0,0 +1,62 @@
+-- Bundle 1 Phase 8 — categorize audit events.
+--
+-- Why: post-Phase-1 the auditor role holds only audit.read +
+-- audit.export. Without a category column the auditor surface
+-- co-mingles cert-lifecycle events with auth-config mutations and
+-- config edits, which makes a "show me only the auth changes from
+-- last week" query impossible. Phase 8 adds the column + enum CHECK
+-- constraint + index so auditors can filter to the slice they care
+-- about.
+--
+-- Storage rules:
+--
+--   - cert_lifecycle (default): cert.issue, cert.renew, cert.revoke,
+--     cert.bulk_revoke, deployment.*, agent.heartbeat, etc.
+--     Existing rows backfill here.
+--   - auth: every auth.role.* / auth.key.* / auth.bootstrap.* event,
+--     plus the day-0 bootstrap.consume action from Phase 6.
+--   - config: issuer config edits, target config edits, settings
+--     mutations. Distinct from cert_lifecycle so a regulator can
+--     review "who changed the issuer wiring" separately from "who
+--     issued certs".
+--
+-- WORM trigger continues to enforce append-only at the DB layer
+-- (migration 000018). The ALTER TABLE itself is DDL, not DML, so
+-- it's not blocked by the trigger.
+--
+-- Idempotent: ADD COLUMN IF NOT EXISTS, ADD CONSTRAINT IF NOT EXISTS
+-- (Postgres 15+; uses DO blocks for older versions). The migration
+-- runner re-applies safely if the migration was partially completed.
+
+BEGIN;
+
+ALTER TABLE audit_events
+    ADD COLUMN IF NOT EXISTS event_category TEXT NOT NULL DEFAULT 'cert_lifecycle';
+
+-- CHECK constraint (idempotent via DO block; ADD CONSTRAINT IF NOT
+-- EXISTS is Postgres 15+ only).
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint
+        WHERE conname = 'audit_events_event_category_check'
+    ) THEN
+        ALTER TABLE audit_events
+            ADD CONSTRAINT audit_events_event_category_check
+            CHECK (event_category IN ('cert_lifecycle', 'auth', 'config'));
+    END IF;
+END$$;
+
+-- Index for the auditor-filter query path. Single-column btree
+-- because event_category is low-cardinality (3 values today); the
+-- planner can still bitmap-scan with a small index.
+CREATE INDEX IF NOT EXISTS idx_audit_events_event_category
+    ON audit_events(event_category);
+
+-- Composite index for the most common auditor query: "auth events
+-- from last 7 days, newest first". The (category, timestamp DESC)
+-- shape lets the planner serve LIMIT-20 dashboards without sorting.
+CREATE INDEX IF NOT EXISTS idx_audit_events_category_timestamp
+    ON audit_events(event_category, timestamp DESC);
+
+COMMIT;