auth-bundle-1 Phase 0-5 closure: demo-mode wire, named-key backfill, AuthCheck enrichment, OpenAPI schema, intermediate-ca comment refresh

Closes the 5 gaps the post-Phase-5 audit flagged on dev/auth-bundle-1.

C1: cmd/server/main.go now selects auth.NewDemoModeAuth() when
CERTCTL_AUTH_TYPE=none and falls back to auth.NewAuthWithNamedKeys
otherwise. Pre-closure, the no-op pass-through that
NewAuthWithNamedKeys returns for empty keys would have left
ActorIDKey / ActorTypeKey / TenantIDKey unpopulated and 401'd
every Phase-3.5 rbacGate-wrapped admin route + every Phase-4
RBAC handler in demo deployments. NewDemoModeAuth injects the
synthetic 'actor-demo-anon' actor seeded by migration 000029,
which holds r-admin at global scope.

C2: backfillNamedKeyActorRoles startup hook (cmd/server/auth_backfill.go)
iterates CERTCTL_API_KEYS_NAMED entries (and legacy
CERTCTL_AUTH_SECRET synthesized fallbacks) and grants r-admin
or r-viewer to each via authActorRoleRepo.Grant before the
HTTP server starts accepting requests. Idempotent via
ON CONFLICT DO NOTHING in the repo. Failures log a warning but
are non-fatal — the server still starts and the operator can
fix grants via /v1/auth/keys. Helper extracted from main.go so
the role-mapping invariant is pinned by 4 focused unit tests
(admin->r-admin, non-admin->r-viewer, empty no-op,
grant-error non-fatal, nil-logger safe).

M1: HealthHandler.AuthCheck now returns actor_id, actor_type,
tenant_id, roles, effective_permissions, and admin_via_role
when the optional AuthCheckResolver is wired (production path:
authCheckResolverAdapter wraps the postgres ActorRoleRepository
in main.go). Nil resolver preserves the legacy {status, user,
admin} contract for back-compat with pre-Bundle-1 GUIs and
test fixtures. Adds 2 regression tests + 1 fake resolver shim.

M2: refreshes the stale 'Admin gate: every method calls
auth.IsAdmin first' comment on IntermediateCAHandler — the gate
moved to router.go::rbacGate via auth.RequirePermission
middleware in Phase 3.5; the new comment block points readers
there.

M4: 11 RBAC routes (auth/me, auth/permissions, 5 role lifecycle,
2 role-permission grant/revoke, 2 actor-role grant/revoke) added
to api/openapi.yaml under the [Auth] tag with operationIds and
shared AuthRole / AuthRolePermission schemas. AuthCheck path
extended with the Bundle-1 enrichment fields. The 11 entries
removed from openapi_parity_test.go::SpecParityExceptions.

Tests: go vet + staticcheck + go test -short -count=1 green
across cmd/server/, internal/auth/, internal/api/router/, and
internal/api/handler/. New tests: 4 backfill unit tests,
2 AuthCheck M1 enrichment tests, 1 demo-mode + rbacGate chain
integration test (TestRBACGate_DemoModeChainReachesHandler).

Branch SECURITY.md (cowork/auth-bundle-1-SECURITY.md, not part
of this commit) captures the full posture of dev/auth-bundle-1
as of this closure for the operator's pre-merge review.

internal/api/router/openapi_parity_test.go

@@ -93,23 +93,13 @@ var SpecParityExceptions = map[string]string{
 	"POST /acme/revoke-cert":                        "Phase 4 default-profile shorthand for revoke-cert.",
 	"GET /acme/renewal-info/{cert_id}":              "Phase 4 default-profile shorthand for ARI.",
 
-	// Bundle 1 / Phase 4 RBAC API: routes registered in this commit;
-	// OpenAPI schema entries land in a Phase 4 follow-up commit so the
-	// schema review is its own atomic change. Each route's request /
-	// response shape is documented in internal/api/handler/auth.go's
-	// type definitions; the OpenAPI section lift will mirror those.
-	// Routes:
-	"GET /api/v1/auth/me":                               "Bundle 1 Phase 4 RBAC: current actor's effective permissions; OpenAPI follow-up.",
-	"GET /api/v1/auth/permissions":                      "Bundle 1 Phase 4 RBAC: canonical permission catalogue; OpenAPI follow-up.",
-	"GET /api/v1/auth/roles":                            "Bundle 1 Phase 4 RBAC: list roles; OpenAPI follow-up.",
-	"POST /api/v1/auth/roles":                           "Bundle 1 Phase 4 RBAC: create role; OpenAPI follow-up.",
-	"GET /api/v1/auth/roles/{id}":                       "Bundle 1 Phase 4 RBAC: get role + permissions; OpenAPI follow-up.",
-	"PUT /api/v1/auth/roles/{id}":                       "Bundle 1 Phase 4 RBAC: update role; OpenAPI follow-up.",
-	"DELETE /api/v1/auth/roles/{id}":                    "Bundle 1 Phase 4 RBAC: delete role; OpenAPI follow-up.",
-	"POST /api/v1/auth/roles/{id}/permissions":          "Bundle 1 Phase 4 RBAC: grant permission to role; OpenAPI follow-up.",
-	"DELETE /api/v1/auth/roles/{id}/permissions/{perm}": "Bundle 1 Phase 4 RBAC: revoke permission from role; OpenAPI follow-up.",
-	"POST /api/v1/auth/keys/{id}/roles":                 "Bundle 1 Phase 4 RBAC: assign role to API key; OpenAPI follow-up.",
-	"DELETE /api/v1/auth/keys/{id}/roles/{role_id}":     "Bundle 1 Phase 4 RBAC: revoke role from API key; OpenAPI follow-up.",
+	// Bundle 1 / Phase 4 RBAC API: shipped with full OpenAPI schema in
+	// the Phase 0-5 closure commit. The 11 routes (auth/me + permissions
+	// catalogue + 5 role-lifecycle + 2 role-permission grant/revoke + 2
+	// actor-role grant/revoke) live in api/openapi.yaml under tag
+	// `[Auth]`. Shared shapes: AuthRole + AuthRolePermission in the
+	// schemas section. AuthCheck (Bundle 1 M1) now returns the same
+	// effective_permissions + roles fields as auth/me on the boot path.
 }
 
 func TestRouter_OpenAPIParity(t *testing.T) {

internal/api/router/rbac_gate_integration_test.go

@@ -127,3 +127,37 @@ func TestRBACGate_NoActorReturns401(t *testing.T) {
 		t.Errorf("handler body must NOT run when no actor in context")
 	}
 }
+
+// TestRBACGate_DemoModeChainReachesHandler is the end-to-end Bundle 1
+// Phase 3 closure (C1) regression: when CERTCTL_AUTH_TYPE=none, the
+// auth.NewDemoModeAuth middleware injects the synthetic actor-demo-anon
+// actor into context. The rbacGate downstream sees a populated actor +
+// the fake checker (standing in for the seeded admin grant on the
+// demo actor) and forwards the request. Without the C1 fix, the
+// pre-closure NewAuthWithNamedKeys no-op pass-through would have left
+// context unpopulated and the rbacGate would 401 every demo request.
+func TestRBACGate_DemoModeChainReachesHandler(t *testing.T) {
+	rh := &reachedHandler{}
+	// Mirror the seeded admin grant on actor-demo-anon: the checker
+	// allows every permission for the demo actor (matches the data
+	// migration seeds in 000029_rbac.up.sql).
+	checker := &fakeChecker{permFn: func(_ context.Context, actorID, _, _, _, _ string, _ *string) (bool, error) {
+		if actorID != auth.DemoAnonActorID {
+			t.Errorf("checker called for unexpected actor %q (want demo-anon)", actorID)
+		}
+		return true, nil
+	}}
+	gated := rbacGate(checker, "cert.bulk_revoke", rh.ServeHTTP)
+	chain := auth.NewDemoModeAuth()(gated)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", nil)
+	rec := httptest.NewRecorder()
+	chain.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Errorf("demo-mode caller against admin route should reach handler 200; got %d", rec.Code)
+	}
+	if !rh.called {
+		t.Errorf("handler body must run for demo-mode caller (C1 closure regression)")
+	}
+}