fix(auth/users): close MED-11 lying field — DeactivatedAt loaded + enforced on login (A-2)

The MED-11 closure shipped users.deactivated_at + DELETE /api/v1/auth/users/{id}
+ cascade-revoke, but the federated-user soft-delete was reversible: the next
OIDC login under the same (provider, subject) tuple re-minted a session and
re-elevated the user.

Three legs of the chain were severed (each independently CRIT-shaped):

  Leg A — postgres/user.go::userColumns omitted `deactivated_at`, so scanUser
          never populated User.DeactivatedAt. Every Get / GetByOIDCSubject /
          ListAll returned DeactivatedAt = nil regardless of the column value.

  Leg B — postgres/user.go::Update SQL omitted `deactivated_at = $X`, so the
          handler's `u.DeactivatedAt = now()` mutation was a no-op write at
          the SQL level. Even with leg A closed, no row ever flipped.

  Leg C — oidc/service.go::upsertUser did not inspect DeactivatedAt on the
          existing-user path. Even with legs A + B closed, the OIDC login
          would still proceed normally.

The cascade-session-revoke half of the original closure remained correct, but
only for the duration of the user's current cookie. SOC 2 CC6.3 + ISO 27001
A.9.2.6 "user access removal" controls require both immediate revoke AND
persistent block — this fix restores the persistent-block leg.

Closure across layers:

  internal/repository/postgres/user.go
    - userColumns adds `deactivated_at`
    - scanUser reads via sql.NullTime intermediate (column is nullable)
    - Create writes deactivated_at explicitly (NULL for new active users;
      forward-compat for future seed-data flows that pre-populate the column)
    - Update writes deactivated_at on every call; nil DeactivatedAt → NULL
      (supports reactivation)

  internal/auth/oidc/service.go
    - New sentinel ErrUserDeactivated
    - upsertUser checks existing.DeactivatedAt != nil BEFORE mutating email /
      display_name / last_login_at — preserves last_login_at forensics on
      rejected login attempts (defense-in-depth pin against future
      "performance optimization" that reorders the gate)

  internal/api/handler/auth_session_oidc.go
    - classifyOIDCFailure adds typed errors.Is dispatch for ErrUserDeactivated
      → audit category "user_deactivated" (SOC/SIEM observability surface)

  internal/api/handler/auth_users.go
    - Self-deactivate guard on Deactivate: HTTP 409 + audit row
      auth.user_deactivate_self_rejected when caller targets own User row.
      Prevents an admin from one-way-door locking themselves out via the
      standard handler; break-glass remains the recovery path.
    - New Reactivate handler: inverse of Deactivate. Clears DeactivatedAt
      via Update; emits auth.user_reactivated audit row. Idempotent on
      already-active rows. Sessions revoked at deactivation stay revoked
      (cascade irreversible by design — user must complete fresh OIDC
      login).

  internal/api/router/router.go
    - POST /api/v1/auth/users/{id}/reactivate wired with auth.user.deactivate
      gate (reactivation is the inverse op, not a separate privilege)

  web/src/api/client.ts + web/src/pages/auth/UsersPage.tsx
    - authReactivateUser() client function
    - Reactivate button on deactivated rows in UsersPage

Regression coverage:

  Postgres (testcontainers, skipped under -short):
    TestUserRepository_DeactivatedAt_RoundTrip — Create → set DeactivatedAt
      → Update → Get / GetByOIDCSubject / ListAll round-trip the value
    TestUserRepository_DeactivatedAt_CreateWritesNullForActive — new active
      user reads back DeactivatedAt = nil
    TestUserRepository_DeactivatedAt_CreatePersistsPreDeactivated — Create
      with non-nil DeactivatedAt round-trips (forward-compat path)

  OIDC service:
    TestService_HandleCallback_RejectsDeactivatedUser — errors.Is
      ErrUserDeactivated; CallbackResult nil; persisted email / last_login_at
      / deactivated_at NOT mutated by the rejected attempt
    TestService_HandleCallback_AllowsReactivatedUser — DeactivatedAt = nil
      → happy path resumes
    TestService_HandleCallback_DeactivatedUserPreservesForensics —
      defense-in-depth pin against future regressions that reorder the
      gate-vs-mutation sequence

  Classifier:
    TestClassifyOIDCFailure extended — typed dispatch + wrapped variant
      round-trip through errors.Is

  Handler:
    TestAuthUsers_Deactivate_RejectsSelfDeactivate — HTTP 409 + audit
      row + cascade-revoke NOT fired + row stays active
    TestAuthUsers_Deactivate_OtherUser_HappyPath — HTTP 204 + cascade
      fires + row soft-deleted
    TestAuthUsers_Reactivate_HappyPath / _IdempotentOnActiveUser /
      _UnknownID / _MissingID / _UpdateError

Phase 6 verify gate green on the targeted packages: gofmt clean, go vet
clean, go test -short pass across internal/auth/oidc, internal/api/handler,
internal/api/router, internal/repository/postgres, internal/auth/...,
internal/service/..., internal/tlsprobe/..., internal/trustanchor/...,
internal/validation/...

Spec at cowork/auth-bundles-fixes-2026-05-11/02-crit-deactivated-at-enforcement.md
Closure annotation at cowork/auth-bundles-audit-2026-05-10.md MED-11 row.
Operator advisory in CHANGELOG.md v2.1.0 release notes.

CHANGELOG.md

@@ -4,6 +4,33 @@
 
 ### Security (BREAKING)
 
+- **Federated-user deactivation now actually blocks login (Audit 2026-05-11 A-2).**
+  The MED-11 closure shipped `users.deactivated_at` + `DELETE /api/v1/auth/users/{id}`
+  + cascade-session-revoke, but the column was a "lying field" three legs over: the
+  postgres user repository never SELECTed it (so `User.DeactivatedAt` always read
+  nil), the `Update` SQL never wrote it (so the handler's mutation was a no-op),
+  and the OIDC `upsertUser` path never checked it (so the next login under the
+  same `(provider, subject)` tuple re-minted a session and re-elevated the user).
+  The cascade-revoke remained correct for the current cookie only. **Operator
+  advisory: if you deactivated a federated user between the MED-11 closure
+  (Bundle 2 merge `dea5053`) and the v2.1.0 release tag, verify the user cannot
+  OIDC-log-in after upgrading — the column took no effect at login time before
+  this fix. If needed, re-run the deactivation against the upgraded server.**
+  Closure: `userColumns` + `scanUser` now read `deactivated_at` via `sql.NullTime`;
+  `Create` + `Update` write it explicitly; `upsertUser` returns the new
+  `ErrUserDeactivated` sentinel before mutating fields (preserves `last_login_at`
+  forensics on rejected logins); `classifyOIDCFailure` surfaces the rejection
+  as audit category `user_deactivated`. Self-deactivate guard on
+  `DELETE /api/v1/auth/users/{id}` returns HTTP 409 + audit row
+  `auth.user_deactivate_self_rejected` (prevents an admin from one-way-door
+  locking themselves out via the standard handler — break-glass remains the
+  recovery path). New inverse endpoint `POST /api/v1/auth/users/{id}/reactivate`
+  (gated `auth.user.deactivate` — reactivation is the inverse op, not a separate
+  privilege) clears `deactivated_at`; emits audit row `auth.user_reactivated`.
+  Sessions revoked at deactivation stay revoked across reactivation — the user
+  must complete a fresh OIDC login. GUI: `UsersPage.tsx` now renders a Reactivate
+  button on deactivated rows. CWE-862 (missing authorization at the user-state
+  boundary). SOC 2 CC6.3 + ISO 27001 A.9.2.6 compliance-table-flipping fix.
 - **`__Host-` cookie prefix on all three auth cookies (Audit 2026-05-10 MED-14).**
   The session cookie, CSRF cookie, and OIDC pre-login cookie are renamed from
   `certctl_session` / `certctl_csrf` / `certctl_oidc_pending` to