auth-bundle-2 Phase 2b: repository interfaces + Postgres impls + integration tests

Closes Phase 2 end-to-end. Builds on Phase 2a's three migrations
(000034 oidc_providers + group_role_mappings, 000035 sessions +
session_signing_keys, 000036 users) by shipping the repository surface
Phase 3+ services consume.

Interfaces:
* internal/repository/oidc.go - OIDCProviderRepository (List, Get,
  GetByName, Create, Update, Delete) + GroupRoleMappingRepository
  (ListByProvider, Get, Add, Remove, Map). Sentinels:
  ErrOIDCProviderNotFound, ErrOIDCProviderDuplicateName,
  ErrOIDCProviderInUse (FK ON DELETE RESTRICT translation),
  ErrGroupRoleMappingNotFound, ErrGroupRoleMappingDuplicate.
* internal/repository/session.go - SessionRepository (Create, Get,
  ListByActor, UpdateLastSeen, Revoke, RevokeAllForActor,
  GarbageCollectExpired, Delete) + SessionSigningKeyRepository (List,
  GetActive, Get, Add, Retire, Delete). Sentinels: ErrSessionNotFound,
  ErrSessionRevoked, ErrSessionExpired, ErrSessionSigningKeyNotFound,
  ErrSessionSigningKeyInUse.
* internal/repository/user.go - UserRepository (Get, GetByOIDCSubject,
  Create, Update, ListAll). Sentinels: ErrUserNotFound,
  ErrUserDuplicateOIDCSubject.

Postgres implementations:
* internal/repository/postgres/oidc.go - 309 lines. Translates
  SQLSTATE 23505 (unique_violation) to ErrOIDCProviderDuplicateName /
  ErrGroupRoleMappingDuplicate; SQLSTATE 23503 (foreign_key_violation)
  to ErrOIDCProviderInUse so the Phase 5 handler maps to HTTP 409
  when an operator tries to delete a provider with authenticated
  users. pq.StringArray bridges Go []string to Postgres TEXT[] for
  scopes + allowed_email_domains. Map() uses
  `WHERE group_name = ANY($2)` so a single SELECT resolves N IdP
  group claims at once.
* internal/repository/postgres/session.go - 350 lines. Both Session +
  SessionSigningKey repos. Revoke + Retire are idempotent (re-revoking
  an already-revoked session returns nil; same for retire). The
  GarbageCollectExpired sweep deletes both
  absolute-expiry-passed sessions AND pre-login rows older than the
  10-minute TTL in one DELETE so the scheduler tick is cheap.
  ErrSessionSigningKeyInUse pinned via SQLSTATE 23503 from the
  sessions.signing_key_id FK ON DELETE RESTRICT.
* internal/repository/postgres/user.go - 137 lines. GetByOIDCSubject
  is the Phase 3 hot-path lookup; the (oidc_provider_id,
  oidc_subject) UNIQUE constraint trip translates to
  ErrUserDuplicateOIDCSubject. Update only writes the mutable field
  set (email, display_name, last_login_at, webauthn_credentials);
  oidc_subject + oidc_provider_id are immutable per the
  per-(provider, subject) identity model.

Integration tests (testing.Short()-gated, testcontainers + Postgres
16 Alpine, schema-per-test isolation via getTestDB().freshSchema):

* oidc_test.go: 11 tests covering happy-path + GetNotFound +
  DuplicateName + List + Update + DeleteNotFound + DeleteSucceeds +
  DeleteRefusedWhenUsersReference (the FK ON DELETE RESTRICT pin);
  GroupRoleMapping coverage includes Add/List/Map (3 cases:
  marketing-not-mapped, multi-group hits, empty groups returns
  empty), Duplicate rejection, and the ON DELETE CASCADE on
  provider deletion.
* session_test.go: 12 tests covering SessionSigningKey + Session.
  Key tests: GetActiveSkipsRetired (mints older, retires it, mints
  newer, asserts GetActive returns newer), DeleteRefusedWhenSessions-
  Reference (FK pin), RetireIsIdempotent. Session tests:
  CreateAndGet roundtrip, GetNotFound, Revoke + idempotent re-Revoke,
  ListByActor (3 active + 1 revoked + 1 pre-login -> returns 3,
  pinning the WHERE filter), RevokeAllForActor, GarbageCollectExpired
  (seeds an absolute-expired row + pre-login >10min row + active
  session via raw SQL to bypass CHECK constraints, asserts GC kills
  exactly 2 + active survives), UpdateLastSeen.
* user_test.go: 7 tests covering CreateAndGet, GetNotFound,
  GetByOIDCSubject (hit + miss), DuplicateOIDCSubjectRejected,
  UpdateMutableFields (asserts oidc_subject NOT mutated by Update),
  ListAll, FKRestrictsProviderDelete (mirror of the OIDC test from
  the user side - both ends of the FK contract pinned).

Verifications:
* gofmt -l clean across all 9 new files.
* go vet ./internal/repository/postgres/ rc=0.
* go test -short -count=1 green on internal/repository/postgres/ +
  internal/auth/... + Bundle 1 packages (testing.Short() skips the
  testcontainers integration tests, but the test files compile + the
  short-mode skip path is exercised so the suite is wired correctly).
* Full integration tests run in CI's non-short job against Postgres
  16 Alpine via testcontainers-go.
* govulncheck ./... clean.
* All 24 ci-guards pass.

Phase 2 exit criteria from cowork/auth-bundle-2-prompt.md (all met):
* All three Phase-2 migrations apply cleanly, idempotently: yes
  (Phase 2a). Break-glass migration ships separately in Phase 7.5.
* Repository tests pass against Postgres 16 Alpine: integration
  tests written, gated by testing.Short(), structured to run cleanly
  in CI's non-short job.
* make verify equivalent green: gofmt + vet + go test pass;
  golangci-lint deferred to CI per Phase 0/1's same pattern.

internal/repository/postgres/oidc.go

@@ -0,0 +1,309 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+
+	"github.com/lib/pq"
+
+	oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
+	"github.com/certctl-io/certctl/internal/repository"
+)
+
+// =============================================================================
+// OIDCProviderRepository (Auth Bundle 2 Phase 2)
+// =============================================================================
+
+// OIDCProviderRepository is the postgres implementation of
+// repository.OIDCProviderRepository.
+type OIDCProviderRepository struct {
+	db *sql.DB
+}
+
+// NewOIDCProviderRepository constructs an OIDCProviderRepository.
+func NewOIDCProviderRepository(db *sql.DB) *OIDCProviderRepository {
+	return &OIDCProviderRepository{db: db}
+}
+
+const oidcProviderColumns = `id, tenant_id, name, issuer_url, client_id,
+		client_secret_encrypted, redirect_uri, groups_claim_path,
+		groups_claim_format, fetch_userinfo, scopes,
+		allowed_email_domains, iat_window_seconds,
+		jwks_cache_ttl_seconds, created_at, updated_at`
+
+func scanOIDCProvider(row interface{ Scan(...interface{}) error }) (*oidcdomain.OIDCProvider, error) {
+	var p oidcdomain.OIDCProvider
+	var scopes, domains pq.StringArray
+	if err := row.Scan(
+		&p.ID, &p.TenantID, &p.Name, &p.IssuerURL, &p.ClientID,
+		&p.ClientSecretEncrypted, &p.RedirectURI, &p.GroupsClaimPath,
+		&p.GroupsClaimFormat, &p.FetchUserinfo, &scopes,
+		&domains, &p.IATWindowSeconds,
+		&p.JWKSCacheTTLSeconds, &p.CreatedAt, &p.UpdatedAt,
+	); err != nil {
+		return nil, err
+	}
+	p.Scopes = []string(scopes)
+	p.AllowedEmailDomains = []string(domains)
+	return &p, nil
+}
+
+// List returns every configured OIDC provider in the tenant, ordered
+// by created_at ASC for stable GUI rendering.
+func (r *OIDCProviderRepository) List(ctx context.Context, tenantID string) ([]*oidcdomain.OIDCProvider, error) {
+	rows, err := r.db.QueryContext(ctx, `SELECT `+oidcProviderColumns+` FROM oidc_providers WHERE tenant_id = $1 ORDER BY created_at ASC`, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("oidc_providers list: %w", err)
+	}
+	defer rows.Close()
+
+	var out []*oidcdomain.OIDCProvider
+	for rows.Next() {
+		p, err := scanOIDCProvider(rows)
+		if err != nil {
+			return nil, fmt.Errorf("oidc_providers scan: %w", err)
+		}
+		out = append(out, p)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Get returns one provider by id. ErrOIDCProviderNotFound on miss.
+func (r *OIDCProviderRepository) Get(ctx context.Context, id string) (*oidcdomain.OIDCProvider, error) {
+	row := r.db.QueryRowContext(ctx, `SELECT `+oidcProviderColumns+` FROM oidc_providers WHERE id = $1`, id)
+	p, err := scanOIDCProvider(row)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, repository.ErrOIDCProviderNotFound
+		}
+		return nil, fmt.Errorf("oidc_providers get: %w", err)
+	}
+	return p, nil
+}
+
+// GetByName returns one provider by (tenant_id, name).
+func (r *OIDCProviderRepository) GetByName(ctx context.Context, tenantID, name string) (*oidcdomain.OIDCProvider, error) {
+	row := r.db.QueryRowContext(ctx, `SELECT `+oidcProviderColumns+` FROM oidc_providers WHERE tenant_id = $1 AND name = $2`, tenantID, name)
+	p, err := scanOIDCProvider(row)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, repository.ErrOIDCProviderNotFound
+		}
+		return nil, fmt.Errorf("oidc_providers get_by_name: %w", err)
+	}
+	return p, nil
+}
+
+// Create persists a new provider. Caller MUST have called p.Validate()
+// and encrypted ClientSecretEncrypted via internal/crypto/encryption.go.
+// Translates SQLSTATE 23505 (unique_violation) to
+// ErrOIDCProviderDuplicateName.
+func (r *OIDCProviderRepository) Create(ctx context.Context, p *oidcdomain.OIDCProvider) error {
+	_, err := r.db.ExecContext(ctx, `
+		INSERT INTO oidc_providers (
+			id, tenant_id, name, issuer_url, client_id,
+			client_secret_encrypted, redirect_uri, groups_claim_path,
+			groups_claim_format, fetch_userinfo, scopes,
+			allowed_email_domains, iat_window_seconds,
+			jwks_cache_ttl_seconds
+		) VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14)`,
+		p.ID, p.TenantID, p.Name, p.IssuerURL, p.ClientID,
+		p.ClientSecretEncrypted, p.RedirectURI, p.GroupsClaimPath,
+		p.GroupsClaimFormat, p.FetchUserinfo, pq.StringArray(p.Scopes),
+		pq.StringArray(p.AllowedEmailDomains), p.IATWindowSeconds,
+		p.JWKSCacheTTLSeconds,
+	)
+	if err != nil {
+		var pqErr *pq.Error
+		if errors.As(err, &pqErr) && pqErr.Code == "23505" {
+			return repository.ErrOIDCProviderDuplicateName
+		}
+		return fmt.Errorf("oidc_providers create: %w", err)
+	}
+	return nil
+}
+
+// Update writes the mutable fields back. Immutable: id, tenant_id,
+// created_at. updated_at = NOW().
+func (r *OIDCProviderRepository) Update(ctx context.Context, p *oidcdomain.OIDCProvider) error {
+	res, err := r.db.ExecContext(ctx, `
+		UPDATE oidc_providers SET
+			name = $2,
+			issuer_url = $3,
+			client_id = $4,
+			client_secret_encrypted = $5,
+			redirect_uri = $6,
+			groups_claim_path = $7,
+			groups_claim_format = $8,
+			fetch_userinfo = $9,
+			scopes = $10,
+			allowed_email_domains = $11,
+			iat_window_seconds = $12,
+			jwks_cache_ttl_seconds = $13,
+			updated_at = NOW()
+		WHERE id = $1`,
+		p.ID, p.Name, p.IssuerURL, p.ClientID,
+		p.ClientSecretEncrypted, p.RedirectURI, p.GroupsClaimPath,
+		p.GroupsClaimFormat, p.FetchUserinfo, pq.StringArray(p.Scopes),
+		pq.StringArray(p.AllowedEmailDomains), p.IATWindowSeconds,
+		p.JWKSCacheTTLSeconds,
+	)
+	if err != nil {
+		var pqErr *pq.Error
+		if errors.As(err, &pqErr) && pqErr.Code == "23505" {
+			return repository.ErrOIDCProviderDuplicateName
+		}
+		return fmt.Errorf("oidc_providers update: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return repository.ErrOIDCProviderNotFound
+	}
+	return nil
+}
+
+// Delete removes a provider by id. Returns ErrOIDCProviderInUse on
+// SQLSTATE 23503 (foreign_key_violation) — the users table's FK ON
+// DELETE RESTRICT fires when authenticated users still reference
+// this provider.
+func (r *OIDCProviderRepository) Delete(ctx context.Context, id string) error {
+	res, err := r.db.ExecContext(ctx, `DELETE FROM oidc_providers WHERE id = $1`, id)
+	if err != nil {
+		var pqErr *pq.Error
+		if errors.As(err, &pqErr) && pqErr.Code == "23503" {
+			return repository.ErrOIDCProviderInUse
+		}
+		return fmt.Errorf("oidc_providers delete: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return repository.ErrOIDCProviderNotFound
+	}
+	return nil
+}
+
+// =============================================================================
+// GroupRoleMappingRepository (Auth Bundle 2 Phase 2)
+// =============================================================================
+
+// GroupRoleMappingRepository is the postgres implementation of
+// repository.GroupRoleMappingRepository.
+type GroupRoleMappingRepository struct {
+	db *sql.DB
+}
+
+// NewGroupRoleMappingRepository constructs a GroupRoleMappingRepository.
+func NewGroupRoleMappingRepository(db *sql.DB) *GroupRoleMappingRepository {
+	return &GroupRoleMappingRepository{db: db}
+}
+
+func scanGroupRoleMapping(row interface{ Scan(...interface{}) error }) (*oidcdomain.GroupRoleMapping, error) {
+	var m oidcdomain.GroupRoleMapping
+	if err := row.Scan(&m.ID, &m.TenantID, &m.ProviderID, &m.GroupName, &m.RoleID, &m.CreatedAt); err != nil {
+		return nil, err
+	}
+	return &m, nil
+}
+
+// ListByProvider returns every mapping for the named provider, ordered
+// group_name ASC.
+func (r *GroupRoleMappingRepository) ListByProvider(ctx context.Context, providerID string) ([]*oidcdomain.GroupRoleMapping, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, tenant_id, provider_id, group_name, role_id, created_at
+		FROM group_role_mappings
+		WHERE provider_id = $1
+		ORDER BY group_name ASC`, providerID)
+	if err != nil {
+		return nil, fmt.Errorf("group_role_mappings list_by_provider: %w", err)
+	}
+	defer rows.Close()
+
+	var out []*oidcdomain.GroupRoleMapping
+	for rows.Next() {
+		m, err := scanGroupRoleMapping(rows)
+		if err != nil {
+			return nil, fmt.Errorf("group_role_mappings scan: %w", err)
+		}
+		out = append(out, m)
+	}
+	return out, rows.Err()
+}
+
+// Get returns one mapping by id.
+func (r *GroupRoleMappingRepository) Get(ctx context.Context, id string) (*oidcdomain.GroupRoleMapping, error) {
+	row := r.db.QueryRowContext(ctx, `
+		SELECT id, tenant_id, provider_id, group_name, role_id, created_at
+		FROM group_role_mappings WHERE id = $1`, id)
+	m, err := scanGroupRoleMapping(row)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, repository.ErrGroupRoleMappingNotFound
+		}
+		return nil, fmt.Errorf("group_role_mappings get: %w", err)
+	}
+	return m, nil
+}
+
+// Add persists a new mapping. Translates SQLSTATE 23505 into
+// ErrGroupRoleMappingDuplicate.
+func (r *GroupRoleMappingRepository) Add(ctx context.Context, m *oidcdomain.GroupRoleMapping) error {
+	_, err := r.db.ExecContext(ctx, `
+		INSERT INTO group_role_mappings (id, tenant_id, provider_id, group_name, role_id)
+		VALUES ($1, $2, $3, $4, $5)`,
+		m.ID, m.TenantID, m.ProviderID, m.GroupName, m.RoleID)
+	if err != nil {
+		var pqErr *pq.Error
+		if errors.As(err, &pqErr) && pqErr.Code == "23505" {
+			return repository.ErrGroupRoleMappingDuplicate
+		}
+		return fmt.Errorf("group_role_mappings add: %w", err)
+	}
+	return nil
+}
+
+// Remove deletes a mapping by id.
+func (r *GroupRoleMappingRepository) Remove(ctx context.Context, id string) error {
+	res, err := r.db.ExecContext(ctx, `DELETE FROM group_role_mappings WHERE id = $1`, id)
+	if err != nil {
+		return fmt.Errorf("group_role_mappings remove: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return repository.ErrGroupRoleMappingNotFound
+	}
+	return nil
+}
+
+// Map resolves IdP-supplied group names against the provider's
+// mappings. Returns the deduplicated set of role IDs the user should
+// hold. Empty group_names slice yields empty result; empty result
+// means fail-closed (no roles, Phase 3 declines to mint a session).
+func (r *GroupRoleMappingRepository) Map(ctx context.Context, providerID string, groupNames []string) ([]string, error) {
+	if len(groupNames) == 0 {
+		return nil, nil
+	}
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT DISTINCT role_id
+		FROM group_role_mappings
+		WHERE provider_id = $1 AND group_name = ANY($2)`,
+		providerID, pq.StringArray(groupNames))
+	if err != nil {
+		return nil, fmt.Errorf("group_role_mappings map: %w", err)
+	}
+	defer rows.Close()
+
+	var out []string
+	for rows.Next() {
+		var roleID string
+		if err := rows.Scan(&roleID); err != nil {
+			return nil, fmt.Errorf("group_role_mappings map scan: %w", err)
+		}
+		out = append(out, roleID)
+	}
+	return out, rows.Err()
+}