P1-33: agent-side encrypted secrets store + push-on-update

New internal/agent/secrets package: AEAD blob at
/var/lib/restic-manager/secrets.enc, atomic write (os.CreateTemp +
Sync + Rename), 0600. Key lives in agent.yaml as base64
(SecretsKey) — same trust boundary as the bearer token, minted on
first start via EnsureSecretsKey.

cmd/agent: dispatcher reads creds fresh from secrets.Load() on
each job rather than from in-memory config. config.update merges
the push with what's on disk and persists, so a daemon restart
keeps the latest values. Legacy plaintext repo_url/repo_password
in agent.yaml are silently migrated into secrets.enc on next start
and stripped from the YAML on the following save.

Tests: round-trip + wrong-key rejection + atomic-write
post-condition for secrets; key idempotence + legacy-field
parse/clear for config.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/agent/config/config.go

@@ -1,14 +1,22 @@
 // Package config loads the agent's persistent configuration. After
 // enrollment, the file holds the bearer token + server URL; it is
 // only ever written via Save (which replaces atomically).
+//
+// Restic repo credentials live in a separate AEAD-encrypted file
+// (see internal/agent/secrets) and never appear in this config.
 package config
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 
 	"gopkg.in/yaml.v3"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
 )
 
 // Config is the on-disk shape of the agent's config file.
@@ -33,19 +41,75 @@ type Config struct {
 	// ResticPath overrides the auto-detected restic binary path.
 	ResticPath string `yaml:"restic_path,omitempty"`
 
-	// RepoURL + RepoPassword are the credentials this host uses to
-	// reach its restic repository. Phase 1 keeps these in plaintext
-	// in agent.yaml (mode 0600 owned by the agent service user); the
-	// server-pushed config.update message can override them in
-	// memory. Phase 2 moves them into the OS keyring (DPAPI on
-	// Windows, Secret Service on Linux).
-	RepoURL      string `yaml:"repo_url,omitempty"`
-	RepoPassword string `yaml:"repo_password,omitempty"`
+	// SecretsPath is the on-disk location of the AEAD-encrypted
+	// repo-creds blob. Defaults to /var/lib/restic-manager/secrets.enc
+	// when empty. Phase 1 trust boundary: this file is 0600 owned by
+	// the agent service user; the SecretsKey below sits in this same
+	// agent.yaml (also 0600), so anyone who can read one can read the
+	// other. Phase 2 swaps SecretsKey for an OS-keyring lookup.
+	SecretsPath string `yaml:"secrets_path,omitempty"`
+
+	// SecretsKey is the base64-encoded 32-byte AEAD master key for
+	// the secrets file. Minted on first Save if absent.
+	SecretsKey string `yaml:"secrets_key,omitempty"`
+
+	// LegacyRepoURL / LegacyRepoPassword: remnants of the pre-P1-33
+	// world where repo creds lived in plaintext here. Load() pulls
+	// them off (so a config written by an older agent still works on
+	// upgrade), the agent migrates them into secrets.enc on next
+	// start, and Save() writes them out as empty (yamls "omitempty")
+	// — i.e. the next file on disk no longer contains them.
+	LegacyRepoURL      string `yaml:"repo_url,omitempty"`
+	LegacyRepoPassword string `yaml:"repo_password,omitempty"`
 
 	// path is the file we loaded from. Used by Save.
 	path string `yaml:"-"`
 }
 
+// DefaultSecretsPath is where the encrypted secrets blob lives on a
+// stock Linux install. Override via Config.SecretsPath.
+const DefaultSecretsPath = "/var/lib/restic-manager/secrets.enc"
+
+// ResolvedSecretsPath returns SecretsPath if set, otherwise the
+// default for the current OS.
+func (c *Config) ResolvedSecretsPath() string {
+	if c.SecretsPath != "" {
+		return c.SecretsPath
+	}
+	return DefaultSecretsPath
+}
+
+// EnsureSecretsKey mints a fresh 32-byte AEAD key into c.SecretsKey
+// if one isn't already set. Caller must Save() afterwards. Idempotent.
+func (c *Config) EnsureSecretsKey() error {
+	if c.SecretsKey != "" {
+		return nil
+	}
+	raw := make([]byte, crypto.KeyLen)
+	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
+		return fmt.Errorf("agent config: mint secrets key: %w", err)
+	}
+	c.SecretsKey = base64.StdEncoding.EncodeToString(raw)
+	return nil
+}
+
+// SecretsKeyBytes returns the decoded AEAD key, or an error if the
+// key is unset/malformed.
+func (c *Config) SecretsKeyBytes() ([]byte, error) {
+	if c.SecretsKey == "" {
+		return nil, fmt.Errorf("agent config: secrets_key is empty")
+	}
+	b, err := base64.StdEncoding.DecodeString(c.SecretsKey)
+	if err != nil {
+		return nil, fmt.Errorf("agent config: decode secrets_key: %w", err)
+	}
+	if len(b) != crypto.KeyLen {
+		return nil, fmt.Errorf("agent config: secrets_key must decode to %d bytes, got %d",
+			crypto.KeyLen, len(b))
+	}
+	return b, nil
+}
+
 // DefaultPath returns the canonical config path for the current OS.
 // Phase 1 ships Linux only; Windows path lives in the spec for P2.
 func DefaultPath() string {

internal/agent/config/config_test.go

@@ -0,0 +1,96 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
+)
+
+func TestEnsureSecretsKeyMintsOnce(t *testing.T) {
+	t.Parallel()
+	c := &Config{}
+	if err := c.EnsureSecretsKey(); err != nil {
+		t.Fatalf("mint: %v", err)
+	}
+	first := c.SecretsKey
+	if first == "" {
+		t.Fatal("EnsureSecretsKey: SecretsKey still empty")
+	}
+	// Second call must be a no-op (idempotent).
+	if err := c.EnsureSecretsKey(); err != nil {
+		t.Fatalf("second mint: %v", err)
+	}
+	if c.SecretsKey != first {
+		t.Errorf("EnsureSecretsKey is not idempotent: %q → %q", first, c.SecretsKey)
+	}
+
+	// SecretsKeyBytes returns 32 raw bytes.
+	b, err := c.SecretsKeyBytes()
+	if err != nil {
+		t.Fatalf("bytes: %v", err)
+	}
+	if len(b) != crypto.KeyLen {
+		t.Errorf("decoded key len = %d, want %d", len(b), crypto.KeyLen)
+	}
+}
+
+func TestSecretsKeyBytesRejectsBadInput(t *testing.T) {
+	t.Parallel()
+	cases := map[string]Config{
+		"empty":      {SecretsKey: ""},
+		"not_base64": {SecretsKey: "!!!"},
+		"wrong_len":  {SecretsKey: "Zm9v"}, // "foo", 3 bytes
+	}
+	for name, c := range cases {
+		c := c
+		t.Run(name, func(t *testing.T) {
+			if _, err := c.SecretsKeyBytes(); err == nil {
+				t.Errorf("expected error for %s", name)
+			}
+		})
+	}
+}
+
+func TestLoadAcceptsLegacyRepoFields(t *testing.T) {
+	t.Parallel()
+	dir := t.TempDir()
+	path := filepath.Join(dir, "agent.yaml")
+	yaml := []byte(`server_url: "https://srv"
+host_id: "h1"
+agent_token: "tok"
+repo_url: "rest:https://repo/h1"
+repo_password: "secret"
+`)
+	if err := os.WriteFile(path, yaml, 0o600); err != nil {
+		t.Fatalf("write: %v", err)
+	}
+	c, err := Load(path)
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if c.LegacyRepoURL != "rest:https://repo/h1" || c.LegacyRepoPassword != "secret" {
+		t.Errorf("legacy fields not parsed: %+v", c)
+	}
+	// And on Save the legacy fields should round-trip out to the file
+	// only when set (empty values use omitempty).
+	c.LegacyRepoURL = ""
+	c.LegacyRepoPassword = ""
+	if err := c.Save(); err != nil {
+		t.Fatalf("save: %v", err)
+	}
+	body, _ := os.ReadFile(path)
+	if contains := string(body); contains == "" || stringContains(contains, "repo_password:") {
+		t.Errorf("repo_password should be gone after legacy clear, got:\n%s", contains)
+	}
+}
+
+func stringContains(haystack, needle string) bool {
+	for i := 0; i+len(needle) <= len(haystack); i++ {
+		if haystack[i:i+len(needle)] == needle {
+			return true
+		}
+	}
+	return false
+}