server: drop in-process TLS — HTTP-only behind reverse proxy

Self-hosted deployments already terminate TLS at Caddy/Traefik/nginx;
making the server do TLS too means double cert config, dual ACME
plumbing, and an untested code path. Drop RM_TLS_CERT/RM_TLS_KEY,
remove TLSEnabled() and the ListenAndServeTLS branch.

Replace the cookie's "Secure if TLS-in-process" check with a new
RM_COOKIE_SECURE flag (default true). Local HTTP-only testing sets
RM_COOKIE_SECURE=false; production is always behind a TLS proxy and
the cookie stays Secure.

Default port :8443 → :8080. docker-compose binds 127.0.0.1 only and
populates RM_TRUSTED_PROXY. spec.md §4.1/§10.1 rewritten with a
Caddyfile snippet and a hard "do not expose RM_LISTEN publicly"
warning. enrollResponse keeps cert_pin_sha256 in the shape but the
server can't introspect a cert it doesn't terminate — operator
pastes the proxy's hash into -cert-pin at install time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/http/auth.go

@@ -71,7 +71,7 @@ func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
 		Value:    token,
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   s.deps.Cfg.TLSEnabled(),
+		Secure:   s.deps.Cfg.CookieSecure,
 		SameSite: stdhttp.SameSiteLaxMode,
 		Expires:  sess.ExpiresAt,
 	})
@@ -97,7 +97,7 @@ func (s *Server) handleLogout(w stdhttp.ResponseWriter, r *stdhttp.Request) {
 		Path:     "/",
 		MaxAge:   -1,
 		HttpOnly: true,
-		Secure:   s.deps.Cfg.TLSEnabled(),
+		Secure:   s.deps.Cfg.CookieSecure,
 		SameSite: stdhttp.SameSiteLaxMode,
 	})
 	w.WriteHeader(stdhttp.StatusNoContent)

internal/server/http/enrollment.go

@@ -27,9 +27,12 @@ type enrollRequest struct {
 
 // enrollResponse hands the agent the credentials it'll use forever.
 // AgentToken is shown exactly once; the server stores its hash.
-// CertPinSHA256 is the SHA-256 of the server's certificate, base64;
-// the agent pins this on every reconnect so a stolen DB at the
-// control plane can't be replayed against an attacker's TLS endpoint.
+//
+// CertPinSHA256 is reserved for future use. The server is HTTP-only
+// and sits behind a reverse proxy that owns the TLS cert; pinning is
+// configured at the agent install step (`-cert-pin`) by the operator
+// pasting in the proxy's cert hash. The field stays in the response
+// shape so we can populate it later if the topology changes.
 type enrollResponse struct {
 	HostID        string `json:"host_id"`
 	AgentToken    string `json:"agent_token"`
@@ -109,9 +112,11 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
 	writeJSON(w, stdhttp.StatusCreated, enrollResponse{
 		HostID:     hostID,
 		AgentToken: agentToken,
-		// CertPinSHA256 is populated by a TLS-aware future revision.
-		// For now (HTTP-or-TLS-by-Caddy) we leave it empty and rely
-		// on the agent trusting its OS root store.
+		// CertPinSHA256: the server is HTTP-only and sits behind a
+		// reverse proxy that owns the cert. The operator pastes the
+		// proxy's cert hash into the install command (`-cert-pin`)
+		// when they want pinning; the server cannot introspect a
+		// cert it doesn't terminate.
 	})
 }
 

internal/server/http/server.go

@@ -86,6 +86,9 @@ func (s *Server) routes(r chi.Router) {
 
 		// Run-now: dispatch a job to a host's agent.
 		r.Post("/hosts/{id}/jobs", s.handleRunNow)
+
+		// Snapshot projection (refreshed by the agent after each backup).
+		r.Get("/hosts/{id}/snapshots", s.handleListHostSnapshots)
 	})
 
 	// Agent ↔ server WebSocket. Bearer-authenticated inside the handler.
@@ -109,16 +112,9 @@ func (s *Server) routes(r chi.Router) {
 }
 
 // Start begins listening. Blocks until ListenAndServe returns
-// (typically only on Shutdown). Pass the result to errgroup.Group.Go.
+// (typically only on Shutdown). The server is HTTP-only by design;
+// production deployments terminate TLS at a reverse proxy in front.
 func (s *Server) Start() error {
-	cfg := s.deps.Cfg
-	if cfg.TLSEnabled() {
-		err := s.srv.ListenAndServeTLS(cfg.TLSCert, cfg.TLSKey)
-		if errors.Is(err, stdhttp.ErrServerClosed) {
-			return nil
-		}
-		return err
-	}
 	err := s.srv.ListenAndServe()
 	if errors.Is(err, stdhttp.ErrServerClosed) {
 		return nil