phase 1 foundations: api types, store, crypto, auth

Lands the bottom three layers of Phase 1:

P1-08 internal/api: protocol_version + envelope + every WS message
  shape from spec.md §6.2 (Hello, Heartbeat, Job*, Schedule*, etc).
  Wire-format tests pin the JSON shape so a rename here breaks
  tests instead of silently breaking the agent.

P1-02 + P1-03 internal/store: SQLite via modernc.org/sqlite,
  embed.FS + a tiny version table for hand-rolled migrations.
  0001_initial.sql covers every table from spec.md §5 plus
  enrollment_tokens and host_schedule_version. Typed accessors
  for users / sessions / enrollment / audit. WAL + foreign_keys
  + busy_timeout on by default.

P1-06 internal/crypto: XChaCha20-Poly1305 AEAD wrapper with
  per-message random nonce. Key file lifecycle (generate +
  refuse-to-overwrite, load with size validation). Optional
  additionalData binds ciphertext to the row that owns it.

P1-04 internal/auth (partial — passwords + tokens; sessions
  middleware lands with the HTTP handlers): argon2id following
  RFC 9106 (64 MiB / t=3 / p=4 / 32B), constant-time verify.
  HashToken stores SHA-256 of session/agent/enrollment tokens
  so a stolen DB doesn't hand over credentials.

Build floor moves to Go 1.25 (modernc.org/sqlite v1.50+ requires
it); CI + Dockerfile + README updated. Markdown lint diagnostics
on tasks.md cleared.

All packages tested. ~70 new tests pass in <1s.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/store/enrollment.go

@@ -0,0 +1,58 @@
+package store
+
+import (
+	"context"
+	"fmt"
+	"time"
+)
+
+// CreateEnrollmentToken persists a fresh one-time token. The caller
+// has already hashed the raw token; the raw form is returned to the
+// operator (printed in the install snippet) and never persisted.
+func (s *Store) CreateEnrollmentToken(ctx context.Context, tokenHash string, ttl time.Duration) error {
+	now := time.Now().UTC()
+	_, err := s.db.ExecContext(ctx,
+		`INSERT INTO enrollment_tokens (token_hash, created_at, expires_at)
+		 VALUES (?, ?, ?)`,
+		tokenHash,
+		now.Format(time.RFC3339Nano),
+		now.Add(ttl).Format(time.RFC3339Nano))
+	if err != nil {
+		return fmt.Errorf("store: create enrollment token: %w", err)
+	}
+	return nil
+}
+
+// ConsumeEnrollmentToken atomically validates a token (must exist,
+// not be consumed, not be expired) and marks it consumed by hostID.
+// Returns ErrNotFound on any failure.
+func (s *Store) ConsumeEnrollmentToken(ctx context.Context, tokenHash, hostID string) error {
+	now := time.Now().UTC().Format(time.RFC3339Nano)
+	res, err := s.db.ExecContext(ctx,
+		`UPDATE enrollment_tokens
+		 SET consumed_at = ?, consumed_host = ?
+		 WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?`,
+		now, hostID, tokenHash, now)
+	if err != nil {
+		return fmt.Errorf("store: consume enrollment token: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// PurgeExpiredEnrollmentTokens deletes long-expired token rows. Tokens
+// retained for ~24h after expiry so audit traces still resolve them.
+func (s *Store) PurgeExpiredEnrollmentTokens(ctx context.Context) (int64, error) {
+	cutoff := time.Now().Add(-24 * time.Hour).UTC().Format(time.RFC3339Nano)
+	res, err := s.db.ExecContext(ctx,
+		`DELETE FROM enrollment_tokens WHERE expires_at <= ?`, cutoff)
+	if err != nil {
+		return 0, fmt.Errorf("store: purge enrollment tokens: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	return n, nil
+}
+