phase 1: HTTP server + first-run bootstrap

P1-01 chi router, slog request log, graceful shutdown via signal
  context. Health endpoint, /api/auth/login, /api/auth/logout,
  /api/bootstrap. Background sweeper for expired sessions and
  enrollment tokens (15 min cadence).

P1-04 (sessions half) HttpOnly Secure-when-TLS cookie carrying a
  base64url token; server stores SHA-256(token) so a stolen DB
  doesn't yield credentials. Unknown user and bad password collapse
  to the same 401 response code so a probe can't enumerate names.

P1-05 first-run admin bootstrap. On a fresh DB the server mints a
  one-time token and prints it to stderr inside a banner. The
  /api/bootstrap handler accepts {token, username, password},
  creates the first admin, then becomes a 409 forever.

P1-07 (partial) audit hooks fire on auth.login and auth.bootstrap.
  Full middleware-driven coverage lands with the rest of the API.

internal/server/config: env > YAML > defaults. RM_LISTEN /
  RM_DATA_DIR / RM_BASE_URL / RM_TLS_CERT / RM_TLS_KEY /
  RM_SECRET_KEY_FILE / RM_TRUSTED_PROXY (CIDR list, validated).

End-to-end smoke test passes: server boots on a fresh dir,
prints the bootstrap token, POST /api/bootstrap creates the admin,
POST /api/auth/login returns 200 with a session cookie.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/config/config_test.go

@@ -0,0 +1,92 @@
+package config
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestDefaultsValid(t *testing.T) {
+	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_DATA_DIR", "/tmp/rm-test")
+
+	c, err := Load("")
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if c.Listen != ":8443" {
+		t.Errorf("listen: %q", c.Listen)
+	}
+	if c.SecretKeyFile != "/tmp/rm-test/secret.key" {
+		t.Errorf("secret_key_file default: %q", c.SecretKeyFile)
+	}
+}
+
+func TestEnvOverridesYAML(t *testing.T) {
+	dir := t.TempDir()
+	yamlPath := filepath.Join(dir, "rm.yaml")
+	body := []byte(`listen: ":7000"` + "\n" +
+		`data_dir: "/var/lib/rm"` + "\n" +
+		`base_url: "https://yaml.example"` + "\n")
+	if err := writeFile(yamlPath, body); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Setenv("RM_LISTEN", ":9999")
+	t.Setenv("RM_BASE_URL", "https://env.example")
+
+	c, err := Load(yamlPath)
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if c.Listen != ":9999" {
+		t.Errorf("env should win: %q", c.Listen)
+	}
+	if c.BaseURL != "https://env.example" {
+		t.Errorf("env should win: %q", c.BaseURL)
+	}
+	if c.DataDir != "/var/lib/rm" {
+		t.Errorf("yaml should fill: %q", c.DataDir)
+	}
+}
+
+func TestTrustedProxyParsing(t *testing.T) {
+	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_DATA_DIR", "/tmp/x")
+	t.Setenv("RM_TRUSTED_PROXY", "10.0.0.0/8, 192.168.1.0/24")
+
+	c, err := Load("")
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if len(c.TrustedProxies) != 2 {
+		t.Fatalf("want 2 proxies, got %v", c.TrustedProxies)
+	}
+	if c.TrustedProxies[0] != "10.0.0.0/8" || c.TrustedProxies[1] != "192.168.1.0/24" {
+		t.Errorf("parsed: %v", c.TrustedProxies)
+	}
+}
+
+func TestTrustedProxyRejectsGarbage(t *testing.T) {
+	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_DATA_DIR", "/tmp/x")
+	t.Setenv("RM_TRUSTED_PROXY", "not-a-cidr")
+
+	if _, err := Load(""); err == nil {
+		t.Fatal("expected validation error, got nil")
+	}
+}
+
+func TestTLSPairConsistency(t *testing.T) {
+	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_DATA_DIR", "/tmp/x")
+	t.Setenv("RM_TLS_CERT", "/some/cert.pem")
+	// key intentionally unset
+
+	if _, err := Load(""); err == nil {
+		t.Fatal("expected error: cert without key")
+	}
+}
+
+func writeFile(path string, body []byte) error {
+	return writeFileImpl(path, body)
+}