phase 1 foundations: api types, store, crypto, auth

Lands the bottom three layers of Phase 1:

P1-08 internal/api: protocol_version + envelope + every WS message
  shape from spec.md §6.2 (Hello, Heartbeat, Job*, Schedule*, etc).
  Wire-format tests pin the JSON shape so a rename here breaks
  tests instead of silently breaking the agent.

P1-02 + P1-03 internal/store: SQLite via modernc.org/sqlite,
  embed.FS + a tiny version table for hand-rolled migrations.
  0001_initial.sql covers every table from spec.md §5 plus
  enrollment_tokens and host_schedule_version. Typed accessors
  for users / sessions / enrollment / audit. WAL + foreign_keys
  + busy_timeout on by default.

P1-06 internal/crypto: XChaCha20-Poly1305 AEAD wrapper with
  per-message random nonce. Key file lifecycle (generate +
  refuse-to-overwrite, load with size validation). Optional
  additionalData binds ciphertext to the row that owns it.

P1-04 internal/auth (partial — passwords + tokens; sessions
  middleware lands with the HTTP handlers): argon2id following
  RFC 9106 (64 MiB / t=3 / p=4 / 32B), constant-time verify.
  HashToken stores SHA-256 of session/agent/enrollment tokens
  so a stolen DB doesn't hand over credentials.

Build floor moves to Go 1.25 (modernc.org/sqlite v1.50+ requires
it); CI + Dockerfile + README updated. Markdown lint diagnostics
on tasks.md cleared.

All packages tested. ~70 new tests pass in <1s.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/store/users_test.go

@@ -0,0 +1,158 @@
+package store
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+)
+
+func TestUserCRUD(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+
+	now := time.Now().UTC()
+	u := User{
+		ID:           "u1",
+		Username:     "alice",
+		PasswordHash: "$argon2id$...",
+		Role:         RoleAdmin,
+		CreatedAt:    now,
+	}
+	if err := s.CreateUser(ctx, u); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+
+	got, err := s.GetUserByUsername(ctx, "alice")
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	if got.ID != "u1" || got.Role != RoleAdmin {
+		t.Errorf("unexpected user: %+v", got)
+	}
+
+	// Username uniqueness is enforced by the schema.
+	if err := s.CreateUser(ctx, u); err == nil {
+		t.Error("duplicate username should fail")
+	}
+
+	if _, err := s.GetUserByUsername(ctx, "bob"); !errors.Is(err, ErrNotFound) {
+		t.Errorf("missing user: want ErrNotFound, got %v", err)
+	}
+
+	if err := s.MarkUserLogin(ctx, "u1", now); err != nil {
+		t.Fatalf("mark login: %v", err)
+	}
+	got, _ = s.GetUserByUsername(ctx, "alice")
+	if got.LastLoginAt == nil {
+		t.Error("last_login_at not updated")
+	}
+}
+
+func TestCountUsers(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+
+	n, _ := s.CountUsers(ctx)
+	if n != 0 {
+		t.Errorf("fresh db: want 0, got %d", n)
+	}
+	_ = s.CreateUser(ctx, User{
+		ID: "u1", Username: "a", PasswordHash: "x",
+		Role: RoleAdmin, CreatedAt: time.Now(),
+	})
+	n, _ = s.CountUsers(ctx)
+	if n != 1 {
+		t.Errorf("after insert: want 1, got %d", n)
+	}
+}
+
+func TestSessionLifecycle(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+
+	// Need a user for FK.
+	_ = s.CreateUser(ctx, User{
+		ID: "u1", Username: "alice", PasswordHash: "x",
+		Role: RoleAdmin, CreatedAt: time.Now(),
+	})
+
+	now := time.Now().UTC()
+	sess := Session{
+		UserID:    "u1",
+		CreatedAt: now,
+		ExpiresAt: now.Add(time.Hour),
+		IP:        "10.0.0.1",
+		UA:        "test/1.0",
+	}
+	hash := "deadbeef" + "00000000000000000000000000000000000000000000000000000000"
+	if err := s.CreateSession(ctx, sess, hash); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+
+	got, err := s.LookupSession(ctx, hash)
+	if err != nil {
+		t.Fatalf("lookup: %v", err)
+	}
+	if got.UserID != "u1" {
+		t.Errorf("user mismatch: %s", got.UserID)
+	}
+
+	// Expired sessions should not resolve.
+	expiredHash := "expired-hash"
+	expired := Session{
+		UserID:    "u1",
+		CreatedAt: now.Add(-2 * time.Hour),
+		ExpiresAt: now.Add(-time.Hour),
+	}
+	if err := s.CreateSession(ctx, expired, expiredHash); err != nil {
+		t.Fatalf("create expired: %v", err)
+	}
+	if _, err := s.LookupSession(ctx, expiredHash); !errors.Is(err, ErrNotFound) {
+		t.Errorf("expired session should look like ErrNotFound, got %v", err)
+	}
+
+	if err := s.DeleteSession(ctx, hash); err != nil {
+		t.Fatalf("delete: %v", err)
+	}
+	if _, err := s.LookupSession(ctx, hash); !errors.Is(err, ErrNotFound) {
+		t.Errorf("deleted session: want ErrNotFound, got %v", err)
+	}
+
+	n, err := s.PurgeExpiredSessions(ctx)
+	if err != nil {
+		t.Fatalf("purge: %v", err)
+	}
+	if n != 1 {
+		t.Errorf("purge should remove the 1 expired row, got %d", n)
+	}
+}
+
+func TestEnrollmentTokenSingleUse(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+
+	hash := "tok-hash"
+	if err := s.CreateEnrollmentToken(ctx, hash, time.Hour); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+
+	// Need a host for FK.
+	_, err := s.DB().Exec(`INSERT INTO hosts (id, name, os, arch, enrolled_at) VALUES (?,?,?,?,?)`,
+		"h1", "host1", "linux", "amd64", time.Now().UTC().Format(time.RFC3339Nano))
+	if err != nil {
+		t.Fatalf("insert host: %v", err)
+	}
+
+	if err := s.ConsumeEnrollmentToken(ctx, hash, "h1"); err != nil {
+		t.Fatalf("consume: %v", err)
+	}
+	// Second consume must fail — the whole point of one-time tokens.
+	if err := s.ConsumeEnrollmentToken(ctx, hash, "h1"); !errors.Is(err, ErrNotFound) {
+		t.Errorf("re-consume: want ErrNotFound, got %v", err)
+	}
+}