feat: security hardening — TLS, token blacklist, field encryption, sandbox, secret rotation (#210)

* feat: security hardening — TLS, token blacklist, field-level encryption, sandbox, secret rotation

Phase 1: TLS support for all transports
- pkg/tlsutil: shared TLS config (manual, autocert, mTLS)
- HTTP server: Let's Encrypt autocert + manual TLS + mTLS
- Redis: TLS with client cert support
- Kafka: SASL (PLAIN/SCRAM-SHA-256/512) + TLS
- NATS: TLS via nats.Secure()
- Database: explicit TLS fields (sslmode, ca_file)

Phase 2: Token blacklist
- auth.token-blacklist module (memory + redis backends)
- step.token_revoke pipeline step
- JTI generation + blacklist check in JWTAuthModule

Phase 3: Field-level data protection
- pkg/fieldcrypt: AES-256-GCM encryption, masking, HKDF key derivation
- Tenant-isolated KeyRing with versioned keys
- ProtectedFieldManager module (security.field-protection)
- step.field_reencrypt for key rotation re-encryption
- Backward compat: legacy enc:: prefix handled alongside new epf:v{n}: format

Phase 4: Docker sandbox hardening
- seccomp profiles, capability dropping, read-only rootfs, no-new-privileges
- step.sandbox_exec with strict/standard/permissive security profiles
- Default secure config with Wolfi base image (cgr.dev/chainguard/wolfi-base)

Phase 5: Secret rotation
- RotationProvider interface in secrets package
- Vault provider Rotate() + GetPrevious() via versioned KV v2
- step.secret_rotate pipeline step

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address CI lint and build failures

- Fix nilerr: use separate parseErr variable in token revoke step
- Fix staticcheck: remove redundant embedded field selector in SCRAM client
- Remove unused alwaysErrorApp type and fmt import in test
- Update example/go.sum with xdg-go/scram dependency

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: field protection wiring, error handling, and Kafka integration

- Require master_key (error instead of zero-key fallback)
- Handle error in field-protection module factory
- Add field-protection-wiring hook: connects ProtectedFieldManager to KafkaBroker
- KafkaBroker.SetFieldProtection() for field-level encrypt/decrypt in JSON payloads
- Add Registry.Len() method
- Add TestFieldProtectionRequiresMasterKey test
- Update wiring hook count in auth plugin tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: implement CopyIn/CopyOut with CreateContainer/RemoveContainer lifecycle

Replace stub CopyIn/CopyOut methods with real implementations that use the
Docker API. Added CreateContainer() to create a container and store its ID,
and RemoveContainer() to clean up. CopyIn delegates to the existing
copyToContainer helper; CopyOut uses client.CopyFromContainer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: return errors from token revoke step for invalid tokens

Return parseErr when JWT parsing fails and fmt.Errorf for invalid claims
type, instead of swallowing the error. Fixes nilerr lint violation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add field-protection-wiring to manifest and set env in test

The manifest WiringHooks list was missing the field-protection-wiring
entry, and TestModuleFactories needed FIELD_ENCRYPTION_KEY set for the
security.field-protection factory to succeed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: intel352

example/go.mod

@@ -151,6 +151,9 @@ require (
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.2.0 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect

example/go.sum

@@ -407,6 +407,12 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.2.0 h1:bYKF2AEwG5rqd1BumT4gAnvwU/M9nBp2pTSxeZw7Wvs=
+github.com/xdg-go/scram v1.2.0/go.mod h1:3dlrS0iBaWKYVt2ZfA4cj48umJZ+cAEbR6/SjLA88I8=
+github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
@@ -499,6 +505,7 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=

go.mod

@@ -207,6 +207,9 @@ require (
 	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/tliron/commonlog v0.2.8 // indirect
 	github.com/tliron/kutil v0.3.11 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.2.0 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect

go.sum

@@ -506,6 +506,12 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/wsxiaoys/terminal v0.0.0-20160513160801-0940f3fc43a0 h1:3UeQBvD0TFrlVjOeLOBz+CPAI8dnbqNSVwUwRrkp7vQ=
 github.com/wsxiaoys/terminal v0.0.0-20160513160801-0940f3fc43a0/go.mod h1:IXCdmsXIht47RaVFLEdVnh1t+pgYtTAhQGj73kz+2DM=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.2.0 h1:bYKF2AEwG5rqd1BumT4gAnvwU/M9nBp2pTSxeZw7Wvs=
+github.com/xdg-go/scram v1.2.0/go.mod h1:3dlrS0iBaWKYVt2ZfA4cj48umJZ+cAEbR6/SjLA88I8=
+github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
 github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -606,6 +612,7 @@ golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=

module/auth_token_blacklist.go

@@ -0,0 +1,163 @@
+package module
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/CrisisTextLine/modular"
+	"github.com/redis/go-redis/v9"
+)
+
+// TokenBlacklist is the interface for checking and adding revoked JWT IDs.
+type TokenBlacklist interface {
+	Add(jti string, expiresAt time.Time)
+	IsBlacklisted(jti string) bool
+}
+
+// TokenBlacklistModule maintains a set of revoked JWT IDs (JTIs).
+// It supports two backends: "memory" (default) and "redis".
+type TokenBlacklistModule struct {
+	name            string
+	backend         string
+	redisURL        string
+	cleanupInterval time.Duration
+
+	// memory backend
+	entries sync.Map // jti (string) -> expiry (time.Time)
+
+	// redis backend
+	redisClient *redis.Client
+
+	logger modular.Logger
+	stopCh chan struct{}
+}
+
+// NewTokenBlacklistModule creates a new TokenBlacklistModule.
+func NewTokenBlacklistModule(name, backend, redisURL string, cleanupInterval time.Duration) *TokenBlacklistModule {
+	if backend == "" {
+		backend = "memory"
+	}
+	if cleanupInterval <= 0 {
+		cleanupInterval = 5 * time.Minute
+	}
+	return &TokenBlacklistModule{
+		name:            name,
+		backend:         backend,
+		redisURL:        redisURL,
+		cleanupInterval: cleanupInterval,
+		stopCh:          make(chan struct{}),
+	}
+}
+
+// Name returns the module name.
+func (m *TokenBlacklistModule) Name() string { return m.name }
+
+// Init initializes the module.
+func (m *TokenBlacklistModule) Init(app modular.Application) error {
+	m.logger = app.Logger()
+	return nil
+}
+
+// Start connects to Redis (if configured) and starts the cleanup goroutine.
+func (m *TokenBlacklistModule) Start(ctx context.Context) error {
+	if m.backend == "redis" {
+		if m.redisURL == "" {
+			return fmt.Errorf("auth.token-blacklist %q: redis_url is required for redis backend", m.name)
+		}
+		opts, err := redis.ParseURL(m.redisURL)
+		if err != nil {
+			return fmt.Errorf("auth.token-blacklist %q: invalid redis_url: %w", m.name, err)
+		}
+		m.redisClient = redis.NewClient(opts)
+		if err := m.redisClient.Ping(ctx).Err(); err != nil {
+			_ = m.redisClient.Close()
+			m.redisClient = nil
+			return fmt.Errorf("auth.token-blacklist %q: redis ping failed: %w", m.name, err)
+		}
+		m.logger.Info("token blacklist started", "name", m.name, "backend", "redis")
+		return nil
+	}
+
+	// memory backend: start cleanup goroutine
+	go m.runCleanup()
+	m.logger.Info("token blacklist started", "name", m.name, "backend", "memory")
+	return nil
+}
+
+// Stop shuts down the module.
+func (m *TokenBlacklistModule) Stop(_ context.Context) error {
+	select {
+	case <-m.stopCh:
+		// already closed
+	default:
+		close(m.stopCh)
+	}
+	if m.redisClient != nil {
+		return m.redisClient.Close()
+	}
+	return nil
+}
+
+// Add marks a JTI as revoked until expiresAt.
+func (m *TokenBlacklistModule) Add(jti string, expiresAt time.Time) {
+	if m.backend == "redis" && m.redisClient != nil {
+		ttl := time.Until(expiresAt)
+		if ttl <= 0 {
+			return // already expired, nothing to blacklist
+		}
+		_ = m.redisClient.Set(context.Background(), m.redisKey(jti), "1", ttl).Err()
+		return
+	}
+	m.entries.Store(jti, expiresAt)
+}
+
+// IsBlacklisted returns true if the JTI is revoked and has not yet expired.
+func (m *TokenBlacklistModule) IsBlacklisted(jti string) bool {
+	if m.backend == "redis" && m.redisClient != nil {
+		n, err := m.redisClient.Exists(context.Background(), m.redisKey(jti)).Result()
+		return err == nil && n > 0
+	}
+	val, ok := m.entries.Load(jti)
+	if !ok {
+		return false
+	}
+	expiry, ok := val.(time.Time)
+	return ok && time.Now().Before(expiry)
+}
+
+func (m *TokenBlacklistModule) redisKey(jti string) string {
+	return "blacklist:" + jti
+}
+
+func (m *TokenBlacklistModule) runCleanup() {
+	ticker := time.NewTicker(m.cleanupInterval)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-m.stopCh:
+			return
+		case <-ticker.C:
+			now := time.Now()
+			m.entries.Range(func(key, value any) bool {
+				if expiry, ok := value.(time.Time); ok && now.After(expiry) {
+					m.entries.Delete(key)
+				}
+				return true
+			})
+		}
+	}
+}
+
+// ProvidesServices registers this module as a service.
+func (m *TokenBlacklistModule) ProvidesServices() []modular.ServiceProvider {
+	return []modular.ServiceProvider{
+		{Name: m.name, Description: "JWT token blacklist", Instance: m},
+	}
+}
+
+// RequiresServices returns service dependencies (none).
+func (m *TokenBlacklistModule) RequiresServices() []modular.ServiceDependency {
+	return nil
+}

module/auth_token_blacklist_test.go

@@ -0,0 +1,89 @@
+package module
+
+import (
+	"context"
+	"testing"
+	"time"
+)
+
+func TestTokenBlacklistMemory_AddAndCheck(t *testing.T) {
+	bl := NewTokenBlacklistModule("test-bl", "memory", "", time.Minute)
+
+	if bl.IsBlacklisted("jti-1") {
+		t.Fatal("expected jti-1 to not be blacklisted initially")
+	}
+
+	bl.Add("jti-1", time.Now().Add(time.Hour))
+	if !bl.IsBlacklisted("jti-1") {
+		t.Fatal("expected jti-1 to be blacklisted after Add")
+	}
+
+	if bl.IsBlacklisted("jti-unknown") {
+		t.Fatal("expected jti-unknown to not be blacklisted")
+	}
+}
+
+func TestTokenBlacklistMemory_ExpiredEntry(t *testing.T) {
+	bl := NewTokenBlacklistModule("test-bl", "memory", "", time.Minute)
+
+	// Add a JTI that has already expired.
+	bl.Add("jti-expired", time.Now().Add(-time.Second))
+	if bl.IsBlacklisted("jti-expired") {
+		t.Fatal("expected already-expired JTI to not be blacklisted")
+	}
+}
+
+func TestTokenBlacklistMemory_Cleanup(t *testing.T) {
+	bl := NewTokenBlacklistModule("test-bl", "memory", "", 50*time.Millisecond)
+
+	app := NewMockApplication()
+	if err := bl.Init(app); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+	if err := bl.Start(context.Background()); err != nil {
+		t.Fatalf("Start: %v", err)
+	}
+	defer func() { _ = bl.Stop(context.Background()) }()
+
+	// Add a JTI that expires in 10ms.
+	bl.Add("jti-cleanup", time.Now().Add(10*time.Millisecond))
+
+	// Give it time to expire and be cleaned up by the cleanup goroutine.
+	time.Sleep(300 * time.Millisecond)
+
+	if bl.IsBlacklisted("jti-cleanup") {
+		t.Fatal("expected cleaned-up JTI to no longer be blacklisted")
+	}
+}
+
+func TestTokenBlacklistModule_StopIdempotent(t *testing.T) {
+	bl := NewTokenBlacklistModule("test-bl", "memory", "", time.Minute)
+	app := NewMockApplication()
+	if err := bl.Init(app); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+	if err := bl.Start(context.Background()); err != nil {
+		t.Fatalf("Start: %v", err)
+	}
+	// Calling Stop twice must not panic.
+	if err := bl.Stop(context.Background()); err != nil {
+		t.Fatalf("first Stop: %v", err)
+	}
+	if err := bl.Stop(context.Background()); err != nil {
+		t.Fatalf("second Stop: %v", err)
+	}
+}
+
+func TestTokenBlacklistModule_ProvidesServices(t *testing.T) {
+	bl := NewTokenBlacklistModule("my-bl", "memory", "", time.Minute)
+	svcs := bl.ProvidesServices()
+	if len(svcs) != 1 {
+		t.Fatalf("expected 1 service, got %d", len(svcs))
+	}
+	if svcs[0].Name != "my-bl" {
+		t.Fatalf("expected service name 'my-bl', got %q", svcs[0].Name)
+	}
+	if _, ok := svcs[0].Instance.(TokenBlacklist); !ok {
+		t.Fatal("expected service instance to implement TokenBlacklist")
+	}
+}

module/cache_redis.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/CrisisTextLine/modular"
+	"github.com/GoCodeAlone/workflow/pkg/tlsutil"
 	"github.com/redis/go-redis/v9"
 )
 
@@ -30,10 +31,11 @@ type RedisClient interface {
 // RedisCacheConfig holds configuration for the cache.redis module.
 type RedisCacheConfig struct {
 	Address    string
-	Password   string //nolint:gosec // G117: config struct field, not a hardcoded secret
+	Password   string           //nolint:gosec // G117: config struct field, not a hardcoded secret
 	DB         int
 	Prefix     string
 	DefaultTTL time.Duration
+	TLS        tlsutil.TLSConfig `yaml:"tls" json:"tls"`
 }
 
 // RedisCache is a module that connects to a Redis instance and exposes
@@ -87,6 +89,14 @@ func (r *RedisCache) Start(ctx context.Context) error {
 		opts.Password = r.cfg.Password
 	}
 
+	if r.cfg.TLS.Enabled {
+		tlsCfg, err := tlsutil.LoadTLSConfig(r.cfg.TLS)
+		if err != nil {
+			return fmt.Errorf("cache.redis %q: TLS config: %w", r.name, err)
+		}
+		opts.TLSConfig = tlsCfg
+	}
+
 	r.client = redis.NewClient(opts)
 
 	if err := r.client.Ping(ctx).Err(); err != nil {