feat(manager-core): admin auth gate (Phase 3a)

Closes the regression risk of the admin API and dashboard being open
to anyone reaching the bound port. Required foundation before v1.1
data-plane services land.

Per-user accounts (admin_users), Argon2id passwords, env-var bootstrap
of the first admin that becomes inert once any admin exists, opaque
32-byte session token doubling as bearer credential, 24h sliding TTL
configurable via PICLOUD_SESSION_TTL_HOURS. is_active column lets
admins be deactivated without losing audit history; last-active-admin
guard on DELETE and on PATCH that flips is_active to false (sessions
also wiped on deactivation).

require_admin middleware fronts every /api/v1/admin/* route. The data
plane (/api/v1/execute/{id}), /healthz, /version, and user routes
stay open. picloud admin reset-password <username> subcommand handles
recovery without going through HTTP.

Dashboard gains /admin/login and /admin/admins surfaces, a top-bar
user menu, and a token store with a localStorage echo so refreshes
don't sign you out. Cookie-based auth works in parallel for non-SPA
clients.

Forward compatibility: future RBAC tables (admin_roles,
admin_user_roles) join on admin_users.id; the auth middleware is the
seam where role checks slot in. Email, 2FA, passkeys, and personal
API tokens are all additive without touching admin_users.

Blueprint §11.4 updated to reflect what actually shipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/picloud/src/lib.rs

@@ -6,10 +6,13 @@
 use std::sync::Arc;
 use std::time::Duration;
 
+use axum::middleware::from_fn_with_state;
 use axum::{routing::get, Json, Router};
 use picloud_executor_core::{Engine, Limits};
 use picloud_manager_core::{
-    admin_router, compile_routes, migrations, route_admin_router, AdminState,
+    admin_router, admins_router, auth_router, compile_routes, migrations, require_admin,
+    route_admin_router, AdminSessionRepository, AdminState, AdminUserRepository, AdminsState,
+    AuthState, PostgresAdminSessionRepository, PostgresAdminUserRepository,
     PostgresExecutionLogRepository, PostgresExecutionLogSink, PostgresRouteRepository,
     PostgresScriptRepository, RepoResolver, RouteAdminState, RouteRepository, SandboxCeiling,
 };
@@ -24,6 +27,38 @@ use sqlx::postgres::PgPoolOptions;
 use sqlx::PgPool;
 use tower_http::trace::TraceLayer;
 
+/// Default session TTL when `PICLOUD_SESSION_TTL_HOURS` isn't set.
+const DEFAULT_SESSION_TTL_HOURS: u64 = 24;
+
+/// Bundles the auth-related dependencies that both `build_app` and the
+/// startup bootstrap need. Built once in `main.rs` from the shared pool.
+pub struct AuthDeps {
+    pub users: Arc<dyn AdminUserRepository>,
+    pub sessions: Arc<dyn AdminSessionRepository>,
+    pub ttl: Duration,
+}
+
+impl AuthDeps {
+    /// Construct from a pool with the binary's standard defaults.
+    #[must_use]
+    pub fn from_pool(pool: PgPool) -> Self {
+        Self {
+            users: Arc::new(PostgresAdminUserRepository::new(pool.clone())),
+            sessions: Arc::new(PostgresAdminSessionRepository::new(pool)),
+            ttl: read_session_ttl(),
+        }
+    }
+}
+
+fn read_session_ttl() -> Duration {
+    let hours = std::env::var("PICLOUD_SESSION_TTL_HOURS")
+        .ok()
+        .and_then(|s| s.parse::<u64>().ok())
+        .filter(|h| *h > 0)
+        .unwrap_or(DEFAULT_SESSION_TTL_HOURS);
+    Duration::from_secs(hours * 3600)
+}
+
 /// Compose the manager + orchestrator routes on top of a shared
 /// Postgres pool, returning an Axum router ready to be served.
 ///
@@ -31,7 +66,15 @@ use tower_http::trace::TraceLayer;
 /// is mounted by Caddy at `/admin/*` (its base path). Anything else
 /// falls through to the user-route table — user scripts can bind to
 /// arbitrary paths (subject to the reserved-prefix list).
-pub async fn build_app(pool: PgPool) -> anyhow::Result<Router> {
+///
+/// `auth` carries the admin user/session repositories and the
+/// configured session TTL. The manager-side admin endpoints
+/// (`/api/v1/admin/scripts/*`, `/api/v1/admin/routes/*`,
+/// `/api/v1/admin/admins/*`, `/api/v1/admin/auth/me`) are guarded by
+/// the `require_admin` middleware. The data plane
+/// (`/api/v1/execute/{id}`, the user-route fallthrough, `/healthz`,
+/// `/version`) stays open — it's the public ingress for user scripts.
+pub async fn build_app(pool: PgPool, auth: AuthDeps) -> anyhow::Result<Router> {
     let engine = Arc::new(Engine::new(Limits::default()));
 
     let script_repo = Arc::new(PostgresScriptRepository::new(pool.clone()));
@@ -68,9 +111,29 @@ pub async fn build_app(pool: PgPool) -> anyhow::Result<Router> {
         routes: route_table,
     };
 
+    let auth_state = AuthState {
+        users: auth.users.clone(),
+        sessions: auth.sessions.clone(),
+        ttl: auth.ttl,
+    };
+    let admins_state = AdminsState {
+        users: auth.users,
+        sessions: auth.sessions,
+    };
+
+    // /admin/auth/login + /logout are unguarded by design (login is how
+    // you get in). /admin/auth/me applies the middleware internally so
+    // the same Router::with_state machinery composes cleanly. Everything
+    // else under /admin gets the require_admin layer.
+    let guarded_admin = Router::new()
+        .merge(admin_router(admin))
+        .merge(route_admin_router(route_admin))
+        .merge(admins_router(admins_state))
+        .layer(from_fn_with_state(auth_state.clone(), require_admin));
+
     let api_v1 = Router::new()
-        .nest("/admin", admin_router(admin))
-        .nest("/admin", route_admin_router(route_admin))
+        .nest("/admin", auth_router(auth_state))
+        .nest("/admin", guarded_admin)
         .merge(data_plane_router(data_plane.clone()));
 
     Ok(Router::new()