feat: ACN Application Security Standard V7.30 compliance (19/23 items)

CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

packages/api/src/router/user.ts

@@ -12,7 +12,7 @@ import { Prisma } from "@capakraken/db";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
-import { adminProcedure, createTRPCRouter, managerProcedure, protectedProcedure } from "../trpc.js";
+import { adminProcedure, createTRPCRouter, managerProcedure, protectedProcedure, publicProcedure } from "../trpc.js";
 import { createAuditEntry } from "../lib/audit.js";
 
 export const userRouter = createTRPCRouter({
@@ -39,6 +39,7 @@ export const userRouter = createTRPCRouter({
         lastLoginAt: true,
         lastActiveAt: true,
         permissionOverrides: true,
+        totpEnabled: true,
       },
       orderBy: { name: "asc" },
     });
@@ -466,4 +467,147 @@ export const userRouter = createTRPCRouter({
         overrides: user.permissionOverrides as PermissionOverrides | null,
       };
     }),
+
+  // ─── TOTP / MFA ─────────────────────────────────────────────────────────────
+
+  /** Generate a new TOTP secret for the current user (not yet enabled). */
+  generateTotpSecret: protectedProcedure.mutation(async ({ ctx }) => {
+    const { TOTP, Secret } = await import("otpauth");
+    const secret = new Secret({ size: 20 });
+    const totp = new TOTP({
+      issuer: "CapaKraken",
+      label: ctx.session.user?.email ?? ctx.dbUser!.id,
+      algorithm: "SHA1",
+      digits: 6,
+      period: 30,
+      secret,
+    });
+
+    // Store the secret (not yet enabled)
+    await ctx.db.user.update({
+      where: { id: ctx.dbUser!.id },
+      data: { totpSecret: secret.base32 },
+    });
+
+    const uri = totp.toString();
+    return { secret: secret.base32, uri };
+  }),
+
+  /** Verify a TOTP token and enable MFA for the current user. */
+  verifyAndEnableTotp: protectedProcedure
+    .input(z.object({ token: z.string().length(6) }))
+    .mutation(async ({ ctx, input }) => {
+      const user = await ctx.db.user.findUniqueOrThrow({
+        where: { id: ctx.dbUser!.id },
+        select: { id: true, name: true, email: true, totpSecret: true, totpEnabled: true },
+      });
+
+      if (!user.totpSecret) {
+        throw new TRPCError({ code: "BAD_REQUEST", message: "No TOTP secret generated. Call generateTotpSecret first." });
+      }
+      if (user.totpEnabled) {
+        throw new TRPCError({ code: "BAD_REQUEST", message: "TOTP is already enabled." });
+      }
+
+      const { TOTP, Secret } = await import("otpauth");
+      const totp = new TOTP({
+        issuer: "CapaKraken",
+        label: user.email,
+        algorithm: "SHA1",
+        digits: 6,
+        period: 30,
+        secret: Secret.fromBase32(user.totpSecret),
+      });
+
+      const delta = totp.validate({ token: input.token, window: 1 });
+      if (delta === null) {
+        throw new TRPCError({ code: "BAD_REQUEST", message: "Invalid TOTP token." });
+      }
+
+      await ctx.db.user.update({
+        where: { id: user.id },
+        data: { totpEnabled: true },
+      });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "User",
+        entityId: user.id,
+        entityName: `${user.name} (${user.email})`,
+        action: "UPDATE",
+        userId: user.id,
+        source: "ui",
+        summary: "Enabled TOTP MFA",
+      });
+
+      return { enabled: true };
+    }),
+
+  /** Admin override: disable TOTP for a specific user. */
+  disableTotp: adminProcedure
+    .input(z.object({ userId: z.string() }))
+    .mutation(async ({ ctx, input }) => {
+      const user = await ctx.db.user.findUniqueOrThrow({
+        where: { id: input.userId },
+        select: { id: true, name: true, email: true, totpEnabled: true },
+      });
+
+      await ctx.db.user.update({
+        where: { id: input.userId },
+        data: { totpEnabled: false, totpSecret: null },
+      });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "User",
+        entityId: user.id,
+        entityName: `${user.name} (${user.email})`,
+        action: "UPDATE",
+        ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+        source: "ui",
+        summary: "Disabled TOTP MFA (admin override)",
+      });
+
+      return { disabled: true };
+    }),
+
+  /** Verify a TOTP token (used during the login flow — public procedure). */
+  verifyTotp: publicProcedure
+    .input(z.object({ userId: z.string(), token: z.string().length(6) }))
+    .mutation(async ({ ctx, input }) => {
+      const user = await ctx.db.user.findUniqueOrThrow({
+        where: { id: input.userId },
+        select: { id: true, totpSecret: true, totpEnabled: true },
+      });
+
+      if (!user.totpEnabled || !user.totpSecret) {
+        throw new TRPCError({ code: "BAD_REQUEST", message: "TOTP is not enabled for this user." });
+      }
+
+      const { TOTP, Secret } = await import("otpauth");
+      const totp = new TOTP({
+        issuer: "CapaKraken",
+        label: user.id,
+        algorithm: "SHA1",
+        digits: 6,
+        period: 30,
+        secret: Secret.fromBase32(user.totpSecret),
+      });
+
+      const delta = totp.validate({ token: input.token, window: 1 });
+      if (delta === null) {
+        throw new TRPCError({ code: "UNAUTHORIZED", message: "Invalid TOTP token." });
+      }
+
+      return { valid: true };
+    }),
+
+  /** Get MFA status for the current user. */
+  getMfaStatus: protectedProcedure.query(async ({ ctx }) => {
+    const user = await ctx.db.user.findUniqueOrThrow({
+      where: { id: ctx.dbUser!.id },
+      select: { totpEnabled: true },
+    });
+    return { totpEnabled: user.totpEnabled };
+  }),
 });