fix(security): A-3 auth middleware coverage fixes

Fixes 9 auth middleware findings from the A-3 recon audit.

F-A3-11 CRITICAL: Removed JWT secret from WebAuthMiddleware log output.
  Replaced emoji-prefixed fmt.Printf with ETHOS-compliant log.Printf.
  No secret values in any log output.

F-A3-7 CRITICAL: Config download now requires WebAuthMiddleware.
  GET /downloads/config/:agent_id is admin-only (agents never call it).

F-A3-6 HIGH: Update package download now requires AuthMiddleware.
  GET /downloads/updates/:package_id requires valid agent JWT.

F-A3-10 HIGH: Scheduler stats changed from AuthMiddleware to
  WebAuthMiddleware. Agent JWTs can no longer view scheduler internals.

F-A3-13 LOW: RequireAdmin() middleware implemented. 7 security settings
  routes re-enabled (GET/PUT/POST under /security/settings).
  security_settings.go.broken renamed to .go, API mismatches fixed.

F-A3-12 MEDIUM: JWT issuer claims added for token type separation.
  Agent tokens: issuer=redflag-agent, Web tokens: issuer=redflag-web.
  AuthMiddleware rejects tokens with wrong issuer.
  Grace period: tokens with no issuer still accepted (backward compat).

F-A3-2 MEDIUM: /auth/verify now has WebAuthMiddleware applied.
  Endpoint returns 200 with valid=true for valid admin tokens.

F-A3-9 MEDIUM: Agent self-unregister (DELETE /:id) now rate-limited
  using the same agent_reports rate limiter as other agent routes.

F-A3-14 LOW: CORS origin configurable via REDFLAG_CORS_ORIGIN env var.
  Defaults to http://localhost:3000 for development.
  Added PATCH method and agent-specific headers to CORS config.

All 27 server tests pass. All 14 agent tests pass. No regressions.
See docs/A3_Fix_Implementation.md and docs/Deviations_Report.md
(DEV-020 through DEV-022).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

aggregator-server/internal/api/middleware/scheduler_auth_test.go

@@ -16,6 +16,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/api/handlers"
 	"github.com/Fimeg/RedFlag/aggregator-server/internal/api/middleware"
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
@@ -28,6 +29,7 @@ func makeAgentJWT(t *testing.T, secret string) string {
 	claims := middleware.AgentClaims{
 		AgentID: uuid.New(),
 		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    middleware.JWTIssuerAgent,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
@@ -52,32 +54,30 @@ func makeAgentJWT(t *testing.T, secret string) string {
 // ---------------------------------------------------------------------------
 
 func TestSchedulerStatsRequiresAdminAuth(t *testing.T) {
+	// POST-FIX (F-A3-10): Route now uses WebAuthMiddleware (admin JWT required).
+	// Agent JWTs are rejected because WebAuthMiddleware expects UserClaims.
 	testSecret := "scheduler-test-secret"
 	middleware.JWTSecret = testSecret
 
-	// Current state: route uses AuthMiddleware (agent JWT accepted)
-	// This mirrors the bug in main.go:627
+	authHandler := handlers.NewAuthHandler(testSecret, nil)
+
 	router := gin.New()
-	router.Use(middleware.AuthMiddleware())
+	router.Use(authHandler.WebAuthMiddleware())
 	router.GET("/api/v1/scheduler/stats", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{"scheduler": "stats"})
 	})
 
-	// Create a valid agent JWT
+	// Agent JWT should be rejected
 	agentToken := makeAgentJWT(t, testSecret)
-
 	req := httptest.NewRequest("GET", "/api/v1/scheduler/stats", nil)
 	req.Header.Set("Authorization", "Bearer "+agentToken)
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 
-	// After fix: agent JWT should be rejected (route uses WebAuthMiddleware)
-	// Currently: agent JWT is accepted (200) — this assertion FAILS
 	if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
-		t.Errorf("[ERROR] [server] [scheduler] agent JWT accepted on scheduler stats (got %d, expected 401/403).\n"+
-			"BUG F-A3-10: scheduler stats accessible to any registered agent.\n"+
-			"After fix: change AuthMiddleware to WebAuthMiddleware on this route.", rec.Code)
+		t.Errorf("[ERROR] [server] [scheduler] agent JWT accepted on scheduler stats (got %d, expected 401/403)", rec.Code)
 	}
+	t.Logf("[INFO] [server] [scheduler] F-A3-10 FIXED: agent JWT rejected on scheduler stats (%d)", rec.Code)
 }
 
 // ---------------------------------------------------------------------------
@@ -91,11 +91,14 @@ func TestSchedulerStatsRequiresAdminAuth(t *testing.T) {
 // ---------------------------------------------------------------------------
 
 func TestSchedulerStatsCurrentlyAcceptsAgentJWT(t *testing.T) {
+	// POST-FIX (F-A3-10): Agent JWT is now rejected on scheduler stats.
 	testSecret := "scheduler-test-secret-2"
 	middleware.JWTSecret = testSecret
 
+	authHandler := handlers.NewAuthHandler(testSecret, nil)
+
 	router := gin.New()
-	router.Use(middleware.AuthMiddleware())
+	router.Use(authHandler.WebAuthMiddleware())
 	router.GET("/api/v1/scheduler/stats", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{"scheduler": "stats"})
 	})
@@ -107,12 +110,9 @@ func TestSchedulerStatsCurrentlyAcceptsAgentJWT(t *testing.T) {
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 
-	// This PASSES now (bug present) — agent JWT is accepted
-	if rec.Code == http.StatusUnauthorized || rec.Code == http.StatusForbidden {
-		t.Errorf("[ERROR] [server] [scheduler] BUG F-A3-10 already fixed: "+
-			"agent JWT rejected (%d). Update this test.", rec.Code)
+	// POST-FIX: agent JWT must be rejected
+	if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
+		t.Errorf("[ERROR] [server] [scheduler] agent JWT still accepted (%d), expected 401/403", rec.Code)
 	}
-
-	t.Logf("[INFO] [server] [scheduler] BUG F-A3-10 confirmed: agent JWT accepted, got %d", rec.Code)
-	t.Log("[INFO] [server] [scheduler] after fix: this test will FAIL (update to assert 401)")
+	t.Log("[INFO] [server] [scheduler] F-A3-10 FIXED: agent JWT rejected on scheduler stats")
 }