feat: add login challenge security helpers #369

Open
hardy-dev-infinilabs wants to merge 25 commits into main from pr/framework-login-challenge

@hardy-dev-infinilabs
Contributor

Summary

  • add password challenge helpers for challenge-response style login flows
  • add replay protection middleware and secure transport middleware for sensitive API endpoints
  • add targeted tests and a release note for the new security helpers

Included scope

  • core/security/passwordchallenge/*
  • core/security/replay/*
  • core/api/security.go and its tests

Explicitly excluded

  • agent instance / websocket / embedded API routing changes
  • unrelated core/api/web.go and core/api/api.go work from console_framework
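
Added example, not code from this PR: a minimal single-use, expiring challenge store of the kind a challenge-response login and replay protection both rely on. `Store`, `Issue`, `Consume` and `ErrChallenge` are hypothetical names, and returning one error for unknown, expired and reused ids is an assumed policy.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// ErrChallenge: one error for unknown, expired and already-used ids (assumed policy).
var ErrChallenge = errors.New("login challenge is invalid")

// Store is a hypothetical in-memory challenge store, not the PR's type.
type Store struct {
	mu         sync.Mutex
	challenges map[string]time.Time // challenge id -> expiry
}

// Issue registers a fresh 128-bit random challenge id valid until now+ttl.
func (s *Store) Issue(now time.Time, ttl time.Duration) string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no entropy source: refuse to issue predictable ids
	}
	id := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.challenges[id] = now.Add(ttl)
	return id
}

// Consume removes the id under the lock before judging it, so two concurrent
// logins cannot both succeed with one challenge.
func (s *Store) Consume(id string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	expires, ok := s.challenges[id]
	delete(s.challenges, id)
	if !ok || now.After(expires) {
		return ErrChallenge
	}
	return nil
}

func main() {
	s := &Store{challenges: map[string]time.Time{}}
	id := s.Issue(time.Now(), time.Minute)
	println(s.Consume(id, time.Now()) == nil, s.Consume(id, time.Now()) == ErrChallenge)
}
```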

hardy-dev-infinilabs and others added 3 commits May 26, 2026 11:34
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@medcl
Member

medcl commented May 26, 2026

@copilot add a http_filter to seamlessly add these options to specific api on purpose: framework/modules/security/http_filters


challenge, ok := store.challenges[challengeID]
if !ok {
return Challenge{}, errors.New("login challenge is invalid")
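Review bot: The `!ok` branch returns an inline `errors.New(...)` value, so callers can only distinguish this failure by comparing message text. Declaring a package-level sentinel error and returning it here would let callers use `errors.Is`. If this message can reach the login response, keep it identical for unknown, expired and already-used challenges so the response does not reveal which challenge IDs exist; the specific reason can go to the server log instead.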
Member

Suggested change
return Challenge{}, errors.New("login challenge is invalid")
return Challenge{}, errors.New("login challenge not found")

Comment on lines +40 to +41
Method = "challenge"
Algorithm = "PBKDF2-SHA256"
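Review bot: `Method` and `Algorithm` on lines +40 to +41 are exported, but the two lines shown carry no comment saying they are meant for callers rather than for use inside the package; a short doc comment on each (or on the const block) would make that explicit. `Algorithm = "PBKDF2-SHA256"` also names the KDF without an iteration count, so if callers hand this string to clients, the comment should say where the iteration count and salt are defined.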
Member

These two consts don't seem to be used.

Contributor Author

They are for callers to use.

Contributor

Copilot AI commented May 26, 2026

@copilot add a http_filter to seamlessly add these options to specific api on purpose: framework/modules/security/http_filters

Implemented via commit cec184f: added a new SecurityFilter under modules/security/http_filters that applies secure-transport and replay-protection checks based on per-API handler options (api.SecureTransportOption(...) and api.ReplayProtectionOption()). Also added focused tests for the new option wiring and filter behavior.

hardy-dev-infinilabs and others added 8 commits May 26, 2026 14:57
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ed-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Follow-up changes related to the native account challenge rollout have been pushed to this PR branch:

  • keep framework JWT claims compatible with existing console username / user_id aliases during rollout
  • decorate /account/login responses with the console-consumed fields (username, id, roles, privilege, expires_at)
  • add shared ValidateAuthorizationHeader helper for downstream apps that are moving onto framework session handling
  • add framework POST /account/refresh so the shared account flow can cover refresh as well
  • add coverage for the claims compatibility and refresh path

These are the framework-side compatibility changes needed while console is still converging onto the shared auth/session stack.

…t <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Additional follow-up for the same rollout has now been pushed:

  • framework can now accept app-provided password-login fallback providers, so products can move /account/login onto the shared framework handler without keeping a separate login implementation
  • session token responses now support app-provided decorators, which lets console keep its current privilege response semantics while reusing framework login/refresh
  • shared password material generation was extracted so downstream apps can stop carrying their own password-challenge helper wrappers

This is the next step toward removing console-owned /account/* auth flow code while keeping the existing frontend contract.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Follow-up for the shared account-flow rollout:

  • replaced direct panics in modules/security/rbac/user.go for user-facing validation/business conflicts with explicit HTTP errors
  • CreateUser on the provider path now returns normal errors instead of aborting on weak passwords / duplicate emails
  • added a focused test to lock the weak-password validation behavior

This keeps the native account management path aligned with the earlier challenge-login/account-flow changes in this PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Follow-up for the shared account-flow rollout:

  • removed remaining runtime panics in the framework auth/security request path where user input or backend failures should surface as normal errors
  • UserSessionInfo.IsValid() now returns false instead of panicking, so auth filter fallback and invalid-token handling keep following the intended error path
  • RBAC role/principal/entity helpers now return explicit HTTP errors or safe deny/empty results instead of aborting the request
  • added focused tests for incomplete session users, invalid claims, and nil-session token issuance

This is the cleanup pass after the earlier account-flow convergence work in this PR.

hardy-dev-infinilabs and others added 2 commits May 26, 2026 17:45
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Small structure cleanup for reviewability:

  • removed the standalone core/security/account_flow.go
  • moved password-login fallback registration into core/security/service_registry.go alongside the other auth registries
  • moved token-response decorator registration into core/security/session.go alongside session issuance/decoration
  • no behavior change; this is only rehoming the same extension points to more natural locations

The console bridge keeps using the same hooks, but the framework side now reads as normal registry/session extension instead of a migration-specific file.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Follow-up reviewability cleanup:

  • removed the dead lookupAccountByLogin compatibility wrapper and now call the native RBAC lookup directly
  • duplicate login/email matches now surface as explicit errors instead of being silently treated as "not found"
  • the legacy-password -> challenge-material upgrade remains best-effort, but no longer waits for an index refresh before returning from login
  • added focused coverage for the duplicate-account lookup behavior

This keeps the auth flow behavior the same for valid users while making error semantics and migration intent clearer for review.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hardy-dev-infinilabs
Contributor Author

Follow-up simplification after confirming the rollout only targets new console + new framework together:

  • removed the legacy username / user_id JWT claim aliases from core/security/UserClaims
  • dropped the old-console-specific marshal/unmarshal compatibility layer entirely
  • kept the native framework claim shape (login / userid) only

This reduces review noise and keeps the framework token model product-neutral.

hardy-dev-infinilabs and others added 2 commits May 26, 2026 21:12
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>