slice 10D (hub): DR capstone — recovery mode + re-enroll + directive serving (hub v0.11.0)

Recovery-mode toggle (global key, bounded auto-expiry) gates re-enroll +
restore-directive serving. Re-enroll rotates the agent<->hub credential to the
new box (old key revoked); returns the opaque escrow blobs + non-secret
directive. Store gains recovery_mode_until + identity_blob + directive_json.
Hub holds no usable secret + no Cloudflare write-power (operator-side rotation).
Doc 03 §9: slice 10 CLOSED.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

hub/internal/api/handler.go

@@ -129,6 +129,20 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case r.Method == http.MethodPut && strings.HasPrefix(path, "/hosts/") && strings.HasSuffix(path, "/escrow"):
 		hostID := strings.TrimSuffix(strings.TrimPrefix(path, "/hosts/"), "/escrow")
 		h.handleHostEscrowPut(w, r, hostID)
+	// DR capstone (slice 10D). Recovery-mode toggle (global key); re-enroll + restore-directive
+	// (gated on recovery mode — no old key needed, the box is lost).
+	case r.Method == http.MethodPut && strings.HasPrefix(path, "/admin/hosts/") && strings.HasSuffix(path, "/recovery-mode"):
+		hostID := strings.TrimSuffix(strings.TrimPrefix(path, "/admin/hosts/"), "/recovery-mode")
+		h.handleSetRecoveryMode(w, r, hostID)
+	case r.Method == http.MethodDelete && strings.HasPrefix(path, "/admin/hosts/") && strings.HasSuffix(path, "/recovery-mode"):
+		hostID := strings.TrimSuffix(strings.TrimPrefix(path, "/admin/hosts/"), "/recovery-mode")
+		h.handleClearRecoveryMode(w, r, hostID)
+	case r.Method == http.MethodPost && strings.HasPrefix(path, "/hosts/") && strings.HasSuffix(path, "/re-enroll"):
+		hostID := strings.TrimSuffix(strings.TrimPrefix(path, "/hosts/"), "/re-enroll")
+		h.handleReEnroll(w, r, hostID)
+	case r.Method == http.MethodGet && strings.HasPrefix(path, "/hosts/") && strings.HasSuffix(path, "/restore-directive"):
+		hostID := strings.TrimSuffix(strings.TrimPrefix(path, "/hosts/"), "/restore-directive")
+		h.handleGetRestoreDirective(w, r, hostID)
 	// Desired-state serving (slice 10A) — per-host-key, self-scoped (a host reads only its own).
 	case r.Method == http.MethodGet && strings.HasPrefix(path, "/hosts/") && strings.HasSuffix(path, "/desired-state"):
 		hostID := strings.TrimSuffix(strings.TrimPrefix(path, "/hosts/"), "/desired-state")
@@ -619,6 +633,9 @@ type escrowUploadRequest struct {
 	KeyFingerprint string `json:"key_fingerprint"` // for operator display only
 	Posture        string `json:"posture"`         // e.g. "zero_knowledge"
 	CreatedAt      string `json:"created_at"`      // RFC3339
+	// Slice 10D.1 — optional DR bundle, stored alongside the K-escrow (both opaque/non-secret).
+	IdentityBlobB64 string          `json:"identity_blob_b64,omitempty"` // age-wrapped {tunnel_token, pbs_token}
+	DirectiveJSON   json.RawMessage `json:"directive,omitempty"`         // non-secret directive (pbs repo/ns, expected fp, tunnel id)
 }
 
 // handleHostEscrowPut stores a host's opaque escrow blob (doc 03 §8a). Authed with the PER-HOST key
@@ -664,6 +681,26 @@ func (h *Handler) handleHostEscrowPut(w http.ResponseWriter, r *http.Request, pa
 		http.Error(w, "Internal error", http.StatusInternalServerError)
 		return
 	}
+	// Slice 10D.1: optionally store the IDENTITY escrow blob + the non-secret DR directive alongside
+	// the K-escrow (both opaque / non-secret — no usable secret hub-side). Additive: a slice-7
+	// upload without these is unchanged.
+	if req.IdentityBlobB64 != "" {
+		idBlob, derr := base64.StdEncoding.DecodeString(req.IdentityBlobB64)
+		if derr != nil || len(idBlob) == 0 {
+			http.Error(w, "Invalid payload: identity_blob_b64 not valid base64", http.StatusBadRequest)
+			return
+		}
+		directive := req.DirectiveJSON
+		if len(directive) == 0 || !json.Valid(directive) {
+			directive = json.RawMessage("{}")
+		}
+		if err := h.store.SaveHostDRBundle(pathHostID, idBlob, string(directive)); err != nil {
+			h.logger.Printf("[ERROR] Failed to store DR bundle for host %s: %v", pathHostID, err)
+			http.Error(w, "Internal error", http.StatusInternalServerError)
+			return
+		}
+		h.logger.Printf("[INFO] stored DR bundle for host %s (identity %d bytes + directive)", pathHostID, len(idBlob))
+	}
 	h.logger.Printf("[INFO] stored opaque escrow blob for host %s (%d bytes, posture=%s, fp=%s)",
 		pathHostID, len(blob), req.Posture, req.KeyFingerprint)
 	w.WriteHeader(http.StatusOK)