Feat(Chore): Verify Flow, Invites, Suspend, Depart Cert Policy

feat: add password reset and email verification flow
feat: add org invite listing, cancellation, and invite link fallback
feat: add user suspend/unsuspend with audit logging
feat: add department certificate policy (expiry, extensions)
feat: enforce dept cert policy on SSH certificate signing
feat: wire up OIDC consent and token flow (replace mocks)
feat: rework CLI auth bridge to use frontend login flow
feat: add admin OAuth provider management (CRUD)
chore: refactor model import paths after module reorganisation
chore: clean up config, decorators, and dev tooling

etc/ssh_ca.conf

@@ -1,114 +1,30 @@
 
 [default]
 # Certificate validity period (in hours)
-# Default: 1 hour
-cert_validity_hours=1
+cert_validity_hours=8
 
 # Maximum certificate validity allowed (in hours)
-# Default: 24 hours
-# Prevents users from requesting certificates valid longer than this
-max_cert_validity_hours=24
+max_cert_validity_hours=720
 
-# Certificate Request Limits
-# Maximum number of certificates per user
-max_certs_per_user=100
-
-# Certificate revocation list (CRL) configuration
-crl_enabled=true
-# CRL endpoint URL - set to your domain where CRL is served
-crl_endpoint=https://ca.example.com/crl
-# CRL refresh interval (in hours)
-crl_refresh_hours=24
-
-# CA Key Configuration
-# Default key type for new CAs (ed25519, rsa, ecdsa)
-default_key_type=ed25519
-
-# RSA key size (if using RSA)
-rsa_key_bits=4096
-
-# Private key encryption
-# Method: kms (AWS Key Management Service) or local (for development only)
-private_key_encryption=kms
-# AWS KMS Key ID (only used if private_key_encryption=kms)
-aws_kms_key_id=${SSH_CA_KMS_KEY_ID}
-
-# SSH Certificate Extensions
-# Default extensions to add to certificates
-extensions_enabled=true
-extensions=permit-X11-forwarding,permit-agent-forwarding,permit-pty,permit-port-forwarding,permit-user-rc
-
-# Critical Options
-# Critical options to add to certificates (rarely needed)
-critical_options_enabled=false
+# CA private key path (required for local encryption mode)
+ca_key_path=
 
 # Certificate Field Limits
-# Maximum number of principals per certificate (SSH limitation is 256)
 max_principals_per_cert=256
-
-# Maximum length for key_id field
 max_key_id_length=255
 
-# Logging Configuration
-# Log level for SSH CA operations (DEBUG, INFO, WARNING, ERROR)
-log_level=INFO
-
-# Audit Configuration
-# Log all certificate signing operations
-audit_enabled=true
-
-# Security Configuration
-# Require SSH key verification before issuing certificates
-require_key_verification=true
-
 # Verification challenge max age (in hours)
 verification_challenge_max_age=24
 
-# Rate limiting for certificate signing
-# Max certificates per minute per user
-rate_limit_certs_per_minute=5
-
-# Request timeout (in seconds)
-request_timeout=30
-
-# Cleanup Configuration
-# Automatically delete unverified SSH keys after this many days
+# Cleanup: delete unverified SSH keys after this many days
 auto_delete_unverified_days=30
 
-# Archive expired certificates after this many days
-archive_expired_days=365
-
-# CLI OAuth Configuration (for secuird-cli.py compatibility)
-# OAuth token endpoint for CLI clients
-oauth_token_endpoint=/api/v1/oauth2/token
-# OAuth userinfo endpoint for CLI clients
-oauth_userinfo_endpoint=/api/v1/oauth2/userinfo
-
 [development]
-# Override settings for development environment
-private_key_encryption=local
-ca_key_path=/home/james/cory/secuird/certs/ca-users
-log_level=DEBUG
+ca_key_path=${SSH_CA_KEY_PATH}
 cert_validity_hours=24
-max_cert_validity_hours=720
-rate_limit_certs_per_minute=100
-require_key_verification=false
 
 [production]
-# Override settings for production environment
-private_key_encryption=kms
-log_level=WARNING
-cert_validity_hours=1
-max_cert_validity_hours=24
-rate_limit_certs_per_minute=5
-require_key_verification=true
+cert_validity_hours=8
 
 [testing]
-# Override settings for testing environment
-private_key_encryption=local
-log_level=DEBUG
-cert_validity_hours=1
-max_cert_validity_hours=24
-rate_limit_certs_per_minute=100
-require_key_verification=true
-audit_enabled=false
+cert_validity_hours=8