ospab
91ab02dc8e
feat(oncp): OTP enrollment tokens and dynamic IPAM
- Add OTP token management (oncp/src/token.rs)
* Time-limited tokens with expiry (default 3 minutes)
* One-time use validation (token deleted after use)
* Automatic cleanup of expired tokens
* Cryptographically secure random generation (10 chars)
* Token masking in logs (XX****XX format)
- Add dynamic IPAM (oncp/src/network.rs)
* NetworkConfig for 10.X.0.0/16 subnet management
* IpamPool with sequential IP allocation
* Master node octet validation (0-255, excluding reserved)
* IP release mechanism for rollback scenarios
- Update enrollment flow
* EnrollmentRequest requires OTP token field
* Silent drop (HTTP 444) for invalid tokens
* IP allocation during node approval
* CLI command: 'node token --expiry 3'
* Master CLI --network-octet parameter
- Security enhancements
* Two-factor enrollment: token + admin approval
* Token enumeration prevention (no error responses)
* Automatic token cleanup every 60 seconds
* PSK + assigned IP returned on approval
Tests: All 16 tests passing (4 token, 5 network, 7 existing)