feat(creds): Phase 1 — Authorization header + SNMP community capture

Closes the cred-coverage gap for 7 services that already had the data
on the wire but never landed it in the Credential table:

- SNMP — community string lands as secret_kind="snmp_community",
  principal=None (v1/v2c has no per-user identity, the community IS
  the auth).
- SIP — Digest response hash, previously buried in the auth= header
  dump, now classify_authorization()-extracted.
- HTTP / HTTPS — Authorization header was in the headers JSON but
  never extracted. Now Basic decodes to plaintext, Bearer →
  http_bearer (principal=None), Digest → http_digest_md5.
- K8s — already extracted Authorization but didn't normalize. Service-
  account JWTs flow through as Bearer.
- Docker API — headers absent entirely. Adds the headers JSON dump
  and runs Authorization through the classifier.
- Elasticsearch — five distinct request handlers; each gains a
  per-handler _cred_fields() helper.

Adds canonical templates/syslog_bridge.py:classify_authorization().
Recognised: Basic / Bearer / Token / Digest. Unknown schemes (NTLM,
AWS4-HMAC, Negotiate) return None; the header still rides in the
ambient SD-block but isn't normalized as a credential. The SD shape
on the wire collapses sip_digest_md5 into http_digest_md5 — same
algorithm, so cross-protocol reuse correlates correctly when (rare)
nonce collisions allow.

Drive-by repair of tests/core/test_fingerprinting.py:

- The pre-existing `test_http_useragent_extracted` asserted both that
  add_bounty was called exactly once AND that the UA payload carried
  `path` and `method` fields. Both wrong since this session opened:
  the http_quirks fingerprint added later fires too, and the UA
  payload never actually included path/method despite the assertion.
- Adds `path`/`method` to the UA fingerprint payload (real operator
  value: "Nikto hit /admin" beats "Nikto seen on this decky").
- Replaces `assert_awaited_once` with a `_find_ua_bounty()` helper
  that filters add_bounty calls by `fingerprint_type`. New fingerprint
  families landing later won't retroactively break old tests.
- Updates the two credential-bearing tests to use the post-DEBT-039
  native shape (`secret_b64` / `principal`) and `upsert_credential`,
  not the deleted legacy `username+password` adapter.

Also rebuilds the per-service fake `syslog_bridge` modules in
tests/service_testing/{conftest,test_imap,test_pop3,test_snmp,test_mqtt,test_smtp}.py
to expose `encode_secret` + `classify_authorization`. Service templates
that import either now no longer fail at test collection.

173 tests pass in the touched scope. Phases 2-7 still pending.

tests/core/test_fingerprinting.py

@@ -15,6 +15,23 @@ def _make_repo():
 # HTTP User-Agent
 # ---------------------------------------------------------------------------
 
+def _find_ua_bounty(repo) -> dict:
+    """Find the http_useragent fingerprint among all add_bounty calls.
+
+    A single HTTP request can produce multiple `bounty_type="fingerprint"`
+    bounties (UA, http_quirks, ip_leak, …). Tests for one specific kind
+    must filter rather than assert call count, so adding new fingerprint
+    families later doesn't retroactively break old tests."""
+    for c in repo.add_bounty.await_args_list:
+        payload = c[0][0].get("payload") or {}
+        if payload.get("fingerprint_type") == "http_useragent":
+            return c[0][0]
+    raise AssertionError(
+        "no http_useragent bounty found; calls=%r"
+        % [c[0][0].get("payload") for c in repo.add_bounty.await_args_list]
+    )
+
+
 @pytest.mark.asyncio
 async def test_http_useragent_extracted():
     repo = _make_repo()
@@ -30,13 +47,12 @@ async def test_http_useragent_extracted():
         },
     }
     await _extract_bounty(repo, log_data)
-    repo.add_bounty.assert_awaited_once()
-    call_kwargs = repo.add_bounty.call_args[0][0]
-    assert call_kwargs["bounty_type"] == "fingerprint"
-    assert call_kwargs["payload"]["fingerprint_type"] == "http_useragent"
-    assert call_kwargs["payload"]["value"] == "Nikto/2.1.6"
-    assert call_kwargs["payload"]["path"] == "/admin"
-    assert call_kwargs["payload"]["method"] == "GET"
+    bounty = _find_ua_bounty(repo)
+    assert bounty["bounty_type"] == "fingerprint"
+    assert bounty["payload"]["fingerprint_type"] == "http_useragent"
+    assert bounty["payload"]["value"] == "Nikto/2.1.6"
+    assert bounty["payload"]["path"] == "/admin"
+    assert bounty["payload"]["method"] == "GET"
 
 
 @pytest.mark.asyncio
@@ -52,12 +68,14 @@ async def test_http_useragent_lowercase_key():
         },
     }
     await _extract_bounty(repo, log_data)
-    call_kwargs = repo.add_bounty.call_args[0][0]
-    assert call_kwargs["payload"]["value"] == "sqlmap/1.7"
+    bounty = _find_ua_bounty(repo)
+    assert bounty["payload"]["value"] == "sqlmap/1.7"
 
 
 @pytest.mark.asyncio
 async def test_http_no_useragent_no_fingerprint_bounty():
+    """No User-Agent header → no http_useragent bounty (other fingerprint
+    families like http_quirks may still fire on the same request)."""
     repo = _make_repo()
     log_data = {
         "decky": "decky-01",
@@ -69,7 +87,11 @@ async def test_http_no_useragent_no_fingerprint_bounty():
         },
     }
     await _extract_bounty(repo, log_data)
-    repo.add_bounty.assert_not_awaited()
+    ua_calls = [
+        c for c in repo.add_bounty.await_args_list
+        if (c[0][0].get("payload") or {}).get("fingerprint_type") == "http_useragent"
+    ]
+    assert ua_calls == []
 
 
 @pytest.mark.asyncio
@@ -142,39 +164,59 @@ async def test_vnc_version_event_no_client_version_field():
 
 @pytest.mark.asyncio
 async def test_credential_still_extracted_alongside_fingerprint():
+    """Native-shape credential lands via upsert_credential, not add_bounty.
+
+    The legacy username+password adapter was deleted in DEBT-039; the
+    universal shape (secret_b64 + principal) goes straight to the
+    Credential table. Fingerprint bounties continue to ride add_bounty."""
+    import base64
     repo = _make_repo()
+    repo.upsert_credential = AsyncMock()
     log_data = {
         "decky": "decky-03",
         "service": "ftp",
         "attacker_ip": "10.0.0.8",
         "event_type": "auth_attempt",
-        "fields": {"username": "admin", "password": "1234"},
+        "fields": {
+            "username": "admin",
+            "principal": "admin",
+            "secret_kind": "plaintext",
+            "secret_printable": "1234",
+            "secret_b64": base64.b64encode(b"1234").decode(),
+        },
     }
     await _extract_bounty(repo, log_data)
-    repo.add_bounty.assert_awaited_once()
-    call_kwargs = repo.add_bounty.call_args[0][0]
-    assert call_kwargs["bounty_type"] == "credential"
+    repo.upsert_credential.assert_awaited_once()
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "ftp"
+    assert cred["principal"] == "admin"
 
 
 @pytest.mark.asyncio
 async def test_http_credential_and_fingerprint_both_extracted():
-    """An HTTP login attempt can yield both a credential and a UA fingerprint."""
+    """An HTTP login attempt yields both a Credential row and a UA
+    fingerprint bounty — distinct write paths."""
+    import base64
     repo = _make_repo()
+    repo.upsert_credential = AsyncMock()
     log_data = {
         "decky": "decky-03",
         "service": "http",
         "attacker_ip": "10.0.0.9",
         "event_type": "request",
         "fields": {
-            "username": "root",
-            "password": "toor",
+            "principal": "root",
+            "secret_kind": "plaintext",
+            "secret_printable": "toor",
+            "secret_b64": base64.b64encode(b"toor").decode(),
             "headers": {"User-Agent": "curl/7.88.1"},
         },
     }
     await _extract_bounty(repo, log_data)
-    assert repo.add_bounty.await_count == 2
-    types = {c[0][0]["bounty_type"] for c in repo.add_bounty.call_args_list}
-    assert types == {"credential", "fingerprint"}
+    repo.upsert_credential.assert_awaited_once()
+    # add_bounty fired for the UA fingerprint; http_quirks may also fire.
+    bounty_types = {c[0][0]["bounty_type"] for c in repo.add_bounty.call_args_list}
+    assert "fingerprint" in bounty_types
 
 
 # ---------------------------------------------------------------------------

tests/service_testing/conftest.py

@@ -25,6 +25,14 @@ def make_fake_syslog_bridge() -> ModuleType:
     mod.forward_syslog = MagicMock()
     mod.SEVERITY_WARNING = 4
     mod.SEVERITY_INFO = 6
+    # encode_secret returns the universal cred SD shape; tests don't
+    # care about the exact bytes, just that the key set is correct.
+    mod.encode_secret = MagicMock(
+        return_value={"secret_printable": "", "secret_b64": ""}
+    )
+    # classify_authorization returns None for unknown / absent auth so
+    # services that call **(cred or {}) get a no-op spread.
+    mod.classify_authorization = MagicMock(return_value=None)
     return mod
 
 

tests/service_testing/test_imap.py

@@ -24,6 +24,8 @@ def _make_fake_syslog_bridge() -> ModuleType:
     mod.forward_syslog = MagicMock()
     mod.SEVERITY_WARNING = 4
     mod.SEVERITY_INFO = 6
+    mod.encode_secret = MagicMock(return_value={"secret_printable": "", "secret_b64": ""})
+    mod.classify_authorization = MagicMock(return_value=None)
     return mod
 
 

tests/service_testing/test_mqtt.py

@@ -23,6 +23,8 @@ def _make_fake_syslog_bridge() -> ModuleType:
     mod.forward_syslog = MagicMock()
     mod.SEVERITY_WARNING = 4
     mod.SEVERITY_INFO = 6
+    mod.encode_secret = MagicMock(return_value={"secret_printable": "", "secret_b64": ""})
+    mod.classify_authorization = MagicMock(return_value=None)
     return mod
 
 

tests/service_testing/test_pop3.py

@@ -24,6 +24,8 @@ def _make_fake_syslog_bridge() -> ModuleType:
     mod.forward_syslog = MagicMock()
     mod.SEVERITY_WARNING = 4
     mod.SEVERITY_INFO = 6
+    mod.encode_secret = MagicMock(return_value={"secret_printable": "", "secret_b64": ""})
+    mod.classify_authorization = MagicMock(return_value=None)
     return mod
 
 

tests/service_testing/test_smtp.py

@@ -27,6 +27,8 @@ def _make_fake_syslog_bridge() -> ModuleType:
     mod.forward_syslog = MagicMock()
     mod.SEVERITY_WARNING = 4
     mod.SEVERITY_INFO = 6
+    mod.encode_secret = MagicMock(return_value={"secret_printable": "", "secret_b64": ""})
+    mod.classify_authorization = MagicMock(return_value=None)
     return mod
 
 

tests/service_testing/test_snmp.py

@@ -25,6 +25,8 @@ def _make_fake_syslog_bridge() -> ModuleType:
     mod.forward_syslog = MagicMock()
     mod.SEVERITY_WARNING = 4
     mod.SEVERITY_INFO = 6
+    mod.encode_secret = MagicMock(return_value={"secret_printable": "", "secret_b64": ""})
+    mod.classify_authorization = MagicMock(return_value=None)
     return mod
 
 

tests/services/test_cred_emitters.py

@@ -222,6 +222,109 @@ async def test_vnc_hash_credential():
     assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
 
 
+@pytest.mark.asyncio
+async def test_snmp_community_native_shape():
+    """SNMP v1/v2c community string lands as secret_kind=snmp_community,
+    principal=None (no per-user identity in v1/v2c)."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    raw = b"public"
+    log_data = {
+        "decky": "decky-01",
+        "service": "snmp",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "version": 1,
+            "community": "public",
+            "secret_kind": "snmp_community",
+            "secret_printable": "public",
+            "secret_b64": base64.b64encode(raw).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "snmp"
+    assert cred["secret_kind"] == "snmp_community"
+    assert cred["principal"] is None
+    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_http_basic_native_shape():
+    """HTTP Basic via classify_authorization → principal+plaintext."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    log_data = {
+        "decky": "decky-01",
+        "service": "http",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "method": "GET",
+            "path": "/admin",
+            "principal": "admin",
+            "secret_kind": "plaintext",
+            "secret_printable": "hunter2",
+            "secret_b64": base64.b64encode(b"hunter2").decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "http"
+    assert cred["principal"] == "admin"
+    assert cred["secret_kind"] == "plaintext"
+
+
+@pytest.mark.asyncio
+async def test_http_bearer_native_shape():
+    """HTTP Bearer — principal=None, secret_kind=http_bearer, opaque."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    token = b"eyJhbGciOiJIUzI1NiJ9.foo.bar"
+    log_data = {
+        "decky": "decky-01",
+        "service": "k8s",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "method": "GET",
+            "path": "/api/v1/secrets",
+            "principal": None,
+            "secret_kind": "http_bearer",
+            "secret_printable": token.decode(),
+            "secret_b64": base64.b64encode(token).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["secret_kind"] == "http_bearer"
+    assert cred["principal"] is None
+    assert cred["secret_sha256"] == hashlib.sha256(token).hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_sip_digest_native_shape():
+    """SIP Digest via classify_authorization → response hash captured."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    response_hash = "d41d8cd98f00b204e9800998ecf8427e"
+    log_data = {
+        "decky": "decky-01",
+        "service": "sip",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "method": "REGISTER",
+            "principal": "alice",
+            "secret_kind": "http_digest_md5",
+            "secret_printable": response_hash,
+            "secret_b64": base64.b64encode(response_hash.encode()).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "sip"
+    assert cred["secret_kind"] == "http_digest_md5"
+    assert cred["principal"] == "alice"
+
+
 @pytest.mark.asyncio
 async def test_lossless_b64_survives_nonprintable_password():
     """Even when secret_printable is sanitized, secret_b64 still decodes

tests/services/test_syslog_bridge_helpers.py

@@ -65,6 +65,53 @@ def test_encode_secret_preserves_rfc5424_specials(syslog_bridge):
     assert base64.b64decode(out["secret_b64"]) == secret.encode("utf-8")
 
 
+def test_classify_authorization_basic(syslog_bridge):
+    """HTTP Basic — base64(user:pw) decodes to plaintext credential."""
+    cred = syslog_bridge.classify_authorization("Basic YWRtaW46aHVudGVyMg==")
+    assert cred is not None
+    assert cred["principal"] == "admin"
+    assert cred["secret_kind"] == "plaintext"
+    assert base64.b64decode(cred["secret_b64"]) == b"hunter2"
+    assert cred["secret_printable"] == "hunter2"
+
+
+def test_classify_authorization_bearer(syslog_bridge):
+    cred = syslog_bridge.classify_authorization("Bearer eyJhbGciOiJIUzI1NiJ9.foo.bar")
+    assert cred["principal"] is None
+    assert cred["secret_kind"] == "http_bearer"
+    assert base64.b64decode(cred["secret_b64"]) == b"eyJhbGciOiJIUzI1NiJ9.foo.bar"
+
+
+def test_classify_authorization_token_alias(syslog_bridge):
+    """`Token <opaque>` = same shape as Bearer (Kubernetes service accounts)."""
+    cred = syslog_bridge.classify_authorization("Token sa-jwt-token-abc")
+    assert cred["secret_kind"] == "http_bearer"
+
+
+def test_classify_authorization_digest(syslog_bridge):
+    """RFC 7616 Digest — extract username + response hash."""
+    header = ('Digest username="alice", realm="example.com", '
+              'nonce="abc123", uri="/", response="d41d8cd98f00b204e9800998ecf8427e"')
+    cred = syslog_bridge.classify_authorization(header)
+    assert cred["principal"] == "alice"
+    assert cred["secret_kind"] == "http_digest_md5"
+    assert cred["secret_printable"] == "d41d8cd98f00b204e9800998ecf8427e"
+
+
+def test_classify_authorization_unknown_scheme(syslog_bridge):
+    """NTLM, AWS4-HMAC-…, Negotiate — all return None for now."""
+    assert syslog_bridge.classify_authorization("NTLM TlRMTVNTUAA=") is None
+    assert syslog_bridge.classify_authorization("AWS4-HMAC-SHA256 Credential=…") is None
+
+
+def test_classify_authorization_malformed(syslog_bridge):
+    assert syslog_bridge.classify_authorization(None) is None
+    assert syslog_bridge.classify_authorization("") is None
+    assert syslog_bridge.classify_authorization("Basic !!not-base64!!") is None
+    assert syslog_bridge.classify_authorization("Basic dXNlcg==") is None  # no colon
+    assert syslog_bridge.classify_authorization("Digest no-response-here") is None
+
+
 def test_encode_secret_unicode_replaced(syslog_bridge):
     """Non-ASCII unicode encodes via utf-8, then printable strips the
     multi-byte sequence to '?' chars (one per raw byte)."""