fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.

decnet/templates/mqtt/server.py

@@ -14,7 +14,12 @@ import random
 import struct
 
 import instance_seed as _seed
-from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
+from syslog_bridge import (
+    encode_secret,
+    forward_syslog,
+    syslog_line,
+    write_syslog_file,
+)
 
 NODE_NAME = os.environ.get("NODE_NAME", "mqtt-broker")
 SERVICE_NAME   = "mqtt"
@@ -256,7 +261,17 @@ class MQTTProtocol(asyncio.Protocol):
 
             if pkt_type == 1:  # CONNECT
                 info = _parse_connect(payload)
-                _log("auth", **info)
+                # Migrate auth event to the universal credential SD shape
+                # so the ingester's native branch picks up the row. The
+                # legacy username/password keys are intentionally NOT
+                # forwarded — encode_secret() supplies secret_printable
+                # and secret_b64 in their place.
+                _user = info.get("username", "")
+                _password = info.get("password", "")
+                _passthrough = {k: v for k, v in info.items()
+                                if k not in ("username", "password")}
+                _log("auth", username=_user, principal=_user,
+                     **encode_secret(_password), **_passthrough)
                 # Decide connection: accept-all > cred list > deny.
                 cred = (info.get("username", ""), info.get("password", ""))
                 accepted = (

decnet/templates/postgres/server.py

@@ -11,6 +11,7 @@ import os
 import struct
 
 import instance_seed as _seed
+import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "pgserver")
@@ -137,10 +138,27 @@ class PostgresProtocol(asyncio.Protocol):
         self._transport.write(auth_md5)
 
     def _handle_password(self, payload: bytes):
+        # Postgres MD5 challenge-response: the wire form is the literal
+        # ASCII string "md5" + 32 hex chars (md5(md5(pw+user)+salt)).
+        # Plaintext is unrecoverable, so we land this in the Credential
+        # table as secret_kind="postgres_md5_challenge" — secret_b64
+        # carries the raw hash bytes (after stripping the "md5" prefix
+        # and hex-decoding) for content-addressable reuse within-kind.
         pw_hash = payload.rstrip(b"\x00").decode(errors="replace")
-        _log("auth", src=self._peer[0], pw_hash=pw_hash,
-             username=getattr(self, "_username", ""),
-             database=getattr(self, "_database", ""))
+        _hex = pw_hash[3:] if pw_hash.startswith("md5") else pw_hash
+        try:
+            _raw = bytes.fromhex(_hex)
+        except ValueError:
+            _raw = _hex.encode("utf-8", errors="replace")
+        _b64 = _base64.b64encode(_raw).decode("ascii")
+        _user = getattr(self, "_username", "")
+        _log("auth", src=self._peer[0],
+             username=_user, principal=_user,
+             database=getattr(self, "_database", ""),
+             pw_hash=pw_hash,
+             secret_kind="postgres_md5_challenge",
+             secret_printable=pw_hash,
+             secret_b64=_b64)
         user = getattr(self, "_username", "")
         msg = f'password authentication failed for user "{user}"'
         _seed.jitter_sync(20, 90)

decnet/templates/vnc/server.py

@@ -8,6 +8,7 @@ failed". Logs the raw response for offline cracking.
 
 import asyncio
 import os
+import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "desktop")
@@ -68,7 +69,16 @@ class VNCProtocol(asyncio.Protocol):
                 return
             response = self._buf[:16]
             self._buf = self._buf[16:]
-            _log("auth_response", src=self._peer[0], response=response.hex())
+            # VNC protocol: 16-byte DES-encrypted challenge. Plaintext
+            # password is irrecoverable, so we land this credential as
+            # secret_kind="vnc_des_response" — secret_b64 carries the
+            # raw 16 bytes for content-addressable within-kind reuse.
+            _hex = response.hex()
+            _log("auth_response", src=self._peer[0],
+                 response=_hex,
+                 secret_kind="vnc_des_response",
+                 secret_printable=_hex,
+                 secret_b64=_base64.b64encode(response).decode("ascii"))
             # SecurityResult: 1 = failed
             self._transport.write(b"\x00\x00\x00\x01")
             # Failure reason

decnet/web/db/models/logs.py

@@ -72,7 +72,22 @@ class Credential(SQLModel, table=True):
     decky_name: str = Field(index=True)
     service: str = Field(index=True)
     principal: Optional[str] = Field(default=None, index=True, max_length=256)
-    # Universal lossless secret representations.
+    # Discriminator for what `secret_b64` actually contains. Default
+    # ``"plaintext"`` — a recoverable password the attacker sent on the
+    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
+    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
+    # the attacker sent in the Postgres password message — plaintext
+    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
+    # challenge response — same shape).
+    #
+    # Reuse semantics gracefully degrade: same secret_sha256 only
+    # correlates within a single ``secret_kind``. Cross-kind matches
+    # are meaningless because different challenges produce different
+    # bytes for the same plaintext password.
+    secret_kind: str = Field(default="plaintext", index=True, max_length=32)
+    # Universal lossless secret representations. For non-plaintext
+    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
+    # hex-decode for protocols that ship the response as a hex string).
     secret_sha256: str = Field(index=True, max_length=64)
     secret_b64: Optional[str] = Field(default=None, max_length=2048)
     # Best-effort printable form — non-printable bytes collapsed to '?'

decnet/web/db/sqlmodel_repo.py

@@ -557,11 +557,13 @@ class SQLModelRepository(BaseRepository):
             payload["fields"] = json.dumps(payload["fields"], ensure_ascii=True)
 
         principal = payload.get("principal")
+        secret_kind = payload.get("secret_kind") or "plaintext"
         async with self._session() as session:
             stmt = select(Credential).where(
                 Credential.attacker_ip == payload["attacker_ip"],
                 Credential.decky_name == payload["decky_name"],
                 Credential.service == payload["service"],
+                Credential.secret_kind == secret_kind,
                 Credential.secret_sha256 == payload["secret_sha256"],
                 # NULL == NULL is False under SQL — branch the predicate.
                 (Credential.principal == principal) if principal is not None
@@ -582,6 +584,7 @@ class SQLModelRepository(BaseRepository):
                 decky_name=payload["decky_name"],
                 service=payload["service"],
                 principal=principal,
+                secret_kind=secret_kind,
                 secret_sha256=payload["secret_sha256"],
                 secret_b64=payload.get("secret_b64"),
                 secret_printable=payload.get("secret_printable"),

decnet/web/ingester.py

@@ -246,12 +246,14 @@ async def _ingest_credential_native(
     sha256_hex = hashlib.sha256(raw).hexdigest()
     principal = fields.get("principal") or fields.get("username")
     secret_printable = fields.get("secret_printable")
+    secret_kind = fields.get("secret_kind") or "plaintext"
 
     await repo.upsert_credential({
         "attacker_ip": log_data.get("attacker_ip"),
         "decky_name": log_data.get("decky"),
         "service": log_data.get("service"),
         "principal": _truncate_with_warn(principal, _PRINCIPAL_MAX, "principal"),
+        "secret_kind": secret_kind,
         "secret_sha256": sha256_hex,
         "secret_b64": _truncate_with_warn(b64, _SECRET_B64_MAX, "secret_b64"),
         "secret_printable": _truncate_with_warn(