fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.

decnet/templates/mqtt/server.py

@@ -14,7 +14,12 @@ import random
 import struct
 
 import instance_seed as _seed
-from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
+from syslog_bridge import (
+    encode_secret,
+    forward_syslog,
+    syslog_line,
+    write_syslog_file,
+)
 
 NODE_NAME = os.environ.get("NODE_NAME", "mqtt-broker")
 SERVICE_NAME   = "mqtt"
@@ -256,7 +261,17 @@ class MQTTProtocol(asyncio.Protocol):
 
             if pkt_type == 1:  # CONNECT
                 info = _parse_connect(payload)
-                _log("auth", **info)
+                # Migrate auth event to the universal credential SD shape
+                # so the ingester's native branch picks up the row. The
+                # legacy username/password keys are intentionally NOT
+                # forwarded — encode_secret() supplies secret_printable
+                # and secret_b64 in their place.
+                _user = info.get("username", "")
+                _password = info.get("password", "")
+                _passthrough = {k: v for k, v in info.items()
+                                if k not in ("username", "password")}
+                _log("auth", username=_user, principal=_user,
+                     **encode_secret(_password), **_passthrough)
                 # Decide connection: accept-all > cred list > deny.
                 cred = (info.get("username", ""), info.get("password", ""))
                 accepted = (

decnet/templates/postgres/server.py

@@ -11,6 +11,7 @@ import os
 import struct
 
 import instance_seed as _seed
+import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "pgserver")
@@ -137,10 +138,27 @@ class PostgresProtocol(asyncio.Protocol):
         self._transport.write(auth_md5)
 
     def _handle_password(self, payload: bytes):
+        # Postgres MD5 challenge-response: the wire form is the literal
+        # ASCII string "md5" + 32 hex chars (md5(md5(pw+user)+salt)).
+        # Plaintext is unrecoverable, so we land this in the Credential
+        # table as secret_kind="postgres_md5_challenge" — secret_b64
+        # carries the raw hash bytes (after stripping the "md5" prefix
+        # and hex-decoding) for content-addressable reuse within-kind.
         pw_hash = payload.rstrip(b"\x00").decode(errors="replace")
-        _log("auth", src=self._peer[0], pw_hash=pw_hash,
-             username=getattr(self, "_username", ""),
-             database=getattr(self, "_database", ""))
+        _hex = pw_hash[3:] if pw_hash.startswith("md5") else pw_hash
+        try:
+            _raw = bytes.fromhex(_hex)
+        except ValueError:
+            _raw = _hex.encode("utf-8", errors="replace")
+        _b64 = _base64.b64encode(_raw).decode("ascii")
+        _user = getattr(self, "_username", "")
+        _log("auth", src=self._peer[0],
+             username=_user, principal=_user,
+             database=getattr(self, "_database", ""),
+             pw_hash=pw_hash,
+             secret_kind="postgres_md5_challenge",
+             secret_printable=pw_hash,
+             secret_b64=_b64)
         user = getattr(self, "_username", "")
         msg = f'password authentication failed for user "{user}"'
         _seed.jitter_sync(20, 90)

decnet/templates/vnc/server.py

@@ -8,6 +8,7 @@ failed". Logs the raw response for offline cracking.
 
 import asyncio
 import os
+import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "desktop")
@@ -68,7 +69,16 @@ class VNCProtocol(asyncio.Protocol):
                 return
             response = self._buf[:16]
             self._buf = self._buf[16:]
-            _log("auth_response", src=self._peer[0], response=response.hex())
+            # VNC protocol: 16-byte DES-encrypted challenge. Plaintext
+            # password is irrecoverable, so we land this credential as
+            # secret_kind="vnc_des_response" — secret_b64 carries the
+            # raw 16 bytes for content-addressable within-kind reuse.
+            _hex = response.hex()
+            _log("auth_response", src=self._peer[0],
+                 response=_hex,
+                 secret_kind="vnc_des_response",
+                 secret_printable=_hex,
+                 secret_b64=_base64.b64encode(response).decode("ascii"))
             # SecurityResult: 1 = failed
             self._transport.write(b"\x00\x00\x00\x01")
             # Failure reason

decnet/web/db/models/logs.py

@@ -72,7 +72,22 @@ class Credential(SQLModel, table=True):
     decky_name: str = Field(index=True)
     service: str = Field(index=True)
     principal: Optional[str] = Field(default=None, index=True, max_length=256)
-    # Universal lossless secret representations.
+    # Discriminator for what `secret_b64` actually contains. Default
+    # ``"plaintext"`` — a recoverable password the attacker sent on the
+    # wire (SSH/Telnet/FTP/IMAP/POP3/SMTP/Redis/LDAP/MQTT). Other kinds:
+    # ``"postgres_md5_challenge"`` (md5(md5(pw+user)+salt) hex bytes
+    # the attacker sent in the Postgres password message — plaintext
+    # irrecoverable), ``"vnc_des_response"`` (16-byte DES-encrypted
+    # challenge response — same shape).
+    #
+    # Reuse semantics gracefully degrade: same secret_sha256 only
+    # correlates within a single ``secret_kind``. Cross-kind matches
+    # are meaningless because different challenges produce different
+    # bytes for the same plaintext password.
+    secret_kind: str = Field(default="plaintext", index=True, max_length=32)
+    # Universal lossless secret representations. For non-plaintext
+    # kinds, secret_b64 is base64 of the raw attacker-sent bytes (after
+    # hex-decode for protocols that ship the response as a hex string).
     secret_sha256: str = Field(index=True, max_length=64)
     secret_b64: Optional[str] = Field(default=None, max_length=2048)
     # Best-effort printable form — non-printable bytes collapsed to '?'

decnet/web/db/sqlmodel_repo.py

@@ -557,11 +557,13 @@ class SQLModelRepository(BaseRepository):
             payload["fields"] = json.dumps(payload["fields"], ensure_ascii=True)
 
         principal = payload.get("principal")
+        secret_kind = payload.get("secret_kind") or "plaintext"
         async with self._session() as session:
             stmt = select(Credential).where(
                 Credential.attacker_ip == payload["attacker_ip"],
                 Credential.decky_name == payload["decky_name"],
                 Credential.service == payload["service"],
+                Credential.secret_kind == secret_kind,
                 Credential.secret_sha256 == payload["secret_sha256"],
                 # NULL == NULL is False under SQL — branch the predicate.
                 (Credential.principal == principal) if principal is not None
@@ -582,6 +584,7 @@ class SQLModelRepository(BaseRepository):
                 decky_name=payload["decky_name"],
                 service=payload["service"],
                 principal=principal,
+                secret_kind=secret_kind,
                 secret_sha256=payload["secret_sha256"],
                 secret_b64=payload.get("secret_b64"),
                 secret_printable=payload.get("secret_printable"),

decnet/web/ingester.py

@@ -246,12 +246,14 @@ async def _ingest_credential_native(
     sha256_hex = hashlib.sha256(raw).hexdigest()
     principal = fields.get("principal") or fields.get("username")
     secret_printable = fields.get("secret_printable")
+    secret_kind = fields.get("secret_kind") or "plaintext"
 
     await repo.upsert_credential({
         "attacker_ip": log_data.get("attacker_ip"),
         "decky_name": log_data.get("decky"),
         "service": log_data.get("service"),
         "principal": _truncate_with_warn(principal, _PRINCIPAL_MAX, "principal"),
+        "secret_kind": secret_kind,
         "secret_sha256": sha256_hex,
         "secret_b64": _truncate_with_warn(b64, _SECRET_B64_MAX, "secret_b64"),
         "secret_printable": _truncate_with_warn(

development/DEBT.md

@@ -1,6 +1,6 @@
 # DECNET — Technical Debt Register
 
-> Last updated: 2026-04-25 — DEBT-039 resolved (six service emitters on standardized shape, legacy ingester adapter deleted).
+> Last updated: 2026-04-25 — Credential model gained `secret_kind` discriminator; Postgres MD5 + VNC DES challenge creds now land in the table; MQTT regression from the legacy-adapter removal patched.
 > Severity: 🔴 Critical · 🟠 High · 🟡 Medium · 🟢 Low
 
 ---

tests/db/test_credentials.py

@@ -123,6 +123,32 @@ async def test_get_credentials_for_attacker(repo) -> None:
     assert rows[0]["attacker_ip"] == "10.0.0.5"
 
 
+@pytest.mark.anyio
+async def test_secret_kind_dedups_independently(repo) -> None:
+    """Same sha256, same principal — different secret_kind = different row.
+
+    Two rows with the same content-addressable hash but different kinds
+    represent fundamentally different credentials (e.g. a plaintext
+    password that happens to hash to the same value as a Postgres
+    md5 challenge response is statistically impossible but semantically
+    distinct anyway). Dedup must respect the kind boundary."""
+    base = {
+        "attacker_ip": "10.0.0.5",
+        "decky_name": "decky-01",
+        "service": "ssh",
+        "principal": "root",
+        "secret_sha256": _sha256("hunter2"),
+        "secret_b64": "aHVudGVyMg==",
+        "fields": {},
+    }
+    await repo.upsert_credential({**base, "secret_kind": "plaintext"})
+    await repo.upsert_credential({**base, "secret_kind": "postgres_md5_challenge"})
+    rows = await repo.get_credentials()
+    assert len(rows) == 2
+    kinds = {r["secret_kind"] for r in rows}
+    assert kinds == {"plaintext", "postgres_md5_challenge"}
+
+
 @pytest.mark.anyio
 async def test_filters(repo) -> None:
     base_secret = _sha256("a")

tests/services/test_cred_emitters.py

@@ -154,6 +154,74 @@ async def test_ldap_principal_is_dn():
     assert cred["principal"] == "cn=admin,dc=acme,dc=com"
 
 
+@pytest.mark.asyncio
+async def test_mqtt_native_shape():
+    """MQTT CONNECT — username + password decoded from the wire,
+    emitted as principal + secret_b64. Was silently dropped between
+    Phase 3 (legacy adapter removed) and the MQTT migration commit."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    await _extract_bounty(repo, _native_log(
+        "mqtt", principal="iotuser", password="iotpass",
+    ))
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "mqtt"
+    assert cred["principal"] == "iotuser"
+    assert cred["secret_sha256"] == hashlib.sha256(b"iotpass").hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_postgres_hash_credential():
+    """Postgres MD5 challenge-response — plaintext irrecoverable, lands
+    as secret_kind=postgres_md5_challenge with the raw hash bytes."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    pw_hash = "md5" + "ab" * 16  # 32 hex chars after the "md5" prefix
+    raw = bytes.fromhex("ab" * 16)
+    log_data = {
+        "decky": "decky-01",
+        "service": "postgres",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "username": "postgres",
+            "principal": "postgres",
+            "pw_hash": pw_hash,
+            "secret_kind": "postgres_md5_challenge",
+            "secret_printable": pw_hash,
+            "secret_b64": base64.b64encode(raw).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "postgres"
+    assert cred["secret_kind"] == "postgres_md5_challenge"
+    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
+
+
+@pytest.mark.asyncio
+async def test_vnc_hash_credential():
+    """VNC DES-encrypted challenge response — same shape, different kind."""
+    from decnet.web.ingester import _extract_bounty
+    repo = MagicMock(); repo.upsert_credential = AsyncMock()
+    raw = bytes(range(16))
+    log_data = {
+        "decky": "decky-01",
+        "service": "vnc",
+        "attacker_ip": "10.0.0.5",
+        "fields": {
+            "response": raw.hex(),
+            "secret_kind": "vnc_des_response",
+            "secret_printable": raw.hex(),
+            "secret_b64": base64.b64encode(raw).decode("ascii"),
+        },
+    }
+    await _extract_bounty(repo, log_data)
+    cred = repo.upsert_credential.call_args[0][0]
+    assert cred["service"] == "vnc"
+    assert cred["secret_kind"] == "vnc_des_response"
+    assert cred["secret_sha256"] == hashlib.sha256(raw).hexdigest()
+
+
 @pytest.mark.asyncio
 async def test_lossless_b64_survives_nonprintable_password():
     """Even when secret_printable is sanitized, secret_b64 still decodes