fix: P0 security remediation wave B — null checks, role enforcement, HMAC audit, hookSecret encryption

[OneStepAt4time]

Summary

Fixes the remaining 5 P0 CRITICAL security issues identified in the security audit (wave B, following PR #1681 which addressed O0-1/O0-2/O0-3).

Issues Fixed

Issue	Title	Fix
O0-4	\�uditLogger\ null-check inconsistency + eager null at init	\server.ts: lazy \getAuditLogger\ getter; consistent \if (auditLogger)\ guard
O0-5	Viewer role can approve/reject sessions	\server.ts: \
esolveRole\ now always wired; \permission-routes.ts: enforces role when resolver configured
O0-6	PBKDF2 120k iterations blocks event loop	\�udit.ts: replaced with synchronous HMAC-SHA256 (chain-secure, non-blocking)
O0-7	\writeFileSync\ blocks event loop	Pre-existing fix in develop; no changes needed
O0-8	\hookSecret\ persisted in plaintext	\session.ts: AES-256-GCM encrypt/decrypt; \server.ts: wires master token as key

Changes

\src/audit.ts\ (O0-6)

• Removed PBKDF2 120k-iteration async hash (was blocking event loop for 400ms+)
• Replaced with synchronous HMAC-SHA256 keyed on \prevHash\ — chain integrity preserved
• Salt prefix bumped to \�egis-audit-chain-v3\

\src/server.ts\ (O0-4, O0-5, O0-8)

• Fixed \if (typeof auditLogger !== 'undefined')\ → \if (auditLogger)\
• Changed
  egisterPermissionRoutes\ to pass
  esolveRole\ and lazy \getAuditLogger\
• Added \sessions.setEncryptionKey(config.authToken)\ in \main()\

\src/permission-routes.ts\ (O0-4, O0-5)

• Added \getAuditLogger?: () => AuditLogger | null\ to options (lazy resolution)
• Role enforcement now uses
  esolveRole\ when provided — viewer is denied approve/reject

\src/session.ts\ (O0-8)

• Added \setEncryptionKey(masterToken)\ — derives 256-bit key via \scryptSync\
• \serializeState()\ now encrypts hookSecret with AES-256-GCM instead of omitting it
• 
  estoreSessionHookSecrets()\ detects and decrypts AES-GCM ciphertext on load

Quality Gate

\
npx tsc --noEmit ✅ clean
npm run build ✅ passed
npm test ✅ 2798 passed, 29 skipped, 0 failed (158 test files)
\\

Aegis version

Developed with: v0.3.2-alpha

[aegis-gh-agent]

❌ REQUEST CHANGES — CodeQL failing.

Code quality is excellent — all 4 fixes are correct, well-tested, and backward compatible. But CodeQL is red. Per non-negotiable rules: never merge without CI green.

Please check the CodeQL finding and either fix it or request a re-run if it's a false positive.