
Spike: Hash out Secrets Management and Provisioning Flows in Console + RPC-Go to Support Cloud Deployment #666

@graikhel-intel

Description

Extend Console and RPC-Go to deliver cloud-ready secrets management and provisioning/profile flows using a new security model: store only the master encryption key in Vault/KMS, and store all other secrets encrypted-at-rest in the Console DB.
Enable RPC-Go to complete activation and secret transfer directly with Console (no RPS dependency) while minimizing expensive Vault/KMS calls.

Scope / Requirements

1) Secrets Management:

- Vault/KMS stores only the master encryption key.
- Console DB stores all other secrets encrypted with this key.
- Stored in Vault/KMS (initial secrets):
    - DB connection string
    - Sensitive OAuth client values
    - JWT signing key / password
    - Encryption key (master)

- Stored encrypted in DB:
    - MPS credentials
    - AMT & MEBx credentials
    - Wi-Fi profile secrets
    - Any other device-specific provisioning data

2) Provisioning & Profile Retrieval Flow (Combined):

- Provisioning cert handling:
    - Evaluate private-key-less provisioning: include nonce + signing data in GET /profile so RPC-Go can generate the activation signature without receiving the private key.
    - If not feasible, define a separate secure API for provisioning certificate key upload/usage.

- AMT UUID association:
    - Console must know the AMT device UUID to bind MPS credentials and validate AMT connections (e.g., CIRA).

- Secrets exchange:
    - If private-key-less is insufficient, RPC-Go POSTs final provisioning details & generated secrets (AMT creds, Wi-Fi secrets, provisioning cert refs) to Console at end of local provisioning.
    - Ensure deterministic, replay-safe behavior and compatibility with RPC-Go activation semantics.

3) Multi-Tenant Scenarios (High-Level Brainstorm):

- Tenant Identification & Routing (Middleware): resolve tenant via JWT claims
- Per-tenant Data Keys (DEKs)
- DB Schema Changes (Minimum): add tenant_id to multi-tenant tables; composite uniques (e.g., (tenant_id, device_uuid)); backfill default tenant; indexes for (tenant_id, device_uuid).

Create Acceptance Criteria based on this Spike story for the implementation story
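The secrets model in sections 1 and 3 (master key only in Vault/KMS, everything else encrypted at rest in the Console DB, per-tenant DEKs, a composite (tenant_id, device_uuid) key), worked through as an added Go example. This is not Console or RPC-Go code: `KMS` is a stand-in for Vault/KMS that only wraps and unwraps data keys, `SecretStore` stands in for the DB tables, and the envelope layout (AES-256-GCM, nonce || ciphertext || tag, with the row key as AAD) and the names `RowKey`, `Put`, `Get`, `WrapDEK`, `UnwrapDEK` are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aead builds AES-256-GCM; key sizes are fixed in this example, so failure is a programming error.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// sealGCM returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func sealGCM(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

func openGCM(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KMS stands in for Vault/KMS (example only): the master key never leaves it; Calls counts round trips.
type KMS struct {
	kek   []byte
	Calls int
}

func NewKMS() *KMS                                   { return &KMS{kek: randBytes(32)} }
func (k *KMS) WrapDEK(dek []byte) []byte             { k.Calls++; return sealGCM(k.kek, dek, []byte("dek-v1")) }
func (k *KMS) UnwrapDEK(blob []byte) ([]byte, error) { k.Calls++; return openGCM(k.kek, blob, []byte("dek-v1")) }

// RowKey mirrors the proposed (tenant_id, device_uuid) key plus a field name and doubles as the GCM AAD,
// so a ciphertext copied into another tenant's or device's row refuses to open.
type RowKey struct{ Tenant, Device, Field string }

func (r RowKey) aad() []byte { return []byte(r.Tenant + "\x00" + r.Device + "\x00" + r.Field) }

// SecretStore models the Console DB side: WrappedDEK and Rows would be persisted; dekCache is memory only.
type SecretStore struct {
	kms        *KMS
	WrappedDEK map[string][]byte // tenant_id -> DEK wrapped by the master key
	Rows       map[RowKey][]byte // encrypted secrets (AMT/MEBx creds, Wi-Fi PSKs, ...)
	dekCache   map[string][]byte
}

func NewSecretStore(kms *KMS) *SecretStore {
	return &SecretStore{kms: kms, WrappedDEK: map[string][]byte{}, Rows: map[RowKey][]byte{}, dekCache: map[string][]byte{}}
}

// dek reaches the KMS once per tenant per process: a wrap for a new tenant, an unwrap after a restart,
// and never on the steady-state path.
func (s *SecretStore) dek(tenant string) ([]byte, error) {
	if d, ok := s.dekCache[tenant]; ok {
		return d, nil
	}
	w, ok := s.WrappedDEK[tenant]
	if !ok {
		d := randBytes(32)
		s.WrappedDEK[tenant] = s.kms.WrapDEK(d)
		s.dekCache[tenant] = d
		return d, nil
	}
	d, err := s.kms.UnwrapDEK(w)
	if err != nil {
		return nil, err
	}
	s.dekCache[tenant] = d
	return d, nil
}

func (s *SecretStore) Put(k RowKey, secret []byte) error {
	d, err := s.dek(k.Tenant)
	if err == nil {
		s.Rows[k] = sealGCM(d, secret, k.aad())
	}
	return err
}

func (s *SecretStore) Get(k RowKey) ([]byte, error) {
	ct, ok := s.Rows[k]
	if !ok {
		return nil, errors.New("no such secret")
	}
	d, err := s.dek(k.Tenant)
	if err != nil {
		return nil, err
	}
	return openGCM(d, ct, k.aad())
}
```

Two properties worth carrying into the acceptance criteria follow from this shape: the KMS is touched once per tenant per process (a wrap at tenant creation, an unwrap after restart), not once per secret; and because the row key is authenticated as AAD, a ciphertext that is moved between rows, whether by a bug in a migration or by someone with write access to the DB, fails to decrypt rather than silently binding one device's credentials to another. Key rotation (re-wrapping each tenant's DEK under a new master key without re-encrypting rows) is left out here but is the usual reason to keep the two layers separate.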
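On the private-key-less option in section 2: the activation signature is an RSA signature over the nonces, so it cannot be produced on the device without the provisioning certificate's private key. The workable reading of "nonce + signing data without the private key" is therefore a Console-side signing step that RPC-Go calls with the AMT firmware nonce and its own client nonce, getting back only the signature. The exchange below is an added Go example of that split, not Console or RPC-Go code; `ProvisioningSigner`, `Sign`, `VerifyActivation` and `NewClientNonce` are names of this example, and the 20-byte nonce length, the fwNonce || clientNonce hash order and RSA PKCS#1 v1.5 with SHA-256 are assumed here to match what RPC-Go does for ACM activation and should be checked against the RPC-Go source before being written into acceptance criteria.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const nonceLen = 20 // assumed AMT firmware/client nonce size for this example

// ProvisioningSigner is the Console-side holder of the provisioning certificate's
// private key. It never hands the key out: it returns signatures over caller-supplied
// nonces and refuses to sign the same client nonce twice (replay guard).
type ProvisioningSigner struct {
	key  *rsa.PrivateKey
	seen map[string]bool // in a real service this is a DB table with a unique index
}

func NewProvisioningSigner(bits int) (*ProvisioningSigner, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &ProvisioningSigner{key: key, seen: map[string]bool{}}, nil
}

// ActivationDigest is SHA-256 over fwNonce || clientNonce (order assumed, see lead-in).
func ActivationDigest(fwNonce, clientNonce []byte) []byte {
	h := sha256.New()
	h.Write(fwNonce)
	h.Write(clientNonce)
	return h.Sum(nil)
}

// Sign is what a dedicated signing endpoint would do: validate, record, sign.
func (p *ProvisioningSigner) Sign(fwNonce, clientNonce []byte) ([]byte, error) {
	if len(fwNonce) != nonceLen || len(clientNonce) != nonceLen {
		return nil, errors.New("nonces must be 20 bytes")
	}
	if p.seen[string(clientNonce)] {
		return nil, errors.New("client nonce already used")
	}
	p.seen[string(clientNonce)] = true
	return rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, ActivationDigest(fwNonce, clientNonce))
}

// PublicKeyDER is the leaf public key as RPC-Go would already hold it from the profile's cert chain.
func (p *ProvisioningSigner) PublicKeyDER() []byte { return x509.MarshalPKCS1PublicKey(&p.key.PublicKey) }

// VerifyActivation is the RPC-Go side: check the returned signature against the public
// key it holds before handing it to AMT, so a bad or swapped signature fails locally.
func VerifyActivation(pubDER, fwNonce, clientNonce, sig []byte) error {
	pub, err := x509.ParsePKCS1PublicKey(pubDER)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, ActivationDigest(fwNonce, clientNonce), sig)
}

// NewClientNonce is RPC-Go's fresh per-activation nonce.
func NewClientNonce() ([]byte, error) {
	n := make([]byte, nonceLen)
	_, err := rand.Read(n)
	return n, err
}

func main() {
	console, _ := NewProvisioningSigner(2048)
	fwNonce := bytes.Repeat([]byte{0xA5}, nonceLen) // constructed stand-in for the nonce AMT returns
	clientNonce, _ := NewClientNonce()
	sig, err := console.Sign(fwNonce, clientNonce)
	fmt.Println("signed:", err == nil, "verifies:", VerifyActivation(console.PublicKeyDER(), fwNonce, clientNonce, sig) == nil)
	_, err = console.Sign(fwNonce, clientNonce)
	fmt.Println("replay refused:", err != nil)
}
```

The point for the spike is the threat model, not the crypto: the device still has to be the one talking to AMT, so Console only learns the nonces and never sees the AMT password, while RPC-Go never sees the private key. Binding the signing call to the device's AMT UUID and to an authenticated RPC-Go session, plus the one-time client nonce above, is what keeps the endpoint from becoming a signing oracle.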

Metadata

Labels

No labels

Projects

Status

In Progress

Status

Q4 2025 (Current)

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
