feat(acme): (b) HTTP-01 Webroot-Handler in der API

internal/handlers/acme.go: GET /.well-known/acme-challenge/:token
serviert Token-Files aus /var/lib/edgeguard/acme/.well-known/
acme-challenge/ (default; override via EDGEGUARD_ACME_WEBROOT).
Validiert Token-Charset gegen RFC 8555 §8.3 (base64url, 1..128
chars) und prüft mit filepath.Abs+HasPrefix gegen path-traversal.
Mounted auf der bare gin Engine vor SetupGate/RequireAuth — ACME
muss unmittelbar nach HAProxy-Start funktionieren, lange bevor
ein Admin Setup abgeschlossen hat.

4 Unit-Tests (valid/missing/dir/invalid-charset). Live-Smoke gegen
/tmp/eg-acme bestanden.

Test gegen 89.163.205.6 mit echtem certbot wird Teil von (d) —
unnötig Let's-Encrypt-Rate-Limits zu verbrennen ohne stehendes
HAProxy-Frontend auf dem Server.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/handlers/acme_test.go

@@ -0,0 +1,84 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+)
+
+func init() { gin.SetMode(gin.TestMode) }
+
+func setupACME(t *testing.T) (*gin.Engine, string) {
+	t.Helper()
+	root := t.TempDir()
+	if err := os.MkdirAll(filepath.Join(root, ".well-known", "acme-challenge"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	r := gin.New()
+	NewACMEHandler(root).Register(r)
+	return r, root
+}
+
+func TestACME_ServesExistingToken(t *testing.T) {
+	r, root := setupACME(t)
+	tokenContent := "abc123-some-key-authorisation"
+	tokenPath := filepath.Join(root, ".well-known", "acme-challenge", "tok_42")
+	if err := os.WriteFile(tokenPath, []byte(tokenContent), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	rec := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/tok_42", nil)
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status: %d, body=%s", rec.Code, rec.Body.String())
+	}
+	if rec.Body.String() != tokenContent {
+		t.Errorf("body: %q", rec.Body.String())
+	}
+}
+
+func TestACME_MissingToken_Returns404(t *testing.T) {
+	r, _ := setupACME(t)
+	rec := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/notthere", nil)
+	r.ServeHTTP(rec, req)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("status: %d", rec.Code)
+	}
+}
+
+func TestACME_RejectsTraversal(t *testing.T) {
+	// gin parses `:token` as one path segment, so `..` literally
+	// can't reach the handler — but we still want the validToken
+	// guard to reject any non-charset value defensively.
+	cases := []string{
+		"a/b",
+		"..",
+		"a%2Fb",
+		"with space",
+		"semi;colon",
+	}
+	for _, c := range cases {
+		if validToken(c) {
+			t.Errorf("validToken(%q) should be false", c)
+		}
+	}
+}
+
+func TestACME_DirIsNotAFile(t *testing.T) {
+	r, root := setupACME(t)
+	if err := os.Mkdir(filepath.Join(root, ".well-known", "acme-challenge", "subdir"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	rec := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/subdir", nil)
+	r.ServeHTTP(rec, req)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("expected 404 for directory, got %d", rec.Code)
+	}
+}