Harden hosted-alpha auth: gate behind Cloudflare Access + email allowlist

[spaceshipmike]

Part of #24.

Problem (from pre-tester assessment): src/knowmarks/core/auth.py:182 — login_user(email) creates a session for any existing user given only an email. No password, no magic-link proof, no one-time code. If a tester's email is known or guessed, anyone can sign in as them at https://alpha.knowmarks.app.

Recommended fix: put the whole alpha URL behind Cloudflare Access with an email allowlist of invited testers. This neutralizes the email-only-login risk entirely — Cloudflare checks identity (magic link/OTP/Google SSO of tester's choice) before requests reach knowmarks.

Implementation scope:

• Cloudflare dashboard: add Access application on alpha.knowmarks.app with allowlist identity-provider rules (email list or one-time PIN).
• Verify session cookie behavior still works behind CF Access (CF_Authorization cookie forwards to origin).
• Document CF Access setup in docs/alpha-deployment.md.
• Decide extension auth posture under CF Access (see the extension issue) — likely per-user API key with /api/v1/* routes whitelisted past CF Access via service-token header, or separate subdomain without CF Access.
• Once CF Access is live, the in-app email-only login becomes defense-in-depth; consider still replacing with magic-link as a follow-up before wider invite rollout.

Acceptance:

• Anonymous browser load of https://alpha.knowmarks.app hits CF Access challenge.
• Non-allowlisted email can't get past CF.
• Allowlisted email reaches the knowmarks login page and can redeem an invite.
• Extension save still works for an authenticated tester (details in extension issue).

[spaceshipmike]

Closing — Cloudflare Access is live in front of alpha.knowmarks.app with an email allowlist policy (currently solo-allowlisted while shaking out the auth posture; expands to testers as they're invited).

What shipped:

• Edge auth. CF Access self-hosted application on alpha.knowmarks.app, One-Time PIN identity provider, Allow policy with email allowlist Include rule. 24-hour session.
• Origin guard. KNOWMARKS_REQUIRE_CF_ACCESS=true env flag on the knowmarks container. AuthMiddleware (src/knowmarks/web/app.py) rejects requests missing the Cf-Access-Authenticated-User-Email header with a 403, except /api/health + /api/v1/health (cloudflared probe bypass). Defense-in-depth even if the origin URL leaks.
• Tests. tests/test_cf_access_guard.py — 5 cases covering guard-off pass-through, guard-on missing-header reject, health bypass, header-present pass-through, and missing-header-with-guard-off sanity.
• Runbook. docs/alpha-deployment.md rewritten with full Cloudflare Access dashboard walkthrough, env config, verify-from-the-container block, and acceptance checklist.
• Spec. §4.7 absorbed an Edge-auth paragraph; §3.7 surfaces the new env flag; §4.5 cross-references both. spec-version 6.15 → 6.16.
• Deploy cutover. NAS container rebuilt from current source on 2026-04-25 — picked up four prior commits the deployed image was missing (per-user DB routing, per-user governance cache, SSRF guard) plus today's CF Access work.

Commits: 98d55d9 (code + docs + tests), a5bcb61 (spec absorption), today's doc fix correcting the verify section (CF Access intercepts at edge — there's no anonymous public health endpoint by design; verification happens against docker exec inside the container).

Verified:

• Anonymous browser load of https://alpha.knowmarks.app lands on Cloudflare Access challenge.
• Allowlisted email reaches the knowmarks /login page.
• KNOWMARKS_REQUIRE_CF_ACCESS=true set in .env.alpha; container running with REQUIRE_CF_ACCESS=True confirmed at runtime.
• Container-internal /api/health returns 200; cloudflared sidecar healthcheck passing.
• Public-URL anonymous requests (including /api/health) get 302 to <team>.cloudflareaccess.com/cdn-cgi/access/login/....
• (deferred) Non-allowlisted email rejection — only one email on the list right now; will validate when the second tester joins.

Hand-off to #31: sideloaded extensions can't carry CF Access cookies, so the extension hits 403 against alpha.knowmarks.app/api/save with the guard on. That's the per-user-API-key + api.alpha.knowmarks.app work; testers will use the dashboard to save until that lands.

The defense-in-depth follow-up the original issue mentioned (replace email-only auth_login with magic-link) stays parked — with CF Access in front it's no longer the front door.