macOS SE | Create LAA Backend: ADE enrollment flow

[cdcme]

Related user story

Parent: #37141
Depends on: #42942

Task

Wire the foundational primitives into the ADE enrollment flow, MDM command result processing, enterprise settings toggle, password retrieval API, and host detail response. This is one PR because the pieces are tightly coupled: the datastore interface is driven by the enrollment flow's needs, the ack handler and API endpoint share service-layer context, and the end-to-end integration test (enrollment → ack → view password → host detail) spans all of them.

Key implementation details:

• The AccountConfiguration plist uses passwordHash (SALTED-SHA512-PBKDF2), not plaintext. The PBKDF2 hash is computed at command creation time and embedded directly in the plist. No ExpandHostSecrets / placeholder expansion is needed.
• When both SSO and managed local account are enabled, they must be combined into a single AccountConfiguration command, not sent as two separate commands.
• When only managed local account is enabled (no SSO), AccountConfiguration is sent with AutoSetupAdminAccounts only. This is a new code path. Today AccountConfiguration is only sent when SSO is enabled.
• The plaintext password is passed to SaveHostManagedLocalAccount, which encrypts internally using ds.serverPrivateKey (same pattern as SetHostsRecoveryLockPasswords). Only the PBKDF2 hash goes to Apple.

Conditions of satisfaction

Enrollment + ack:

• ADE-enrolled macOS host with feature enabled: host_managed_local_account_passwords row with
  status = NULL after worker, status = 'verified' after MDM ack; created_managed_local_account activity logged
• AccountConfiguration plist contains passwordHash with valid SALTED-SHA512-PBKDF2 data (not plaintext)
• When both SSO and managed local account are enabled: ONE AccountConfiguration command with both PrimaryAccountFullName/UserName AND AutoSetupAdminAccounts
• When only managed local account is enabled (no SSO): AccountConfiguration sent with AutoSetupAdminAccounts only
• Feature disabled: no row, no AccountConfiguration for admin account
• Hosts enrolled before feature was enabled: no row, no command
• SSO-only AccountConfiguration ack (no matching command_uuid row): no-op, no error

Settings:

• PATCH /api/v1/fleet/setup_experience with enable_managed_local_account: true logs enabled_managed_local_account; false logs disabled_managed_local_account

API + host response:

• GET /hosts/:id/managed_local_account returns { host_id, managed_local_account: { username, password, updated_at } } when status = 'verified'
• Returns 404 when no record exists
• Returns error for non-darwin hosts
• viewed_managed_local_account activity logged on success
• Host detail JSON response includes mdm.os_settings.managed_local_account.{status, password_available} for darwin hosts
• password_available is true only when status = 'verified', false when pending or failed

End-to-end integration test:

• Enable feature → ADE enroll → ack → GET /hosts/:id/managed_local_account returns password → host detail shows status: "verified", password_available: true
• MYSQL_TEST=1 REDIS_TEST=1 go test ./server/service/... ./server/worker/... passes