Harden deployment and fix PEN-01

- Fix Bearer token extraction to validate prefix (PEN-01)
- Add TestExtractBearerFromRequest covering PEN-01 edge cases
- Fix flaky TestRenewToken timing (2s → 4s lifetime)
- Move default config/install paths to /srv/mcias
- Add RUNBOOK.md for operational procedures
- Update AUDIT.md with penetration test round 4

Security: extractBearerFromRequest now uses case-insensitive prefix
validation instead of fixed-offset slicing, rejecting non-Bearer
Authorization schemes that were previously accepted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/mciasdb/main.go

@@ -9,7 +9,7 @@
 //
 // Usage:
 //
-//	mciasdb --config /etc/mcias/mcias.toml <command> [subcommand] [flags]
+//	mciasdb --config /srv/mcias/mcias.toml <command> [subcommand] [flags]
 //
 // Commands:
 //
@@ -53,7 +53,7 @@ import (
 )
 
 func main() {
-	configPath := flag.String("config", "mcias.toml", "path to TOML configuration file")
+	configPath := flag.String("config", "/srv/mcias/mcias.toml", "path to TOML configuration file")
 	flag.Usage = usage
 	flag.Parse()