Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/mciasdb/account.go

@@ -13,7 +13,7 @@ import (
 
 func (t *tool) runAccount(args []string) {
 	if len(args) == 0 {
-		fatalf("account requires a subcommand: list, get, create, set-password, set-status, reset-totp")
+		fatalf("account requires a subcommand: list, get, create, set-password, set-status, reset-totp, reset-webauthn")
 	}
 	switch args[0] {
 	case "list":
@@ -28,6 +28,8 @@ func (t *tool) runAccount(args []string) {
 		t.accountSetStatus(args[1:])
 	case "reset-totp":
 		t.accountResetTOTP(args[1:])
+	case "reset-webauthn":
+		t.webauthnReset(args[1:])
 	default:
 		fatalf("unknown account subcommand %q", args[0])
 	}