Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/webauthn/adapter_test.go

@@ -0,0 +1,75 @@
+package webauthn
+
+import (
+	"testing"
+
+	libwebauthn "github.com/go-webauthn/webauthn/webauthn"
+
+	"git.wntrmute.dev/kyle/mcias/internal/config"
+)
+
+func TestNewWebAuthn(t *testing.T) {
+	cfg := &config.WebAuthnConfig{
+		RPID:        "example.com",
+		RPOrigin:    "https://example.com",
+		DisplayName: "Test App",
+	}
+	wa, err := NewWebAuthn(cfg)
+	if err != nil {
+		t.Fatalf("NewWebAuthn: %v", err)
+	}
+	if wa == nil {
+		t.Fatal("expected non-nil WebAuthn instance")
+	}
+}
+
+func TestNewWebAuthnMissingFields(t *testing.T) {
+	_, err := NewWebAuthn(&config.WebAuthnConfig{})
+	if err == nil {
+		t.Error("expected error for empty config")
+	}
+
+	_, err = NewWebAuthn(&config.WebAuthnConfig{RPID: "example.com"})
+	if err == nil {
+		t.Error("expected error for missing RPOrigin")
+	}
+}
+
+func TestNewWebAuthnDefaultDisplayName(t *testing.T) {
+	cfg := &config.WebAuthnConfig{
+		RPID:     "example.com",
+		RPOrigin: "https://example.com",
+	}
+	wa, err := NewWebAuthn(cfg)
+	if err != nil {
+		t.Fatalf("NewWebAuthn: %v", err)
+	}
+	if wa == nil {
+		t.Fatal("expected non-nil WebAuthn instance")
+	}
+}
+
+func TestAccountUserInterface(t *testing.T) {
+	uuidBytes := []byte("12345678-1234-1234-1234-123456789abc")
+	creds := []libwebauthn.Credential{
+		{ID: []byte("cred1")},
+		{ID: []byte("cred2")},
+	}
+	user := NewAccountUser(uuidBytes, "alice", creds)
+
+	// Verify interface compliance.
+	var _ libwebauthn.User = user
+
+	if string(user.WebAuthnID()) != string(uuidBytes) {
+		t.Error("WebAuthnID mismatch")
+	}
+	if user.WebAuthnName() != "alice" {
+		t.Errorf("WebAuthnName = %q, want %q", user.WebAuthnName(), "alice")
+	}
+	if user.WebAuthnDisplayName() != "alice" {
+		t.Errorf("WebAuthnDisplayName = %q, want %q", user.WebAuthnDisplayName(), "alice")
+	}
+	if len(user.WebAuthnCredentials()) != 2 {
+		t.Errorf("WebAuthnCredentials len = %d, want 2", len(user.WebAuthnCredentials()))
+	}
+}