Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

proto/mcias/v1/auth.proto

@@ -75,6 +75,40 @@ message RemoveTOTPRequest {
 // RemoveTOTPResponse confirms removal.
 message RemoveTOTPResponse {}
 
+// --- WebAuthn ---
+
+// ListWebAuthnCredentialsRequest lists metadata for an account's WebAuthn credentials.
+message ListWebAuthnCredentialsRequest {
+  string account_id = 1;  // UUID
+}
+
+// WebAuthnCredentialInfo holds metadata about a stored WebAuthn credential.
+// Credential material (IDs, public keys) is never included.
+message WebAuthnCredentialInfo {
+  int64  id           = 1;
+  string name         = 2;
+  string aaguid       = 3;
+  uint32 sign_count   = 4;
+  bool   discoverable = 5;
+  string transports   = 6;
+  google.protobuf.Timestamp created_at  = 7;
+  google.protobuf.Timestamp last_used_at = 8;
+}
+
+// ListWebAuthnCredentialsResponse returns credential metadata.
+message ListWebAuthnCredentialsResponse {
+  repeated WebAuthnCredentialInfo credentials = 1;
+}
+
+// RemoveWebAuthnCredentialRequest removes a specific WebAuthn credential (admin).
+message RemoveWebAuthnCredentialRequest {
+  string account_id    = 1;  // UUID
+  int64  credential_id = 2;
+}
+
+// RemoveWebAuthnCredentialResponse confirms removal.
+message RemoveWebAuthnCredentialResponse {}
+
 // AuthService handles all authentication flows.
 service AuthService {
   // Login authenticates with username+password (+optional TOTP) and returns a JWT.
@@ -100,4 +134,12 @@ service AuthService {
   // RemoveTOTP removes TOTP from an account (admin only).
   // Requires: admin JWT in metadata.
   rpc RemoveTOTP(RemoveTOTPRequest) returns (RemoveTOTPResponse);
+
+  // ListWebAuthnCredentials returns metadata for an account's WebAuthn credentials.
+  // Requires: admin JWT in metadata.
+  rpc ListWebAuthnCredentials(ListWebAuthnCredentialsRequest) returns (ListWebAuthnCredentialsResponse);
+
+  // RemoveWebAuthnCredential removes a specific WebAuthn credential.
+  // Requires: admin JWT in metadata.
+  rpc RemoveWebAuthnCredential(RemoveWebAuthnCredentialRequest) returns (RemoveWebAuthnCredentialResponse);
 }