Add granular role grant/revoke endpoints to REST and gRPC APIs

- Add POST /v1/accounts/{id}/roles and DELETE /v1/accounts/{id}/roles/{role} REST endpoints
- Add GrantRole and RevokeRole RPCs to AccountService in gRPC API
- Update OpenAPI specification with new endpoints
- Add grant and revoke subcommands to mciasctl
- Add grant and revoke subcommands to mciasgrpcctl
- Regenerate proto files with new message types and RPCs
- Implement gRPC server methods for granular role management
- All existing tests pass; build verified with goimports
Security: Role changes are audited via EventRoleGranted and EventRoleRevoked events,
consistent with existing SetRoles implementation.

openapi.yaml

@@ -995,6 +995,76 @@ paths:
         "404":
           $ref: "#/components/responses/NotFound"
 
+    post:
+      summary: Grant a role to an account (admin)
+      description: |
+        Add a single role to an account's role set. If the role already exists,
+        this is a no-op. Roles take effect in the **next** token issued or
+        renewed; existing tokens continue to carry the roles embedded at
+        issuance time.
+      operationId: grantRole
+      tags: [Admin — Accounts]
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [role]
+              properties:
+                role:
+                  type: string
+                  example: editor
+      responses:
+        "204":
+          description: Role granted.
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "403":
+          $ref: "#/components/responses/Forbidden"
+        "404":
+          $ref: "#/components/responses/NotFound"
+
+  /v1/accounts/{id}/roles/{role}:
+    parameters:
+      - name: id
+        in: path
+        required: true
+        schema:
+          type: string
+          format: uuid
+        example: 550e8400-e29b-41d4-a716-446655440000
+      - name: role
+        in: path
+        required: true
+        schema:
+          type: string
+        example: editor
+
+    delete:
+      summary: Revoke a role from an account (admin)
+      description: |
+        Remove a single role from an account's role set. Roles take effect in
+        the **next** token issued or renewed; existing tokens continue to carry
+        the roles embedded at issuance time.
+      operationId: revokeRole
+      tags: [Admin — Accounts]
+      security:
+        - bearerAuth: []
+      responses:
+        "204":
+          description: Role revoked.
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "403":
+          $ref: "#/components/responses/Forbidden"
+        "404":
+          $ref: "#/components/responses/NotFound"
+
   /v1/accounts/{id}/pgcreds:
     parameters:
       - name: id