Add granular role grant/revoke endpoints to REST and gRPC APIs

- Add POST /v1/accounts/{id}/roles and DELETE /v1/accounts/{id}/roles/{role} REST endpoints
- Add GrantRole and RevokeRole RPCs to AccountService in gRPC API
- Update OpenAPI specification with new endpoints
- Add grant and revoke subcommands to mciasctl
- Add grant and revoke subcommands to mciasgrpcctl
- Regenerate proto files with new message types and RPCs
- Implement gRPC server methods for granular role management
- All existing tests pass; build verified with goimports
Security: Role changes are audited via EventRoleGranted and EventRoleRevoked events,
consistent with existing SetRoles implementation.
2026-03-12 20:55:49 -07:00
parent 7ede54afb2
commit 4114d087ce
8 changed files with 645 additions and 47 deletions


@@ -78,6 +78,24 @@ message SetRolesRequest {
// SetRolesResponse confirms the update.
message SetRolesResponse {}
// GrantRoleRequest adds a single role to an account.
message GrantRoleRequest {
string id = 1; // UUID
string role = 2; // role name
}
// GrantRoleResponse confirms the grant.
message GrantRoleResponse {}
// RevokeRoleRequest removes a single role from an account.
message RevokeRoleRequest {
string id = 1; // UUID
string role = 2; // role name
}
// RevokeRoleResponse confirms the revocation.
message RevokeRoleResponse {}
// AccountService manages accounts and roles. All RPCs require admin role.
service AccountService {
rpc ListAccounts(ListAccountsRequest) returns (ListAccountsResponse);
@@ -87,6 +105,8 @@ service AccountService {
rpc DeleteAccount(DeleteAccountRequest) returns (DeleteAccountResponse);
rpc GetRoles(GetRolesRequest) returns (GetRolesResponse);
rpc SetRoles(SetRolesRequest) returns (SetRolesResponse);
rpc GrantRole(GrantRoleRequest) returns (GrantRoleResponse);
rpc RevokeRole(RevokeRoleRequest) returns (RevokeRoleResponse);
}
// --- PG credentials ---
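Review bot: The `role` field on GrantRoleRequest and RevokeRoleRequest in the first hunk (@@ -78,6 +78,24 @@) is documented only as `// role name`, which leaves the validation and idempotence contract undefined for callers; with proto3 implicit presence an omitted `role` arrives as an empty string, so the comment should state how the server treats an empty or unknown role name and whether granting an already-held role or revoking an absent one succeeds or errors. I would change the two field comments to `string role = 2; // role name; must be non-empty and a role known to the server` and add a line such as `// Granting a role the account already holds is a no-op.` above GrantRoleRequest (with the matching statement on RevokeRoleRequest), once that matches the server behaviour, which is implemented outside this hunk and not visible here. The commit description says grants and revocations are audited via EventRoleGranted and EventRoleRevoked; stating that in the message comments would help callers understand what these RPCs leave behind. The second hunk only wires the two RPCs into AccountService and needs no change beyond the existing "All RPCs require admin role" comment.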