Implement Phase 7: gRPC dual-stack interface

- proto/mcias/v1/: AdminService, AuthService, TokenService,
  AccountService, CredentialService; generated Go stubs in gen/
- internal/grpcserver: full handler implementations sharing all
  business logic (auth, token, db, crypto) with REST server;
  interceptor chain: logging -> auth (JWT alg-first + revocation) ->
  rate-limit (token bucket, 10 req/s, burst 10, per-IP)
- internal/config: optional grpc_addr field in [server] section
- cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr
  when configured; graceful shutdown of both servers in 15s window
- cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands
  (health, pubkey, account, role, token, pgcreds) using TLS with
  optional custom CA cert
- internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering
  public RPCs, auth interceptor (no token, invalid, revoked -> 401),
  non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows,
  AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip,
  credential fields absent from all responses
Security:
  JWT validation path identical to REST: alg header checked before
  signature, alg:none rejected, revocation table checked after sig.
  Authorization metadata value never logged by any interceptor.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from
  all proto response messages — enforced by proto design and confirmed
  by test TestCredentialFieldsAbsentFromAccountResponse.
  Login dummy-Argon2 timing guard preserves timing uniformity for
  unknown users (same as REST handleLogin).
  TLS required at listener level; cmd/mciassrv uses
  credentials.NewServerTLSFromFile; no h2c offered.
137 tests pass, zero race conditions (go test -race ./...)

cmd/mciasdb/account.go

@@ -0,0 +1,251 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+
+	"git.wntrmute.dev/kyle/mcias/internal/auth"
+	"git.wntrmute.dev/kyle/mcias/internal/model"
+	"golang.org/x/term"
+)
+
+func (t *tool) runAccount(args []string) {
+	if len(args) == 0 {
+		fatalf("account requires a subcommand: list, get, create, set-password, set-status, reset-totp")
+	}
+	switch args[0] {
+	case "list":
+		t.accountList()
+	case "get":
+		t.accountGet(args[1:])
+	case "create":
+		t.accountCreate(args[1:])
+	case "set-password":
+		t.accountSetPassword(args[1:])
+	case "set-status":
+		t.accountSetStatus(args[1:])
+	case "reset-totp":
+		t.accountResetTOTP(args[1:])
+	default:
+		fatalf("unknown account subcommand %q", args[0])
+	}
+}
+
+func (t *tool) accountList() {
+	accounts, err := t.db.ListAccounts()
+	if err != nil {
+		fatalf("list accounts: %v", err)
+	}
+	if len(accounts) == 0 {
+		fmt.Println("no accounts found")
+		return
+	}
+	fmt.Printf("%-36s  %-20s  %-8s  %-10s\n", "UUID", "USERNAME", "TYPE", "STATUS")
+	fmt.Println(strings.Repeat("-", 80))
+	for _, a := range accounts {
+		fmt.Printf("%-36s  %-20s  %-8s  %-10s\n",
+			a.UUID, a.Username, string(a.AccountType), string(a.Status))
+	}
+}
+
+func (t *tool) accountGet(args []string) {
+	fs := flag.NewFlagSet("account get", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("account get: --id is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	fmt.Printf("UUID:          %s\n", a.UUID)
+	fmt.Printf("Username:      %s\n", a.Username)
+	fmt.Printf("Type:          %s\n", a.AccountType)
+	fmt.Printf("Status:        %s\n", a.Status)
+	fmt.Printf("TOTP required: %v\n", a.TOTPRequired)
+	fmt.Printf("Created:       %s\n", a.CreatedAt.Format("2006-01-02T15:04:05Z"))
+	fmt.Printf("Updated:       %s\n", a.UpdatedAt.Format("2006-01-02T15:04:05Z"))
+	if a.DeletedAt != nil {
+		fmt.Printf("Deleted:       %s\n", a.DeletedAt.Format("2006-01-02T15:04:05Z"))
+	}
+}
+
+func (t *tool) accountCreate(args []string) {
+	fs := flag.NewFlagSet("account create", flag.ExitOnError)
+	username := fs.String("username", "", "username (required)")
+	accountType := fs.String("type", "human", "account type: human or system")
+	_ = fs.Parse(args)
+
+	if *username == "" {
+		fatalf("account create: --username is required")
+	}
+	if *accountType != "human" && *accountType != "system" {
+		fatalf("account create: --type must be human or system")
+	}
+
+	atype := model.AccountType(*accountType)
+	a, err := t.db.CreateAccount(*username, atype, "")
+	if err != nil {
+		fatalf("create account: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("account_created", nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","username":%q}`, *username)); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("created account %s (UUID: %s)\n", *username, a.UUID)
+}
+
+// accountSetPassword prompts twice for a new password, hashes it with
+// Argon2id, and updates the account's password_hash column.
+//
+// Security: No --password flag is provided; passwords must be entered
+// interactively so they never appear in shell history or process listings.
+// The password is hashed with Argon2id using OWASP-compliant parameters before
+// any database write.
+func (t *tool) accountSetPassword(args []string) {
+	fs := flag.NewFlagSet("account set-password", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("account set-password: --id is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	fmt.Printf("Setting password for account %s (%s)\n", a.Username, a.UUID)
+
+	password, err := readPassword("New password: ")
+	if err != nil {
+		fatalf("read password: %v", err)
+	}
+	confirm, err := readPassword("Confirm password: ")
+	if err != nil {
+		fatalf("read confirm: %v", err)
+	}
+	if password != confirm {
+		fatalf("passwords do not match")
+	}
+	if password == "" {
+		fatalf("password must not be empty")
+	}
+
+	hash, err := auth.HashPassword(password, auth.DefaultArgonParams())
+	if err != nil {
+		fatalf("hash password: %v", err)
+	}
+
+	if err := t.db.UpdatePasswordHash(a.ID, hash); err != nil {
+		fatalf("update password hash: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("account_updated", nil, &a.ID, "", `{"actor":"mciasdb","action":"set_password"}`); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("password updated for account %s\n", a.Username)
+}
+
+func (t *tool) accountSetStatus(args []string) {
+	fs := flag.NewFlagSet("account set-status", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	status := fs.String("status", "", "new status: active, inactive, or deleted (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("account set-status: --id is required")
+	}
+	if *status == "" {
+		fatalf("account set-status: --status is required")
+	}
+
+	var newStatus model.AccountStatus
+	switch *status {
+	case "active":
+		newStatus = model.AccountStatusActive
+	case "inactive":
+		newStatus = model.AccountStatusInactive
+	case "deleted":
+		newStatus = model.AccountStatusDeleted
+	default:
+		fatalf("account set-status: --status must be active, inactive, or deleted")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	if err := t.db.UpdateAccountStatus(a.ID, newStatus); err != nil {
+		fatalf("update account status: %v", err)
+	}
+
+	eventType := "account_updated"
+	if newStatus == model.AccountStatusDeleted {
+		eventType = "account_deleted"
+	}
+	if err := t.db.WriteAuditEvent(eventType, nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","status":%q}`, *status)); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("account %s status set to %s\n", a.Username, *status)
+}
+
+// accountResetTOTP clears TOTP fields for the account, disabling the
+// TOTP requirement. This is a break-glass operation for locked-out users.
+func (t *tool) accountResetTOTP(args []string) {
+	fs := flag.NewFlagSet("account reset-totp", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("account reset-totp: --id is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	if err := t.db.ClearTOTP(a.ID); err != nil {
+		fatalf("clear TOTP: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("totp_removed", nil, &a.ID, "", `{"actor":"mciasdb","action":"reset_totp"}`); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("TOTP cleared for account %s\n", a.Username)
+}
+
+// readPassword reads a password from the terminal without echo.
+// Falls back to a regular line read if stdin is not a terminal (e.g. in tests).
+func readPassword(prompt string) (string, error) {
+	fmt.Fprint(os.Stderr, prompt)
+	fd := int(os.Stdin.Fd()) //nolint:gosec // G115: file descriptors are non-negative and fit in int on all supported platforms
+	if term.IsTerminal(fd) {
+		pw, err := term.ReadPassword(fd)
+		fmt.Fprintln(os.Stderr) // newline after hidden input
+		if err != nil {
+			return "", fmt.Errorf("read password from terminal: %w", err)
+		}
+		return string(pw), nil
+	}
+	// Not a terminal: read a plain line (for piped input in tests).
+	var line string
+	_, err := fmt.Fscanln(os.Stdin, &line)
+	if err != nil {
+		return "", fmt.Errorf("read password: %w", err)
+	}
+	return line, nil
+}