Implement Phase 7: gRPC dual-stack interface

- proto/mcias/v1/: AdminService, AuthService, TokenService,
  AccountService, CredentialService; generated Go stubs in gen/
- internal/grpcserver: full handler implementations sharing all
  business logic (auth, token, db, crypto) with REST server;
  interceptor chain: logging -> auth (JWT alg-first + revocation) ->
  rate-limit (token bucket, 10 req/s, burst 10, per-IP)
- internal/config: optional grpc_addr field in [server] section
- cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr
  when configured; graceful shutdown of both servers in 15s window
- cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands
  (health, pubkey, account, role, token, pgcreds) using TLS with
  optional custom CA cert
- internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering
  public RPCs, auth interceptor (no token, invalid, revoked -> 401),
  non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows,
  AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip,
  credential fields absent from all responses
Security:
  JWT validation path identical to REST: alg header checked before
  signature, alg:none rejected, revocation table checked after sig.
  Authorization metadata value never logged by any interceptor.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from
  all proto response messages — enforced by proto design and confirmed
  by test TestCredentialFieldsAbsentFromAccountResponse.
  Login dummy-Argon2 timing guard preserves timing uniformity for
  unknown users (same as REST handleLogin).
  TLS required at listener level; cmd/mciassrv uses
  credentials.NewServerTLSFromFile; no h2c offered.
137 tests pass, zero race conditions (go test -race ./...)

internal/grpcserver/credentialservice.go

@@ -0,0 +1,107 @@
+// credentialServiceServer implements mciasv1.CredentialServiceServer.
+// All RPCs require admin role.
+package grpcserver
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"git.wntrmute.dev/kyle/mcias/internal/crypto"
+	"git.wntrmute.dev/kyle/mcias/internal/db"
+	"git.wntrmute.dev/kyle/mcias/internal/model"
+	mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1"
+)
+
+type credentialServiceServer struct {
+	mciasv1.UnimplementedCredentialServiceServer
+	s *Server
+}
+
+// GetPGCreds decrypts and returns Postgres credentials. Admin only.
+// Security: the password field is decrypted and returned; this constitutes
+// a sensitive operation. The audit log records the access.
+func (c *credentialServiceServer) GetPGCreds(ctx context.Context, req *mciasv1.GetPGCredsRequest) (*mciasv1.GetPGCredsResponse, error) {
+	if err := c.s.requireAdmin(ctx); err != nil {
+		return nil, err
+	}
+	if req.Id == "" {
+		return nil, status.Error(codes.InvalidArgument, "id is required")
+	}
+	acct, err := c.s.db.GetAccountByUUID(req.Id)
+	if err != nil {
+		if err == db.ErrNotFound {
+			return nil, status.Error(codes.NotFound, "account not found")
+		}
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+
+	cred, err := c.s.db.ReadPGCredentials(acct.ID)
+	if err != nil {
+		if err == db.ErrNotFound {
+			return nil, status.Error(codes.NotFound, "no credentials stored")
+		}
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+
+	// Decrypt the password for admin retrieval.
+	password, err := crypto.OpenAESGCM(c.s.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
+	if err != nil {
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+
+	c.s.db.WriteAuditEvent(model.EventPGCredAccessed, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
+
+	return &mciasv1.GetPGCredsResponse{
+		Creds: &mciasv1.PGCreds{
+			Host:     cred.PGHost,
+			Database: cred.PGDatabase,
+			Username: cred.PGUsername,
+			Password: string(password), // security: returned only on explicit admin request
+			Port:     int32(cred.PGPort),
+		},
+	}, nil
+}
+
+// SetPGCreds stores Postgres credentials for an account. Admin only.
+func (c *credentialServiceServer) SetPGCreds(ctx context.Context, req *mciasv1.SetPGCredsRequest) (*mciasv1.SetPGCredsResponse, error) {
+	if err := c.s.requireAdmin(ctx); err != nil {
+		return nil, err
+	}
+	if req.Id == "" {
+		return nil, status.Error(codes.InvalidArgument, "id is required")
+	}
+	if req.Creds == nil {
+		return nil, status.Error(codes.InvalidArgument, "creds is required")
+	}
+
+	cr := req.Creds
+	if cr.Host == "" || cr.Database == "" || cr.Username == "" || cr.Password == "" {
+		return nil, status.Error(codes.InvalidArgument, "host, database, username, and password are required")
+	}
+	port := int(cr.Port)
+	if port == 0 {
+		port = 5432
+	}
+
+	acct, err := c.s.db.GetAccountByUUID(req.Id)
+	if err != nil {
+		if err == db.ErrNotFound {
+			return nil, status.Error(codes.NotFound, "account not found")
+		}
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+
+	enc, nonce, err := crypto.SealAESGCM(c.s.masterKey, []byte(cr.Password))
+	if err != nil {
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+
+	if err := c.s.db.WritePGCredentials(acct.ID, cr.Host, port, cr.Database, cr.Username, enc, nonce); err != nil {
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+
+	c.s.db.WriteAuditEvent(model.EventPGCredUpdated, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
+	return &mciasv1.SetPGCredsResponse{}, nil
+}