Implement Phase 7: gRPC dual-stack interface

- proto/mcias/v1/: AdminService, AuthService, TokenService,
  AccountService, CredentialService; generated Go stubs in gen/
- internal/grpcserver: full handler implementations sharing all
  business logic (auth, token, db, crypto) with REST server;
  interceptor chain: logging -> auth (JWT alg-first + revocation) ->
  rate-limit (token bucket, 10 req/s, burst 10, per-IP)
- internal/config: optional grpc_addr field in [server] section
- cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr
  when configured; graceful shutdown of both servers in 15s window
- cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands
  (health, pubkey, account, role, token, pgcreds) using TLS with
  optional custom CA cert
- internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering
  public RPCs, auth interceptor (no token, invalid, revoked -> 401),
  non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows,
  AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip,
  credential fields absent from all responses
Security:
  JWT validation path identical to REST: alg header checked before
  signature, alg:none rejected, revocation table checked after sig.
  Authorization metadata value never logged by any interceptor.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from
  all proto response messages — enforced by proto design and confirmed
  by test TestCredentialFieldsAbsentFromAccountResponse.
  Login dummy-Argon2 timing guard preserves timing uniformity for
  unknown users (same as REST handleLogin).
  TLS required at listener level; cmd/mciassrv uses
  credentials.NewServerTLSFromFile; no h2c offered.
137 tests pass, zero race conditions (go test -race ./...)

proto/generate.go

@@ -0,0 +1,10 @@
+// Package proto contains the protobuf source definitions for MCIAS.
+//
+// To regenerate Go stubs after editing .proto files:
+//
+//	go generate ./proto/...
+//
+// Prerequisites: protoc, protoc-gen-go, protoc-gen-go-grpc must be in PATH.
+//
+//go:generate protoc --proto_path=../proto --go_out=../gen --go_opt=paths=source_relative --go-grpc_out=../gen --go-grpc_opt=paths=source_relative mcias/v1/common.proto mcias/v1/admin.proto mcias/v1/auth.proto mcias/v1/token.proto mcias/v1/account.proto
+package proto

proto/mcias/v1/account.proto

@@ -0,0 +1,119 @@
+// AccountService: account and role CRUD. All RPCs require admin role.
+// CredentialService: Postgres credential management.
+syntax = "proto3";
+
+package mcias.v1;
+
+option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
+
+import "mcias/v1/common.proto";
+
+// --- Account CRUD ---
+
+// ListAccountsRequest carries no parameters.
+message ListAccountsRequest {}
+
+// ListAccountsResponse returns all accounts. Credential fields are absent.
+message ListAccountsResponse {
+  repeated Account accounts = 1;
+}
+
+// CreateAccountRequest specifies a new account to create.
+message CreateAccountRequest {
+  string username     = 1;
+  string password     = 2;  // required for human accounts; security: never logged
+  string account_type = 3;  // "human" or "system"
+}
+
+// CreateAccountResponse returns the created account record.
+message CreateAccountResponse {
+  Account account = 1;
+}
+
+// GetAccountRequest identifies an account by UUID.
+message GetAccountRequest {
+  string id = 1;  // UUID
+}
+
+// GetAccountResponse returns the account record.
+message GetAccountResponse {
+  Account account = 1;
+}
+
+// UpdateAccountRequest updates mutable fields. Only non-empty fields are applied.
+message UpdateAccountRequest {
+  string id     = 1;  // UUID
+  string status = 2;  // "active" or "inactive" (omit to leave unchanged)
+}
+
+// UpdateAccountResponse confirms the update.
+message UpdateAccountResponse {}
+
+// DeleteAccountRequest soft-deletes an account and revokes its tokens.
+message DeleteAccountRequest {
+  string id = 1;  // UUID
+}
+
+// DeleteAccountResponse confirms deletion.
+message DeleteAccountResponse {}
+
+// --- Role management ---
+
+// GetRolesRequest identifies an account by UUID.
+message GetRolesRequest {
+  string id = 1;  // UUID
+}
+
+// GetRolesResponse lists the current roles.
+message GetRolesResponse {
+  repeated string roles = 1;
+}
+
+// SetRolesRequest replaces the role set for an account.
+message SetRolesRequest {
+  string          id    = 1;  // UUID
+  repeated string roles = 2;
+}
+
+// SetRolesResponse confirms the update.
+message SetRolesResponse {}
+
+// AccountService manages accounts and roles. All RPCs require admin role.
+service AccountService {
+  rpc ListAccounts(ListAccountsRequest)     returns (ListAccountsResponse);
+  rpc CreateAccount(CreateAccountRequest)   returns (CreateAccountResponse);
+  rpc GetAccount(GetAccountRequest)         returns (GetAccountResponse);
+  rpc UpdateAccount(UpdateAccountRequest)   returns (UpdateAccountResponse);
+  rpc DeleteAccount(DeleteAccountRequest)   returns (DeleteAccountResponse);
+  rpc GetRoles(GetRolesRequest)             returns (GetRolesResponse);
+  rpc SetRoles(SetRolesRequest)             returns (SetRolesResponse);
+}
+
+// --- PG credentials ---
+
+// GetPGCredsRequest identifies an account by UUID.
+message GetPGCredsRequest {
+  string id = 1;  // UUID
+}
+
+// GetPGCredsResponse returns decrypted Postgres credentials.
+// Security: password is present only in this response; never in list output.
+message GetPGCredsResponse {
+  PGCreds creds = 1;
+}
+
+// SetPGCredsRequest stores Postgres credentials for an account.
+message SetPGCredsRequest {
+  string id    = 1;  // UUID
+  PGCreds creds = 2;
+}
+
+// SetPGCredsResponse confirms the update.
+message SetPGCredsResponse {}
+
+// CredentialService manages Postgres credentials for system accounts.
+// All RPCs require admin role.
+service CredentialService {
+  rpc GetPGCreds(GetPGCredsRequest) returns (GetPGCredsResponse);
+  rpc SetPGCreds(SetPGCredsRequest) returns (SetPGCredsResponse);
+}

proto/mcias/v1/admin.proto

@@ -0,0 +1,38 @@
+// AdminService: health check and public-key retrieval.
+// These RPCs are public — no authentication is required.
+syntax = "proto3";
+
+package mcias.v1;
+
+option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
+
+// HealthRequest carries no parameters.
+message HealthRequest {}
+
+// HealthResponse confirms the server is operational.
+message HealthResponse {
+  string status = 1;  // "ok"
+}
+
+// GetPublicKeyRequest carries no parameters.
+message GetPublicKeyRequest {}
+
+// GetPublicKeyResponse returns the Ed25519 public key in JWK format fields.
+// The "x" field is the base64url-encoded 32-byte public key.
+message GetPublicKeyResponse {
+  string kty = 1;  // "OKP"
+  string crv = 2;  // "Ed25519"
+  string use = 3;  // "sig"
+  string alg = 4;  // "EdDSA"
+  string x   = 5;  // base64url-encoded public key bytes
+}
+
+// AdminService exposes health and key-material endpoints.
+// All RPCs bypass the auth interceptor.
+service AdminService {
+  // Health returns OK when the server is operational.
+  rpc Health(HealthRequest) returns (HealthResponse);
+
+  // GetPublicKey returns the Ed25519 public key used to verify JWTs.
+  rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse);
+}

proto/mcias/v1/auth.proto

@@ -0,0 +1,99 @@
+// AuthService: login, logout, token renewal, and TOTP management.
+syntax = "proto3";
+
+package mcias.v1;
+
+option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
+
+import "google/protobuf/timestamp.proto";
+
+// --- Login ---
+
+// LoginRequest carries username/password and an optional TOTP code.
+// Security: never logged; password and totp_code must not appear in audit logs.
+message LoginRequest {
+  string username  = 1;
+  string password  = 2;  // security: never logged or stored
+  string totp_code = 3;  // optional; required if TOTP enrolled
+}
+
+// LoginResponse returns the signed JWT and its expiry time.
+// Security: token is a bearer credential; the caller must protect it.
+message LoginResponse {
+  string token = 1;
+  google.protobuf.Timestamp expires_at = 2;
+}
+
+// --- Logout ---
+
+// LogoutRequest carries no body; the token is extracted from gRPC metadata.
+message LogoutRequest {}
+
+// LogoutResponse confirms the token has been revoked.
+message LogoutResponse {}
+
+// --- Token renewal ---
+
+// RenewTokenRequest carries no body; the existing token is in metadata.
+message RenewTokenRequest {}
+
+// RenewTokenResponse returns a new JWT with a fresh expiry.
+message RenewTokenResponse {
+  string token = 1;
+  google.protobuf.Timestamp expires_at = 2;
+}
+
+// --- TOTP enrollment ---
+
+// EnrollTOTPRequest carries no body; the acting account is from the JWT.
+message EnrollTOTPRequest {}
+
+// EnrollTOTPResponse returns the TOTP secret and otpauth URI for display.
+// Security: the secret is shown once; it is stored only in encrypted form.
+message EnrollTOTPResponse {
+  string secret      = 1;  // base32-encoded; display once, then discard
+  string otpauth_uri = 2;
+}
+
+// ConfirmTOTPRequest carries the TOTP code to confirm enrollment.
+message ConfirmTOTPRequest {
+  string code = 1;
+}
+
+// ConfirmTOTPResponse confirms TOTP enrollment is complete.
+message ConfirmTOTPResponse {}
+
+// RemoveTOTPRequest carries the target account ID (admin only).
+message RemoveTOTPRequest {
+  string account_id = 1;  // UUID of the account to remove TOTP from
+}
+
+// RemoveTOTPResponse confirms removal.
+message RemoveTOTPResponse {}
+
+// AuthService handles all authentication flows.
+service AuthService {
+  // Login authenticates with username+password (+optional TOTP) and returns a JWT.
+  // Public RPC — no auth required.
+  rpc Login(LoginRequest) returns (LoginResponse);
+
+  // Logout revokes the caller's current token.
+  // Requires: valid JWT in metadata.
+  rpc Logout(LogoutRequest) returns (LogoutResponse);
+
+  // RenewToken exchanges the caller's token for a fresh one.
+  // Requires: valid JWT in metadata.
+  rpc RenewToken(RenewTokenRequest) returns (RenewTokenResponse);
+
+  // EnrollTOTP begins TOTP enrollment for the calling account.
+  // Requires: valid JWT in metadata.
+  rpc EnrollTOTP(EnrollTOTPRequest) returns (EnrollTOTPResponse);
+
+  // ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app.
+  // Requires: valid JWT in metadata.
+  rpc ConfirmTOTP(ConfirmTOTPRequest) returns (ConfirmTOTPResponse);
+
+  // RemoveTOTP removes TOTP from an account (admin only).
+  // Requires: admin JWT in metadata.
+  rpc RemoveTOTP(RemoveTOTPRequest) returns (RemoveTOTPResponse);
+}

proto/mcias/v1/common.proto

@@ -0,0 +1,45 @@
+// Common message types shared across MCIAS gRPC services.
+syntax = "proto3";
+
+package mcias.v1;
+
+option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
+
+import "google/protobuf/timestamp.proto";
+
+// Account represents a user or service identity. Credential fields
+// (password_hash, totp_secret) are never included in any response.
+message Account {
+  string id           = 1;  // UUID
+  string username     = 2;
+  string account_type = 3;  // "human" or "system"
+  string status       = 4;  // "active", "inactive", or "deleted"
+  bool   totp_enabled = 5;
+  google.protobuf.Timestamp created_at = 6;
+  google.protobuf.Timestamp updated_at = 7;
+}
+
+// TokenInfo describes an issued token by its JTI (never the raw value).
+message TokenInfo {
+  string jti = 1;
+  google.protobuf.Timestamp issued_at  = 2;
+  google.protobuf.Timestamp expires_at = 3;
+  google.protobuf.Timestamp revoked_at = 4;  // zero if not revoked
+}
+
+// PGCreds holds Postgres connection details. Password is decrypted and
+// present only when explicitly requested via GetPGCreds; it is never
+// included in list responses.
+message PGCreds {
+  string host     = 1;
+  string database = 2;
+  string username = 3;
+  string password = 4;  // security: only populated on explicit get
+  int32  port     = 5;
+}
+
+// Error is the canonical error detail embedded in gRPC status details.
+message Error {
+  string message = 1;
+  string code    = 2;
+}

proto/mcias/v1/token.proto

@@ -0,0 +1,63 @@
+// TokenService: token validation, service-token issuance, and revocation.
+syntax = "proto3";
+
+package mcias.v1;
+
+option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
+
+import "google/protobuf/timestamp.proto";
+
+// --- Validate ---
+
+// ValidateTokenRequest carries the token to validate.
+// The token may also be supplied via the Authorization metadata key;
+// this field is an alternative for callers that cannot set metadata.
+message ValidateTokenRequest {
+  string token = 1;
+}
+
+// ValidateTokenResponse reports validity and, on success, the claims.
+message ValidateTokenResponse {
+  bool     valid      = 1;
+  string   subject    = 2;  // UUID of the account; empty if invalid
+  repeated string roles = 3;
+  google.protobuf.Timestamp expires_at = 4;
+}
+
+// --- Issue ---
+
+// IssueServiceTokenRequest specifies the system account to issue a token for.
+message IssueServiceTokenRequest {
+  string account_id = 1;  // UUID of the system account
+}
+
+// IssueServiceTokenResponse returns the new token and its expiry.
+message IssueServiceTokenResponse {
+  string token = 1;
+  google.protobuf.Timestamp expires_at = 2;
+}
+
+// --- Revoke ---
+
+// RevokeTokenRequest specifies the JTI to revoke.
+message RevokeTokenRequest {
+  string jti = 1;
+}
+
+// RevokeTokenResponse confirms revocation.
+message RevokeTokenResponse {}
+
+// TokenService manages token lifecycle.
+service TokenService {
+  // ValidateToken checks whether a JWT is valid and returns its claims.
+  // Public RPC — no auth required.
+  rpc ValidateToken(ValidateTokenRequest) returns (ValidateTokenResponse);
+
+  // IssueServiceToken issues a new service token for a system account.
+  // Requires: admin JWT in metadata.
+  rpc IssueServiceToken(IssueServiceTokenRequest) returns (IssueServiceTokenResponse);
+
+  // RevokeToken revokes a token by JTI.
+  // Requires: admin JWT in metadata.
+  rpc RevokeToken(RevokeTokenRequest) returns (RevokeTokenResponse);
+}