Implement Phase 8: operational artifacts

- Makefile: build/test/lint/generate/man/install/clean/dist/docker;
  CGO_ENABLED=1 throughout; VERSION from git describe --tags --always
- Dockerfile: multi-stage (golang:1.26-bookworm builder ->
  debian:bookworm-slim runtime); non-root uid 10001 (mcias),
  VOLUME /data, EXPOSE 8443/9443; no toolchain in final image
- dist/mcias.service: hardened systemd unit (ProtectSystem=strict,
  ProtectHome, PrivateTmp, NoNewPrivileges, MemoryDenyWriteExecute,
  CapabilityBoundingSet= empty, EnvironmentFile, LimitNOFILE=65536)
- dist/mcias.env.example: passphrase env file template
- dist/mcias.conf.example: fully-commented production TOML config
- dist/mcias-dev.conf.example: local dev config (/tmp, short expiry)
- dist/mcias.conf.docker.example: container config template
- dist/install.sh: POSIX sh idempotent installer; creates mcias
  user/group, installs binaries, /etc/mcias, /var/lib/mcias,
  systemd unit, man pages; prints post-install instructions
- man/man1/mciassrv.1: mdoc synopsis/config/API/signals/files
- man/man1/mciasctl.1: mdoc all subcommands/env/examples
- man/man1/mciasdb.1: mdoc trust model/safety/all subcommands
- man/man1/mciasgrpcctl.1: mdoc gRPC commands/grpcurl example
- README.md: user-facing quick-start, first-run setup, build
  instructions, CLI references, Docker deployment, security notes
- .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz

dist/mcias-dev.conf.example

@@ -0,0 +1,42 @@
+# mcias-dev.conf — Local development configuration for mciassrv
+#
+# Suitable for running mciassrv on a developer workstation.
+# DO NOT use this configuration in production:
+#   - Tokens expire quickly (for rapid test iteration).
+#   - The master key passphrase is trivial.
+#   - TLS paths point to local self-signed certificates.
+#
+# Generate a self-signed certificate for local development:
+#   openssl req -x509 -newkey ed25519 -days 365 \
+#     -keyout /tmp/mcias-dev.key -out /tmp/mcias-dev.crt \
+#     -subj "/CN=localhost" -nodes
+#
+# Set the master passphrase:
+#   export MCIAS_MASTER_PASSPHRASE=devpassphrase
+#
+# Start the server:
+#   mciassrv -config /path/to/mcias-dev.conf
+
+[server]
+listen_addr = "127.0.0.1:8443"
+grpc_addr   = "127.0.0.1:9443"
+tls_cert    = "/tmp/mcias-dev.crt"
+tls_key     = "/tmp/mcias-dev.key"
+
+[database]
+path = "/tmp/mcias-dev.db"
+
+[tokens]
+issuer         = "https://localhost:8443"
+default_expiry = "1h"
+admin_expiry   = "30m"
+service_expiry = "24h"
+
+[argon2]
+# OWASP minimums maintained even in dev; do not reduce further.
+time    = 2
+memory  = 65536
+threads = 4
+
+[master_key]
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"