Implement Phase 8: operational artifacts

- Makefile: build/test/lint/generate/man/install/clean/dist/docker;
  CGO_ENABLED=1 throughout; VERSION from git describe --tags --always
- Dockerfile: multi-stage (golang:1.26-bookworm builder ->
  debian:bookworm-slim runtime); non-root uid 10001 (mcias),
  VOLUME /data, EXPOSE 8443/9443; no toolchain in final image
- dist/mcias.service: hardened systemd unit (ProtectSystem=strict,
  ProtectHome, PrivateTmp, NoNewPrivileges, MemoryDenyWriteExecute,
  CapabilityBoundingSet= empty, EnvironmentFile, LimitNOFILE=65536)
- dist/mcias.env.example: passphrase env file template
- dist/mcias.conf.example: fully-commented production TOML config
- dist/mcias-dev.conf.example: local dev config (/tmp, short expiry)
- dist/mcias.conf.docker.example: container config template
- dist/install.sh: POSIX sh idempotent installer; creates mcias
  user/group, installs binaries, /etc/mcias, /var/lib/mcias,
  systemd unit, man pages; prints post-install instructions
- man/man1/mciassrv.1: mdoc synopsis/config/API/signals/files
- man/man1/mciasctl.1: mdoc all subcommands/env/examples
- man/man1/mciasdb.1: mdoc trust model/safety/all subcommands
- man/man1/mciasgrpcctl.1: mdoc gRPC commands/grpcurl example
- README.md: user-facing quick-start, first-run setup, build
  instructions, CLI references, Docker deployment, security notes
- .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz

dist/mcias.conf.example

@@ -0,0 +1,110 @@
+# mcias.conf — Reference configuration for mciassrv
+#
+# Copy this file to /etc/mcias/mcias.conf and adjust the values for your
+# deployment. All fields marked REQUIRED must be set before the server will
+# start. Fields marked OPTIONAL can be omitted to use defaults.
+#
+# File permissions: mode 0640, owner root:mcias.
+#   chmod 0640 /etc/mcias/mcias.conf
+#   chown root:mcias /etc/mcias/mcias.conf
+
+# ---------------------------------------------------------------------------
+# [server] — Network listener configuration
+# ---------------------------------------------------------------------------
+[server]
+
+# REQUIRED. Address and port for the HTTPS REST listener.
+# Format: "host:port". Use "0.0.0.0" to listen on all interfaces.
+# Ports > 1024 do not require elevated privileges.
+listen_addr = "0.0.0.0:8443"
+
+# OPTIONAL. Address and port for the gRPC/TLS listener.
+# If omitted, the gRPC listener is disabled and only REST is served.
+# Format: "host:port".
+# grpc_addr = "0.0.0.0:9443"
+
+# REQUIRED. Path to the TLS certificate (PEM format).
+# Self-signed certificates work fine for personal deployments; for
+# public-facing deployments consider a certificate from Let's Encrypt.
+tls_cert = "/etc/mcias/server.crt"
+
+# REQUIRED. Path to the TLS private key (PEM format).
+# Permissions: mode 0640, owner root:mcias.
+tls_key = "/etc/mcias/server.key"
+
+# ---------------------------------------------------------------------------
+# [database] — SQLite database
+# ---------------------------------------------------------------------------
+[database]
+
+# REQUIRED. Path to the SQLite database file.
+# The directory must be writable by the mcias user. WAL mode is enabled
+# automatically; expect three files: mcias.db, mcias.db-wal, mcias.db-shm.
+path = "/var/lib/mcias/mcias.db"
+
+# ---------------------------------------------------------------------------
+# [tokens] — JWT issuance policy
+# ---------------------------------------------------------------------------
+[tokens]
+
+# REQUIRED. Issuer claim embedded in every JWT. Relying parties should
+# validate this claim matches the expected value.
+# Use the base URL of your MCIAS server (without trailing slash).
+issuer = "https://auth.example.com"
+
+# OPTIONAL. Default token expiry for interactive (human) logins.
+# Go duration string: "h" hours, "m" minutes, "s" seconds.
+# Default: 720h (30 days). Reduce for higher-security deployments.
+default_expiry = "720h"
+
+# OPTIONAL. Expiry for admin tokens (tokens with the "admin" role).
+# Should be shorter than default_expiry to limit the blast radius of
+# a leaked admin credential.
+# Default: 8h.
+admin_expiry = "8h"
+
+# OPTIONAL. Expiry for system account tokens (machine-to-machine).
+# System accounts have no interactive login; their tokens are long-lived.
+# Default: 8760h (365 days).
+service_expiry = "8760h"
+
+# ---------------------------------------------------------------------------
+# [argon2] — Password hashing parameters (Argon2id)
+# ---------------------------------------------------------------------------
+[argon2]
+
+# OWASP 2023 minimums: time >= 2, memory >= 65536 KiB (64 MB).
+# Increasing these values improves resistance to brute-force attacks but
+# increases CPU and memory usage at login time.
+
+# OPTIONAL. Time cost (number of passes over memory). Default: 3.
+time = 3
+
+# OPTIONAL. Memory cost in KiB. Default: 65536 (64 MB).
+memory = 65536
+
+# OPTIONAL. Parallelism (number of threads). Default: 4.
+threads = 4
+
+# ---------------------------------------------------------------------------
+# [master_key] — AES-256 master key derivation
+# ---------------------------------------------------------------------------
+[master_key]
+
+# REQUIRED. Exactly ONE of passphrase_env or keyfile must be set.
+
+# Option A: Passphrase mode. The passphrase is read from the named environment
+# variable at startup, then cleared. The Argon2id KDF salt is stored in the
+# database on first run and reused on subsequent runs so the same passphrase
+# always produces the same master key.
+#
+# Set the passphrase in /etc/mcias/env (loaded by the systemd EnvironmentFile
+# directive). See dist/mcias.env.example for the template.
+passphrase_env = "MCIAS_MASTER_PASSPHRASE"
+
+# Option B: Key file mode. The file must contain exactly 32 bytes of raw key
+# material (AES-256). Generate with: openssl rand -out /etc/mcias/master.key 32
+# Permissions: mode 0640, owner root:mcias.
+#
+# Uncomment and comment out passphrase_env to switch modes.
+# keyfile = "/etc/mcias/master.key"