Implement Phase 8: operational artifacts

- Makefile: build/test/lint/generate/man/install/clean/dist/docker;
  CGO_ENABLED=1 throughout; VERSION from git describe --tags --always
- Dockerfile: multi-stage (golang:1.26-bookworm builder ->
  debian:bookworm-slim runtime); non-root uid 10001 (mcias),
  VOLUME /data, EXPOSE 8443/9443; no toolchain in final image
- dist/mcias.service: hardened systemd unit (ProtectSystem=strict,
  ProtectHome, PrivateTmp, NoNewPrivileges, MemoryDenyWriteExecute,
  CapabilityBoundingSet= empty, EnvironmentFile, LimitNOFILE=65536)
- dist/mcias.env.example: passphrase env file template
- dist/mcias.conf.example: fully-commented production TOML config
- dist/mcias-dev.conf.example: local dev config (/tmp, short expiry)
- dist/mcias.conf.docker.example: container config template
- dist/install.sh: POSIX sh idempotent installer; creates mcias
  user/group, installs binaries, /etc/mcias, /var/lib/mcias,
  systemd unit, man pages; prints post-install instructions
- man/man1/mciassrv.1: mdoc synopsis/config/API/signals/files
- man/man1/mciasctl.1: mdoc all subcommands/env/examples
- man/man1/mciasdb.1: mdoc trust model/safety/all subcommands
- man/man1/mciasgrpcctl.1: mdoc gRPC commands/grpcurl example
- README.md: user-facing quick-start, first-run setup, build
  instructions, CLI references, Docker deployment, security notes
- .gitignore: added /bin/, dist/mcias_*.tar.gz, man/man1/*.gz

dist/mcias.service

@@ -0,0 +1,51 @@
+[Unit]
+Description=MCIAS Authentication Server
+Documentation=man:mciassrv(1)
+After=network.target
+# Require network to be available before starting.
+# Remove if you bind only to loopback.
+
+[Service]
+Type=simple
+User=mcias
+Group=mcias
+
+# Configuration and secrets.
+# /etc/mcias/env must contain MCIAS_MASTER_PASSPHRASE=<passphrase>
+# See dist/mcias.env.example for the template.
+EnvironmentFile=/etc/mcias/env
+
+ExecStart=/usr/local/bin/mciassrv -config /etc/mcias/mcias.conf
+Restart=on-failure
+RestartSec=5
+
+# File descriptor limit. mciassrv keeps one fd per open connection plus
+# the SQLite WAL files; 65536 is generous headroom for a personal server.
+LimitNOFILE=65536
+
+# Sandboxing. mcias does not need capabilities; it listens on ports > 1024.
+# If you need port 443 or 8443 on a privileged port (< 1024), either:
+#   a) use a reverse proxy (recommended), or
+#   b) grant CAP_NET_BIND_SERVICE with: AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=
+
+# Filesystem restrictions.
+# mciassrv reads /etc/mcias (config, TLS cert/key) and writes /var/lib/mcias (DB).
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/var/lib/mcias
+
+# Additional hardening.
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target