Add vault seal/unseal lifecycle

- New internal/vault package: thread-safe Vault struct with
  seal/unseal state, key material zeroing, and key derivation
- REST: POST /v1/vault/unseal, POST /v1/vault/seal,
  GET /v1/vault/status; health returns sealed status
- UI: /unseal page with passphrase form, redirect when sealed
- gRPC: sealedInterceptor rejects RPCs when sealed
- Middleware: RequireUnsealed blocks all routes except exempt
  paths; RequireAuth reads pubkey from vault at request time
- Startup: server starts sealed when passphrase unavailable
- All servers share single *vault.Vault by pointer
- CSRF manager derives key lazily from vault

Security: Key material is zeroed on seal. Sealed middleware
runs before auth. Handlers fail closed if vault becomes sealed
mid-request. Unseal endpoint is rate-limited (3/s burst 5).
No CSRF on unseal page (no session to protect; chicken-and-egg
with master key). Passphrase never logged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/grpcserver/auth.go

@@ -86,7 +86,11 @@ func (a *authServiceServer) Login(ctx context.Context, req *mciasv1.LoginRequest
 			a.s.db.WriteAuditEvent(model.EventLoginFail, &acct.ID, nil, ip, `{"reason":"totp_missing"}`) //nolint:errcheck
 			return nil, status.Error(codes.Unauthenticated, "TOTP code required")
 		}
-		secret, err := crypto.OpenAESGCM(a.s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
+		masterKey, mkErr := a.s.vault.MasterKey()
+		if mkErr != nil {
+			return nil, status.Error(codes.Unavailable, "vault sealed")
+		}
+		secret, err := crypto.OpenAESGCM(masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
 		if err != nil {
 			a.s.logger.Error("decrypt TOTP secret", "error", err, "account_id", acct.ID)
 			return nil, status.Error(codes.Internal, "internal error")
@@ -121,7 +125,11 @@ func (a *authServiceServer) Login(ctx context.Context, req *mciasv1.LoginRequest
 		}
 	}
 
-	tokenStr, claims, err := token.IssueToken(a.s.privKey, a.s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
+	privKey, pkErr := a.s.vault.PrivKey()
+	if pkErr != nil {
+		return nil, status.Error(codes.Unavailable, "vault sealed")
+	}
+	tokenStr, claims, err := token.IssueToken(privKey, a.s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
 	if err != nil {
 		a.s.logger.Error("issue token", "error", err)
 		return nil, status.Error(codes.Internal, "internal error")
@@ -186,7 +194,11 @@ func (a *authServiceServer) RenewToken(ctx context.Context, _ *mciasv1.RenewToke
 		}
 	}
 
-	newTokenStr, newClaims, err := token.IssueToken(a.s.privKey, a.s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
+	privKey, pkErr := a.s.vault.PrivKey()
+	if pkErr != nil {
+		return nil, status.Error(codes.Unavailable, "vault sealed")
+	}
+	newTokenStr, newClaims, err := token.IssueToken(privKey, a.s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
 	if err != nil {
 		return nil, status.Error(codes.Internal, "internal error")
 	}
@@ -245,7 +257,11 @@ func (a *authServiceServer) EnrollTOTP(ctx context.Context, req *mciasv1.EnrollT
 		return nil, status.Error(codes.Internal, "internal error")
 	}
 
-	secretEnc, secretNonce, err := crypto.SealAESGCM(a.s.masterKey, rawSecret)
+	masterKey, mkErr := a.s.vault.MasterKey()
+	if mkErr != nil {
+		return nil, status.Error(codes.Unavailable, "vault sealed")
+	}
+	secretEnc, secretNonce, err := crypto.SealAESGCM(masterKey, rawSecret)
 	if err != nil {
 		return nil, status.Error(codes.Internal, "internal error")
 	}
@@ -283,7 +299,11 @@ func (a *authServiceServer) ConfirmTOTP(ctx context.Context, req *mciasv1.Confir
 		return nil, status.Error(codes.FailedPrecondition, "TOTP enrollment not started")
 	}
 
-	secret, err := crypto.OpenAESGCM(a.s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
+	masterKey, mkErr := a.s.vault.MasterKey()
+	if mkErr != nil {
+		return nil, status.Error(codes.Unavailable, "vault sealed")
+	}
+	secret, err := crypto.OpenAESGCM(masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
 	if err != nil {
 		return nil, status.Error(codes.Internal, "internal error")
 	}