Add vault seal/unseal lifecycle

- New internal/vault package: thread-safe Vault struct with
  seal/unseal state, key material zeroing, and key derivation
- REST: POST /v1/vault/unseal, POST /v1/vault/seal,
  GET /v1/vault/status; health returns sealed status
- UI: /unseal page with passphrase form, redirect when sealed
- gRPC: sealedInterceptor rejects RPCs when sealed
- Middleware: RequireUnsealed blocks all routes except exempt
  paths; RequireAuth reads pubkey from vault at request time
- Startup: server starts sealed when passphrase unavailable
- All servers share single *vault.Vault by pointer
- CSRF manager derives key lazily from vault

Security: Key material is zeroed on seal. Sealed middleware
runs before auth. Handlers fail closed if vault becomes sealed
mid-request. Unseal endpoint is rate-limited (3/s burst 5).
No CSRF on unseal page (no session to protect; chicken-and-egg
with master key). Passphrase never logged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/ui/session.go

@@ -2,6 +2,7 @@ package ui
 
 import (
 	"crypto/ed25519"
+	"fmt"
 	"time"
 
 	"git.wntrmute.dev/kyle/mcias/internal/token"
@@ -16,5 +17,9 @@ func validateSessionToken(pubKey ed25519.PublicKey, tokenStr, issuer string) (*t
 
 // issueToken is a convenience method for issuing a signed JWT.
 func (u *UIServer) issueToken(subject string, roles []string, expiry time.Duration) (string, *token.Claims, error) {
-	return token.IssueToken(u.privKey, u.cfg.Tokens.Issuer, subject, roles, expiry)
+	privKey, err := u.vault.PrivKey()
+	if err != nil {
+		return "", nil, fmt.Errorf("vault sealed: %w", err)
+	}
+	return token.IssueToken(privKey, u.cfg.Tokens.Issuer, subject, roles, expiry)
 }