Add vault seal/unseal lifecycle

- New internal/vault package: thread-safe Vault struct with
  seal/unseal state, key material zeroing, and key derivation
- REST: POST /v1/vault/unseal, POST /v1/vault/seal,
  GET /v1/vault/status; health returns sealed status
- UI: /unseal page with passphrase form, redirect when sealed
- gRPC: sealedInterceptor rejects RPCs when sealed
- Middleware: RequireUnsealed blocks all routes except exempt
  paths; RequireAuth reads pubkey from vault at request time
- Startup: server starts sealed when passphrase unavailable
- All servers share single *vault.Vault by pointer
- CSRF manager derives key lazily from vault

Security: Key material is zeroed on seal. Sealed middleware
runs before auth. Handlers fail closed if vault becomes sealed
mid-request. Unseal endpoint is rate-limited (3/s burst 5).
No CSRF on unseal page (no session to protect; chicken-and-egg
with master key). Passphrase never logged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/static/openapi.yaml

@@ -199,12 +199,15 @@ paths:
   /v1/health:
     get:
       summary: Health check
-      description: Returns `{"status":"ok"}` if the server is running. No auth required.
+      description: |
+        Returns `{"status":"ok"}` if the server is running and the vault is
+        unsealed, or `{"status":"sealed"}` if the vault is sealed.
+        No auth required.
       operationId: getHealth
       tags: [Public]
       responses:
         "200":
-          description: Server is healthy.
+          description: Server is healthy (may be sealed).
           content:
             application/json:
               schema:
@@ -212,8 +215,87 @@ paths:
                 properties:
                   status:
                     type: string
+                    enum: [ok, sealed]
                     example: ok
 
+  /v1/vault/status:
+    get:
+      summary: Vault seal status
+      description: Returns `{"sealed": true}` or `{"sealed": false}`. No auth required.
+      operationId: getVaultStatus
+      tags: [Vault]
+      responses:
+        "200":
+          description: Current seal state.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  sealed:
+                    type: boolean
+
+  /v1/vault/unseal:
+    post:
+      summary: Unseal the vault
+      description: |
+        Accepts a passphrase, derives the master key, and unseals the vault.
+        Rate-limited to 3 requests per second, burst of 5.
+        No auth required (the vault is sealed, so no tokens can be validated).
+      operationId: unsealVault
+      tags: [Vault]
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [passphrase]
+              properties:
+                passphrase:
+                  type: string
+                  description: Master passphrase for key derivation.
+      responses:
+        "200":
+          description: Vault unsealed successfully.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  status:
+                    type: string
+                    example: unsealed
+        "401":
+          description: Unseal failed (wrong passphrase).
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+
+  /v1/vault/seal:
+    post:
+      summary: Seal the vault
+      description: |
+        Seals the vault, zeroing all key material in memory.
+        Requires admin authentication. The caller's token becomes invalid
+        after sealing.
+      operationId: sealVault
+      tags: [Vault]
+      security:
+        - bearerAuth: []
+      responses:
+        "200":
+          description: Vault sealed successfully.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  status:
+                    type: string
+                    example: sealed
+
   /v1/keys/public:
     get:
       summary: Ed25519 public key (JWK)

web/templates/unseal.html

@@ -0,0 +1,31 @@
+{{define "unseal"}}<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Unseal Vault — MCIAS</title>
+<link rel="stylesheet" href="/static/style.css">
+</head>
+<body>
+<div class="login-wrapper">
+  <div class="login-box">
+    <div class="brand-heading">MCIAS</div>
+    <div class="brand-subtitle">Vault is Sealed</div>
+    <div class="card">
+      {{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
+      <form id="unseal-form" method="POST" action="/unseal">
+        <div class="form-group">
+          <label for="passphrase">Master Passphrase</label>
+          <input class="form-control" type="password" id="passphrase" name="passphrase"
+                 autocomplete="off" required autofocus>
+        </div>
+        <div class="form-actions">
+          <button class="btn btn-primary" type="submit" style="width:100%">Unseal</button>
+        </div>
+      </form>
+    </div>
+  </div>
+</div>
+</body>
+</html>
+{{end}}