Move SSO clients from config to database

- Add sso_clients table (migration 000010) with client_id, redirect_uri,
  tags (JSON), enabled flag, and audit timestamps
- Add SSOClient model struct and audit events
- Implement DB CRUD with 10 unit tests
- Add REST API: GET/POST/PATCH/DELETE /v1/sso/clients (policy-gated)
- Add gRPC SSOClientService with 5 RPCs (admin-only)
- Add mciasctl sso list/create/get/update/delete commands
- Add web UI admin page at /sso-clients with HTMX create/toggle/delete
- Migrate handleSSOAuthorize and handleSSOTokenExchange to use DB
- Remove SSOConfig, SSOClient struct, lookup methods from config
- Simplify: client_id = service_name for policy evaluation

Security:
- SSO client CRUD is admin-only (policy-gated REST, requireAdmin gRPC)
- redirect_uri must use https:// (validated at DB layer)
- Disabled clients are rejected at both authorize and token exchange
- All mutations write audit events

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/policy/policy.go

@@ -51,6 +51,8 @@ const (
 
 	ActionEnrollWebAuthn Action = "webauthn:enroll" // self-service
 	ActionRemoveWebAuthn Action = "webauthn:remove" // admin
+
+	ActionManageSSOClients Action = "sso_clients:manage" // admin
 )
 
 // ResourceType identifies what kind of object a request targets.
@@ -62,8 +64,9 @@ const (
 	ResourcePGCreds  ResourceType = "pgcreds"
 	ResourceAuditLog ResourceType = "audit_log"
 	ResourceTOTP     ResourceType = "totp"
-	ResourcePolicy   ResourceType = "policy"
-	ResourceWebAuthn ResourceType = "webauthn"
+	ResourcePolicy    ResourceType = "policy"
+	ResourceWebAuthn  ResourceType = "webauthn"
+	ResourceSSOClient ResourceType = "sso_client"
 )
 
 // Effect is the outcome of policy evaluation.