Move SSO clients from config to database

- Add sso_clients table (migration 000010) with client_id, redirect_uri,
  tags (JSON), enabled flag, and audit timestamps
- Add SSOClient model struct and audit events
- Implement DB CRUD with 10 unit tests
- Add REST API: GET/POST/PATCH/DELETE /v1/sso/clients (policy-gated)
- Add gRPC SSOClientService with 5 RPCs (admin-only)
- Add mciasctl sso list/create/get/update/delete commands
- Add web UI admin page at /sso-clients with HTMX create/toggle/delete
- Migrate handleSSOAuthorize and handleSSOTokenExchange to use DB
- Remove SSOConfig, SSOClient struct, lookup methods from config
- Simplify: client_id = service_name for policy evaluation

Security:
- SSO client CRUD is admin-only (policy-gated REST, requireAdmin gRPC)
- redirect_uri must use https:// (validated at DB layer)
- Disabled clients are rejected at both authorize and token exchange
- All mutations write audit events

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/ui/handlers_sso.go

@@ -26,14 +26,20 @@ func (u *UIServer) handleSSOAuthorize(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Security: validate client_id against registered SSO clients.
-	client := u.cfg.SSOClient(clientID)
-	if client == nil {
+	// Security: validate client_id against registered SSO clients in the database.
+	client, err := u.db.GetSSOClient(clientID)
+	if err != nil {
 		u.logger.Warn("sso: unknown client_id", "client_id", clientID)
 		http.Error(w, "unknown client_id", http.StatusBadRequest)
 		return
 	}
 
+	if !client.Enabled {
+		u.logger.Warn("sso: disabled client", "client_id", clientID)
+		http.Error(w, "SSO client is disabled", http.StatusForbidden)
+		return
+	}
+
 	// Security: redirect_uri must exactly match the registered URI to prevent
 	// open-redirect attacks.
 	if redirectURI != client.RedirectURI {