Add record-level authorization for system accounts

Record mutations (create, update, delete) no longer require admin role.
Authorization rules:
  - admin: full access (unchanged)
  - system mcp-agent: create/delete any record
  - system account α: create/delete records named α only
  - human users: read-only (unchanged)

Zone mutations remain admin-only. Both REST and gRPC paths enforce the
same rules. Update checks authorization against both old and new names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/interceptors.go

@@ -25,11 +25,14 @@ func publicMethods() map[string]bool {
 
 func authRequiredMethods() map[string]bool {
 	return map[string]bool{
-		"/mcns.v1.AuthService/Logout":      true,
-		"/mcns.v1.ZoneService/ListZones":   true,
-		"/mcns.v1.ZoneService/GetZone":     true,
-		"/mcns.v1.RecordService/ListRecords": true,
-		"/mcns.v1.RecordService/GetRecord":   true,
+		"/mcns.v1.AuthService/Logout":         true,
+		"/mcns.v1.ZoneService/ListZones":      true,
+		"/mcns.v1.ZoneService/GetZone":        true,
+		"/mcns.v1.RecordService/ListRecords":  true,
+		"/mcns.v1.RecordService/GetRecord":    true,
+		"/mcns.v1.RecordService/CreateRecord": true,
+		"/mcns.v1.RecordService/UpdateRecord": true,
+		"/mcns.v1.RecordService/DeleteRecord": true,
 	}
 }
 
@@ -38,8 +41,5 @@ func adminRequiredMethods() map[string]bool {
 		"/mcns.v1.ZoneService/CreateZone": true,
 		"/mcns.v1.ZoneService/UpdateZone": true,
 		"/mcns.v1.ZoneService/DeleteZone": true,
-		"/mcns.v1.RecordService/CreateRecord": true,
-		"/mcns.v1.RecordService/UpdateRecord": true,
-		"/mcns.v1.RecordService/DeleteRecord": true,
 	}
 }