Apply review fixes: validation, idempotency, SOA dedup, startup cleanup

- Migration v2: INSERT → INSERT OR IGNORE for idempotency
- Config: validate server.tls_cert and server.tls_key are non-empty
- gRPC: add input validation matching REST handlers
- gRPC: add logger to zone/record services, log timestamp parse errors
- REST+gRPC: extract SOA defaults into shared db.ApplySOADefaults()
- DNS: simplify SOA query condition (remove dead code from precedence bug)
- Startup: consolidate shutdown into shutdownAll(), clean up gRPC listener
  on error path, shut down sibling servers when one fails

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/db/migrate.go

@@ -43,28 +43,28 @@ CREATE INDEX IF NOT EXISTS idx_records_zone_name ON records(zone_id, name);`,
 		Name:    "seed zones and records from CoreDNS zone files",
 		SQL: `
 -- Zone: svc.mcp.metacircular.net (service addresses)
-INSERT INTO zones (id, name, primary_ns, admin_email, refresh, retry, expire, minimum_ttl, serial)
+INSERT OR IGNORE INTO zones (id, name, primary_ns, admin_email, refresh, retry, expire, minimum_ttl, serial)
 VALUES (1, 'svc.mcp.metacircular.net', 'ns.mcp.metacircular.net.', 'admin.metacircular.net.', 3600, 600, 86400, 300, 2026032601);
 
 -- Zone: mcp.metacircular.net (node addresses)
-INSERT INTO zones (id, name, primary_ns, admin_email, refresh, retry, expire, minimum_ttl, serial)
+INSERT OR IGNORE INTO zones (id, name, primary_ns, admin_email, refresh, retry, expire, minimum_ttl, serial)
 VALUES (2, 'mcp.metacircular.net', 'ns.mcp.metacircular.net.', 'admin.metacircular.net.', 3600, 600, 86400, 300, 2026032501);
 
 -- svc.mcp.metacircular.net records
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'metacrypt', 'A', '192.168.88.181', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'metacrypt', 'A', '100.95.252.120', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcr',       'A', '192.168.88.181', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcr',       'A', '100.95.252.120', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'sgard',     'A', '192.168.88.181', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'sgard',     'A', '100.95.252.120', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcp-agent', 'A', '192.168.88.181', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcp-agent', 'A', '100.95.252.120', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'metacrypt', 'A', '192.168.88.181', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'metacrypt', 'A', '100.95.252.120', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcr',       'A', '192.168.88.181', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcr',       'A', '100.95.252.120', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'sgard',     'A', '192.168.88.181', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'sgard',     'A', '100.95.252.120', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcp-agent', 'A', '192.168.88.181', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (1, 'mcp-agent', 'A', '100.95.252.120', 300);
 
 -- mcp.metacircular.net records
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (2, 'rift', 'A', '192.168.88.181', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (2, 'rift', 'A', '100.95.252.120', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (2, 'ns',   'A', '192.168.88.181', 300);
-INSERT INTO records (zone_id, name, type, value, ttl) VALUES (2, 'ns',   'A', '100.95.252.120', 300);`,
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (2, 'rift', 'A', '192.168.88.181', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (2, 'rift', 'A', '100.95.252.120', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (2, 'ns',   'A', '192.168.88.181', 300);
+INSERT OR IGNORE INTO records (zone_id, name, type, value, ttl) VALUES (2, 'ns',   'A', '100.95.252.120', 300);`,
 	},
 }
 

internal/db/zones.go

@@ -169,6 +169,24 @@ func (d *DB) ZoneNames() ([]string, error) {
 	return names, rows.Err()
 }
 
+// ApplySOADefaults fills in zero-valued SOA parameters with sensible defaults:
+// refresh=3600, retry=600, expire=86400, minTTL=300.
+func ApplySOADefaults(refresh, retry, expire, minTTL int) (int, int, int, int) {
+	if refresh == 0 {
+		refresh = 3600
+	}
+	if retry == 0 {
+		retry = 600
+	}
+	if expire == 0 {
+		expire = 86400
+	}
+	if minTTL == 0 {
+		minTTL = 300
+	}
+	return refresh, retry, expire, minTTL
+}
+
 // nextSerial computes the next SOA serial in YYYYMMDDNN format.
 func nextSerial(current int64) int64 {
 	today := time.Now().UTC()