P1.2-P1.5: Complete Phase 1 core libraries

Four packages built in parallel:

- P1.2 runtime: Container runtime abstraction with podman implementation.
  Interface (Pull/Run/Stop/Remove/Inspect/List), ContainerSpec/ContainerInfo
  types, CLI arg building, version extraction from image tags. 2 tests.

- P1.3 servicedef: TOML service definition file parsing. Load/Write/LoadAll,
  validation (required fields, unique component names), proto conversion.
  5 tests.

- P1.4 config: CLI and agent config loading from TOML. Duration type for
  time fields, env var overrides (MCP_*/MCP_AGENT_*), required field
  validation, sensible defaults. 7 tests.

- P1.5 auth: MCIAS integration. Token validator with 30s SHA-256 cache,
  gRPC unary interceptor (admin role enforcement, audit logging),
  Login/LoadToken/SaveToken for CLI. 9 tests.

All packages pass build, vet, lint, and test.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/runtime/runtime_test.go

@@ -0,0 +1,113 @@
+package runtime
+
+import (
+	"slices"
+	"testing"
+)
+
+func requireEqualArgs(t *testing.T, got, want []string) {
+	t.Helper()
+	if !slices.Equal(got, want) {
+		t.Fatalf("args mismatch\ngot:  %v\nwant: %v", got, want)
+	}
+}
+
+func TestBuildRunArgs(t *testing.T) {
+	p := &Podman{}
+
+	t.Run("full spec", func(t *testing.T) {
+		spec := ContainerSpec{
+			Name:    "metacrypt-api",
+			Image:   "mcr.svc.mcp.metacircular.net:8443/metacrypt:v1.0.0",
+			Network: "docker_default",
+			User:    "0:0",
+			Restart: "unless-stopped",
+			Ports:   []string{"127.0.0.1:18443:8443", "127.0.0.1:19443:9443"},
+			Volumes: []string{"/srv/metacrypt:/srv/metacrypt", "/etc/ssl:/etc/ssl:ro"},
+			Cmd:     []string{"server", "--config", "/srv/metacrypt/metacrypt.toml"},
+		}
+		requireEqualArgs(t, p.BuildRunArgs(spec), []string{
+			"run", "-d", "--name", "metacrypt-api",
+			"--network", "docker_default",
+			"--user", "0:0",
+			"--restart", "unless-stopped",
+			"-p", "127.0.0.1:18443:8443",
+			"-p", "127.0.0.1:19443:9443",
+			"-v", "/srv/metacrypt:/srv/metacrypt",
+			"-v", "/etc/ssl:/etc/ssl:ro",
+			"mcr.svc.mcp.metacircular.net:8443/metacrypt:v1.0.0",
+			"server", "--config", "/srv/metacrypt/metacrypt.toml",
+		})
+	})
+
+	t.Run("minimal spec", func(t *testing.T) {
+		spec := ContainerSpec{
+			Name:  "test-app",
+			Image: "img:latest",
+		}
+		requireEqualArgs(t, p.BuildRunArgs(spec), []string{
+			"run", "-d", "--name", "test-app", "img:latest",
+		})
+	})
+
+	t.Run("ports only", func(t *testing.T) {
+		spec := ContainerSpec{
+			Name:  "test-app",
+			Image: "img:latest",
+			Ports: []string{"8080:80", "8443:443"},
+		}
+		requireEqualArgs(t, p.BuildRunArgs(spec), []string{
+			"run", "-d", "--name", "test-app",
+			"-p", "8080:80", "-p", "8443:443",
+			"img:latest",
+		})
+	})
+
+	t.Run("volumes only", func(t *testing.T) {
+		spec := ContainerSpec{
+			Name:    "test-app",
+			Image:   "img:latest",
+			Volumes: []string{"/data:/data", "/config:/config:ro"},
+		}
+		requireEqualArgs(t, p.BuildRunArgs(spec), []string{
+			"run", "-d", "--name", "test-app",
+			"-v", "/data:/data", "-v", "/config:/config:ro",
+			"img:latest",
+		})
+	})
+
+	t.Run("cmd after image", func(t *testing.T) {
+		spec := ContainerSpec{
+			Name:  "test-app",
+			Image: "img:latest",
+			Cmd:   []string{"serve", "--port", "8080"},
+		}
+		requireEqualArgs(t, p.BuildRunArgs(spec), []string{
+			"run", "-d", "--name", "test-app",
+			"img:latest",
+			"serve", "--port", "8080",
+		})
+	})
+}
+
+func TestExtractVersion(t *testing.T) {
+	tests := []struct {
+		image string
+		want  string
+	}{
+		{"registry.example.com:5000/img:v1.2.0", "v1.2.0"},
+		{"img:latest", "latest"},
+		{"img", ""},
+		{"registry.example.com/path/img:v1", "v1"},
+		{"registry.example.com:5000/path/img", ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.image, func(t *testing.T) {
+			got := ExtractVersion(tt.image)
+			if got != tt.want {
+				t.Fatalf("ExtractVersion(%q) = %q, want %q", tt.image, got, tt.want)
+			}
+		})
+	}
+}