Drop admin requirement from agent interceptor, reject guests

The agent now accepts any authenticated user or system account, except
those with the guest role. Admin is reserved for MCIAS account management
and policy changes, not routine deploy/stop/start operations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/auth/auth_test.go

@@ -126,7 +126,7 @@ func TestInterceptorRejectsInvalidToken(t *testing.T) {
 	}
 }
 
-func TestInterceptorRejectsNonAdmin(t *testing.T) {
+func TestInterceptorAcceptsRegularUser(t *testing.T) {
 	server := mockMCIAS(t, func(authHeader string) (any, int) {
 		return &TokenInfo{
 			Valid:       true,
@@ -142,6 +142,28 @@ func TestInterceptorRejectsNonAdmin(t *testing.T) {
 	md := metadata.Pairs("authorization", "Bearer user-token")
 	ctx := metadata.NewIncomingContext(context.Background(), md)
 
+	_, err := callInterceptor(ctx, v)
+	if err != nil {
+		t.Fatalf("expected regular user to be accepted, got %v", err)
+	}
+}
+
+func TestInterceptorRejectsGuest(t *testing.T) {
+	server := mockMCIAS(t, func(authHeader string) (any, int) {
+		return &TokenInfo{
+			Valid:       true,
+			Username:    "visitor",
+			Roles:       []string{"guest"},
+			AccountType: "human",
+		}, http.StatusOK
+	})
+	defer server.Close()
+
+	v := validatorFromServer(t, server)
+
+	md := metadata.Pairs("authorization", "Bearer guest-token")
+	ctx := metadata.NewIncomingContext(context.Background(), md)
+
 	_, err := callInterceptor(ctx, v)
 	if err == nil {
 		t.Fatal("expected error, got nil")