Migrate gRPC server to mcdsl grpcserver package

Replace MCR's custom auth, admin, and logging interceptors with the
shared mcdsl grpcserver package. This eliminates ~110 lines of
interceptor code and uses the same method-map auth pattern used by
metacrypt.

Key changes:
- server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth
- interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required)
- Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext
- auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator
- Tests: use mock MCIAS HTTP server instead of fakeValidator interface
- Vendor: add mcdsl/grpcserver to vendor directory

ListRepositories and GetRepository are now explicitly auth-required
(not admin-required), matching the REST API. Previously they were
implicitly auth-required by not being in the bypass or admin maps.

Security: method map uses default-deny -- unmapped RPCs are rejected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/admin_test.go

@@ -5,7 +5,6 @@ import (
 	"testing"
 
 	pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
-	"git.wntrmute.dev/kyle/mcr/internal/auth"
 )
 
 func TestHealthReturnsOk(t *testing.T) {
@@ -23,13 +22,13 @@ func TestHealthReturnsOk(t *testing.T) {
 }
 
 func TestHealthWithoutAuth(t *testing.T) {
+	mcias := mockMCIAS(t)
+	auth := testAuthenticator(t, mcias.URL)
 	database := openTestDB(t)
-	// Use a validator that always rejects.
-	validator := &fakeValidator{err: auth.ErrUnauthorized}
 
 	cc := startTestServer(t, Deps{
-		DB:        database,
-		Validator: validator,
+		DB:            database,
+		Authenticator: auth,
 	})
 
 	client := pb.NewAdminServiceClient(cc)