Migrate gRPC server to mcdsl grpcserver package

Replace MCR's custom auth, admin, and logging interceptors with the
shared mcdsl grpcserver package. This eliminates ~110 lines of
interceptor code and uses the same method-map auth pattern used by
metacrypt.

Key changes:
- server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth
- interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required)
- Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext
- auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator
- Tests: use mock MCIAS HTTP server instead of fakeValidator interface
- Vendor: add mcdsl/grpcserver to vendor directory

ListRepositories and GetRepository are now explicitly auth-required
(not admin-required), matching the REST API. Previously they were
implicitly auth-required by not being in the bypass or admin maps.

Security: method map uses default-deny -- unmapped RPCs are rejected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/registry.go

@@ -11,8 +11,9 @@ import (
 
 	"github.com/google/uuid"
 
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+
 	pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
-	"git.wntrmute.dev/kyle/mcr/internal/auth"
 	"git.wntrmute.dev/kyle/mcr/internal/db"
 	"git.wntrmute.dev/kyle/mcr/internal/gc"
 )
@@ -106,10 +107,10 @@ func (s *registryService) DeleteRepository(ctx context.Context, req *pb.DeleteRe
 	}
 
 	if s.auditFn != nil {
-		claims := auth.ClaimsFromContext(ctx)
+		info := mcdslauth.TokenInfoFromContext(ctx)
 		actorID := ""
-		if claims != nil {
-			actorID = claims.Subject
+		if info != nil {
+			actorID = info.Username
 		}
 		s.auditFn("repo_deleted", actorID, req.Name, "", "", nil)
 	}