Migrate gRPC server to mcdsl grpcserver package

Replace MCR's custom auth, admin, and logging interceptors with the
shared mcdsl grpcserver package. This eliminates ~110 lines of
interceptor code and uses the same method-map auth pattern used by
metacrypt.

Key changes:
- server.go: delegate to mcdslgrpc.New() for TLS, logging, and auth
- interceptors.go: replaced with MethodMap definition (public, auth-required, admin-required)
- Handler files: switch from auth.ClaimsFromContext to mcdslauth.TokenInfoFromContext
- auth/client.go: add Authenticator() accessor for the underlying mcdsl authenticator
- Tests: use mock MCIAS HTTP server instead of fakeValidator interface
- Vendor: add mcdsl/grpcserver to vendor directory

ListRepositories and GetRepository are now explicitly auth-required
(not admin-required), matching the REST API. Previously they were
implicitly auth-required by not being in the bypass or admin maps.

Security: method map uses default-deny -- unmapped RPCs are rejected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/registry_test.go

@@ -2,29 +2,51 @@ package grpcserver
 
 import (
 	"context"
+	"net/http/httptest"
 	"testing"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
+
 	pb "git.wntrmute.dev/kyle/mcr/gen/mcr/v1"
-	"git.wntrmute.dev/kyle/mcr/internal/auth"
 )
 
+// testMCIAS is a package-level variable set by adminDeps for reuse.
+var testMCIASSrv *httptest.Server
+
+// adminDeps returns Deps with an admin-capable authenticator and a fresh DB.
 func adminDeps(t *testing.T) Deps {
 	t.Helper()
+	mcias := mockMCIAS(t)
+	testMCIASSrv = mcias
+	auth := testAuthenticator(t, mcias.URL)
 	return Deps{
-		DB: openTestDB(t),
-		Validator: &fakeValidator{
-			claims: &auth.Claims{Subject: "admin-uuid", AccountType: "human", Roles: []string{"admin"}},
-		},
+		DB:            openTestDB(t),
+		Authenticator: auth,
 	}
 }
 
+// adminCtx returns a context with an admin bearer token.
 func adminCtx() context.Context {
 	return withAuth(context.Background(), "admin-token")
 }
 
+// userCtx returns a context with a regular user bearer token.
+func userCtx() context.Context {
+	return withAuth(context.Background(), "user-token")
+}
+
+// adminDepsWithAuthenticator returns Deps using the given authenticator.
+func adminDepsWithAuthenticator(t *testing.T, auth *mcdslauth.Authenticator) Deps {
+	t.Helper()
+	return Deps{
+		DB:            openTestDB(t),
+		Authenticator: auth,
+	}
+}
+
 func TestListRepositoriesEmpty(t *testing.T) {
 	deps := adminDeps(t)
 	cc := startTestServer(t, deps)
@@ -142,3 +164,37 @@ func TestGarbageCollectTrigger(t *testing.T) {
 		t.Fatal("expected non-empty GC ID")
 	}
 }
+
+func TestListRepositoriesRequiresAuth(t *testing.T) {
+	deps := adminDeps(t)
+	cc := startTestServer(t, deps)
+	client := pb.NewRegistryServiceClient(cc)
+
+	// No auth token -- should be unauthenticated.
+	_, err := client.ListRepositories(context.Background(), &pb.ListRepositoriesRequest{})
+	if err == nil {
+		t.Fatal("expected error for unauthenticated request")
+	}
+	st, ok := status.FromError(err)
+	if !ok {
+		t.Fatalf("expected gRPC status, got %v", err)
+	}
+	if st.Code() != codes.Unauthenticated {
+		t.Fatalf("code: got %v, want Unauthenticated", st.Code())
+	}
+}
+
+func TestListRepositoriesAllowsRegularUser(t *testing.T) {
+	deps := adminDeps(t)
+	cc := startTestServer(t, deps)
+	client := pb.NewRegistryServiceClient(cc)
+
+	// Regular user should be able to list repositories (auth-required, not admin-required).
+	resp, err := client.ListRepositories(userCtx(), &pb.ListRepositoriesRequest{})
+	if err != nil {
+		t.Fatalf("ListRepositories: %v", err)
+	}
+	if resp == nil {
+		t.Fatal("expected non-nil response")
+	}
+}