Migrate db, auth, and config to mcdsl

- db.Open: delegate to mcdsl/db.Open
- db.Migrate: rewrite migrations as mcdsl/db.Migration SQL strings,
  delegate to mcdsl/db.Migrate; keep SchemaVersion via mcdsl
- auth: thin shim wrapping mcdsl/auth.Authenticator, keeps Claims
  type (with Subject, AccountType, Roles) for policy engine compat;
  delete cache.go (handled by mcdsl/auth); add ErrForbidden
- config: embed mcdsl/config.Base for standard sections (Server with
  Duration fields, Database, MCIAS, Log); keep StorageConfig and
  WebConfig as MCR-specific; use mcdsl/config.Load[T] + Validator
- WriteTimeout now defaults to 30s (mcdsl default, was 0)
- All existing tests pass (auth tests rewritten for new shim API,
  cache expiry test removed — caching tested in mcdsl)
- Net -464 lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:10:46 -07:00
parent 593da3975d
commit 78f3eae651
11 changed files with 179 additions and 643 deletions

@@ -3,6 +3,12 @@ package auth
import "errors"
var (
ErrUnauthorized = errors.New("auth: unauthorized")
// ErrUnauthorized indicates the token is invalid or expired.
ErrUnauthorized = errors.New("auth: unauthorized")
// ErrForbidden indicates login was denied by MCIAS policy.
ErrForbidden = errors.New("auth: forbidden by policy")
// ErrMCIASUnavailable indicates MCIAS could not be reached.
ErrMCIASUnavailable = errors.New("auth: MCIAS unavailable")
)
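Review bot: the three sentinels in this var block are each created locally with errors.New, so errors.Is(err, ErrForbidden) in a caller only matches if the shim translates whatever mcdsl/auth returns into these exact values. State in the comments which path produces each one, or alias the mcdsl/auth sentinels if that package exports equivalents. The comment on ErrUnauthorized covers only an invalid or expired token, while ErrForbidden is described as a login outcome, so it is unclear which error a login rejected for bad credentials returns; spell that out, since handlers will presumably pick between a 401 and a 403 response on it. It would also help to note on ErrMCIASUnavailable that callers must treat it as a denial and not fall through to an allow.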