Block guest accounts from web UI login
The web UI now validates the MCIAS token after login and rejects accounts with the guest role before setting the session cookie. This is defense-in-depth alongside the env:restricted MCIAS tag.

The webserver.New() constructor takes a new ValidateFunc parameter that inspects token roles post-authentication. MCIAS login does not return roles, so this requires an extra ValidateToken round-trip at login time (result is cached for 30s).

Security: guest role accounts are denied web UI access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
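A worked illustration of the flow the commit message describes, added here as an example and not code from the mcr-web project: a post-login hook in the shape of a `ValidateFunc`, a fail-closed role check that denies the `guest` role before any session cookie is built, and a 30-second cache of validation results keyed by a hash of the token. Everything in it is assumed: the `TokenInfo` type, the `ValidateFunc` signature, the `New` and `Login` names, and the `fakeMCIAS` stand-in for the ValidateToken round-trip with its constructed tokens; the real `webserver.New()` signature is not shown on this page.

```go
package main

import (
	"context"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// TokenInfo is what the ValidateToken round-trip is assumed to return.
type TokenInfo struct {
	Subject string
	Roles   []string
}

// ValidateFunc is the post-authentication hook (assumed shape, not the
// project's real signature): fetch the roles behind a freshly issued token.
type ValidateFunc func(ctx context.Context, token string) (TokenInfo, error)

var ErrGuestDenied = errors.New("guest accounts may not use the web UI")

type cacheEntry struct {
	info    TokenInfo
	expires time.Time
}

// Server stands in for the web UI server; results are cached for ttl under a
// hash of the token so raw bearer tokens never sit in memory.
type Server struct {
	validate ValidateFunc
	ttl      time.Duration
	now      func() time.Time // injectable clock so TTL expiry is testable
	mu       sync.Mutex
	cache    map[string]cacheEntry
}

func New(validate ValidateFunc, ttl time.Duration, now func() time.Time) *Server {
	return &Server{validate: validate, ttl: ttl, now: now, cache: map[string]cacheEntry{}}
}

// authorizeLogin runs after MCIAS authentication: any validator failure denies
// login (fail closed), and a guest role denies login whatever else it carries.
func (s *Server) authorizeLogin(ctx context.Context, token string) (TokenInfo, error) {
	key := fmt.Sprintf("%x", sha256.Sum256([]byte(token)))
	s.mu.Lock()
	e, hit := s.cache[key]
	s.mu.Unlock()
	info := e.info
	if !hit || !s.now().Before(e.expires) {
		var err error
		if info, err = s.validate(ctx, token); err != nil {
			return TokenInfo{}, fmt.Errorf("validate token: %w", err)
		}
		s.mu.Lock()
		s.cache[key] = cacheEntry{info: info, expires: s.now().Add(s.ttl)}
		s.mu.Unlock()
	}
	for _, r := range info.Roles {
		if r == "guest" {
			return TokenInfo{}, ErrGuestDenied
		}
	}
	return info, nil
}

// Login follows a successful MCIAS login: the session cookie is built only
// once the role check passes, so a denied login yields no cookie at all.
func (s *Server) Login(ctx context.Context, token string) (*http.Cookie, error) {
	info, err := s.authorizeLogin(ctx, token)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{Name: "session", Value: "sess-" + info.Subject, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}, nil
}

// fakeMCIAS is a constructed stand-in for the ValidateToken round-trip; *calls
// counts round-trips so the cache's effect is observable.
func fakeMCIAS(calls *int) ValidateFunc {
	tokens := map[string]TokenInfo{
		"tok-alice": {Subject: "alice", Roles: []string{"developer"}},
		"tok-guest": {Subject: "visitor", Roles: []string{"viewer", "guest"}},
	}
	return func(_ context.Context, token string) (TokenInfo, error) {
		*calls++
		if info, ok := tokens[token]; ok {
			return info, nil
		}
		return TokenInfo{}, errors.New("mcias: unknown token")
	}
}

func main() {
	calls := 0
	s := New(fakeMCIAS(&calls), 30*time.Second, time.Now)
	for _, tok := range []string{"tok-alice", "tok-alice", "tok-guest", "tok-bogus"} {
		c, err := s.Login(context.Background(), tok)
		fmt.Printf("%-9s cookie=%v err=%v round-trips=%d\n", tok, c != nil, err, calls)
	}
}
```

`Login` returns no cookie on any error, so an unreachable validator or an unknown token is handled the same way as a guest: denied. A role change on an already-validated token is not observed until its cache entry expires, so the TTL directly bounds that window; keying the cache by a SHA-256 of the token keeps the cache useful without retaining the bearer token itself.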
@@ -881,6 +881,10 @@ separate binary (`mcr-web`) that communicates with mcrsrv via gRPC.
- CSRF protection via signed double-submit cookies on all mutating requests.
- Session cookie: `HttpOnly`, `Secure`, `SameSite=Strict`.
- All user input escaped by `html/template`.
- Guest accounts are blocked at login. After MCIAS authentication succeeds,
the web UI validates the token and checks roles; accounts with the `guest`
role are denied access. This is defense-in-depth alongside the
`env:restricted` MCIAS tag.
---
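Review bot: the added bullet ("Guest accounts are blocked at login ... `env:restricted` MCIAS tag.") documents only the happy path; it should also state what happens when the post-login token validation fails or MCIAS is unreachable, which must refuse the login rather than fall open, since the commit message says this check depends on an extra ValidateToken round-trip at login time. The 30-second result cache from the commit message belongs here too, because it bounds how long a role change on an already-validated token goes unnoticed. Suggest extending the bullet with something like: `role are denied access. If the validation call fails, login is refused; validation results are cached for 30 seconds.`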
@@ -1059,7 +1063,7 @@ The audit log is append-only. It never contains credentials or token values.
| Threat | Mitigation |
|--------|------------|
| Unauthenticated access | All endpoints require MCIAS bearer token; `env:restricted` tag blocks guest/viewer login |
| Unauthenticated access | All endpoints require MCIAS bearer token; `env:restricted` tag blocks guest/viewer login; web UI additionally rejects `guest` role at login |
| Unauthorized push/delete | Policy engine enforces per-principal, per-repository access; default-deny for system accounts |
| Digest mismatch (supply chain) | All uploads verified against client-supplied digest; rejected if mismatch |
| Blob corruption | Content-addressed storage; digests verified on write. Periodic integrity scrub via `mcrctl scrub` (future) |
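Review bot: the reworded "Unauthenticated access" row appends "web UI additionally rejects `guest` role at login", but a token that has passed MCIAS login with the `guest` role is authenticated and merely unauthorized, so the mitigation belongs in its own row (for example "Guest/viewer access to the web UI") next to the authorization entries rather than under the bearer-token requirement. The row also exposes a gap worth resolving in the same change: `env:restricted` is described as blocking both guest and viewer login, while the new web UI check rejects only the `guest` role, so a viewer account on an MCIAS instance without the tag is not caught by the defense-in-depth layer; either extend the check to `viewer` or state explicitly why viewer is allowed through.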