Block guest accounts from web UI login

The web UI now validates the MCIAS token after login and rejects
accounts with the guest role before setting the session cookie.
This is defense-in-depth alongside the env:restricted MCIAS tag.

The webserver.New() constructor takes a new ValidateFunc parameter
that inspects token roles post-authentication. MCIAS login does not
return roles, so this requires an extra ValidateToken round-trip at
login time (result is cached for 30s).

Security: guest role accounts are denied web UI access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

PROGRESS.md

@@ -32,6 +32,30 @@ See `PROJECT_PLAN.md` for the implementation roadmap and
 ### Next Steps
 
 1. Deploy to rift (issue MCR service token, generate TLS cert, update mc-proxy routes)
+2. Consider adding roles to MCIAS login response to eliminate the extra ValidateToken round-trip
+
+### 2026-03-26 — Web UI: block guest login
+
+**Task:** Prevent MCIAS guest accounts from logging into the web UI.
+
+**Changes:**
+
+- `internal/webserver/server.go`: Added `ValidateFunc` type; `New()`
+  accepts a validate function to inspect tokens post-login.
+- `internal/webserver/auth.go`: After `loginFn` succeeds, calls
+  `validateFn` to retrieve roles. Rejects accounts with the `guest`
+  role before setting the session cookie.
+- `cmd/mcr-web/main.go`: Wires `ValidateFunc` via `authClient.ValidateToken()`.
+- `internal/webserver/server_test.go`: Added guest/user test accounts,
+  `validateFn` returning role-appropriate responses, `TestLoginDeniesGuest`.
+- `ARCHITECTURE.md`: Updated Web UI security section and threat mitigations
+  to document guest blocking as defense-in-depth.
+
+**Design note:** MCIAS `/v1/auth/login` does not return roles, so the
+web UI makes a second `ValidateToken` call after login to inspect them.
+This is an extra MCIAS round-trip at login time (cached for 30s). A
+future MCIAS change to include roles in the login response would
+eliminate this.
 
 ### 2026-03-25 — Phase 13: Deployment Artifacts