Add ACME (RFC 8555) server and Go client library

Implements full ACME protocol support in Metacrypt:

- internal/acme: core types, JWS verification (ES256/384/512 + RS256),
  nonce store, per-mount handler, all RFC 8555 protocol endpoints,
  HTTP-01 and DNS-01 challenge validation, EAB management
- internal/server/acme.go: management REST routes (EAB create, config,
  list accounts/orders) + ACME protocol route dispatch
- proto/metacrypt/v1/acme.proto: ACMEService (CreateEAB, SetConfig,
  ListAccounts, ListOrders) — protocol endpoints are HTTP-only per RFC
- clients/go: new Go module with MCIAS-auth bootstrap, ACME account
  registration, certificate issuance/renewal, HTTP-01 and DNS-01
  challenge providers
- .claude/launch.json: dev server configuration

EAB is required for all account creation; MCIAS-authenticated users
obtain a single-use KID + HMAC-SHA256 key via POST /v1/acme/{mount}/eab.

internal/config/config.go

@@ -19,10 +19,11 @@ type Config struct {
 
 // ServerConfig holds HTTP/gRPC server settings.
 type ServerConfig struct {
-	ListenAddr string `toml:"listen_addr"`
-	GRPCAddr   string `toml:"grpc_addr"`
-	TLSCert    string `toml:"tls_cert"`
-	TLSKey     string `toml:"tls_key"`
+	ListenAddr  string `toml:"listen_addr"`
+	GRPCAddr    string `toml:"grpc_addr"`
+	TLSCert     string `toml:"tls_cert"`
+	TLSKey      string `toml:"tls_key"`
+	ExternalURL string `toml:"external_url"` // public base URL for ACME directory, e.g. "https://metacrypt.example.com"
 }
 
 // DatabaseConfig holds SQLite database settings.