Add ACME (RFC 8555) server and Go client library

Implements full ACME protocol support in Metacrypt:

- internal/acme: core types, JWS verification (ES256/384/512 + RS256),
  nonce store, per-mount handler, all RFC 8555 protocol endpoints,
  HTTP-01 and DNS-01 challenge validation, EAB management
- internal/server/acme.go: management REST routes (EAB create, config,
  list accounts/orders) + ACME protocol route dispatch
- proto/metacrypt/v1/acme.proto: ACMEService (CreateEAB, SetConfig,
  ListAccounts, ListOrders) — protocol endpoints are HTTP-only per RFC
- clients/go: new Go module with MCIAS-auth bootstrap, ACME account
  registration, certificate issuance/renewal, HTTP-01 and DNS-01
  challenge providers
- .claude/launch.json: dev server configuration

EAB is required for all account creation; MCIAS-authenticated users
obtain a single-use KID + HMAC-SHA256 key via POST /v1/acme/{mount}/eab.
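The commit message describes external account binding (EAB) with a single-use KID and an HMAC-SHA256 key. The following is an added example of how that binding works on the wire per RFC 8555 section 7.3.4 and how a server enforces it; it is not Metacrypt's code. The in-memory `EABStore`, the newAccount URL and the account JWK are constructed for the example, and `Issue` stands in for whatever the real `POST /v1/acme/{mount}/eab` route returns. The client side (`BuildEAB`) signs the account's public JWK with the HMAC key; the server side (`VerifyEAB`) checks the algorithm, the URL, that the payload is exactly the key registering the account, compares the MAC in constant time, and only then consumes the KID so it cannot be reused.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Every JWS segment is base64url without padding.
var b64 = base64.RawURLEncoding

// eabHeader is the protected header of the externalAccountBinding JWS
// (RFC 8555 section 7.3.4): HS256, the server-issued kid and the newAccount
// URL. Unlike other ACME JWS it carries no nonce.
type eabHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	URL string `json:"url"`
}

// EABStore is a hypothetical in-memory stand-in for the server's EAB store:
// kid -> HMAC key, removed on first successful use.
type EABStore struct {
	mu   sync.Mutex
	keys map[string][]byte
}

func NewEABStore() *EABStore { return &EABStore{keys: map[string][]byte{}} }

// Issue mints a random kid and a 32-byte HMAC-SHA256 key for one account
// registration (the role the page's POST /v1/acme/{mount}/eab route plays).
func (s *EABStore) Issue() (string, []byte, error) {
	buf := make([]byte, 48) // 16 bytes of kid material + 32-byte HMAC key
	if _, err := rand.Read(buf); err != nil {
		return "", nil, err
	}
	kid, key := b64.EncodeToString(buf[:16]), buf[16:]
	s.mu.Lock()
	s.keys[kid] = key
	s.mu.Unlock()
	return kid, key, nil
}

// BuildEAB is the client side: the account's public JWK is the payload and
// the signing input is protected || "." || payload, as for any compact JWS.
func BuildEAB(kid string, key []byte, newAccountURL string, accountJWK []byte) (map[string]string, error) {
	hdr, err := json.Marshal(eabHeader{Alg: "HS256", Kid: kid, URL: newAccountURL})
	if err != nil {
		return nil, err
	}
	protected, payload := b64.EncodeToString(hdr), b64.EncodeToString(accountJWK)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(protected + "." + payload))
	return map[string]string{
		"protected": protected,
		"payload":   payload,
		"signature": b64.EncodeToString(mac.Sum(nil)),
	}, nil
}

// VerifyEAB is the server side of newAccount. accountJWK is the "jwk" from
// the outer newAccount JWS header; the EAB payload must be exactly that key,
// so a captured binding cannot be replayed to register a different key.
func (s *EABStore) VerifyEAB(eab map[string]string, newAccountURL string, accountJWK []byte) error {
	hdrBytes, err1 := b64.DecodeString(eab["protected"])
	payload, err2 := b64.DecodeString(eab["payload"])
	sig, err3 := b64.DecodeString(eab["signature"])
	var hdr eabHeader
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return errors.New("eab: malformed JWS")
	}
	if hdr.Alg != "HS256" || hdr.URL != newAccountURL {
		return errors.New("eab: wrong alg or url")
	}
	if !bytes.Equal(payload, accountJWK) {
		return errors.New("eab: payload is not the account key")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	key, ok := s.keys[hdr.Kid]
	if !ok {
		return errors.New("eab: unknown or already-used kid")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(eab["protected"] + "." + eab["payload"]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return errors.New("eab: bad signature")
	}
	delete(s.keys, hdr.Kid) // single use: consumed only after a successful check
	return nil
}

func main() {
	s := NewEABStore()
	url := "https://acme.example.test/v1/acme/pki/new-account" // constructed
	jwk := []byte(`{"kty":"EC","crv":"P-256","x":"constructed-x","y":"constructed-y"}`)
	kid, key, _ := s.Issue()
	eab, _ := BuildEAB(kid, key, url, jwk)
	fmt.Println("first use:", s.VerifyEAB(eab, url, jwk), "second use:", s.VerifyEAB(eab, url, jwk))
}
```

The ordering in `VerifyEAB` matters: the KID is deleted only after the MAC check succeeds, so a malformed or forged request does not burn a legitimately issued credential, while a successful registration makes the same binding unusable a second time.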
@@ -71,6 +71,13 @@ func NewManager(db *sql.DB, b *barrier.AESGCMBarrier) *Manager {
}
}
// Barrier returns the underlying barrier for direct access by subsystems
// that need to read/write encrypted storage (e.g. ACME state).
// The barrier must only be used when the service is unsealed.
func (m *Manager) Barrier() *barrier.AESGCMBarrier {
return m.barrier
}
// State returns the current service state.
func (m *Manager) State() ServiceState {
m.mu.RLock()
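Review bot: the new `Barrier()` accessor hands out the raw `*barrier.AESGCMBarrier` with no check of the service state, so the rule in its own doc comment ("must only be used when the service is unsealed") is enforced only by convention in every subsystem that calls it; since `State()` and `m.mu.RLock()` sit right below, consider making the accessor return an error (or nil) when the state is not unsealed, or at least documenting that callers must check `State()` first and that the returned barrier must not be cached across a later seal.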