Migrate gRPC server to mcdsl grpcserver package

Replace metacrypt's hand-rolled gRPC interceptor chain with the mcdsl
grpcserver package, which provides TLS setup, logging, and method-map
auth (public/auth-required/admin-required) out of the box.

Metacrypt-specific interceptors are preserved as hooks:
- sealInterceptor runs as a PreInterceptor (before logging/auth)
- auditInterceptor runs as a PostInterceptor (after auth)

The three legacy method maps (seal/auth/admin) are restructured into
mcdsl's MethodMap (Public/AuthRequired/AdminRequired) plus a separate
seal-required map for the PreInterceptor. Token context is now stored
via mcdsl/auth.ContextWithTokenInfo instead of a package-local key.

Bumps mcdsl from v1.0.0 to v1.0.1 (adds PreInterceptors/PostInterceptors
to grpcserver.Options).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/interceptors.go

@@ -4,11 +4,9 @@ import (
 	"context"
 	"log/slog"
 	"path"
-	"strings"
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
 
 	"git.wntrmute.dev/kyle/metacrypt/internal/audit"
@@ -16,61 +14,9 @@ import (
 	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
 )
 
-type contextKey int
-
-const tokenInfoKey contextKey = iota
-
-func tokenInfoFromContext(ctx context.Context) *auth.TokenInfo {
-	v, _ := ctx.Value(tokenInfoKey).(*auth.TokenInfo)
-	return v
-}
-
-// authInterceptor validates the Bearer token from gRPC metadata and injects
-// *auth.TokenInfo into the context. The set of method full names that require
-// auth is passed in; all others pass through without validation.
-func authInterceptor(authenticator *auth.Authenticator, logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
-	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		if !methods[info.FullMethod] {
-			return handler(ctx, req)
-		}
-
-		token := extractToken(ctx)
-		if token == "" {
-			logger.Debug("grpc request rejected: missing token", "method", info.FullMethod)
-			return nil, status.Error(codes.Unauthenticated, "missing authorization token")
-		}
-
-		tokenInfo, err := authenticator.ValidateToken(token)
-		if err != nil {
-			logger.Debug("grpc request rejected: invalid token", "method", info.FullMethod, "error", err)
-			return nil, status.Error(codes.Unauthenticated, "invalid token")
-		}
-
-		logger.Debug("grpc request authenticated", "method", info.FullMethod, "username", tokenInfo.Username)
-		ctx = context.WithValue(ctx, tokenInfoKey, tokenInfo)
-		return handler(ctx, req)
-	}
-}
-
-// adminInterceptor requires IsAdmin on the token info for the listed methods.
-// Must run after authInterceptor.
-func adminInterceptor(logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
-	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		if !methods[info.FullMethod] {
-			return handler(ctx, req)
-		}
-		ti := tokenInfoFromContext(ctx)
-		if ti == nil || !ti.IsAdmin {
-			logger.Debug("grpc request rejected: admin required", "method", info.FullMethod)
-			return nil, status.Error(codes.PermissionDenied, "admin required")
-		}
-		logger.Debug("grpc admin request authorized", "method", info.FullMethod, "username", ti.Username)
-		return handler(ctx, req)
-	}
-}
-
 // sealInterceptor rejects calls with FailedPrecondition when the vault is
-// sealed, for the listed methods.
+// sealed, for the listed methods. It is intended to run as a PreInterceptor
+// in the mcdsl grpcserver chain, before logging and auth.
 func sealInterceptor(sealMgr *seal.Manager, logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 		if !methods[info.FullMethod] {
@@ -84,30 +30,17 @@ func sealInterceptor(sealMgr *seal.Manager, logger *slog.Logger, methods map[str
 	}
 }
 
-// chainInterceptors reduces a slice of interceptors into a single one.
-func chainInterceptors(interceptors ...grpc.UnaryServerInterceptor) grpc.UnaryServerInterceptor {
-	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		chain := handler
-		for i := len(interceptors) - 1; i >= 0; i-- {
-			next := chain
-			ic := interceptors[i]
-			chain = func(ctx context.Context, req interface{}) (interface{}, error) {
-				return ic(ctx, req, info, next)
-			}
-		}
-		return chain(ctx, req)
-	}
-}
-
-// auditInterceptor logs an audit event after each RPC completes. Must run
-// after authInterceptor so that caller info is available in the context.
+// auditInterceptor logs an audit event after each RPC completes. It is
+// intended to run as a PostInterceptor in the mcdsl grpcserver chain,
+// after auth so that caller info is available in the context via
+// auth.TokenInfoFromContext.
 func auditInterceptor(auditLog *audit.Logger) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 		resp, err := handler(ctx, req)
 
 		caller := "anonymous"
 		var roles []string
-		if ti := tokenInfoFromContext(ctx); ti != nil {
+		if ti := auth.TokenInfoFromContext(ctx); ti != nil {
 			caller = ti.Username
 			roles = ti.Roles
 		}
@@ -138,19 +71,3 @@ func auditInterceptor(auditLog *audit.Logger) grpc.UnaryServerInterceptor {
 		return resp, err
 	}
 }
-
-func extractToken(ctx context.Context) string {
-	md, ok := metadata.FromIncomingContext(ctx)
-	if !ok {
-		return ""
-	}
-	vals := md.Get("authorization")
-	if len(vals) == 0 {
-		return ""
-	}
-	v := vals[0]
-	if strings.HasPrefix(v, "Bearer ") {
-		return strings.TrimPrefix(v, "Bearer ")
-	}
-	return v
-}