Migrate gRPC server to mcdsl grpcserver package

Replace metacrypt's hand-rolled gRPC interceptor chain with the mcdsl
grpcserver package, which provides TLS setup, logging, and method-map
auth (public/auth-required/admin-required) out of the box.

Metacrypt-specific interceptors are preserved as hooks:
- sealInterceptor runs as a PreInterceptor (before logging/auth)
- auditInterceptor runs as a PostInterceptor (after auth)

The three legacy method maps (seal/auth/admin) are restructured into
mcdsl's MethodMap (Public/AuthRequired/AdminRequired) plus a separate
seal-required map for the PreInterceptor. Token context is now stored
via mcdsl/auth.ContextWithTokenInfo instead of a package-local key.

Bumps mcdsl from v1.0.0 to v1.0.1 (adds PreInterceptors/PostInterceptors
to grpcserver.Options).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:42:41 -07:00
parent d308db8598
commit 310ed83f28
12 changed files with 264 additions and 378 deletions


@@ -9,6 +9,7 @@ import (
"google.golang.org/grpc/status"
pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
"git.wntrmute.dev/kyle/metacrypt/internal/engine/transit"
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
@@ -58,7 +59,7 @@ func (ts *transitServer) transitHandleRequest(ctx context.Context, mount, operat
}
func (ts *transitServer) callerInfo(ctx context.Context) *engine.CallerInfo {
ti := tokenInfoFromContext(ctx)
ti := auth.TokenInfoFromContext(ctx)
if ti == nil {
return nil
}
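Review bot: In callerInfo, a nil result from auth.TokenInfoFromContext still returns nil with no error or log line, so if the interceptor that writes the token and this reader ever disagree on the context key, every caller silently becomes nil here. A test that places a token in the context the same way the new interceptor chain does and asserts that callerInfo returns non-nil would catch that. The visible lines do not show how callers treat a nil *engine.CallerInfo, so it is also worth confirming they deny the request rather than proceed.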