Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper),
db (SQLite/migrations), barrier (encrypted storage), seal (state machine
with rate-limited unseal), auth (MCIAS integration with token cache),
policy (priority-based ACL engine), engine (interface + registry).

Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI
(init, unseal, login, dashboard pages).

CLI: cobra/viper subcommands (server, init, status, snapshot) with env
var override support (METACRYPT_ prefix).

Operational tooling: Dockerfile (multi-stage, non-root), docker-compose,
hardened systemd units (service + daily backup timer), install script,
backup script with retention pruning, production config examples.

Runbook covering installation, configuration, daily operations,
backup/restore, monitoring, troubleshooting, and security procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/scripts/backup.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+#
+# Create a timestamped Metacrypt database backup and prune old ones.
+#
+# Usage: ./backup.sh [retention_days]
+#   retention_days: number of days to keep backups (default: 30)
+#
+set -euo pipefail
+
+CONFIG="${METACRYPT_CONFIG:-/etc/metacrypt/metacrypt.toml}"
+BACKUP_DIR="${METACRYPT_BACKUP_DIR:-/var/lib/metacrypt/backups}"
+RETENTION_DAYS="${1:-30}"
+TIMESTAMP="$(date +%Y%m%d-%H%M%S)"
+BACKUP_FILE="${BACKUP_DIR}/metacrypt-${TIMESTAMP}.db"
+
+echo "==> Creating backup: ${BACKUP_FILE}"
+metacrypt snapshot --config "$CONFIG" --output "$BACKUP_FILE"
+
+echo "==> Pruning backups older than ${RETENTION_DAYS} days"
+find "$BACKUP_DIR" -name 'metacrypt-*.db' -mtime "+${RETENTION_DAYS}" -delete -print
+
+echo "==> Done"
+ls -lh "$BACKUP_DIR"/metacrypt-*.db 2>/dev/null | tail -5