Implement Phase 1: core framework, operational tooling, and runbook

Core packages: crypto (Argon2id/AES-256-GCM), config (TOML/viper),
db (SQLite/migrations), barrier (encrypted storage), seal (state machine
with rate-limited unseal), auth (MCIAS integration with token cache),
policy (priority-based ACL engine), engine (interface + registry).

Server: HTTPS with TLS 1.2+, REST API, auth/admin middleware, htmx web UI
(init, unseal, login, dashboard pages).

CLI: cobra/viper subcommands (server, init, status, snapshot) with env
var override support (METACRYPT_ prefix).

Operational tooling: Dockerfile (multi-stage, non-root), docker-compose,
hardened systemd units (service + daily backup timer), install script,
backup script with retention pruning, production config examples.

Runbook covering installation, configuration, daily operations,
backup/restore, monitoring, troubleshooting, and security procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

web/templates/init.html

@@ -0,0 +1,17 @@
+{{define "title"}} - Initialize{{end}}
+{{define "content"}}
+<h2>Initialize Metacrypt</h2>
+<p>Set the seal password for this Metacrypt instance. This password will be required to unseal the service after each restart.</p>
+{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+<form method="POST" action="/init">
+    <div class="form-group">
+        <label for="password">Seal Password</label>
+        <input type="password" id="password" name="password" required autofocus>
+    </div>
+    <div class="form-group">
+        <label for="confirm">Confirm Password</label>
+        <input type="password" id="confirm" name="confirm" required>
+    </div>
+    <button type="submit">Initialize</button>
+</form>
+{{end}}