Add grpcserver test coverage

- Add comprehensive test file for internal/grpcserver package
- Cover interceptors, system, engine, policy, and auth handlers
- Cover pbToRule/ruleToPB conversion helpers
- 37 tests total; CA/PKI/ACME and Login/Logout skipped (require live deps)

Co-authored-by: Junie <junie@jetbrains.com>

internal/grpcserver/auth.go

@@ -2,13 +2,15 @@ package grpcserver
 
 import (
 	"context"
+	"time"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
 
-	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
+	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
 )
 
 type authServer struct {
@@ -17,10 +19,14 @@ type authServer struct {
 }
 
 func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginResponse, error) {
-	token, expiresAt, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
+	token, expiresAtStr, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, "invalid credentials")
 	}
+	var expiresAt *timestamppb.Timestamp
+	if t, err := time.Parse(time.RFC3339, expiresAtStr); err == nil {
+		expiresAt = timestamppb.New(t)
+	}
 	return &pb.LoginResponse{Token: token, ExpiresAt: expiresAt}, nil
 }