Add grpcserver test coverage

- Add comprehensive test file for internal/grpcserver package
- Cover interceptors, system, engine, policy, and auth handlers
- Cover pbToRule/ruleToPB conversion helpers
- 37 tests total; CA/PKI/ACME and Login/Logout skipped (require live deps)

Co-authored-by: Junie <junie@jetbrains.com>

internal/server/routes.go

@@ -96,15 +96,19 @@ func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
 
 	if err := s.seal.Unseal([]byte(req.Password)); err != nil {
 		if errors.Is(err, seal.ErrNotInitialized) {
+			s.logger.Warn("unseal attempt on uninitialized service", "remote_addr", r.RemoteAddr)
 			http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
 		} else if errors.Is(err, seal.ErrInvalidPassword) {
+			s.logger.Warn("unseal attempt with invalid password", "remote_addr", r.RemoteAddr)
 			http.Error(w, `{"error":"invalid password"}`, http.StatusUnauthorized)
 		} else if errors.Is(err, seal.ErrRateLimited) {
+			s.logger.Warn("unseal attempt rate limited", "remote_addr", r.RemoteAddr)
 			http.Error(w, `{"error":"too many attempts, try again later"}`, http.StatusTooManyRequests)
 		} else if errors.Is(err, seal.ErrNotSealed) {
+			s.logger.Warn("unseal attempt on already-unsealed service", "remote_addr", r.RemoteAddr)
 			http.Error(w, `{"error":"already unsealed"}`, http.StatusConflict)
 		} else {
-			s.logger.Error("unseal failed", "error", err)
+			s.logger.Error("unseal failed", "remote_addr", r.RemoteAddr, "error", err)
 			http.Error(w, `{"error":"unseal failed"}`, http.StatusInternalServerError)
 		}
 		return
@@ -116,6 +120,7 @@ func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	s.logger.Info("service unsealed", "remote_addr", r.RemoteAddr)
 	writeJSON(w, http.StatusOK, map[string]interface{}{
 		"state": s.seal.State().String(),
 	})