Separate web UI into standalone metacrypt-web binary

The vault server holds in-memory unsealed state (KEK, engine keys) that
is lost on restart, requiring a full unseal ceremony. Previously the web
UI ran inside the vault process, so any UI change forced a restart and
re-unseal.

This change extracts the web UI into a separate metacrypt-web binary
that communicates with the vault over an authenticated gRPC connection.
The web server carries no sealed state and can be restarted freely.

- gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/
- internal/grpcserver/: full gRPC server implementation (System, Auth,
  Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors
- internal/webserver/: web server with gRPC vault client; templates
  embedded via web/embed.go (no runtime web/ directory needed)
- cmd/metacrypt-web/: standalone binary entry point
- internal/config: added [web] section (listen_addr, vault_grpc, etc.)
- internal/server/routes.go: removed all web UI routes and handlers
- cmd/metacrypt/server.go: starts gRPC server alongside HTTP server
- Deploy: Dockerfile builds both binaries, docker-compose adds
  metacrypt-web service, new metacrypt-web.service systemd unit,
  Makefile gains proto/metacrypt-web targets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/grpcserver/policy.go

@@ -0,0 +1,86 @@
+package grpcserver
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v1"
+	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
+)
+
+type policyServer struct {
+	pb.UnimplementedPolicyServiceServer
+	s *GRPCServer
+}
+
+func (ps *policyServer) CreatePolicy(ctx context.Context, req *pb.CreatePolicyRequest) (*pb.PolicyRule, error) {
+	if req.Rule == nil || req.Rule.Id == "" {
+		return nil, status.Error(codes.InvalidArgument, "rule.id is required")
+	}
+	rule := pbToRule(req.Rule)
+	if err := ps.s.policy.CreateRule(ctx, rule); err != nil {
+		ps.s.logger.Error("grpc: create policy", "error", err)
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+	return ruleToPB(rule), nil
+}
+
+func (ps *policyServer) ListPolicies(ctx context.Context, _ *pb.ListPoliciesRequest) (*pb.ListPoliciesResponse, error) {
+	rules, err := ps.s.policy.ListRules(ctx)
+	if err != nil {
+		ps.s.logger.Error("grpc: list policies", "error", err)
+		return nil, status.Error(codes.Internal, "internal error")
+	}
+	pbRules := make([]*pb.PolicyRule, 0, len(rules))
+	for i := range rules {
+		pbRules = append(pbRules, ruleToPB(&rules[i]))
+	}
+	return &pb.ListPoliciesResponse{Rules: pbRules}, nil
+}
+
+func (ps *policyServer) GetPolicy(ctx context.Context, req *pb.GetPolicyRequest) (*pb.PolicyRule, error) {
+	if req.Id == "" {
+		return nil, status.Error(codes.InvalidArgument, "id is required")
+	}
+	rule, err := ps.s.policy.GetRule(ctx, req.Id)
+	if err != nil {
+		return nil, status.Error(codes.NotFound, "not found")
+	}
+	return ruleToPB(rule), nil
+}
+
+func (ps *policyServer) DeletePolicy(ctx context.Context, req *pb.DeletePolicyRequest) (*pb.DeletePolicyResponse, error) {
+	if req.Id == "" {
+		return nil, status.Error(codes.InvalidArgument, "id is required")
+	}
+	if err := ps.s.policy.DeleteRule(ctx, req.Id); err != nil {
+		return nil, status.Error(codes.NotFound, "not found")
+	}
+	return &pb.DeletePolicyResponse{}, nil
+}
+
+func pbToRule(r *pb.PolicyRule) *policy.Rule {
+	return &policy.Rule{
+		ID:        r.Id,
+		Priority:  int(r.Priority),
+		Effect:    policy.Effect(r.Effect),
+		Usernames: r.Usernames,
+		Roles:     r.Roles,
+		Resources: r.Resources,
+		Actions:   r.Actions,
+	}
+}
+
+func ruleToPB(r *policy.Rule) *pb.PolicyRule {
+	return &pb.PolicyRule{
+		Id:        r.ID,
+		Priority:  int32(r.Priority),
+		Effect:    string(r.Effect),
+		Usernames: r.Usernames,
+		Roles:     r.Roles,
+		Resources: r.Resources,
+		Actions:   r.Actions,
+	}
+}