Migrate db, auth to mcdsl; remove mcias client dependency

- db.Open: delegate to mcdsl/db.Open
- db.Migrate: convert to mcdsl/db.Migration format, delegate
- auth: type aliases for TokenInfo/Authenticator/Config from mcdsl,
  re-export error sentinels, Logout helper
- cmd/server: construct auth.Authenticator from Config (not mcias.Client)
- server/routes.go logout: use auth.Logout(authenticator, token)
- grpcserver/auth.go: same logout pattern, fix Login return type
  (time.Time not string)
- webserver: replace mcias.Client with mcdsl/auth for service token
  validation; resolveUser degrades to raw UUID (TODO: restore when
  mcias client library is properly tagged)
- Dockerfiles: bump to golang:1.25-alpine, remove gcc/musl-dev,
  add VERSION build arg
- Deploy: add docker-compose-rift.yml with localhost-only port mapping
- Remove git.wntrmute.dev/kyle/mcias/clients/go dependency entirely
- All tests pass, net -185 lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/metacrypt/server.go

@@ -8,7 +8,6 @@ import (
 	"os/signal"
 	"syscall"
 
-	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
 	"github.com/spf13/cobra"
 
 	"git.wntrmute.dev/kyle/metacrypt/internal/audit"
@@ -74,14 +73,14 @@ func runServer(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	mcClient, err := mcias.New(cfg.MCIAS.ServerURL, mcias.Options{
-		CACertPath: cfg.MCIAS.CACert,
-	})
+	authenticator, err := auth.NewAuthenticator(auth.Config{
+		ServerURL:   cfg.MCIAS.ServerURL,
+		CACert:      cfg.MCIAS.CACert,
+		ServiceName: "metacrypt",
+	}, logger)
 	if err != nil {
 		return err
 	}
-
-	authenticator := auth.NewAuthenticator(mcClient, logger)
 	policyEngine := policy.NewEngine(b)
 	engineRegistry := engine.NewRegistry(b, logger)
 	engineRegistry.RegisterFactory(engine.EngineTypeCA, ca.NewCAEngine)