Migrate db, auth to mcdsl; remove mcias client dependency

- db.Open: delegate to mcdsl/db.Open
- db.Migrate: convert to mcdsl/db.Migration format, delegate
- auth: type aliases for TokenInfo/Authenticator/Config from mcdsl,
  re-export error sentinels, Logout helper
- cmd/server: construct auth.Authenticator from Config (not mcias.Client)
- server/routes.go logout: use auth.Logout(authenticator, token)
- grpcserver/auth.go: same logout pattern, fix Login return type
  (time.Time not string)
- webserver: replace mcias.Client with mcdsl/auth for service token
  validation; resolveUser degrades to raw UUID (TODO: restore when
  mcias client library is properly tagged)
- Dockerfiles: bump to golang:1.25-alpine, remove gcc/musl-dev,
  add VERSION build arg
- Deploy: add docker-compose-rift.yml with localhost-only port mapping
- Remove git.wntrmute.dev/kyle/mcias/clients/go dependency entirely
- All tests pass, net -185 lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/auth.go

@@ -2,15 +2,13 @@ package grpcserver
 
 import (
 	"context"
-	"time"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
-	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
-
 	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
+	"git.wntrmute.dev/kyle/metacrypt/internal/auth"
 )
 
 type authServer struct {
@@ -19,13 +17,13 @@ type authServer struct {
 }
 
 func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginResponse, error) {
-	token, expiresAtStr, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
+	token, expiresAtTime, err := as.s.auth.Login(req.Username, req.Password, req.TotpCode)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, "invalid credentials")
 	}
 	var expiresAt *timestamppb.Timestamp
-	if t, err := time.Parse(time.RFC3339, expiresAtStr); err == nil {
-		expiresAt = timestamppb.New(t)
+	if !expiresAtTime.IsZero() {
+		expiresAt = timestamppb.New(expiresAtTime)
 	}
 	as.s.logger.Info("audit: login", "username", req.Username)
 	return &pb.LoginResponse{Token: token, ExpiresAt: expiresAt}, nil
@@ -33,13 +31,7 @@ func (as *authServer) Login(_ context.Context, req *pb.LoginRequest) (*pb.LoginR
 
 func (as *authServer) Logout(ctx context.Context, _ *pb.LogoutRequest) (*pb.LogoutResponse, error) {
 	token := extractToken(ctx)
-	client, err := mcias.New(as.s.cfg.MCIAS.ServerURL, mcias.Options{
-		CACertPath: as.s.cfg.MCIAS.CACert,
-		Token:      token,
-	})
-	if err == nil {
-		_ = as.s.auth.Logout(client)
-	}
+	_ = auth.Logout(as.s.auth, token)
 	as.s.logger.Info("audit: logout", "username", callerUsername(ctx))
 	return &pb.LogoutResponse{}, nil
 }

internal/grpcserver/grpcserver_test.go

@@ -74,7 +74,7 @@ func newTestGRPCServer(t *testing.T) (*GRPCServer, func()) {
 	sealMgr := seal.NewManager(database, b, nil, slog.Default())
 	policyEngine := policy.NewEngine(b)
 	reg := newTestRegistry()
-	authenticator := auth.NewAuthenticator(nil, slog.Default())
+	authenticator, _ := auth.NewAuthenticator(auth.Config{ServerURL: "http://localhost:0"}, slog.Default())
 	cfg := &config.Config{
 		Seal: config.SealConfig{
 			Argon2Time:    1,
@@ -159,7 +159,7 @@ func TestSealInterceptor_SkipsUnlistedMethod(t *testing.T) {
 }
 
 func TestAuthInterceptor_MissingToken(t *testing.T) {
-	authenticator := auth.NewAuthenticator(nil, slog.Default())
+	authenticator, _ := auth.NewAuthenticator(auth.Config{ServerURL: "http://localhost:0"}, slog.Default())
 	methods := map[string]bool{"/test.Service/Method": true}
 	interceptor := authInterceptor(authenticator, slog.Default(), methods)
 
@@ -173,7 +173,7 @@ func TestAuthInterceptor_MissingToken(t *testing.T) {
 }
 
 func TestAuthInterceptor_SkipsUnlistedMethod(t *testing.T) {
-	authenticator := auth.NewAuthenticator(nil, slog.Default())
+	authenticator, _ := auth.NewAuthenticator(auth.Config{ServerURL: "http://localhost:0"}, slog.Default())
 	methods := map[string]bool{"/test.Service/Other": true}
 	interceptor := authInterceptor(authenticator, slog.Default(), methods)