Migrate db, auth to mcdsl; remove mcias client dependency

- db.Open: delegate to mcdsl/db.Open
- db.Migrate: convert to mcdsl/db.Migration format, delegate
- auth: type aliases for TokenInfo/Authenticator/Config from mcdsl,
  re-export error sentinels, Logout helper
- cmd/server: construct auth.Authenticator from Config (not mcias.Client)
- server/routes.go logout: use auth.Logout(authenticator, token)
- grpcserver/auth.go: same logout pattern, fix Login return type
  (time.Time not string)
- webserver: replace mcias.Client with mcdsl/auth for service token
  validation; resolveUser degrades to raw UUID (TODO: restore when
  mcias client library is properly tagged)
- Dockerfiles: bump to golang:1.25-alpine, remove gcc/musl-dev,
  add VERSION build arg
- Deploy: add docker-compose-rift.yml with localhost-only port mapping
- Remove git.wntrmute.dev/kyle/mcias/clients/go dependency entirely
- All tests pass, net -185 lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/webserver/server.go

@@ -15,7 +15,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 
-	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
+	mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
 	"git.wntrmute.dev/kyle/metacrypt/internal/config"
 	webui "git.wntrmute.dev/kyle/metacrypt/web"
 )
@@ -113,8 +113,7 @@ type cachedUsername struct {
 type WebServer struct {
 	cfg       *config.Config
 	vault     vaultBackend
-	mcias     *mcias.Client // optional; nil when no service_token is configured
-	logger    *slog.Logger
+	logger *slog.Logger
 	httpSrv   *http.Server
 	staticFS  fs.FS
 	csrf      *csrfProtect
@@ -136,22 +135,9 @@ func (ws *WebServer) resolveUser(id string) string {
 			return entry.username
 		}
 	}
-	if ws.mcias == nil {
-		ws.logger.Warn("webserver: no MCIAS client available, cannot resolve user ID", "id", id)
-		return id
-	}
-	ws.logger.Info("webserver: looking up user ID via MCIAS", "id", id)
-	acct, err := ws.mcias.GetAccount(id)
-	if err != nil {
-		ws.logger.Warn("webserver: failed to resolve user ID", "id", id, "error", err)
-		return id
-	}
-	ws.logger.Info("webserver: resolved user ID", "id", id, "username", acct.Username)
-	ws.userCache.Store(id, &cachedUsername{
-		username:  acct.Username,
-		expiresAt: time.Now().Add(userCacheTTL),
-	})
-	return acct.Username
+	// TODO: re-enable MCIAS account lookup once mcias client library is
+	// published with proper Go module tags. For now, return the raw ID.
+	return id
 }
 
 // New creates a new WebServer. It dials the vault gRPC endpoint.
@@ -177,22 +163,19 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
 	}
 
 	if tok := cfg.MCIAS.ServiceToken; tok != "" {
-		mc, err := mcias.New(cfg.MCIAS.ServerURL, mcias.Options{
-			CACertPath: cfg.MCIAS.CACert,
-			Token:      tok,
-		})
+		a, err := mcdslauth.New(mcdslauth.Config{
+			ServerURL: cfg.MCIAS.ServerURL,
+			CACert:    cfg.MCIAS.CACert,
+		}, logger)
 		if err != nil {
-			logger.Warn("webserver: failed to create MCIAS client for user resolution", "error", err)
+			logger.Warn("webserver: failed to create auth client for service token validation", "error", err)
 		} else {
-			claims, err := mc.ValidateToken(tok)
+			info, err := a.ValidateToken(tok)
 			switch {
 			case err != nil:
 				logger.Warn("webserver: MCIAS service token validation failed", "error", err)
-			case !claims.Valid:
-				logger.Warn("webserver: MCIAS service token is invalid or expired")
 			default:
-				logger.Info("webserver: MCIAS service token valid", "sub", claims.Sub, "roles", claims.Roles)
-				ws.mcias = mc
+				logger.Info("webserver: MCIAS service token valid", "username", info.Username, "roles", info.Roles)
 			}
 		}
 	}