Add PG creds + policy/tags UI; fix lint and build

- internal/ui/ui.go: add PGCred, Tags to AccountDetailData; register
  PUT /accounts/{id}/pgcreds and PUT /accounts/{id}/tags routes; add
  pgcreds_form.html and tags_editor.html to shared template set; remove
  unused AccountTagsData; fix fieldalignment on PolicyRuleView, PoliciesData
- internal/ui/handlers_accounts.go: add handleSetPGCreds — encrypts
  password via crypto.SealAESGCM, writes audit EventPGCredUpdated, renders
  pgcreds_form fragment; password never echoed; load PG creds and tags in
  handleAccountDetail
- internal/ui/handlers_policy.go: fix handleSetAccountTags to render with
  AccountDetailData instead of removed AccountTagsData
- internal/ui/ui_test.go: add 5 PG credential UI tests
- web/templates/fragments/pgcreds_form.html: new fragment — metadata display
  + set/replace form; system accounts only; password write-only
- web/templates/fragments/tags_editor.html: new fragment — textarea editor
  with HTMX PUT for atomic tag replacement
- web/templates/fragments/policy_form.html: rewrite to use structured fields
  matching handleCreatePolicyRule (roles/account_types/actions multi-select,
  resource_type, subject_uuid, service_names, required_tags, checkbox)
- web/templates/policies.html: new policies management page
- web/templates/fragments/policy_row.html: new HTMX table row with toggle
  and delete
- web/templates/account_detail.html: add Tags card and PG Credentials card
- web/templates/base.html: add Policies nav link
- internal/server/server.go: remove ~220 lines of duplicate tag/policy
  handler code (real implementations are in handlers_policy.go)
- internal/policy/engine_wrapper.go: fix corrupted source; use errors.New
- internal/db/policy_test.go: use model.AccountTypeHuman constant
- cmd/mciasctl/main.go: add nolint:gosec to int(os.Stdin.Fd()) calls
- gofmt/goimports: db/policy_test.go, policy/defaults.go,
  policy/engine_test.go, ui/ui.go, cmd/mciasctl/main.go
- fieldalignment: model.PolicyRuleRecord, policy.Engine, policy.Rule,
  policy.RuleBody, ui.PolicyRuleView
Security: PG password encrypted AES-256-GCM with fresh random nonce before
storage; plaintext never logged or returned in any response; audit event
written on every credential write.

web/templates/fragments/policy_row.html

@@ -0,0 +1,42 @@
+{{define "policy_row"}}
+<tr id="policy-row-{{.ID}}">
+  <td class="text-small text-muted">{{.ID}}</td>
+  <td class="text-small">{{.Priority}}</td>
+  <td>
+    <strong>{{.Description}}</strong>
+    <details style="margin-top:.25rem">
+      <summary class="text-small text-muted" style="cursor:pointer">Show rule JSON</summary>
+      <pre style="font-size:.75rem;background:#f8fafc;padding:.5rem;border-radius:4px;overflow:auto;margin-top:.25rem">{{.RuleJSON}}</pre>
+    </details>
+  </td>
+  <td class="text-small">
+    {{/* Extract effect from RuleJSON via prettyJSON — displayed separately */}}
+    <span class="badge {{if .Enabled}}badge-active{{else}}badge-inactive{{end}}">
+      {{if .Enabled}}enabled{{else}}disabled{{end}}
+    </span>
+  </td>
+  <td>
+    {{if .Enabled}}
+    <button class="btn btn-sm btn-secondary"
+            hx-patch="/policies/{{.ID}}/enabled"
+            hx-vals='{"enabled":"0"}'
+            hx-target="#policy-row-{{.ID}}"
+            hx-swap="outerHTML">Disable</button>
+    {{else}}
+    <button class="btn btn-sm btn-secondary"
+            hx-patch="/policies/{{.ID}}/enabled"
+            hx-vals='{"enabled":"1"}'
+            hx-target="#policy-row-{{.ID}}"
+            hx-swap="outerHTML">Enable</button>
+    {{end}}
+  </td>
+  <td class="text-small text-muted">{{.UpdatedAt}}</td>
+  <td>
+    <button class="btn btn-sm btn-danger"
+            hx-delete="/policies/{{.ID}}"
+            hx-target="#policy-row-{{.ID}}"
+            hx-swap="outerHTML"
+            hx-confirm="Delete policy rule {{.ID}}? This cannot be undone.">Delete</button>
+  </td>
+</tr>
+{{end}}