Fix F-08, F-12, F-13: Implement account lockout, username validation, and password minimum length enforcement

- Added failed login tracking for account lockout enforcement in `db` and `ui` layers; introduced `failed_logins` table to store attempts, window start, and attempt count.
- Updated login checks in `grpcserver/auth.go` and `ui/handlers_auth.go` to reject requests if the account is locked.
- Added immediate failure counter reset on successful login.
- Implemented username length and character set validation (F-12) and minimum password length enforcement (F-13) in shared `validate` package.
- Updated account creation and edit flows in `ui` and `grpcserver` layers to apply validation before hashing/processing.
- Added comprehensive unit tests for lockout, validation, and related edge cases.
- Updated `AUDIT.md` to mark F-08, F-12, and F-13 as fixed.
- Updated `openapi.yaml` to reflect new validation and lockout behaviors.

Security: Prevents brute-force attacks via lockout mechanism and strengthens defenses against weak and invalid input.

internal/db/migrate.go

@@ -118,6 +118,19 @@ CREATE INDEX IF NOT EXISTS idx_audit_event ON audit_log (event_type);
 -- The salt must be stable across restarts so the passphrase always yields the same key.
 -- We allow NULL signing_key_enc/nonce temporarily until the first signing key is generated.
 ALTER TABLE server_config ADD COLUMN master_key_salt BLOB;
+`,
+	},
+	{
+		id: 3,
+		sql: `
+-- Track per-account failed login attempts for lockout enforcement (F-08).
+-- One row per account; window_start resets when the window expires or on
+-- a successful login.  The DB layer enforces atomicity via UPDATE+INSERT.
+CREATE TABLE IF NOT EXISTS failed_logins (
+    account_id    INTEGER NOT NULL PRIMARY KEY REFERENCES accounts(id) ON DELETE CASCADE,
+    window_start  TEXT    NOT NULL,
+    attempt_count INTEGER NOT NULL DEFAULT 1
+);
 `,
 	},
 }