Add WebAuthn config; Docker single-mount

- Add [webauthn] section to all config examples
- Add active WebAuthn config to run/mcias.conf
- Update Dockerfile to use /srv/mcias single mount
- Add WebAuthn and TOTP sections to RUNBOOK.md
- Fix TOTP QR display (template.URL type)
- Add --force-rm to docker build in Makefile

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/ui/ui.go

@@ -931,11 +931,11 @@ type ProfileData struct { //nolint:govet // fieldalignment: readability over ali
 	WebAuthnEnabled bool
 	// TOTP enrollment fields (populated only during enrollment flow).
 	TOTPEnabled     bool
-	TOTPSecret      string // base32-encoded; shown once during enrollment
-	TOTPQR          string // data:image/png;base64,... QR code
-	TOTPEnrollNonce string // single-use nonce for confirm step
-	TOTPError       string // enrollment-specific error message
-	TOTPSuccess     string // success flash after confirmation
+	TOTPSecret      string       // base32-encoded; shown once during enrollment
+	TOTPQR          template.URL // data:image/png;base64,... QR code; template.URL bypasses URL escaping
+	TOTPEnrollNonce string       // single-use nonce for confirm step
+	TOTPError       string       // enrollment-specific error message
+	TOTPSuccess     string       // success flash after confirmation
 }
 
 // PGCredsData is the view model for the "My PG Credentials" list page.