Add TOTP enrollment to web UI

- Profile page TOTP section with enrollment flow:
  password re-auth → QR code + manual entry → 6-digit confirm
- Server-side QR code generation (go-qrcode, data: URI PNG)
- Admin "Remove TOTP" button on account detail page
- Enrollment nonces: sync.Map with 5-minute TTL, single-use
- Template fragments: totp_section.html, totp_enroll_qr.html
- Handler: handlers_totp.go (enroll start, confirm, admin remove)

Security: Password re-auth before secret generation (SEC-01).
Lockout checked before Argon2. CSRF on all endpoints. Single-use
enrollment nonces with expiry. TOTP counter replay prevention
(CRIT-01). Self-removal not permitted (admin only).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/templates/account_detail.html

@@ -14,7 +14,18 @@
     <dt class="text-muted">Type</dt><dd>{{.Account.AccountType}}</dd>
     <dt class="text-muted">Status</dt>
     <dd id="status-cell">{{template "account_status" .}}</dd>
-    <dt class="text-muted">TOTP</dt><dd>{{if .Account.TOTPRequired}}Enabled{{else}}Disabled{{end}}</dd>
+    <dt class="text-muted">TOTP</dt>
+    <dd id="totp-admin-status">
+      {{if .Account.TOTPRequired}}
+        Enabled
+        <button class="btn btn-sm btn-danger" style="margin-left:.5rem"
+                hx-delete="/accounts/{{.Account.UUID}}/totp"
+                hx-target="#totp-admin-status"
+                hx-swap="innerHTML"
+                hx-confirm="Remove TOTP for this account?"
+                hx-headers='{"X-CSRF-Token": "{{.CSRFToken}}"}'>Remove</button>
+      {{else}}Disabled{{end}}
+    </dd>
     {{if .WebAuthnEnabled}}<dt class="text-muted">Passkeys</dt><dd>{{len .WebAuthnCreds}} registered</dd>{{end}}
     <dt class="text-muted">Created</dt><dd class="text-small">{{formatTime .Account.CreatedAt}}</dd>
     <dt class="text-muted">Updated</dt><dd class="text-small">{{formatTime .Account.UpdatedAt}}</dd>