Fix WebAuthn CSRF; clarify security key UI

- Fix webauthn.js CSRF token: read HMAC header value from
  body hx-headers attribute instead of cookie nonce
- Update profile labels to mention security keys/FIDO2
  alongside passkeys

Security: CSRF double-submit was broken for fetch()-based
WebAuthn requests — JS was sending the cookie nonce as the
header value instead of the HMAC. Fixed by reading the
server-rendered header token from the DOM.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/static/webauthn.js

@@ -25,10 +25,17 @@
     return bytes.buffer;
   }
 
-  // Get the CSRF token from the cookie for mutating requests.
+  // Get the CSRF token from the body's hx-headers attribute (HMAC header value).
+  // The cookie holds the nonce; the header holds the HMAC — they are different.
   function getCSRFToken() {
-    var match = document.cookie.match(/(?:^|;\s*)mcias_csrf=([^;]+)/);
-    return match ? match[1] : '';
+    try {
+      var hdr = document.body.getAttribute('hx-headers');
+      if (hdr) {
+        var parsed = JSON.parse(hdr);
+        if (parsed['X-CSRF-Token']) return parsed['X-CSRF-Token'];
+      }
+    } catch (e) { /* fall through */ }
+    return '';
   }
 
   function showError(id, msg) {