Fix UI: install real HTMX, add PG creds and roles UI

- web/static/htmx.min.js: replace placeholder stub with
  htmx 2.0.4 (downloaded from unpkg.com). The placeholder
  only logged a console warning; no HTMX features worked,
  so form submissions fell back to native POSTs and the
  account_row fragment was returned as a raw HTML body
  rather than spliced into the table. This was the root
  cause of account creation appearing to 'do nothing'.
- internal/ui/ui.go: add pgcreds_form.html to shared
  template list; add PUT /accounts/{id}/pgcreds route;
  reorder AccountDetailData fields so embedded PageData
  does not shadow Account.
- internal/ui/handlers_accounts.go: add handleSetPGCreds
  handler — encrypts the submitted password with AES-256-GCM
  using the server master key before storage, validates
  system-account-only constraint, re-reads and re-renders
  the fragment after save. Add PGCred field population to
  handleAccountDetail.
- internal/ui/ui_test.go: add tests for account creation,
  role management, and PG credential handlers.
- web/templates/account_detail.html: add Postgres
  Credentials card for system accounts.
- web/templates/fragments/pgcreds_form.html: new fragment
  for the PG credentials form; CSRF token is supplied via
  the body-level hx-headers attribute in base.html.
Security: PG password is encrypted with AES-256-GCM
(crypto.SealAESGCM) before storage; a fresh nonce is
generated per call; the plaintext is never logged or
returned in responses.

web/templates/account_detail.html

@@ -34,4 +34,10 @@
   </div>
   {{template "token_list" .}}
 </div>
+{{if eq (string .Account.AccountType) "system"}}
+<div class="card">
+  <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Postgres Credentials</h2>
+  {{template "pgcreds_form" .}}
+</div>
+{{end}}
 {{end}}

web/templates/fragments/pgcreds_form.html

@@ -0,0 +1,35 @@
+{{define "pgcreds_form"}}
+<div id="pgcreds-section">
+  {{if .PGCred}}
+  <dl style="display:grid;grid-template-columns:140px 1fr;gap:.5rem .75rem;font-size:.9rem;margin-bottom:1rem">
+    <dt class="text-muted">Host</dt><dd>{{.PGCred.PGHost}}:{{.PGCred.PGPort}}</dd>
+    <dt class="text-muted">Database</dt><dd>{{.PGCred.PGDatabase}}</dd>
+    <dt class="text-muted">Username</dt><dd>{{.PGCred.PGUsername}}</dd>
+    <dt class="text-muted">Password</dt><dd><em class="text-muted">stored (not shown)</em></dd>
+    <dt class="text-muted">Updated</dt><dd class="text-small">{{formatTime .PGCred.UpdatedAt}}</dd>
+  </dl>
+  {{else}}
+  <p class="text-muted text-small" style="margin-bottom:1rem">No credentials stored.</p>
+  {{end}}
+  <form hx-put="/accounts/{{.Account.UUID}}/pgcreds"
+        hx-target="#pgcreds-section" hx-swap="outerHTML">
+    <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
+      <input class="form-control" type="text" name="host" placeholder="Host" required
+             value="{{if .PGCred}}{{.PGCred.PGHost}}{{end}}">
+      <input class="form-control" type="number" name="port" placeholder="Port (5432)"
+             min="1" max="65535"
+             value="{{if .PGCred}}{{.PGCred.PGPort}}{{end}}">
+    </div>
+    <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
+      <input class="form-control" type="text" name="database" placeholder="Database" required
+             value="{{if .PGCred}}{{.PGCred.PGDatabase}}{{end}}">
+      <input class="form-control" type="text" name="username" placeholder="Username" required
+             value="{{if .PGCred}}{{.PGCred.PGUsername}}{{end}}">
+    </div>
+    <input class="form-control" type="password" name="password"
+           placeholder="Password (required to update)" required
+           style="margin-bottom:.5rem">
+    <button class="btn btn-sm btn-secondary" type="submit">Save Credentials</button>
+  </form>
+</div>
+{{end}}