Fix SEC-01: require password for TOTP enroll

- REST handleTOTPEnroll now requires password field in request body
- gRPC EnrollTOTP updated with password field in proto message
- Both handlers check lockout status and record failures on bad password
- Updated Go, Python, and Rust client libraries to pass password
- Updated OpenAPI specs with new requestBody schema
- Added TestTOTPEnrollRequiresPassword with no-password, wrong-password,
  and correct-password sub-tests

Security: TOTP enrollment now requires the current password to prevent
session-theft escalation to persistent account takeover. Lockout and
failure recording use the same Argon2id constant-time path as login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

clients/rust/src/lib.rs

@@ -484,9 +484,12 @@ impl Client {
 
     /// Begin TOTP enrollment. Returns `(secret, otpauth_uri)`.
     /// The secret is shown once; store it in an authenticator app immediately.
-    pub async fn enroll_totp(&self) -> Result<(String, String), MciasError> {
+    ///
+    /// Security (SEC-01): current password is required to prevent session-theft
+    /// escalation to persistent account takeover.
+    pub async fn enroll_totp(&self, password: &str) -> Result<(String, String), MciasError> {
         let resp: TotpEnrollResponse =
-            self.post("/v1/auth/totp/enroll", &serde_json::json!({})).await?;
+            self.post("/v1/auth/totp/enroll", &serde_json::json!({"password": password})).await?;
         Ok((resp.secret, resp.otpauth_uri))
     }
 

clients/rust/tests/client_tests.rs

@@ -449,7 +449,7 @@ async fn test_enroll_totp() {
         .await;
 
     let c = admin_client(&server).await;
-    let (secret, uri) = c.enroll_totp().await.unwrap();
+    let (secret, uri) = c.enroll_totp("testpass123").await.unwrap();
     assert_eq!(secret, "JBSWY3DPEHPK3PXP");
     assert!(uri.starts_with("otpauth://totp/"));
 }