Fix SEC-01: require password for TOTP enroll
- REST handleTOTPEnroll now requires password field in request body
- gRPC EnrollTOTP updated with password field in proto message
- Both handlers check lockout status and record failures on bad password
- Updated Go, Python, and Rust client libraries to pass password
- Updated OpenAPI specs with new requestBody schema
- Added TestTOTPEnrollRequiresPassword with no-password, wrong-password, and correct-password sub-tests

Security: TOTP enrollment now requires the current password to prevent session-theft escalation to persistent account takeover. Lockout and failure recording use the same Argon2id constant-time path as login.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -45,8 +45,12 @@ message RenewTokenResponse {
// --- TOTP enrollment ---
// EnrollTOTPRequest carries no body; the acting account is from the JWT.
message EnrollTOTPRequest {}
// EnrollTOTPRequest carries the current password for re-authentication.
// Security (SEC-01): password is required to prevent a stolen session token
// from being used to enroll attacker-controlled TOTP on the victim's account.
message EnrollTOTPRequest {
string password = 1; // security: current password required; never logged
}
// EnrollTOTPResponse returns the TOTP secret and otpauth URI for display.
// Security: the secret is shown once; it is stored only in encrypted form.
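Review bot: the `// security: current password required; never logged` comment on `string password = 1;` is a promise that nothing in the schema enforces; any request-logging or tracing interceptor that dumps `EnrollTOTPRequest` will emit the plaintext password unless it is explicitly redacted. Consider marking the field with the protobuf `debug_redact` option (`string password = 1 [debug_redact = true];`, available in protobuf 3.22+) so generated debug/text output masks it, and confirm the gRPC logging path redacts this message. While here, the message comment documents why the password is required but not what the caller sees on failure: the commit message says both handlers check lockout and record failures, so a line stating the status returned on a wrong password or a locked account (and that failures count toward lockout) would keep the proto self-describing for the Go, Python and Rust clients this change updates.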