Add HTMX-based UI templates and handlers for account and audit management

- Introduced `web/templates/` for HTMX-fragmented pages (`dashboard`, `accounts`, `account_detail`, `error_fragment`, etc.).
- Implemented UI routes for account CRUD, audit log display, and login/logout with CSRF protection.
- Added `internal/ui/` package for handlers, CSRF manager, session validation, and token issuance.
- Updated documentation to include new UI features and templates directory structure.
- Security: Double-submit CSRF cookies, constant-time HMAC validation, login password/Argon2id re-verification at all steps to prevent bypass.

web/templates/fragments/roles_editor.html

@@ -0,0 +1,27 @@
+{{define "roles_editor"}}
+<div id="roles-editor">
+  <form hx-put="/accounts/{{.Account.UUID}}/roles"
+        hx-target="#roles-editor"
+        hx-swap="outerHTML">
+    <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
+    <div class="d-flex gap-1 align-center" style="flex-wrap:wrap;margin-bottom:.75rem">
+      {{range .AllRoles}}
+      <label style="display:flex;align-items:center;gap:.35rem;font-size:.875rem;cursor:pointer">
+        <input type="checkbox" name="roles" value="{{.}}"
+               {{if hasRole $.Roles .}}checked{{end}}>
+        {{.}}
+      </label>
+      {{end}}
+    </div>
+    <div style="margin-bottom:.75rem">
+      <label style="font-size:.875rem;font-weight:600;display:block;margin-bottom:.25rem">Custom role</label>
+      <div class="d-flex gap-1">
+        <input class="form-control" type="text" name="custom_role" placeholder="e.g. editor"
+               style="max-width:200px;font-size:.875rem">
+        <span class="text-muted text-small" style="align-self:center">(optional)</span>
+      </div>
+    </div>
+    <button class="btn btn-sm btn-primary" type="submit">Save Roles</button>
+  </form>
+</div>
+{{end}}