Add HTMX-based UI templates and handlers for account and audit management

- Introduced `web/templates/` for HTMX-fragmented pages (`dashboard`, `accounts`, `account_detail`, `error_fragment`, etc.).
- Implemented UI routes for account CRUD, audit log display, and login/logout with CSRF protection.
- Added `internal/ui/` package for handlers, CSRF manager, session validation, and token issuance.
- Updated documentation to include new UI features and templates directory structure.
- Security: Double-submit CSRF cookies, constant-time HMAC validation, login password/Argon2id re-verification at all steps to prevent bypass.

web/templates/fragments/totp_step.html

@@ -0,0 +1,18 @@
+{{define "totp_step"}}
+<form id="login-form" method="POST" action="/login"
+      hx-post="/login" hx-target="#login-form" hx-swap="outerHTML">
+  {{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
+  <input type="hidden" name="username" value="{{.Username}}">
+  <input type="hidden" name="password" value="{{.Password}}">
+  <input type="hidden" name="totp_step" value="1">
+  <div class="form-group">
+    <label for="totp_code">Authenticator Code</label>
+    <input class="form-control" type="text" id="totp_code" name="totp_code"
+           autocomplete="one-time-code" inputmode="numeric" pattern="[0-9]{6}"
+           maxlength="6" required autofocus placeholder="6-digit code">
+  </div>
+  <div class="form-actions">
+    <button class="btn btn-primary" type="submit" style="width:100%">Verify</button>
+  </div>
+</form>
+{{end}}