Fix F-02: replace password-in-hidden-field with nonce

- ui/ui.go: add pendingLogin struct and pendingLogins sync.Map
  to UIServer; add issueTOTPNonce (generates 128-bit random nonce,
  stores accountID with 90s TTL) and consumeTOTPNonce (single-use,
  expiry-checked LoadAndDelete); add dummyHash() method
- ui/handlers_auth.go: split handleLoginPost into step 1
  (password verify → issue nonce) and step 2 (handleTOTPStep,
  consume nonce → validate TOTP) via a new finishLogin helper;
  password never transmitted or stored after step 1
- ui/ui_test.go: refactor newTestMux to reuse new
  newTestUIServer; add TestTOTPNonceIssuedAndConsumed,
  TestTOTPNonceUnknownRejected, TestTOTPNonceExpired, and
  TestLoginPostPasswordNotInTOTPForm; 11/11 tests pass
- web/templates/fragments/totp_step.html: replace
  'name=password' hidden field with 'name=totp_nonce'
- db/accounts.go: add GetAccountByID for TOTP step lookup
- AUDIT.md: mark F-02 as fixed
Security: the plaintext password previously survived two HTTP
  round-trips and lived in the browser DOM during the TOTP step.
  The nonce approach means the password is verified once and
  immediately discarded; only an opaque random token tied to an
  account ID (never a credential) crosses the wire on step 2.
  Nonces are single-use and expire after 90 seconds to limit
  the window if one is captured.

AUDIT.md

@@ -221,7 +221,7 @@ The REST `handleTokenIssue` and gRPC `IssueServiceToken` both revoke the existin
 | Fixed? | ID | Severity | Title | Effort |
 |--------|----|----------|-------|--------|
 | Yes | F-01 | MEDIUM | TOTP enrollment sets required=1 before confirmation | Small |
-| No  | F-02 | MEDIUM | Password in HTML hidden fields during TOTP step | Medium |
+| Yes | F-02 | MEDIUM | Password in HTML hidden fields during TOTP step | Medium |
 | Yes | F-03 | MEDIUM | Token renewal not atomic (race window) | Small |
 | Yes | F-04 | MEDIUM | Rate limiter not applied to REST login endpoint | Small |
 | Yes | F-11 | MEDIUM | Missing security headers on UI responses | Small |