Fix WebAuthn login: username pre-fill and policy check

- webauthn.js: read #username value before calling
  mciasWebAuthnLogin so non-discoverable keys work when
  a username is typed (previously always passed empty string,
  forcing discoverable/resident-key flow only)

- handleWebAuthnLoginFinish: evaluate auth:login policy after
  credential verification, mirroring the gate in handleLogin;
  returns 403 on deny so policy rules apply equally to both
  password and passkey authentication paths

Security: policy is checked post-verification so 403 vs 401
distinguishes a policy restriction from a bad credential without
leaking account existence. No service context is sent (WebAuthn
login carries no service_name/tags), so per-service deny rules
don't fire on passkey login; account-level deny rules do.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 14:04:51 -07:00
parent 39d9ffb79a
commit db7cd73a6e
2 changed files with 29 additions and 2 deletions


@@ -206,10 +206,12 @@
if (loginBtn) {
loginBtn.addEventListener('click', function () {
hideError('webauthn-login-error');
var usernameInput = document.getElementById('username');
var username = usernameInput ? usernameInput.value.trim() : '';
loginBtn.disabled = true;
loginBtn.textContent = 'Waiting for authenticator...';
window.mciasWebAuthnLogin('', function () {
window.mciasWebAuthnLogin(username, function () {
window.location.href = '/dashboard';
}, function (err) {
loginBtn.disabled = false;
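Review bot: with `window.mciasWebAuthnLogin(username, function () {` now forwarding whatever the user typed into `#username`, the begin-login request carries a user-supplied name, so the server-side begin handler needs to answer uniformly (same response shape, and as far as practical the same timing) whether or not that account exists; otherwise the "without leaking account existence" property the commit message claims for the finish step does not hold for the begin step, and that handler is not part of this hunk, so please confirm it. The fallback `var username = usernameInput ? usernameInput.value.trim() : '';` correctly keeps the empty-string path when the field is blank or absent, so the discoverable-credential flow is preserved. Minor: the hunk is shown without its `diff --git` file header, so the path (webauthn.js per the message) is not visible here.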