trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.claude/settings.local.json

@@ -5,7 +5,26 @@
       "Bash(golangci-lint run:*)",
       "Bash(git restore:*)",
       "Bash(git add:*)",
-      "Bash(git commit:*)"
+      "Bash(git commit:*)",
+      "Bash(grep -n \"handleAdminResetPassword\\\\|handleChangePassword\" /Users/kyle/src/mcias/internal/ui/*.go)",
+      "Bash(go build:*)",
+      "Bash(sqlite3 /Users/kyle/src/mcias/run/mcias.db \"PRAGMA table_info\\(policy_rules\\);\" 2>&1)",
+      "Bash(sqlite3 /Users/kyle/src/mcias/run/mcias.db \"SELECT * FROM schema_version;\" 2>&1; sqlite3 /Users/kyle/src/mcias/run/mcias.db \"SELECT * FROM schema_migrations;\" 2>&1)",
+      "Bash(go run:*)",
+      "Bash(go list:*)"
+    ]
+  },
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "go build ./... 2>&1 | head -20"
+          }
+        ]
+      }
     ]
   }
 }

.claude/skills/checkpoint/SKILL.md

@@ -0,0 +1,8 @@
+# Checkpoint Skill
+
+1. Run `go build ./...`  abort if errors
+2. Run `go test ./...`  abort if failures
+3. Run `go vet ./...`
+4. Run `git add -A && git status`  show user what will be committed
+5. Ask user for commit message
+6. Run `git commit -m "<message>"` and verify with `git log -1`

.claude/tasks/security-audit/TASK.md

@@ -0,0 +1,8 @@
+Run a full security audit of this Go codebase. For each finding rated
+HIGH or CRITICAL: spawn a sub-agent using Task to implement the fix
+across all affected files (models, handlers, migrations, templates,
+tests). Each sub-agent must: 1) write a failing test that reproduces the
+vulnerability, 2) implement the fix, 3) run `go test ./...` and `go vet
+./...` in a loop until all pass, 4) commit with a message referencing
+the finding ID. After all sub-agents complete, generate a summary of
+what was fixed and what needs manual review.