trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/auth/auth_test.go

@@ -101,13 +101,16 @@ func TestValidateTOTP(t *testing.T) {
 		t.Fatalf("hotp: %v", err)
 	}
 
-	ok, err := ValidateTOTP(rawSecret, code)
+	ok, counter, err := ValidateTOTP(rawSecret, code)
 	if err != nil {
 		t.Fatalf("ValidateTOTP: %v", err)
 	}
 	if !ok {
 		t.Errorf("ValidateTOTP rejected a valid code %q", code)
 	}
+	if ok && counter == 0 {
+		t.Errorf("ValidateTOTP returned zero counter for valid code")
+	}
 }
 
 // TestValidateTOTPWrongCode verifies that an incorrect code is rejected.
@@ -117,7 +120,7 @@ func TestValidateTOTPWrongCode(t *testing.T) {
 		t.Fatalf("GenerateTOTPSecret: %v", err)
 	}
 
-	ok, err := ValidateTOTP(rawSecret, "000000")
+	ok, _, err := ValidateTOTP(rawSecret, "000000")
 	if err != nil {
 		t.Fatalf("ValidateTOTP: %v", err)
 	}
@@ -135,7 +138,7 @@ func TestValidateTOTPWrongLength(t *testing.T) {
 	}
 
 	for _, code := range []string{"", "12345", "1234567", "abcdef"} {
-		ok, err := ValidateTOTP(rawSecret, code)
+		ok, _, err := ValidateTOTP(rawSecret, code)
 		if err != nil {
 			t.Errorf("ValidateTOTP(%q): unexpected error: %v", code, err)
 		}