trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/token/token.go

@@ -70,11 +70,16 @@ func IssueToken(key ed25519.PrivateKey, issuer, subject string, roles []string,
 	exp := now.Add(expiry)
 	jti := uuid.New().String()
 
+	// Security (DEF-04): set NotBefore = now so tokens are not valid before
+	// the instant of issuance. This is a defence-in-depth measure: without
+	// nbf, a clock-skewed client or intermediate could present a token
+	// before its intended validity window.
 	jc := jwtClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    issuer,
 			Subject:   subject,
 			IssuedAt:  jwt.NewNumericDate(now),
+			NotBefore: jwt.NewNumericDate(now),
 			ExpiresAt: jwt.NewNumericDate(exp),
 			ID:        jti,
 		},
@@ -127,6 +132,9 @@ func ValidateToken(key ed25519.PublicKey, tokenString, expectedIssuer string) (*
 		jwt.WithIssuedAt(),
 		jwt.WithIssuer(expectedIssuer),
 		jwt.WithExpirationRequired(),
+		// Security (DEF-04): nbf is validated automatically by the library
+		// when the claim is present; no explicit option is needed. If nbf is
+		// in the future the library returns ErrTokenNotValidYet.
 	)
 	if err != nil {
 		// Map library errors to our typed errors for consistent handling.