trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/templates/base.html

@@ -23,12 +23,14 @@
 </nav>
 <main>
   <div class="container">
+    <div id="htmx-error-banner" role="alert" style="display:none"></div>
     {{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
     {{if .Flash}}<div class="alert alert-success" role="status">{{.Flash}}</div>{{end}}
     {{block "content" .}}{{end}}
   </div>
 </main>
 <script src="/static/htmx.min.js"></script>
+<script src="/static/mcias.js"></script>
 </body>
 </html>
 {{end}}