test: add comprehensive test suite (44 tests across 3 packages)

Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
  (creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination

Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)

Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio

Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

web/templates/pages/fave_detail.html

@@ -23,6 +23,7 @@
 
 {{define "content"}}
 {{with .Data}}
+    {{$d := .}}
     <article>
         {{with .Fave}}
             {{if .ImagePath}}
@@ -54,7 +55,7 @@
 
             <footer>
                 <small>Lagt til {{.CreatedAt.Format "02.01.2006"}}</small>
-                {{if $.IsOwner}}
+                {{if $d.IsOwner}}
                     <nav class="fave-actions">
                         <a href="{{basePath}}/faves/{{.ID}}/edit" role="button" class="outline">Rediger</a>
                         <button