feat: implement Phase 1 (auth) and Phase 2 (faves CRUD) foundation

Go backend with server-rendered HTML/HTMX frontend, SQLite database,
and filesystem image storage. Self-hostable single-binary architecture.

Phase 1 — Authentication & project foundation:
- Argon2id password hashing with timing-attack prevention
- Session management with cookie-based auth and periodic cleanup
- Login, signup (open/requests/closed modes), logout, forced password reset
- CSRF double-submit cookie pattern with HTMX auto-inclusion
- Proxy-aware real IP extraction (WireGuard/Tailscale support)
- Configurable base path for subdomain and subpath deployment
- Rate limiting on auth endpoints with background cleanup
- Security headers (CSP, X-Frame-Options, Referrer-Policy)
- Structured logging with slog, graceful shutdown
- Pico CSS + HTMX vendored and embedded via go:embed

Phase 2 — Faves CRUD with tags and images:
- Full CRUD for favorites with ownership checks
- Image upload with EXIF stripping, resize to 1920px, UUID filenames
- Tag system with HTMX autocomplete (prefix search, popularity-sorted)
- Privacy controls (public/private per fave, user-configurable default)
- Tag browsing, pagination, batch tag loading (avoids N+1)
- OpenGraph meta tags on public fave detail pages

Includes code quality pass: extracted shared helpers, fixed signup
request persistence bug, plugged rate limiter memory leak, removed
dead code, and logged previously-swallowed errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/middleware/ratelimit.go

@@ -0,0 +1,89 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"net/http"
+	"sync"
+	"time"
+)
+
+// RateLimiter implements a simple per-IP token bucket rate limiter for
+// protecting auth endpoints from brute-force attacks.
+type RateLimiter struct {
+	mu       sync.Mutex
+	visitors map[string]*bucket
+	rate     int
+	window   time.Duration
+}
+
+type bucket struct {
+	tokens    int
+	lastReset time.Time
+}
+
+// NewRateLimiter creates a rate limiter that allows `rate` requests per minute per IP.
+func NewRateLimiter(rate int) *RateLimiter {
+	return &RateLimiter{
+		visitors: make(map[string]*bucket),
+		rate:     rate,
+		window:   time.Minute,
+	}
+}
+
+// Limit wraps a handler with rate limiting based on the real client IP.
+func (rl *RateLimiter) Limit(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip := RealIPFromContext(r.Context())
+		if ip == "" {
+			ip = r.RemoteAddr
+		}
+
+		if !rl.allow(ip) {
+			http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (rl *RateLimiter) allow(ip string) bool {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	now := time.Now()
+
+	b, ok := rl.visitors[ip]
+	if !ok {
+		rl.visitors[ip] = &bucket{tokens: rl.rate - 1, lastReset: now}
+		return true
+	}
+
+	// Reset tokens if the window has passed.
+	if now.Sub(b.lastReset) >= rl.window {
+		b.tokens = rl.rate - 1
+		b.lastReset = now
+		return true
+	}
+
+	if b.tokens <= 0 {
+		return false
+	}
+
+	b.tokens--
+	return true
+}
+
+// Cleanup removes stale entries. Call periodically from a goroutine.
+func (rl *RateLimiter) Cleanup() {
+	rl.mu.Lock()
+	defer rl.mu.Unlock()
+
+	now := time.Now()
+	for ip, b := range rl.visitors {
+		if now.Sub(b.lastReset) >= 2*rl.window {
+			delete(rl.visitors, ip)
+		}
+	}
+}