feat: implement Phase 1 (auth) and Phase 2 (faves CRUD) foundation

Go backend with server-rendered HTML/HTMX frontend, SQLite database,
and filesystem image storage. Self-hostable single-binary architecture.

Phase 1 — Authentication & project foundation:
- Argon2id password hashing with timing-attack prevention
- Session management with cookie-based auth and periodic cleanup
- Login, signup (open/requests/closed modes), logout, forced password reset
- CSRF double-submit cookie pattern with HTMX auto-inclusion
- Proxy-aware real IP extraction (WireGuard/Tailscale support)
- Configurable base path for subdomain and subpath deployment
- Rate limiting on auth endpoints with background cleanup
- Security headers (CSP, X-Frame-Options, Referrer-Policy)
- Structured logging with slog, graceful shutdown
- Pico CSS + HTMX vendored and embedded via go:embed

Phase 2 — Faves CRUD with tags and images:
- Full CRUD for favorites with ownership checks
- Image upload with EXIF stripping, resize to 1920px, UUID filenames
- Tag system with HTMX autocomplete (prefix search, popularity-sorted)
- Privacy controls (public/private per fave, user-configurable default)
- Tag browsing, pagination, batch tag loading (avoids N+1)
- OpenGraph meta tags on public fave detail pages

Includes code quality pass: extracted shared helpers, fixed signup
request persistence bug, plugged rate limiter memory leak, removed
dead code, and logged previously-swallowed errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/middleware/realip.go

@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+)
+
+// RealIP extracts the real client IP from X-Forwarded-For, but only if the
+// direct connection comes from a trusted proxy. This is essential when Caddy
+// runs on a different machine (e.g. connected via WireGuard/Tailscale).
+func RealIP(trustedProxies []*net.IPNet) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ip := extractRealIP(r, trustedProxies)
+			ctx := context.WithValue(r.Context(), realIPKey, ip)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func extractRealIP(r *http.Request, trusted []*net.IPNet) string {
+	// Get the direct connection IP.
+	directIP, _, _ := net.SplitHostPort(r.RemoteAddr)
+	if directIP == "" {
+		directIP = r.RemoteAddr
+	}
+
+	// Only trust X-Forwarded-For if the direct connection is from a trusted proxy.
+	if !isTrusted(directIP, trusted) {
+		return directIP
+	}
+
+	// Parse X-Forwarded-For: client, proxy1, proxy2
+	// The rightmost non-trusted IP is the real client.
+	xff := r.Header.Get("X-Forwarded-For")
+	if xff == "" {
+		return directIP
+	}
+
+	ips := strings.Split(xff, ",")
+	// Walk from right to left, finding the first non-trusted IP.
+	for i := len(ips) - 1; i >= 0; i-- {
+		ip := strings.TrimSpace(ips[i])
+		if !isTrusted(ip, trusted) {
+			return ip
+		}
+	}
+
+	// All IPs in the chain are trusted; use the leftmost.
+	return strings.TrimSpace(ips[0])
+}
+
+func isTrusted(ipStr string, nets []*net.IPNet) bool {
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return false
+	}
+	for _, n := range nets {
+		if n.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}