feat: implement Phase 1 (auth) and Phase 2 (faves CRUD) foundation

Go backend with server-rendered HTML/HTMX frontend, SQLite database,
and filesystem image storage. Self-hostable single-binary architecture.

Phase 1 — Authentication & project foundation:
- Argon2id password hashing with timing-attack prevention
- Session management with cookie-based auth and periodic cleanup
- Login, signup (open/requests/closed modes), logout, forced password reset
- CSRF double-submit cookie pattern with HTMX auto-inclusion
- Proxy-aware real IP extraction (WireGuard/Tailscale support)
- Configurable base path for subdomain and subpath deployment
- Rate limiting on auth endpoints with background cleanup
- Security headers (CSP, X-Frame-Options, Referrer-Policy)
- Structured logging with slog, graceful shutdown
- Pico CSS + HTMX vendored and embedded via go:embed

Phase 2 — Faves CRUD with tags and images:
- Full CRUD for favorites with ownership checks
- Image upload with EXIF stripping, resize to 1920px, UUID filenames
- Tag system with HTMX autocomplete (prefix search, popularity-sorted)
- Privacy controls (public/private per fave, user-configurable default)
- Tag browsing, pagination, batch tag loading (avoids N+1)
- OpenGraph meta tags on public fave detail pages

Includes code quality pass: extracted shared helpers, fixed signup
request persistence bug, plugged rate limiter memory leak, removed
dead code, and logged previously-swallowed errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/model/fave.go

@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package model
+
+import "time"
+
+type Fave struct {
+	ID          int64
+	UserID      int64
+	Description string
+	URL         string
+	ImagePath   string
+	Privacy     string
+	Tags        []Tag
+	CreatedAt   time.Time
+	UpdatedAt   time.Time
+
+	// Joined fields for display.
+	Username    string
+	DisplayName string
+}
+
+// IsPublic returns true if the fave is publicly visible.
+func (f *Fave) IsPublic() bool {
+	return f.Privacy == "public"
+}

internal/model/session.go

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package model
+
+import "time"
+
+type Session struct {
+	Token     string
+	UserID    int64
+	ExpiresAt time.Time
+	CreatedAt time.Time
+}

internal/model/settings.go

@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package model
+
+import "time"
+
+type SiteSettings struct {
+	SiteName        string
+	SiteDescription string
+	SignupMode      string
+	UpdatedAt       time.Time
+}
+
+// SignupOpen returns true if self-registration is allowed.
+func (s *SiteSettings) SignupOpen() bool {
+	return s.SignupMode == "open"
+}
+
+// SignupRequests returns true if signup requires admin approval.
+func (s *SiteSettings) SignupRequests() bool {
+	return s.SignupMode == "requests"
+}
+
+// SignupClosed returns true if no new signups are allowed.
+func (s *SiteSettings) SignupClosed() bool {
+	return s.SignupMode == "closed"
+}

internal/model/tag.go

@@ -0,0 +1,8 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package model
+
+type Tag struct {
+	ID   int64
+	Name string
+}

internal/model/user.go

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package model
+
+import "time"
+
+type User struct {
+	ID                 int64
+	Username           string
+	DisplayName        string
+	Bio                string
+	AvatarPath         string
+	PasswordHash       string
+	Role               string
+	ProfileVisibility  string
+	DefaultFavePrivacy string
+	MustResetPassword  bool
+	Disabled           bool
+	CreatedAt          time.Time
+	UpdatedAt          time.Time
+}
+
+// IsAdmin returns true if the user has the admin role.
+func (u *User) IsAdmin() bool {
+	return u.Role == "admin"
+}
+
+// DisplayNameOrUsername returns the display name if set, otherwise the username.
+func (u *User) DisplayNameOrUsername() string {
+	if u.DisplayName != "" {
+		return u.DisplayName
+	}
+	return u.Username
+}