v0.23.0 — CSRF protection on all browser-facing POST endpoints

Controller:
- internal/web/csrf.go (new): CsrfProtect middleware, csrfToken/csrfField helpers
- auth.go: per-session CSRF token (csrfToken field, csrfTokenForSession method)
- server.go: executeTemplate wrapper auto-injects CSRFField+CSRFToken
- main.go: wire CsrfProtect on all routes; bump to v0.23.0
- handlers.go, storage_handlers.go, handler_restore.go: executeTemplate
- All templates: CSRFField in forms, meta csrf-token, csrfHeaders() JS helper,
  fetch calls updated; sendBeacon→fetch+keepalive in storage_attach.html

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

controller/internal/web/auth.go

@@ -14,6 +14,7 @@ import (
 
 type session struct {
 	expiresAt time.Time
+	csrfToken string
 }
 
 const (
@@ -141,13 +142,32 @@ func (s *Server) createSession() string {
 	_, _ = rand.Read(b)
 	token := hex.EncodeToString(b)
 
+	csrfB := make([]byte, 32)
+	_, _ = rand.Read(csrfB)
+	csrfToken := hex.EncodeToString(csrfB)
+
 	s.sessionsMu.Lock()
-	s.sessions[token] = &session{expiresAt: time.Now().Add(sessionMaxAge)}
+	s.sessions[token] = &session{
+		expiresAt: time.Now().Add(sessionMaxAge),
+		csrfToken: csrfToken,
+	}
 	s.sessionsMu.Unlock()
 
 	return token
 }
 
+// csrfTokenForSession returns the CSRF token for the given session cookie value.
+// Returns "" if the session is invalid or expired.
+func (s *Server) csrfTokenForSession(sessionToken string) string {
+	s.sessionsMu.RLock()
+	defer s.sessionsMu.RUnlock()
+	sess, ok := s.sessions[sessionToken]
+	if !ok || time.Now().After(sess.expiresAt) {
+		return ""
+	}
+	return sess.csrfToken
+}
+
 func (s *Server) isValidSession(token string) bool {
 	s.sessionsMu.RLock()
 	defer s.sessionsMu.RUnlock()