v0.23.0 — CSRF protection on all browser-facing POST endpoints

Controller:
- internal/web/csrf.go (new): CsrfProtect middleware, csrfToken/csrfField helpers
- auth.go: per-session CSRF token (csrfToken field, csrfTokenForSession method)
- server.go: executeTemplate wrapper auto-injects CSRFField+CSRFToken
- main.go: wire CsrfProtect on all routes; bump to v0.23.0
- handlers.go, storage_handlers.go, handler_restore.go: executeTemplate
- All templates: CSRFField in forms, meta csrf-token, csrfHeaders() JS helper,
  fetch calls updated; sendBeacon→fetch+keepalive in storage_attach.html

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

controller/internal/web/templates/restore.html

@@ -205,7 +205,7 @@
         btn.innerHTML = '<span class="spinner"></span> Visszaállítás indítása...';
         if (skipBtn) skipBtn.style.display = 'none';
 
-        fetch('/api/restore/all', { method: 'POST' })
+        fetch('/api/restore/all', { method: 'POST', headers: csrfHeaders() })
             .then(function(resp) { return resp.json(); })
             .then(function(data) {
                 if (data.ok) {
@@ -229,7 +229,7 @@
 
     function skipRestore() {
         if (!confirm('Biztosan ki szeretné hagyni a visszaállítást? A vezérlőpult üres alkalmazáslistával fog elindulni.')) return;
-        fetch('/api/restore/skip', { method: 'POST' })
+        fetch('/api/restore/skip', { method: 'POST', headers: csrfHeaders() })
             .then(function(resp) { return resp.json(); })
             .then(function(data) {
                 if (data.ok) {
@@ -243,7 +243,7 @@
 
     function finishRestore(e) {
         e.preventDefault();
-        fetch('/api/restore/skip', { method: 'POST' })
+        fetch('/api/restore/skip', { method: 'POST', headers: csrfHeaders() })
             .then(function() { window.location.href = '/'; })
             .catch(function() { window.location.href = '/'; });
     }