v0.23.0 — CSRF protection on all browser-facing POST endpoints

Controller:
- internal/web/csrf.go (new): CsrfProtect middleware, csrfToken/csrfField helpers
- auth.go: per-session CSRF token (csrfToken field, csrfTokenForSession method)
- server.go: executeTemplate wrapper auto-injects CSRFField+CSRFToken
- main.go: wire CsrfProtect on all routes; bump to v0.23.0
- handlers.go, storage_handlers.go, handler_restore.go: executeTemplate
- All templates: CSRFField in forms, meta csrf-token, csrfHeaders() JS helper,
  fetch calls updated; sendBeacon→fetch+keepalive in storage_attach.html

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

controller/internal/web/templates/storage_init.html

@@ -122,7 +122,7 @@ function scanDisks() {
     errEl.style.display = 'none';
     resultEl.style.display = 'none';
 
-    fetch('/api/storage/scan', {method:'POST'})
+    fetch('/api/storage/scan', {method:'POST', headers: csrfHeaders()})
         .then(function(r){ return r.json(); })
         .then(function(data) {
             btn.textContent = '🔍 Meghajtók keresése';
@@ -242,7 +242,7 @@ document.getElementById('init-form').addEventListener('submit', function(e) {
 
     fetch('/api/storage/init', {
         method: 'POST',
-        headers: {'Content-Type': 'application/json'},
+        headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
         body: JSON.stringify(body)
     }).then(function(r){ return r.json(); })
     .then(function(data) {