Add CSRF protection to state-changing POST endpoints

Add gorilla/csrf middleware to protect all HTML-serving routes against
cross-site request forgery attacks. The webhook endpoint is excluded
since it uses secret-based authentication.

Changes:
- Add gorilla/csrf v1.7.3 dependency
- Add CSRF() middleware method using session secret as key
- Apply CSRF middleware to all HTML route groups in routes.go
- Pass CSRF token to all templates via addGlobals helper
- Add {{ .CSRFField }} / {{ $.CSRFField }} hidden inputs to all forms

Closes #11

internal/handlers/dashboard.go

@@ -67,7 +67,7 @@ func (h *Handlers) HandleDashboard() http.HandlerFunc {
 
 		data := h.addGlobals(map[string]any{
 			"AppStats": appStats,
-		})
+		}, request)
 
 		execErr := tmpl.ExecuteTemplate(writer, "dashboard.html", data)
 		if execErr != nil {