refactor: replace custom CSRF and rate-limiting with off-the-shelf libraries

Replace custom CSRF middleware with gorilla/csrf and custom rate-limiting
middleware with go-chi/httprate, as requested in code review.

CSRF changes:
- Replace session-based CSRF tokens with gorilla/csrf cookie-based
  double-submit pattern (HMAC-authenticated cookies)
- Keep same form field name (csrf_token) for template compatibility
- Keep same route exclusions (webhook/API routes)
- In dev mode, mark requests as plaintext HTTP to skip Referer check

Rate limiting changes:
- Replace custom token-bucket rate limiter with httprate sliding-window
  counter (per-IP, 5 POST requests/min on login endpoint)
- Remove custom IP extraction (httprate.KeyByRealIP handles
  X-Forwarded-For, X-Real-IP, True-Client-IP)
- Remove custom cleanup goroutine (httprate manages its own state)

Kept as-is:
- SSRF prevention code (internal/delivery/ssrf.go) — application-specific
- CSRFToken() wrapper function — handlers unchanged

Updated README security section and architecture overview to reflect
library choices.

README.md

@@ -157,6 +157,10 @@ It uses:
   logging with TTY detection (text for dev, JSON for prod)
 - **[gorilla/sessions](https://github.com/gorilla/sessions)** for
   encrypted cookie-based session management
+- **[gorilla/csrf](https://github.com/gorilla/csrf)** for CSRF
+  protection (cookie-based double-submit tokens)
+- **[go-chi/httprate](https://github.com/go-chi/httprate)** for
+  per-IP login rate limiting (sliding window counter)
 - **[Prometheus](https://prometheus.io)** for metrics, served at
   `/metrics` behind basic auth
 - **[Sentry](https://sentry.io)** for optional error reporting
@@ -726,8 +730,8 @@ webhooker/
 │   │   └── logger.go          # slog setup with TTY detection
 │   ├── middleware/
 │   │   ├── middleware.go      # Logging, CORS, Auth, Metrics, MetricsAuth, SecurityHeaders, MaxBodySize
-│   │   ├── csrf.go            # CSRF protection middleware (session-based tokens)
-│   │   └── ratelimit.go       # Per-IP rate limiting middleware (login endpoint)
+│   │   ├── csrf.go            # CSRF protection middleware (gorilla/csrf)
+│   │   └── ratelimit.go       # Per-IP rate limiting middleware (go-chi/httprate)
 │   ├── server/
 │   │   ├── server.go          # Server struct, fx lifecycle, signal handling
 │   │   ├── http.go            # HTTP server setup with timeouts
@@ -814,17 +818,19 @@ Additionally, form endpoints (`/pages`, `/sources`, `/source/*`) apply a
   (`nosniff`), X-Frame-Options (`DENY`), Content-Security-Policy, Referrer-Policy,
   and Permissions-Policy
 - Request body size limits (1 MB) on all form POST endpoints
-- **CSRF protection** on all state-changing forms (session-based tokens
-  with constant-time comparison). Applied to `/pages`, `/sources`,
-  `/source`, and `/user` routes. Excluded from `/webhook` (inbound
-  webhook POSTs) and `/api` (stateless API)
+- **CSRF protection** via [gorilla/csrf](https://github.com/gorilla/csrf)
+  on all state-changing forms (cookie-based double-submit tokens with
+  HMAC authentication). Applied to `/pages`, `/sources`, `/source`, and
+  `/user` routes. Excluded from `/webhook` (inbound webhook POSTs) and
+  `/api` (stateless API)
 - **SSRF prevention** for HTTP delivery targets: private/reserved IP
   ranges (RFC 1918, loopback, link-local, cloud metadata) are blocked
   both at target creation time (URL validation) and at delivery time
   (custom HTTP transport with SSRF-safe dialer that validates resolved
   IPs before connecting, preventing DNS rebinding attacks)
-- **Login rate limiting**: per-IP rate limiter on the login endpoint
-  (5 attempts per minute per IP) to prevent brute-force attacks
+- **Login rate limiting** via [go-chi/httprate](https://github.com/go-chi/httprate):
+  per-IP sliding-window rate limiter on the login endpoint (5 POST
+  attempts per minute per IP) to prevent brute-force attacks
 - Prometheus metrics behind basic auth
 - Static assets embedded in binary (no filesystem access needed at
   runtime)