refactor: replace custom CSRF and rate-limiting with off-the-shelf libraries

Replace custom CSRF middleware with gorilla/csrf and custom rate-limiting
middleware with go-chi/httprate, as requested in code review.

CSRF changes:
- Replace session-based CSRF tokens with gorilla/csrf cookie-based
  double-submit pattern (HMAC-authenticated cookies)
- Keep same form field name (csrf_token) for template compatibility
- Keep same route exclusions (webhook/API routes)
- In dev mode, mark requests as plaintext HTTP to skip Referer check

Rate limiting changes:
- Replace custom token-bucket rate limiter with httprate sliding-window
  counter (per-IP, 5 POST requests/min on login endpoint)
- Remove custom IP extraction (httprate.KeyByRealIP handles
  X-Forwarded-For, X-Real-IP, True-Client-IP)
- Remove custom cleanup goroutine (httprate manages its own state)

Kept as-is:
- SSRF prevention code (internal/delivery/ssrf.go) — application-specific
- CSRFToken() wrapper function — handlers unchanged

Updated README security section and architecture overview to reflect
library choices.

internal/session/testing.go

@@ -9,10 +9,13 @@ import (
 
 // NewForTest creates a Session with a pre-configured cookie store for use
 // in tests. This bypasses the fx lifecycle and database dependency, allowing
-// middleware and handler tests to use real session functionality.
-func NewForTest(store *sessions.CookieStore, cfg *config.Config, log *slog.Logger) *Session {
+// middleware and handler tests to use real session functionality. The key
+// parameter is the raw 32-byte authentication key used for session encryption
+// and CSRF cookie signing.
+func NewForTest(store *sessions.CookieStore, cfg *config.Config, log *slog.Logger, key []byte) *Session {
 	return &Session{
 		store:  store,
+		key:    key,
 		config: cfg,
 		log:    log,
 	}