fix: add CSRF tokens to admin forms and HTML5 validation hints

Add hidden CSRF token inputs to admin profile, groups, and invite
forms. Add maxlength, pattern, and title attributes to invite input.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/porchlight/templates/admin/user_detail.html

@@ -11,6 +11,7 @@
 <section>
     <h2>Profile</h2>
     <form hx-post="/admin/users/{{ target_user.userid }}/profile" hx-target="#profile-status" hx-swap="innerHTML">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
         <div>
             <label for="given_name">Given name</label>
             <input type="text" id="given_name" name="given_name" value="{{ target_user.given_name or '' }}" maxlength="255">
@@ -48,6 +49,7 @@
     <h2>Groups</h2>
     <div id="groups-section">
         <form hx-post="/admin/users/{{ target_user.userid }}/groups" hx-target="#groups-status" hx-swap="innerHTML">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
             <div id="group-list">
                 {% for group in target_user.groups %}
                 <span class="group-tag">{{ group }}</span>

src/porchlight/templates/admin/users.html

@@ -8,8 +8,11 @@
 <section>
     <h2>Create invite</h2>
     <form hx-post="/admin/invite" hx-target="#invite-status" hx-swap="innerHTML">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
         <div class="admin-search">
-            <input type="text" name="username" placeholder="Username for new invite" required>
+            <input type="text" name="username" placeholder="Username or email for new invite" required
+                   maxlength="255" pattern="[a-zA-Z0-9_.@-]+"
+                   title="Letters, digits, dots, hyphens, underscores, and @">
             <button type="submit">Create invite</button>
         </div>
     </form>