feat: add authentication routes with session login, WebAuthn, and credential management

Implement Phase 4 auth routes: password login/logout, WebAuthn
registration and authentication, magic link registration, and
credential management pages with HTMX. Includes session middleware,
Jinja2 templates, vendored HTMX, and last-credential guardrails.

120 tests passing.

src/fastapi_oidc_op/config.py

@@ -29,6 +29,9 @@ class Settings(BaseSettings):
     # Management RP
     manage_client_id: str = "manage-app"
 
+    # Session
+    session_secret: str | None = None  # If None, a random secret is generated per process
+
     # Magic links
     invite_ttl: int = 86400  # seconds