
feat: add Secure Portal with TOTP/2FA authentication#1

Closed
Neorichi wants to merge 1 commit into BugTraceAI:main from Neorichi:main

Conversation

@Neorichi (Contributor)

Add a secondary admin portal at /secure-portal that requires mandatory
TOTP-based two-factor authentication, coexisting with the standard
/admin (no 2FA).

Features:

  • TOTP setup with QR code generation
  • 2FA login flow with 6-digit authenticator codes
  • Pre-configured test user (admin2fa) for easy testing
  • Integrates with existing auth system

New vulnerabilities planted:

  • V-030: No rate-limit on TOTP verification (brute force)
  • V-031: TOTP secret exposed in login response

Acorzo1983 added a commit that referenced this pull request Feb 19, 2026
New admin portal with mandatory two-factor authentication using TOTP.
Includes 2 new planted vulnerabilities: no rate-limit on TOTP brute force
(V-031) and TOTP secret disclosure in login response (V-032).

Based on PR #1 by Neorichi (RSanchez), adapted for MariaDB codebase.
@Acorzo1983 (Contributor)

Hey @Neorichi — thanks for this contribution! Great idea adding a TOTP/2FA portal with planted vulnerabilities.

We've integrated the feature into the current codebase (which has changed significantly since the PR was opened — migration from SQLite to MariaDB, restructured models, etc.). The implementation is now live:

What was integrated:

  • Secure Portal with TOTP/2FA login, setup wizard, and protected dashboard
  • Two new planted vulnerabilities: V-031 (TOTP brute force, no rate limiting) and V-032 (TOTP secret disclosed in login response)
  • New admin2fa seed user with pre-configured TOTP
  • Full frontend with 3 new pages matching the existing hive theme

Adaptations made:

  • Renumbered vulnerabilities (V-030 was already taken by "Known Vulnerable Components")
  • MySQL/MariaDB-compatible String(100) column lengths instead of unbounded
  • Adapted imports and auth patterns to current codebase structure
  • Credits preserved in source: secure_portal.py header

Closing this PR since we did a manual integration rather than a direct merge due to the codebase changes. Your contribution is credited in the code. Thanks again!
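The two planted weaknesses this thread describes (no rate limit on TOTP verification, and the TOTP secret returned in the login response, numbered V-030/V-031 in the PR and V-031/V-032 after the integration) can be seen side by side in the following added example. It is illustration code written for this page, not code from the BugTraceAI repository, from this PR, or from secure_portal.py; the in-memory user store, the made-up base32 secret, the lockout threshold and duration, and all function names are assumptions. The TOTP routine itself is plain RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), so it interoperates with ordinary authenticator apps.

```python
"""Added example: a TOTP login check in the vulnerable shape the PR plants,
next to a hardened version. Not code from the BugTraceAI project."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample user mirroring the PR's "admin2fa" idea. The secret is a
# made-up base32 string for this example, not a value from the project.
USERS = {
    "admin2fa": {"totp_secret": "JBSWY3DPEHPK3PXP"},
}

MAX_FAILURES = 5         # assumed lockout threshold
LOCKOUT_SECONDS = 300    # assumed lockout duration
FAILURE_LOG = {}         # username -> (failure count, timestamp of last failure)


def totp_code(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme standard authenticator apps use."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def _code_matches(secret_b32, code, timestamp):
    """Accept the current 30s step and one step either side (clock drift),
    comparing in constant time so the check itself leaks no timing."""
    if not (isinstance(code, str) and len(code) == 6 and code.isdigit()):
        return False
    return any(
        hmac.compare_digest(totp_code(secret_b32, timestamp + d * 30), code)
        for d in (-1, 0, 1)
    )


def verify_totp_vulnerable(username, code, timestamp=None):
    """The pattern the PR plants: unlimited attempts, secret echoed in the reply."""
    timestamp = time.time() if timestamp is None else timestamp
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "unknown user"}
    ok = _code_matches(user["totp_secret"], code, timestamp)
    # A 6-digit space with no throttling is brute-forceable; and returning the
    # seed lets anyone who reads this JSON generate valid codes indefinitely.
    return {"ok": ok, "user": username, "totp_secret": user["totp_secret"]}


def verify_totp_hardened(username, code, timestamp=None):
    """Same check with a per-user failure counter and lockout, and a reply
    that carries no secret material and no user-enumeration hint."""
    timestamp = time.time() if timestamp is None else timestamp
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "invalid credentials"}
    count, last = FAILURE_LOG.get(username, (0, 0))
    if count >= MAX_FAILURES:
        if timestamp - last < LOCKOUT_SECONDS:
            return {"ok": False, "error": "too many attempts, try later"}
        count = 0  # lockout window has expired; start counting afresh
    if not _code_matches(user["totp_secret"], code, timestamp):
        FAILURE_LOG[username] = (count + 1, timestamp)
        return {"ok": False, "error": "invalid credentials"}
    FAILURE_LOG.pop(username, None)  # success clears the counter
    return {"ok": True, "user": username}


def reset_failures():
    """Clear the in-memory lockout state (test/demo helper)."""
    FAILURE_LOG.clear()


if __name__ == "__main__":
    now = time.time()
    good = totp_code(USERS["admin2fa"]["totp_secret"], now)
    print("vulnerable reply:", verify_totp_vulnerable("admin2fa", good, now))
    print("hardened reply:  ", verify_totp_hardened("admin2fa", good, now))
```

In a real deployment the failure counter would live in the database or a shared cache rather than a module-level dict, and the lockout would be applied per account and per source address so that a distributed guesser cannot sidestep it; the point here is only that the hardened reply never includes `totp_secret` and that attempts are bounded.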

Acorzo1983 closed this Feb 19, 2026