feat: MFA frontend with auth page restyling, challenge screen, and setup wizard

- Restyle organizer auth pages: Dutch text, remove placeholder social login
- Restyle portal auth pages to Vuexy v1 centered card pattern with decorative shapes
- MFA challenge card component with VOtpInput, method tabs, backup code input,
  trusted device checkbox, and session countdown timer
- Login pages handle mfa_required response with device fingerprint header
- Security settings page with TOTP setup (QR code), email setup, disable MFA,
  backup codes regeneration, and trusted devices management
- Portal profile page includes MFA security section
- Admin user detail page shows MFA status with reset button
- MFA enforcement route guard redirects to security settings when required
- Device fingerprint utility for trusted device identification
- MFA types, composables with TanStack Query for both apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/app/src/plugins/1.router/guards.ts

@@ -44,6 +44,12 @@ export function setupGuards(router: Router) {
       return { path: '/login', query: { to: to.fullPath } }
     }
 
+    // MFA enforcement — redirect to security settings if MFA setup is required
+    if (authStore.mfaSetupRequired && to.path !== '/account-settings/security') {
+      if (import.meta.env.DEV) console.log('🔒 MFA setup required, redirecting to security settings')
+      return { path: '/account-settings/security' }
+    }
+
     // Platform admin routes — require super_admin role
     if (to.path.startsWith('/platform')) {
       if (!authStore.isSuperAdmin) {