fix(admin): show TOTP prompt instead of redirecting on 2fa-required login

The login form's hx-on::after-request redirected to /admin/ on any 2xx
response. The TOTP-required path also returns 2xx — with an HTML
fragment that unhides the TFA section — so the redirect fired before
the user ever saw the code input, locking out anyone who had enrolled
TOTP.

Only redirect when the 2xx body is empty (the real-login signal). When
the body is non-empty it's the prompt fragment, which htmx swaps into
#err and whose inline <script> reveals #tfa-section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

admin_ui/login.html

@@ -22,7 +22,15 @@
       hx-post="/admin/login"
       hx-target="#err"
       hx-swap="innerHTML"
-      hx-on::after-request="if (event.detail.successful) window.location.href = '/admin/'"
+      hx-on::after-request="
+        const xhr = event.detail.xhr;
+        if (event.detail.successful && (xhr.responseText || '').trim() === '') {
+          /* Empty 2xx body = real login. The TOTP-required path returns 2xx
+             with an HTML prompt fragment, which we MUST NOT redirect away
+             from. */
+          window.location.href = '/admin/';
+        }
+      "
     >
       <div>
         <label class="block text-xs font-medium text-slate-400 mb-1" for="username">Username</label>