Hold TOTP enrollment secret server-side and email user on activation

TOTP enrollment previously round-tripped the generated secret through a
hidden form field and saved whatever the client submitted, letting an
attacker with session access enroll a 2FA device they control by posting
their own secret plus a matching code. Stash the secret in the session
at GET /totp/new, read it only from the session at POST /totp, and drop
the hidden field from the view. Notify the user by email on successful
enrollment so unauthorized activations are visible even if a new vector
appears later.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

app/views/totp/new.html.erb

@@ -35,8 +35,6 @@
       <div>
         <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100 mb-4">Step 2: Verify</h3>
         <%= form_with url: totp_path, method: :post, class: "space-y-4" do |form| %>
-          <%= hidden_field_tag :totp_secret, @totp_secret %>
-
           <div>
             <%= label_tag :code, "Verification Code", class: "block text-sm font-medium text-gray-700 dark:text-gray-300" %>
             <%= text_field_tag :code,

app/views/totp_mailer/enabled.html.erb

@@ -0,0 +1,16 @@
+<p>Hello,</p>
+
+<p>
+  Two-factor authentication was just enabled on the Clinch account for
+  <strong><%= @user.email_address %></strong>.
+</p>
+
+<p>
+  If you did this, you can ignore this email.
+</p>
+
+<p>
+  If you did <strong>not</strong> do this, your account may have been
+  accessed by someone else. Reset your password immediately and contact
+  your administrator.
+</p>

app/views/totp_mailer/enabled.text.erb

@@ -0,0 +1,9 @@
+Hello,
+
+Two-factor authentication was just enabled on the Clinch account for
+<%= @user.email_address %>.
+
+If you did this, you can ignore this email.
+
+If you did NOT do this, your account may have been accessed by someone
+else. Reset your password immediately and contact your administrator.