Disable TOTP

Authenticate admin user with Internal role. When the user's mfa_mode is off, the response includes authenticated session artifacts and the refresh token cookie is scoped to the provided X-App-ID. When mfa_mode requires MFA, the initial response is challenge-only until /v1/verify-2FA succeeds. Internal users with mfa_mode totp and no TOTP secret receive credential_type totp_setup_required until TOTP enrollment completes.