Fix audit findings: budget editing, dead code, logging, multi-currency

- Add budget editing: updateBudget() API, edit button on budget cards,
  BudgetFormModal adapted for create/update (category locked on edit)
- Remove permanently-broken POST /auth/totp/verify stub and its unused
  TOTPVerifyRequest schema
- Wire getHoldingTransactions() to AssetDetail page — transaction history
  table now shows above the candlestick chart, sorted newest-first
- Fix multi-currency net worth in account_service: account balances are
  now converted to base_currency via ExchangeRate table before summing
- Replace silent bare pass exception handlers with logger.warning() in
  transactions.py (OCR/AI pipeline) and price_feed_service.py (search)
  — ValueError in date/number regex parsing left silent (control flow)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/api/v1/auth.py

@@ -19,7 +19,7 @@ from app.schemas.auth import (
     TOTPChallengeResponse,
     TOTPLoginRequest,
     TOTPSetupResponse,
-    TOTPVerifyRequest,
+
     TokenResponse,
 )
 from app.services.auth_service import (
@@ -297,20 +297,6 @@ async def totp_setup(
     return TOTPSetupResponse(secret=secret, qr_code_png_b64=qr_b64, backup_codes=backup_codes)
 
 
-@router.post("/totp/verify", status_code=200)
-async def totp_verify(
-    body: TOTPVerifyRequest,
-    request: Request,
-    db: AsyncSession = Depends(get_db),
-    user=Depends(get_current_user),
-):
-    # Secret must be passed back from setup — here we expect it stored temporarily in body
-    # In practice the client stores it until verification; it's never persisted until verified
-    # This endpoint receives the secret + verification code
-    # For simplicity we accept: {"secret": "...", "code": "..."}
-    # Redefine body inline:
-    raise HTTPException(status_code=400, detail="Use /totp/enable endpoint with secret and code")
-
 
 @router.post("/totp/enable", status_code=200)
 async def totp_enable(