fix: P2 security and correctness issues

P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security

P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage

P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)

P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring

P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing

P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.

Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)

Frontend updated to match new API endpoints.

frontend/admin/src/services/auth.test.ts

@@ -133,8 +133,8 @@ describe('auth service', () => {
 
     await activateEmail('activation-token')
 
-    expect(getMock).toHaveBeenCalledWith(
-      '/auth/activate',
+    expect(postMock).toHaveBeenCalledWith(
+      '/auth/activate-email',
       { token: 'activation-token' },
       { auth: false },
     )