fix: P2 security and correctness issues

P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security

P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage

P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)

P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring

P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing

P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.

Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)

Frontend updated to match new API endpoints.

internal/auth/jwt_closure_test.go

@@ -10,13 +10,12 @@ import (
 )
 
 func TestNewJWT_DoesNotPanicOnInvalidLegacyConfig(t *testing.T) {
-	manager := NewJWT("", 2*time.Hour, 7*24*time.Hour)
-	if manager == nil {
-		t.Fatal("expected manager instance")
+	manager, err := NewJWT("", 2*time.Hour, 7*24*time.Hour)
+	if err == nil {
+		t.Fatal("expected error for empty secret")
 	}
-
-	if _, err := manager.GenerateAccessToken(1, "tester", 0); err == nil {
-		t.Fatal("expected invalid legacy manager to return error")
+	if manager != nil {
+		t.Fatal("expected nil manager for empty secret")
 	}
 }