fix: P2 security and correctness issues

P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security

P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage

P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)

P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring

P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing

P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.

Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)

Frontend updated to match new API endpoints.

internal/performance/benchmark_test.go

@@ -64,7 +64,7 @@ func BenchmarkArgon2idHashingDefaultParams(b *testing.B) {
 // =============================================================================
 
 func BenchmarkJWTGenerateToken(b *testing.B) {
-	jwtManager := auth.NewJWT("benchmark-secret-key-32bytes!", 2*time.Hour, 7*24*time.Hour)
+	jwtManager, _ := auth.NewJWT("benchmark-secret-key-32bytes!", 2*time.Hour, 7*24*time.Hour)
 
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
@@ -73,7 +73,7 @@ func BenchmarkJWTGenerateToken(b *testing.B) {
 }
 
 func BenchmarkJWTValidateToken(b *testing.B) {
-	jwtManager := auth.NewJWT("benchmark-secret-key-32bytes!", 2*time.Hour, 7*24*time.Hour)
+	jwtManager, _ := auth.NewJWT("benchmark-secret-key-32bytes!", 2*time.Hour, 7*24*time.Hour)
 	token, _, _ := jwtManager.GenerateTokenPair(1, "testuser", 0)
 
 	b.ResetTimer()
@@ -83,7 +83,7 @@ func BenchmarkJWTValidateToken(b *testing.B) {
 }
 
 func BenchmarkJWTGenerateAndValidate(b *testing.B) {
-	jwtManager := auth.NewJWT("benchmark-secret-key-32bytes!", 2*time.Hour, 7*24*time.Hour)
+	jwtManager, _ := auth.NewJWT("benchmark-secret-key-32bytes!", 2*time.Hour, 7*24*time.Hour)
 
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {

internal/performance/performance_test.go

@@ -142,7 +142,7 @@ func BenchmarkGetUserByID(b *testing.B) {
 
 // BenchmarkTokenGeneration JWT生成性能测试
 func BenchmarkTokenGeneration(b *testing.B) {
-	jwtManager := auth.NewJWT("benchmark-secret", 2*time.Hour, 7*24*time.Hour)
+	jwtManager, _ := auth.NewJWT("benchmark-secret", 2*time.Hour, 7*24*time.Hour)
 	metrics := NewPerformanceMetrics()
 	b.ResetTimer()
 
@@ -164,7 +164,7 @@ func BenchmarkTokenGeneration(b *testing.B) {
 
 // BenchmarkTokenValidation JWT验证性能测试
 func BenchmarkTokenValidation(b *testing.B) {
-	jwtManager := auth.NewJWT("benchmark-secret", 2*time.Hour, 7*24*time.Hour)
+	jwtManager, _ := auth.NewJWT("benchmark-secret", 2*time.Hour, 7*24*time.Hour)
 	accessToken, _, err := jwtManager.GenerateTokenPair(1, "benchuser", 0)
 	if err != nil {
 		b.Fatalf("生成Token失败: %v", err)
@@ -199,7 +199,7 @@ func TestP99LatencyThreshold(t *testing.T) {
 		{
 			name: "JWT生成P99",
 			operation: func() time.Duration {
-				jwtManager := auth.NewJWT("test-secret", 2*time.Hour, 7*24*time.Hour)
+				jwtManager, _ := auth.NewJWT("test-secret", 2*time.Hour, 7*24*time.Hour)
 				start := time.Now()
 				jwtManager.GenerateTokenPair(1, "testuser", 0)
 				return time.Since(start)
@@ -320,7 +320,7 @@ func TestMemoryUsage(t *testing.T) {
 	runtime.ReadMemStats(&m)
 	baselineMemory := m.Alloc
 
-	jwtManager := auth.NewJWT("test-secret", 2*time.Hour, 7*24*time.Hour)
+	jwtManager, _ := auth.NewJWT("test-secret", 2*time.Hour, 7*24*time.Hour)
 	for i := 0; i < 10000; i++ {
 		accessToken, _, _ := jwtManager.GenerateTokenPair(int64(i%100), "testuser", 0)
 		jwtManager.ValidateAccessToken(accessToken)