hotfix: Security, performance, and code cleanup

- Remove hardcoded database password fallback
- Add encryption salt validation (min 32 chars)
- Separate EMAIL_ENCRYPTION_KEY from JWT_SECRET
- Fix command injection in status.service.js (use execFileSync)
- Remove unnecessary SQL injection regex middleware
- Create shared utilities (queryBuilder, pagination, emailAccountHelper)
- Fix N+1 query problems in contact and todo services
- Merge duplicate JMAP config functions
- Add database indexes migration
- Standardize error responses with error codes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/config/database.js

@@ -8,7 +8,7 @@ const pool = new Pool({
   host: process.env.DB_HOST || 'localhost',
   port: parseInt(process.env.DB_PORT || '5432'),
   user: process.env.DB_USER || 'admin',
-  password: process.env.DB_PASSWORD || 'heslo123',
+  password: process.env.DB_PASSWORD,
   database: process.env.DB_NAME || 'crm',
   max: 20, // maximum number of connections in pool
   idleTimeoutMillis: 30000,

src/config/env.js

@@ -0,0 +1,2 @@
+import dotenv from 'dotenv';
+dotenv.config();