hotfix: Security, performance, and code cleanup

- Remove hardcoded database password fallback
- Add encryption salt validation (min 32 chars)
- Separate EMAIL_ENCRYPTION_KEY from JWT_SECRET
- Fix command injection in status.service.js (use execFileSync)
- Remove unnecessary SQL injection regex middleware
- Create shared utilities (queryBuilder, pagination, emailAccountHelper)
- Fix N+1 query problems in contact and todo services
- Merge duplicate JMAP config functions
- Add database indexes migration
- Standardize error responses with error codes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/middlewares/global/validateBody.js

@@ -1,20 +1,9 @@
-import { logger } from '../../utils/logger.js';
-
+/**
+ * Body validation middleware
+ * NOTE: SQL injection regex patterns have been removed as they are unnecessary
+ * when using Drizzle ORM which uses parameterized queries.
+ * The regex patterns also caused false positives (e.g., when user types "SELECT" in text).
+ */
 export function validateBody(req, res, next) {
-  const data = JSON.stringify({ body: req.body, query: req.query, params: req.params });
-  const dangerousPatterns = [
-    /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|TRUNCATE|ALTER|CREATE|EXEC|UNION|LOAD_FILE|OUTFILE)\b.*\b(FROM|INTO|TABLE|DATABASE)\b)/gi,
-    /\b(OR 1=1|AND 1=1|OR '1'='1'|--|#|\/\*|\*\/|;|\bUNION\b.*?\bSELECT\b)/gi,
-    /\b(\$where|\$ne|\$gt|\$lt|\$regex|\$exists|\$not|\$or|\$and)\b/gi,
-    /(<script|<\/script>|document\.cookie|eval\(|alert\(|javascript:|onerror=|onmouseover=)/gi,
-    /(\bexec\s*xp_cmdshell|\bshutdown\b|\bdrop\s+database|\bdelete\s+from)/gi,
-    /(\b(base64_decode|cmd|powershell|wget|curl|rm -rf|nc -e|perl -e|python -c)\b)/gi,
-  ];
-  for (const pattern of dangerousPatterns) {
-    if (pattern.test(data)) {
-      logger.warn('Detegovaný podozrivý vstup', { data: data.substring(0, 100) });
-      return res.status(400).json({ message: 'Detegovaný škodlivý obsah v požiadavke' });
-    }
-  }
   next();
 }