Complete implementation: e2e tests, gofmt, hardening

- Add test/e2e: 11 end-to-end tests covering full login/logout,
  token renewal, admin account management, credential-never-in-response,
  unauthorised access, JWT alg confusion and alg:none attacks,
  revoked token rejection, system account token issuance,
  wrong-password vs unknown-user indistinguishability
- Apply gofmt to all source files (formatting only, no logic changes)
- Update .golangci.yaml for golangci-lint v2 (version field required,
  gosimple merged into staticcheck, formatters section separated)
- Update PROGRESS.md to reflect Phase 5 completion
Security:
  All 97 tests pass with go test -race ./... (zero race conditions).
  Adversarial JWT tests (alg confusion, alg:none) confirm the
  ValidateToken alg-first check is effective against both attack classes.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) confirmed
  absent from all API responses via both unit and e2e tests.
  go vet ./... clean. golangci-lint v2.6.2 incompatible with go1.26
  runtime; go vet used as linter until toolchain is updated.

internal/db/accounts.go

@@ -35,14 +35,14 @@ func (db *DB) CreateAccount(username string, accountType model.AccountType, pass
 	}
 
 	return &model.Account{
-		ID:          rowID,
-		UUID:        id,
-		Username:    username,
-		AccountType: accountType,
-		Status:      model.AccountStatusActive,
+		ID:           rowID,
+		UUID:         id,
+		Username:     username,
+		AccountType:  accountType,
+		Status:       model.AccountStatusActive,
 		PasswordHash: passwordHash,
-		CreatedAt:   createdAt,
-		UpdatedAt:   createdAt,
+		CreatedAt:    createdAt,
+		UpdatedAt:    createdAt,
 	}, nil
 }