fix: resolve P0 security issues per governance baseline

P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.

internal/api/handler/user_handler.go

@@ -185,6 +185,22 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 		return
 	}
 
+	// Authorization: only self or admin can update user profile
+	currentUserID := c.GetInt64("user_id")
+	isAdmin := false
+	if roles, ok := c.Get("user_roles"); ok {
+		for _, role := range roles.([]*domain.Role) {
+			if role.Code == "admin" {
+				isAdmin = true
+				break
+			}
+		}
+	}
+	if currentUserID != id && !isAdmin {
+		c.JSON(http.StatusForbidden, gin.H{"code": 403, "message": "permission denied"})
+		return
+	}
+
 	var req struct {
 		Email    *string `json:"email"`
 		Nickname *string `json:"nickname"`