feat: auto-seed admin + healthcheck fix (from PR #41, security hardened)

[howard-eridani]

Summary

Based on community contribution from @venturecrew / @appset in #41, with security fixes:

• Auto-seed admin user when MESH_SEED_ADMIN=true and no users exist in DB. Configurable via MESH_ADMIN_EMAIL, MESH_ADMIN_PASSWORD, MESH_ADMIN_NAME env vars
• Healthcheck fix: wget --spider → wget -O /dev/null (our /health endpoint returns 405 for HEAD)
• Quickstart docs updated to mention seed admin option

Security fixes vs original PR #41

Issue	PR #41	This PR
Password logged to stdout	log.Printf("...%s / %s", email, pass)	Only logs email, never password
Default in prod compose	MESH_SEED_ADMIN:-true (always seeds)	MESH_SEED_ADMIN:-false (opt-in)
Default password empty	Falls back to Admin123	Same fallback, but not logged

Closes #41

Test plan

• go build ./cmd/api — compiles
• All tests pass (pre-push hook)
• Manual: start with MESH_SEED_ADMIN=true on empty DB — admin created
• Manual: start without flag — no seed
• Manual: docker compose healthcheck passes

🤖 Generated with Claude Code

[garfieldstoun]

Hey @daedalus-mb, two things to address before this can merge:

1. Lint failure (govet shadow)

cmd/api/main.go:95:6: shadow: declaration of "err" shadows declaration at line 38 (govet)
    if err := db.QueryRow("SELECT COUNT(*) FROM users").Scan(&count); err == nil && count == 0 {

The inner err in the seed block shadows the outer err from line 38. Fix: rename it to seedErr (or any other non-conflicting name).

2. Merge conflict
PR #43 (docker-deploy restructure) was just merged into main. This branch now has a conflict — please rebase onto main before re-pushing.

Steps:

git fetch origin
git rebase origin/main
# fix the shadow var
git push --force-with-lease

Once lint is green and the conflict is resolved, this is good to go.

[garfieldstoun]

LGTM. govet shadow fixed (seedErr/regErr), password leak removed from logs. CI green. Merging.