fix: code principles audit — correctness, security, testability

- Add rows.Err() checks after all scan loops (entities, tags, resolve)
- Surface time.Parse errors instead of silently discarding
- Extract entityRow scan helper to eliminate Get/List duplication
- Cap request body at 1MB via MaxBytesReader
- Stop leaking internal errors to API clients (log server-side only)
- Block javascript: URIs in link card open button (XSS)
- Fix all go vet failures in api_test.go (unchecked http errors)
- Add tests for display package, generateCardData, absorb-source-card
- Run go mod tidy to fix direct/indirect dep markers

internal/db/entities_test.go

@@ -441,3 +441,34 @@ func TestResolve_NotFound(t *testing.T) {
 		t.Errorf("expected ErrNotFound, got %v", err)
 	}
 }
+
+func TestAbsorb_SourceIsCard(t *testing.T) {
+	s := testStore(t)
+	target := &Entity{Body: "target", Glyph: GlyphNote, Tags: []string{"a"}}
+	s.Create(target)
+
+	source := &Entity{Body: "source", Glyph: GlyphNote}
+	s.Create(source)
+	s.Promote(source.ID, CardSnippet, nil)
+	s.IncrementUse(source.ID)
+
+	if err := s.Absorb(target.ID, source.ID); err != nil {
+		t.Fatal(err)
+	}
+
+	got, _ := s.Get(target.ID)
+	if got.Body != "target\nsource" {
+		t.Errorf("merged body: %q", got.Body)
+	}
+
+	src, _ := s.Get(source.ID)
+	if src.CardType != nil {
+		t.Error("source card_type should be cleared after absorb")
+	}
+	if src.UseCount != 0 {
+		t.Errorf("source use_count should be reset, got %d", src.UseCount)
+	}
+	if src.DeletedAt == nil {
+		t.Error("source should be soft-deleted")
+	}
+}