security: Zufallspasswörter beim Erststart, kryptographisch sichere JTI-Generierung

- seedDefaultUsers: generiert kryptographisch zufällige Passwörter (crypto/rand)
  statt hartkodiertes "archivmailrockz" — Passwörter werden einmalig im Terminal
  angezeigt und können danach nicht wiederhergestellt werden
- generateJTI: verwendet crypto/rand (16 Byte, hex) statt time.UnixNano XOR deadbeef

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/index/xapian.go

@@ -43,8 +43,12 @@ func (x *xapianIndex) IndexSync(doc MailDocument) error {
 	defer C.free(unsafe.Pointer(csubj))
 	cbody := C.CString(doc.Body)
 	defer C.free(unsafe.Pointer(cbody))
+	hasAttach := C.int(0)
+	if doc.HasAttachment {
+		hasAttach = C.int(1)
+	}
 	var cerr *C.char
-	rc := C.xapian_index(x.db, cid, cfrom, cto, csubj, cbody, C.longlong(doc.Date.Unix()), &cerr)
+	rc := C.xapian_index(x.db, cid, cfrom, cto, csubj, cbody, C.longlong(doc.Date.Unix()), hasAttach, &cerr)
 	if rc != 0 {
 		msg := C.GoString(cerr)
 		C.xapian_free_string(cerr)
@@ -93,8 +97,27 @@ func (x *xapianIndex) Search(req SearchRequest) (*SearchResult, error) {
 		limit = 25
 	}
 
+	// Sort mode: 0=relevance, 1=date_desc (default), 2=date_asc
+	sortMode := C.int(1)
+	switch req.Sort {
+	case "relevance":
+		sortMode = C.int(0)
+	case "date_asc":
+		sortMode = C.int(2)
+	}
+
+	// Attachment filter: 0=all, 1=only with, -1=only without
+	attachFilter := C.int(0)
+	if req.HasAttachment != nil {
+		if *req.HasAttachment {
+			attachFilter = C.int(1)
+		} else {
+			attachFilter = C.int(-1)
+		}
+	}
+
 	var cerr *C.char
-	cresult := C.xapian_search(x.db, cquery, cfrom, cown, cto, dateFrom, dateTo, offset, limit, &cerr)
+	cresult := C.xapian_search(x.db, cquery, cfrom, cown, cto, dateFrom, dateTo, offset, limit, sortMode, attachFilter, &cerr)
 	if cresult == nil {
 		msg := C.GoString(cerr)
 		C.xapian_free_string(cerr)