Fix 8 bugs found in code review

- auth/login.py: guard against missing JSON body (get_json silent=True, empty-string check)
- app.py: replace infinite redirect with 404 for unknown /api/* and /setup/* paths
- tools/jwtdecoder.py: add algorithms list to jwt.decode() for PyJWT 2.x compatibility
- util/setup_routes.py: call reset_pool() after save_config() so pool re-initialises with new DB credentials
- util/logger.py: set ERROR level on error.log handler so it no longer receives INFO/WARNING messages
- LoginForm.jsx: remove dead navigate() call that was immediately overridden by window.location.href
- main.jsx: remove base.css, dark.css, light.css that were already imported in App.jsx (duplicate imports)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/util/setup_routes.py

@@ -2,6 +2,7 @@ import time
 import os
 from flask import Blueprint, request, render_template, redirect, jsonify, send_from_directory
 from util.db_config import load_config, save_config, test_connection, is_configured
+from util.db_pool import reset_pool
 from auth.setup_admin import initialize_admin_user
 from util.logger import logger
 
@@ -39,6 +40,7 @@ def setup():
             "database": request.form['database']
         }
         save_config(db_config)
+        reset_pool()
         if test_connection(db_config):
             initialize_admin_user(db_config)
             return redirect('/')