fix(cardav): improve router security and test coverage

- Remove error message leakage (return generic 'Interner Fehler')
- Remove unused imports (str, collectErrors, MAX_TITLE, MAX_URL)
- Add _resetTestDatabase() for proper test cleanup
- Add test for populated accounts case with shape validation
- Import 'after' from node:test for proper teardown

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

server/db.js

@@ -1354,14 +1354,27 @@ function transaction(fn) {
   return get().transaction(fn)();
 }
 
+let _originalDb = null;
+
 /**
  * ONLY FOR TESTING: Override the internal db instance
  * @param {import('better-sqlite3').Database} testDb
  */
 function _setTestDatabase(testDb) {
+  if (!_originalDb) _originalDb = db;
   db = testDb;
 }
 
+/**
+ * ONLY FOR TESTING: Restore the original db instance
+ */
+function _resetTestDatabase() {
+  if (_originalDb) {
+    db = _originalDb;
+    _originalDb = null;
+  }
+}
+
 init();   // auto-initialise when module is first imported
 
-export { init, get, transaction, currentVersion, getPath, backupToFile, restoreFromFile, MIGRATIONS, _setTestDatabase };
+export { init, get, transaction, currentVersion, getPath, backupToFile, restoreFromFile, MIGRATIONS, _setTestDatabase, _resetTestDatabase };

server/routes/cardav.js

@@ -6,13 +6,9 @@
 
 import { createLogger } from '../logger.js';
 import express from 'express';
-import * as db from '../db.js';
 import * as CardDAVSync from '../services/cardav-sync.js';
-import { str, collectErrors, MAX_TITLE } from '../middleware/validate.js';
 
 const log = createLogger('CardDAV');
-const MAX_URL = 500;
-
 const router = express.Router();
 
 /**
@@ -26,7 +22,7 @@ router.get('/accounts', async (req, res) => {
     res.json({ data: accounts });
   } catch (err) {
     log.error('Error fetching accounts:', err);
-    res.status(500).json({ error: err.message || 'Interner Fehler', code: 500 });
+    res.status(500).json({ error: 'Interner Fehler', code: 500 });
   }
 });