License headers on new files, gofmt on routes.go import ordering,
unused imports in test files, testifylint assert.Contains/InDelta,
and infertypeargs cleanups.
Three follow-ups to Task E2 needed to make the routes functional end to end:
- Echo v5 panics on duplicate (method, path) registrations, so the
Huma-backed label routes live under /api/v1/oas3/labels for the spike.
The legacy /api/v1/labels endpoints remain unchanged.
- Huma's built-in /openapi.{json,yaml,docs} routes are disabled. The spec
is re-exposed via a handler on the unauth group so clients and tooling
can fetch it without a bearer token, matching the /docs.json treatment.
- Errors returned from the shared handler.Do* pipeline (echo.HTTPError,
web.HTTPErrorProcessor) are translated into Vikunja-shaped
huma.StatusErrors, preserving the legacy {code, message} body contract
instead of Huma's default "unexpected error occurred" wrap.
Also sets humaConfig.FieldsOptionalByDefault=true so PUT/POST bodies
don't need to include derived fields like created/updated/created_by.