fix: resolve all JS architecture violations (JS-005 through JS-009)

Fixed 89 violations across vendor, admin, and shared JavaScript files:

JS-008 (raw fetch → apiClient):
- Added postFormData() and getBlob() methods to api-client.js
- Updated inventory.js, messages.js to use apiClient.postFormData()
- Added noqa for file downloads that need response headers

JS-009 (window.showToast → Utils.showToast):
- Updated admin/messages.js, notifications.js, vendor/messages.js
- Replaced alert() in customers.js

JS-006 (async error handling):
- Added try/catch to all async init() and reload() methods
- Fixed vendor: billing, dashboard, login, messages, onboarding
- Fixed shared: feature-store, upgrade-prompts
- Fixed admin: all page components

JS-005 (init guards):
- Added initialization guards to prevent duplicate init() calls
- Pattern: if (window._componentInitialized) return;

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

static/admin/js/login.js

@@ -19,6 +19,10 @@ function adminLogin() {
         errors: {},
 
         init() {
+            // Guard against multiple initialization
+            if (window._adminLoginInitialized) return;
+            window._adminLoginInitialized = true;
+
             loginLog.info('=== LOGIN PAGE INITIALIZING ===');
             loginLog.debug('Current pathname:', window.location.pathname);
             loginLog.debug('Current URL:', window.location.href);