security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/admin/components/BulkAttendanceModal.tsx

@@ -57,13 +57,21 @@ export default function BulkAttendanceModal({
           />
           <motion.div
             className="admin-modal admin-modal-lg"
+            role="dialog"
+            aria-modal="true"
+            aria-labelledby="bulk-attendance-modal-title"
             initial={{ opacity: 0, scale: 0.95, y: 20 }}
             animate={{ opacity: 1, scale: 1, y: 0 }}
             exit={{ opacity: 0, scale: 0.95, y: 20 }}
             transition={{ duration: 0.2 }}
           >
             <div className="admin-modal-header">
-              <h2 className="admin-modal-title">Vyplnit docházku za měsíc</h2>
+              <h2
+                id="bulk-attendance-modal-title"
+                className="admin-modal-title"
+              >
+                Vyplnit docházku za měsíc
+              </h2>
               <p
                 style={{
                   color: "var(--text-secondary)",