security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/admin/pages/InvoiceDetail.tsx

@@ -313,7 +313,7 @@ export default function InvoiceDetail() {
   const { id } = useParams<{ id: string }>();
   const isEdit = Boolean(id);
 
-  const keyCounterRef = useRef(0);
+  const keyCounterRef = useRef(1);
   const emptyItem = useCallback(
     (): InvoiceItem => ({
       _key: `inv-${++keyCounterRef.current}`,
@@ -369,7 +369,16 @@ export default function InvoiceDetail() {
 
   const [bankAccounts, setBankAccounts] = useState<BankAccount[]>([]);
   const [dueDays, setDueDays] = useState(14);
-  const [items, setItems] = useState<InvoiceItem[]>([emptyItem()]);
+  const [items, setItems] = useState<InvoiceItem[]>([
+    {
+      _key: "inv-1",
+      description: "",
+      quantity: 1,
+      unit: "ks",
+      unit_price: 0,
+      vat_rate: 21,
+    },
+  ]);
   const [errors, setErrors] = useState<Record<string, string>>({});
   const [saving, setSaving] = useState(false);
   const [loading, setLoading] = useState(true);