security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/company-settings.ts

@@ -74,6 +74,13 @@ export default async function companySettingsRoutes(
     let mime = "image/png";
     if (buf[0] === 0xff && buf[1] === 0xd8) mime = "image/jpeg";
     else if (buf[0] === 0x47 && buf[1] === 0x49) mime = "image/gif";
+    else if (
+      buf[0] === 0x52 &&
+      buf[1] === 0x49 &&
+      buf[8] === 0x57 &&
+      buf[9] === 0x45
+    )
+      mime = "image/webp";
 
     return reply
       .type(mime)
@@ -324,15 +331,12 @@ export default async function companySettingsRoutes(
         nas: {
           projects: {
             configured: projectNas.isConfigured(),
-            path: config.nas.path || "—",
           },
           financials: {
             configured: nasFinancialsManager.isConfigured(),
-            path: config.nas.financialsPath || "—",
           },
           offers: {
             configured: nasOffersManager.isConfigured(),
-            path: config.nas.offersPath || "—",
           },
         },
       });