security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/invoices.ts

@@ -191,10 +191,8 @@ export default async function invoicesRoutes(
       if (!existing) return error(reply, "Faktura nenalezena", 404);
 
       // Delete PDF from NAS
-      if (existing.invoice_number && existing.issue_date) {
-        const d = new Date(existing.issue_date);
-        const relPath = `Vydané/${d.getFullYear()}/${String(d.getMonth() + 1).padStart(2, "0")}/${existing.invoice_number}.pdf`;
-        nasFinancialsManager.deleteIssuedInvoice(relPath);
+      if (existing.invoice_number) {
+        await nasFinancialsManager.cleanIssuedInvoice(existing.invoice_number);
       }
 
       await logAudit({