security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/roles.ts

@@ -111,13 +111,15 @@ export default async function rolesRoutes(
       });
 
       if (Array.isArray(body.permission_ids)) {
-        await prisma.role_permissions.deleteMany({ where: { role_id: id } });
-        await prisma.role_permissions.createMany({
-          data: (body.permission_ids as number[]).map((pid) => ({
-            role_id: id,
-            permission_id: pid,
-          })),
-        });
+        await prisma.$transaction([
+          prisma.role_permissions.deleteMany({ where: { role_id: id } }),
+          prisma.role_permissions.createMany({
+            data: (body.permission_ids as number[]).map((pid) => ({
+              role_id: id,
+              permission_id: pid,
+            })),
+          }),
+        ]);
       }
 
       await logAudit({