security: fix all Critical and High findings from FLAWS_REPORT audit

- Auth: pessimistic locking on login tokens and refresh token rotation,
  backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
  unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
  and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
  refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
  permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
  restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
  HTML, ref mutation fixes, accessibility attributes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/services/exchange-rates.ts

@@ -37,7 +37,7 @@ async function fetchRatesForDate(
   } catch (err) {
     console.error("Failed to fetch CNB exchange rates:", err);
     if (rateCache["today"]) return rateCache["today"];
-    return { CZK: 1, EUR: 25, USD: 22, GBP: 28 };
+    throw new Error("Nepodařilo se získat aktuální kurzy z ČNB");
   }
 }
 
@@ -50,7 +50,7 @@ export async function toCzk(
   if (currency === "CZK") return amount;
   const rates = await fetchRatesForDate(date);
   const rate = rates[currency];
-  if (!rate) return amount;
+  if (!rate) throw new Error(`Neznámá měna: ${currency}`);
   return Math.round(amount * rate * 100) / 100;
 }
 
@@ -61,5 +61,7 @@ export async function getRate(
 ): Promise<number> {
   if (currency === "CZK") return 1;
   const rates = await fetchRatesForDate(date);
-  return rates[currency] || 1;
+  const rate = rates[currency];
+  if (!rate) throw new Error(`Neznámá měna: ${currency}`);
+  return rate;
 }