feat: system settings, dynamic logos, template numbering, permission consolidation

- System settings page with tabs: Security, System, Firma
- Configurable attendance rules (break thresholds, rounding) from DB
- Configurable document numbering with template patterns ({YYYY}/{PREFIX}/{NNN})
- Dynamic logo upload (light/dark variants) served from DB instead of static files
- Email settings (SMTP from/name, alert/leave emails) configurable in UI
- Currency and VAT rate lists configurable, used across all modules
- Permissions simplified: offers.settings + settings.roles + settings.security → settings.manage
- Leaflet bundled locally, removed unpkg.com from CSP
- Silent catch blocks fixed with proper logging
- console.log replaced with app.log.info in server.ts
- Schema renamed: company-settings.schema → settings.schema
- App info section: version, Node.js, uptime, memory, DB status, NAS status

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/schemas/company-settings.schema.ts

@@ -1,28 +0,0 @@
-import { z } from "zod";
-
-export const UpdateCompanySettingsSchema = z.object({
-  company_name: z.string().nullish(),
-  street: z.string().nullish(),
-  city: z.string().nullish(),
-  postal_code: z.string().nullish(),
-  country: z.string().nullish(),
-  company_id: z.string().nullish(),
-  vat_id: z.string().nullish(),
-  quotation_prefix: z.string().nullish(),
-  default_currency: z.string().nullish(),
-  order_type_code: z.string().nullish(),
-  invoice_type_code: z.string().nullish(),
-  default_vat_rate: z
-    .union([z.number(), z.string()])
-    .transform((v) => Number(v))
-    .optional(),
-  require_2fa: z
-    .preprocess((v) => v === true || v === 1 || v === "1", z.boolean())
-    .optional(),
-  custom_fields: z.array(z.any()).optional(),
-  supplier_field_order: z.array(z.any()).optional(),
-});
-
-export type UpdateCompanySettingsInput = z.infer<
-  typeof UpdateCompanySettingsSchema
->;

src/schemas/settings.schema.ts

@@ -0,0 +1,65 @@
+import { z } from "zod";
+
+export const UpdateCompanySettingsSchema = z.object({
+  company_name: z.string().nullish(),
+  street: z.string().nullish(),
+  city: z.string().nullish(),
+  postal_code: z.string().nullish(),
+  country: z.string().nullish(),
+  company_id: z.string().nullish(),
+  vat_id: z.string().nullish(),
+  quotation_prefix: z.string().nullish(),
+  default_currency: z.string().nullish(),
+  order_type_code: z.string().nullish(),
+  invoice_type_code: z.string().nullish(),
+  default_vat_rate: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  require_2fa: z
+    .preprocess((v) => v === true || v === 1 || v === "1", z.boolean())
+    .optional(),
+  break_threshold_hours: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  break_duration_short: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  break_duration_long: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  clock_rounding_minutes: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  invoice_alert_email: z.string().nullish(),
+  leave_notify_email: z.string().nullish(),
+  smtp_from: z.string().nullish(),
+  smtp_from_name: z.string().nullish(),
+  offer_number_pattern: z.string().nullish(),
+  order_number_pattern: z.string().nullish(),
+  invoice_number_pattern: z.string().nullish(),
+  max_login_attempts: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  lockout_minutes: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  max_requests_per_minute: z
+    .union([z.number(), z.string()])
+    .transform((v) => Number(v))
+    .optional(),
+  available_vat_rates: z.array(z.number()).optional(),
+  available_currencies: z.array(z.string()).optional(),
+  custom_fields: z.array(z.any()).optional(),
+  supplier_field_order: z.array(z.any()).optional(),
+});
+
+export type UpdateCompanySettingsInput = z.infer<
+  typeof UpdateCompanySettingsSchema
+>;