refactor: fix all Low findings from FLAWS_REPORT audit

- Auth: TOTP params from config, JWT error logging, audit log failure
  logging, replaced_by_hash validation on token rotation
- Invoices: remove dead VAT code, consistent PDF permissions,
  WebP magic-byte detection, deduped exchange-rate fetches
- Orders/Offers: multipart limit from config, use paginated() helper,
  payment method from DB in PDF
- Projects: verify project exists before creating note
- Attendance: action_type enum validation, consistent local-time
  shift_date construction, holiday attendance in work fund,
  trips.view permission on last-km query
- Users: paginated() helper usage, remove duplicate dashboard keys,
  parallel currency conversion, single hashToken implementation
- Frontend: memoized customInput, reliable print onload, modal prop
  standardization (isOpen), ConfirmModal type icons, id===0 key
  fallback, Login useCallback, CompanySettings ConfirmModal,
  Attendance timeout cleanup, Dashboard memoization, beforeunload
  dirty-state warnings on Invoice/Offer/Order detail
- Schema: invoice_alert_log timestamp, config/env comment on
  Date.prototype.toJSON override
- Utils: exchange-rate inflight dedup

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/admin/pages/CompanySettings.tsx

@@ -3,6 +3,7 @@ import { useAlert } from "../context/AlertContext";
 import { useAuth } from "../context/AuthContext";
 import Forbidden from "../components/Forbidden";
 import FormField from "../components/FormField";
+import ConfirmModal from "../components/ConfirmModal";
 import { motion } from "framer-motion";
 
 import apiFetch from "../utils/api";
@@ -98,6 +99,10 @@ export default function CompanySettings({
   const [bankLoading, setBankLoading] = useState(true);
   const [bankSaving, setBankSaving] = useState(false);
   const [editingBank, setEditingBank] = useState<number | null>(null);
+  const [bankDeleteConfirm, setBankDeleteConfirm] = useState<{
+    isOpen: boolean;
+    id: number | null;
+  }>({ isOpen: false, id: null });
   const [bankForm, setBankForm] = useState<BankForm>({
     account_name: "",
     bank_name: "",
@@ -300,22 +305,31 @@ export default function CompanySettings({
     }
   };
 
-  const handleBankDelete = async (id: number) => {
-    if (!confirm("Opravdu smazat tento bankovní účet?")) return;
+  const handleBankDelete = (id: number) => {
+    setBankDeleteConfirm({ isOpen: true, id });
+  };
+
+  const confirmBankDelete = async () => {
+    if (bankDeleteConfirm.id == null) return;
     try {
-      const response = await apiFetch(`${API_BASE}/bank-accounts/${id}`, {
-        method: "DELETE",
-      });
+      const response = await apiFetch(
+        `${API_BASE}/bank-accounts/${bankDeleteConfirm.id}`,
+        {
+          method: "DELETE",
+        },
+      );
       const result = await response.json();
       if (result.success) {
         alert.success(result.message);
-        if (editingBank === id) resetBankForm();
+        if (editingBank === bankDeleteConfirm.id) resetBankForm();
         fetchBankAccounts();
       } else {
         alert.error(result.error || "Chyba při mazání");
       }
     } catch {
       alert.error("Chyba připojení");
+    } finally {
+      setBankDeleteConfirm({ isOpen: false, id: null });
     }
   };
 
@@ -1215,6 +1229,17 @@ export default function CompanySettings({
           </button>
         </motion.div>
       )}
+
+      <ConfirmModal
+        isOpen={bankDeleteConfirm.isOpen}
+        onClose={() => setBankDeleteConfirm({ isOpen: false, id: null })}
+        onConfirm={confirmBankDelete}
+        title="Smazat bankovní účet"
+        message="Opravdu chcete smazat tento bankovní účet?"
+        confirmText="Smazat"
+        cancelText="Zrušit"
+        type="danger"
+      />
     </div>
   );
 }