refactor: fix all Low findings from FLAWS_REPORT audit

- Auth: TOTP params from config, JWT error logging, audit log failure
  logging, replaced_by_hash validation on token rotation
- Invoices: remove dead VAT code, consistent PDF permissions,
  WebP magic-byte detection, deduped exchange-rate fetches
- Orders/Offers: multipart limit from config, use paginated() helper,
  payment method from DB in PDF
- Projects: verify project exists before creating note
- Attendance: action_type enum validation, consistent local-time
  shift_date construction, holiday attendance in work fund,
  trips.view permission on last-km query
- Users: paginated() helper usage, remove duplicate dashboard keys,
  parallel currency conversion, single hashToken implementation
- Frontend: memoized customInput, reliable print onload, modal prop
  standardization (isOpen), ConfirmModal type icons, id===0 key
  fallback, Login useCallback, CompanySettings ConfirmModal,
  Attendance timeout cleanup, Dashboard memoization, beforeunload
  dirty-state warnings on Invoice/Offer/Order detail
- Schema: invoice_alert_log timestamp, config/env comment on
  Date.prototype.toJSON override
- Utils: exchange-rate inflight dedup

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/trips.ts

@@ -175,7 +175,7 @@ export default async function tripsRoutes(
   // Matches PHP: COALESCE(MAX(end_km), vehicle.initial_km, 0)
   fastify.get<{ Params: { vehicleId: string } }>(
     "/last-km/:vehicleId",
-    { preHandler: requireAuth },
+    { preHandler: requirePermission("trips.view") },
     async (request, reply) => {
       const vehicleId = parseInt(request.params.vehicleId, 10);
       if (isNaN(vehicleId)) return error(reply, "Neplatné ID vozidla", 400);