fix: security, validation, and data integrity fixes across 53 files

- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
  for inactive/locked users, locked_until check in loadAuthData, TOTP
  fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
  foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
  and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
  relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
  duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
  leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
  null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
  numbering.service releaseSequence no-op, nas-offers filename sanitize,
  Content-Disposition header injection fix, mojibake Czech strings

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/routes/admin/attendance.ts

@@ -144,19 +144,19 @@ export default async function attendanceRoutes(
 
     // --- action=attendance_users: users with attendance.record permission ---
     if (action === "attendance_users") {
+      if (
+        !authData.permissions.includes("attendance.admin") &&
+        !authData.permissions.includes("attendance.view") &&
+        !authData.permissions.includes("attendance.record")
+      ) {
+        return error(reply, "Nedostatečná oprávnění", 403);
+      }
       const users = await prisma.users.findMany({
         where: {
           is_active: true,
           roles: {
-            is: {
-              OR: [
-                { name: "admin" },
-                {
-                  role_permissions: {
-                    some: { permissions: { name: "attendance.record" } },
-                  },
-                },
-              ],
+            role_permissions: {
+              some: { permissions: { name: "attendance.record" } },
             },
           },
         },
@@ -182,6 +182,12 @@ export default async function attendanceRoutes(
 
     // --- action=project_logs: get project logs for a specific attendance record ---
     if (action === "project_logs") {
+      if (
+        !authData.permissions.includes("attendance.view") &&
+        !authData.permissions.includes("attendance.record")
+      ) {
+        return error(reply, "Nedostatečná oprávnění", 403);
+      }
       const attendanceId = Number(query.attendance_id);
       if (!attendanceId) return error(reply, "Missing attendance_id", 400);
       const data = await attendanceService.getProjectLogs(attendanceId);
@@ -411,7 +417,7 @@ export default async function attendanceRoutes(
   // PUT /api/admin/attendance/:id
   fastify.put<{ Params: { id: string } }>(
     "/:id",
-    { preHandler: requireAuth },
+    { preHandler: requirePermission("attendance.edit") },
     async (request, reply) => {
       const id = parseId(request.params.id, reply);
       if (id === null) return;