refactor: System2/3, User Management SSO 인증 통합

- System2 신고: SSO JWT 인증 전환, API base 정리
- System3 부적합: SSO 인증 매니저 통합, 권한 체계 정비
- User Management: SSO 토큰 기반 사용자 관리 API 연동

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

user-management/web/static/js/tkuser-vacations.js

@@ -246,11 +246,11 @@ function openVacBalanceModal(editId) {
     // 작업자 셀렉트
     const wSel = document.getElementById('vbWorker');
     wSel.innerHTML = '<option value="">선택</option>';
-    vacWorkers.forEach(w => { wSel.innerHTML += `<option value="${w.worker_id}">${w.worker_name}</option>`; });
+    vacWorkers.forEach(w => { wSel.innerHTML += `<option value="${w.worker_id}">${escapeHtml(w.worker_name)}</option>`; });
     // 유형 셀렉트
     const tSel = document.getElementById('vbType');
     tSel.innerHTML = '<option value="">선택</option>';
-    vacTypes.filter(t => t.is_active).forEach(t => { tSel.innerHTML += `<option value="${t.id}">${t.type_name} (${t.type_code})</option>`; });
+    vacTypes.filter(t => t.is_active).forEach(t => { tSel.innerHTML += `<option value="${t.id}">${escapeHtml(t.type_name)} (${escapeHtml(t.type_code)})</option>`; });
     if (editId) {
         const b = vacBalances.find(x => x.id === editId);
         if (!b) return;