fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tksupport/api/controllers/vacationController.js

@@ -246,6 +246,12 @@ const vacationController = {
   async getUserBalance(req, res) {
     try {
       const { userId } = req.params;
+      const requestedId = parseInt(userId);
+      const currentUserId = req.user.user_id || req.user.id;
+      const role = (req.user.role || '').toLowerCase();
+      if (requestedId !== currentUserId && !['admin', 'system'].includes(role)) {
+        return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
+      }
       const year = parseInt(req.query.year) || new Date().getFullYear();
       const balances = await vacationBalanceModel.getByUserAndYear(userId, year);
       const hireDate = await vacationBalanceModel.getUserHireDate(userId);