fix(security): CRITICAL 보안 이슈 13건 일괄 수정

- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳)
- SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩
- SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지)
- SEC-39: Python Dockerfile 4개 non-root user + chown
- SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함)
- SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized
- QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑
- SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by
- SEC-33: files.py 17개 미인증 엔드포인트 인증 추가
- SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자)
- SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함
- SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리
- SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가
- SEC-63: proxyInputController 에러 메시지 노출 제거
- QA-103: pageAccessRoutes error→message 통일
- SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation
- QA-99: tbm-mobile/create 캐시 버스팅 갱신
- QA-100,101: ESC 키 리스너 cleanup 추가

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-04-01 10:48:58 +09:00
parent 766cb90e8f
commit f09c86ee01
24 changed files with 215 additions and 305 deletions


@@ -395,4 +395,6 @@ async function submitReject() {
function fmtNum(v) { var n = parseFloat(v) || 0; return n % 1 === 0 ? n.toString() : n.toFixed(1); }
function escHtml(s) { return (s || '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;'); }
// showToast — tkfb-core.js의 전역 showToast 사용 (재정의 불필요)
document.addEventListener('keydown', function(e) { if (e.key === 'Escape') closeRejectModal(); });
function handleEscKey(e) { if (e.key === 'Escape') closeRejectModal(); }
document.addEventListener('keydown', handleEscKey);
window.addEventListener('beforeunload', function() { document.removeEventListener('keydown', handleEscKey); });
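Review bot: The `beforeunload` cleanup on the last added line has no practical effect — the document and every listener attached to it are discarded at unload anyway — so the keydown handler still lives for the whole page lifetime, the same as the anonymous listener it replaces. If the point of QA-100/101 is to stop the handler from running while no modal is open, the listener should be added when the reject modal is opened and removed inside `closeRejectModal` (defined outside this hunk): `document.removeEventListener('keydown', handleEscKey);`. As written, `closeRejectModal()` is invoked on every Escape press regardless of modal state, which is only safe if that function is idempotent — worth confirming. The local `escHtml` on the context line above also escapes `"` but not `'`, so its output should not be placed inside single-quoted attributes.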


@@ -306,7 +306,7 @@
var skipSelected = W.projectId === null ? ' selected' : '';
var projectItems = projects.map(function(p) {
var selected = W.projectId === p.project_id ? ' selected' : '';
return '<div class="list-item' + selected + '" onclick="selectProject(' + p.project_id + ', \'' + esc(p.project_name).replace(/'/g, "\\'") + '\')">' +
return '<div class="list-item' + selected + '" data-action="selectProject" data-project-id="' + p.project_id + '" data-project-name="' + esc(p.project_name) + '">' +
'<div class="item-title">' + esc(p.project_name) + '</div>' +
'<div class="item-desc">' + esc(p.job_no || '') + '</div>' +
'</div>';
@@ -315,7 +315,7 @@
// 공정 pill 버튼
var pillHtml = workTypes.map(function(wt) {
var selected = W.workTypeId === wt.id ? ' selected' : '';
return '<button type="button" class="pill-btn' + selected + '" onclick="selectWorkType(' + wt.id + ', \'' + esc(wt.name).replace(/'/g, "\\'") + '\')">' + esc(wt.name) + '</button>';
return '<button type="button" class="pill-btn' + selected + '" data-action="selectWorkType" data-wt-id="' + wt.id + '" data-wt-name="' + esc(wt.name) + '">' + esc(wt.name) + '</button>';
}).join('');
pillHtml += '<button type="button" class="pill-btn-add" onclick="toggleAddWorkType()">+ 추가</button>';
@@ -335,7 +335,7 @@
container.innerHTML =
'<div class="wizard-section">' +
'<div class="section-title"><span class="sn">2</span>프로젝트 선택 <span style="font-size:0.75rem;font-weight:400;color:#9ca3af;">(선택사항)</span></div>' +
'<div class="list-item-skip' + skipSelected + '" onclick="selectProject(null, \'\')">' +
'<div class="list-item-skip' + skipSelected + '" data-action="selectProject" data-project-id="" data-project-name="">' +
'선택 안함' +
'</div>' +
(projects.length > 0 ? projectItems : '<div class="empty-state">등록된 프로젝트가 없습니다</div>') +
@@ -357,6 +357,19 @@
};
}
}
// Event delegation for project/workType selection
container.onclick = function(e) {
var el = e.target.closest('[data-action]');
if (!el) return;
var action = el.getAttribute('data-action');
if (action === 'selectProject') {
var pid = el.getAttribute('data-project-id');
selectProject(pid ? parseInt(pid) : null, el.getAttribute('data-project-name') || '');
} else if (action === 'selectWorkType') {
selectWorkType(parseInt(el.getAttribute('data-wt-id')), el.getAttribute('data-wt-name') || '');
}
};
}
window.selectProject = function(projectId, projectName) {
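Review bot: The new `data-project-name="' + esc(p.project_name) + '"` and `data-wt-name="' + esc(wt.name) + '"` attributes are only safe if `esc` escapes double quotes; if `esc` is the `textContent`/`innerHTML`-based `escapeHtml` from tkfb-core.js (which serializes only `&`, `<` and `>`), a `"` in a project or work-type name still breaks out of the attribute, so the injection fix for SEC-62 would be incomplete — please confirm which escaper `esc` resolves to, and if needed make it escape `"` as `&quot;` and `'` as `&#39;`. In the delegation handler, `parseInt(pid)` and `parseInt(el.getAttribute('data-wt-id'))` should pass a radix, `parseInt(pid, 10)`, and the work-type branch will call `selectWorkType(NaN, ...)` when the attribute is missing or malformed; a guard such as `if (Number.isNaN(wtId)) return;` before the call avoids that. The first three hunks of this section share the attribute-escaping concern.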


@@ -844,14 +844,14 @@
<!-- Scripts -->
<script src="/static/js/tkfb-core.js?v=2026033108"></script>
<script src="/js/api-base.js?v=2026031401"></script>
<script src="/js/api-base.js?v=2026040101"></script>
<!-- 공통 모듈 -->
<script src="/js/common/utils.js?v=2026031401"></script>
<script src="/js/common/base-state.js?v=2026031401"></script>
<script src="/js/tbm/state.js?v=2026031401"></script>
<script src="/js/tbm/utils.js?v=2026031401"></script>
<script src="/js/tbm/api.js?v=2026031401"></script>
<script src="/js/tbm-create.js?v=2026031401"></script>
<script src="/js/common/utils.js?v=2026040101"></script>
<script src="/js/common/base-state.js?v=2026040101"></script>
<script src="/js/tbm/state.js?v=2026040101"></script>
<script src="/js/tbm/utils.js?v=2026040101"></script>
<script src="/js/tbm/api.js?v=2026040101"></script>
<script src="/js/tbm-create.js?v=2026040101"></script>
<script>initAuth();</script>
</body>
</html>


@@ -7,7 +7,7 @@
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<link rel="stylesheet" href="/static/css/tkfb.css?v=2026033108">
<link rel="stylesheet" href="/css/tbm-mobile.css?v=2026031401">
<link rel="stylesheet" href="/css/tbm-mobile.css?v=2026040101">
</head>
<body class="bg-gray-50">
@@ -265,13 +265,13 @@
<!-- 공통 모듈 -->
<script src="/static/js/tkfb-core.js?v=2026033108"></script>
<script src="/js/api-base.js?v=2026031401"></script>
<script src="/js/common/utils.js?v=2026031401"></script>
<script src="/js/common/base-state.js?v=2026031401"></script>
<script src="/js/api-base.js?v=2026040101"></script>
<script src="/js/common/utils.js?v=2026040101"></script>
<script src="/js/common/base-state.js?v=2026040101"></script>
<script src="/js/tbm/state.js?v=2026031401"></script>
<script src="/js/tbm/utils.js?v=2026031401"></script>
<script src="/js/tbm/api.js?v=2026031401"></script>
<script src="/js/tbm/state.js?v=2026040101"></script>
<script src="/js/tbm/utils.js?v=2026040101"></script>
<script src="/js/tbm/api.js?v=2026040101"></script>
<script src="/js/tbm-mobile.js?v=2026033102"></script>
<script>initAuth();</script>
</body>


@@ -64,6 +64,7 @@ function showToast(msg, type = 'success') {
/* ===== Escape ===== */
function escapeHtml(str) { if (!str) return ''; const d = document.createElement('div'); d.textContent = str; return d.innerHTML; }
const escHtml = escapeHtml;
/* ===== Helpers ===== */
function formatDate(d) { if (!d) return ''; return String(d).substring(0, 10); }
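Review bot: The added `const escHtml = escapeHtml;` aliases an escaper that, via `textContent`/`innerHTML` serialization, encodes only `&`, `<` and `>` — not `"` or `'` — so `escHtml` output is not safe inside quoted HTML attributes, while the page-local `escHtml` it is presumably meant to supersede (SEC-29) does encode `"`; the two names now carry different guarantees. If the alias is intended as the shared replacement, have `escapeHtml` escape quotes explicitly, e.g. `function escapeHtml(str) { if (str == null) return ''; return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;'); }`, which also avoids the DOM round-trip and returns `'0'` rather than `''` for the number `0`. Note that a top-level `const` in a classic script is visible to other classic scripts as a bare identifier but is not a `window` property, so any caller using `window.escHtml(...)` would get `undefined` — worth checking the call sites.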