fix(security): CRITICAL 보안 이슈 13건 일괄 수정

- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳)
- SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩
- SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지)
- SEC-39: Python Dockerfile 4개 non-root user + chown
- SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함)
- SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized
- QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑
- SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by
- SEC-33: files.py 17개 미인증 엔드포인트 인증 추가
- SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자)
- SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함
- SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리
- SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가
- SEC-63: proxyInputController 에러 메시지 노출 제거
- QA-103: pageAccessRoutes error→message 통일
- SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation
- QA-99: tbm-mobile/create 캐시 버스팅 갱신
- QA-100,101: ESC 키 리스너 cleanup 추가

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tksupport/api/controllers/vacationController.js

@@ -128,6 +128,8 @@ const vacationController = {
   },
 
   async cancelRequest(req, res) {
+    const db = getPool();
+    const conn = await db.getConnection();
     try {
       const { id } = req.params;
       const results = await vacationRequestModel.getById(id);
@@ -145,11 +147,13 @@ const vacationController = {
         return res.status(400).json({ success: false, error: '이미 취소된 신청입니다' });
       }
 
+      await conn.beginTransaction();
+
       // 승인된 건 취소 시 잔여일 복구
       if (existing.status === 'approved') {
         const year = new Date(existing.start_date).getFullYear();
         await vacationBalanceModel.restoreDays(
-          existing.user_id, existing.vacation_type_id, year, parseFloat(existing.days_used)
+          existing.user_id, existing.vacation_type_id, year, parseFloat(existing.days_used), conn
         );
       }
 
@@ -157,11 +161,16 @@ const vacationController = {
         status: 'cancelled',
         reviewed_by: userId,
         review_note: '취소됨'
-      });
+      }, conn);
+      await conn.commit();
+
       res.json({ success: true, message: '휴가 신청이 취소되었습니다' });
     } catch (error) {
+      await conn.rollback();
       console.error('휴가 취소 오류:', error);
       res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    } finally {
+      conn.release();
     }
   },
 
@@ -178,6 +187,8 @@ const vacationController = {
   },
 
   async approveRequest(req, res) {
+    const db = getPool();
+    const conn = await db.getConnection();
     try {
       const { id } = req.params;
       const { review_note } = req.body;
@@ -192,18 +203,22 @@ const vacationController = {
       }
 
       const request = results[0];
-
-      // 잔여일 차감
       const year = new Date(request.start_date).getFullYear();
-      await vacationBalanceModel.deductDays(
-        request.user_id, request.vacation_type_id, year, parseFloat(request.days_used)
-      );
 
-      await vacationRequestModel.updateStatus(id, { status: 'approved', reviewed_by, review_note });
+      await conn.beginTransaction();
+      await vacationBalanceModel.deductDays(
+        request.user_id, request.vacation_type_id, year, parseFloat(request.days_used), conn
+      );
+      await vacationRequestModel.updateStatus(id, { status: 'approved', reviewed_by, review_note }, conn);
+      await conn.commit();
+
       res.json({ success: true, message: '휴가 신청이 승인되었습니다' });
     } catch (error) {
+      await conn.rollback();
       console.error('휴가 승인 오류:', error);
       res.status(500).json({ success: false, error: '서버 오류가 발생했습니다' });
+    } finally {
+      conn.release();
     }
   },