Fix security and quality issues from code review

Critical: Add company scoping to line item update/delete and note
delete via ownership verification through ticket join. Add companyId
validation to signed URL file serving. High: Paginate notes list
endpoint with search and sort support. Fix blob URL memory leaks in
AuthImage components with proper cleanup on unmount. Improve photo
upload error handling — count failures and show specific error count
instead of silently clearing form.
Ryan Moon
2026-03-29 12:16:17 -05:00
parent 21ef7e7059
commit 72d0ff0a33
7 changed files with 89 additions and 24 deletions


@@ -296,14 +296,16 @@ suite('Repairs', { tags: ['repairs'] }, (t) => {
t.assert.equal(res.data.visibility, 'customer')
})
t.test('lists notes for a ticket in chronological order', { tags: ['notes', 'read'] }, async () => {
t.test('lists notes for a ticket with pagination', { tags: ['notes', 'read'] }, async () => {
const ticket = await t.api.post('/v1/repair-tickets', { customerName: 'List Notes', problemDescription: 'Test' })
await t.api.post(`/v1/repair-tickets/${ticket.data.id}/notes`, { content: 'First note' })
await t.api.post(`/v1/repair-tickets/${ticket.data.id}/notes`, { content: 'Second note' })
const res = await t.api.get(`/v1/repair-tickets/${ticket.data.id}/notes`)
const res = await t.api.get(`/v1/repair-tickets/${ticket.data.id}/notes`, { limit: 100 })
t.assert.status(res, 200)
t.assert.equal(res.data.data.length, 2)
t.assert.ok(res.data.pagination)
t.assert.equal(res.data.pagination.total, 2)
t.assert.equal(res.data.data[0].content, 'First note')
t.assert.equal(res.data.data[1].content, 'Second note')
})
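Review bot: The renamed test only checks the default listing with `{ limit: 100 }`; it exercises neither the search and sort parameters the commit says it adds to the notes endpoint nor a page boundary where `pagination.total` differs from `data.length`. A second request with a small limit, asserting `res.data.data.length` is 1 while `res.data.pagination.total` stays 2, would pin the pagination contract, and a sort case would cover the ordering the old test name promised, since the `data[0]`/`data[1]` checks now rely on whatever the default sort happens to be. The parameter names for search and sort are not visible in this hunk, so they should be taken from the endpoint implementation. The same `{ limit: 100 }` literal is repeated in the following hunk; a shared constant would keep the two in step.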
@@ -323,7 +325,7 @@ suite('Repairs', { tags: ['repairs'] }, (t) => {
const res = await t.api.del(`/v1/repair-notes/${note.data.id}`)
t.assert.status(res, 200)
const list = await t.api.get(`/v1/repair-tickets/${ticket.data.id}/notes`)
const list = await t.api.get(`/v1/repair-tickets/${ticket.data.id}/notes`, { limit: 100 })
t.assert.equal(list.data.data.length, 0)
})