Fix security issues: path traversal, typed errors, file validation

- Fix path traversal in file serve endpoint (validate company prefix, block ..)
- Add typed error classes: ValidationError, NotFoundError, ForbiddenError,
  ConflictError, StorageError
- Global error handler catches AppError subclasses with correct status codes
- 4xx logged as warn, 5xx as error with request ID
- File upload validates entityType whitelist, UUID format, category pattern
- Remove fragile string-matching error handling from routes
- Services throw typed errors instead of plain Error
- Health endpoint documented as intentionally public

packages/backend/src/services/lookup.service.ts

@@ -1,5 +1,6 @@
 import { eq, and } from 'drizzle-orm'
 import type { PostgresJsDatabase } from 'drizzle-orm/postgres-js'
+import { ForbiddenError } from '../lib/errors.js'
 import {
   inventoryUnitStatuses,
   itemConditions,
@@ -73,7 +74,7 @@ function createLookupService(
 
       if (!existing[0]) return null
       if (existing[0].isSystem && input.isActive === false) {
-        throw new Error('Cannot deactivate a system status')
+        throw new ForbiddenError('Cannot deactivate a system status')
       }
 
       const [row] = await db
@@ -93,7 +94,7 @@ function createLookupService(
 
       if (!existing[0]) return null
       if (existing[0].isSystem) {
-        throw new Error('Cannot delete a system status')
+        throw new ForbiddenError('Cannot delete a system status')
       }
 
       const [row] = await db