Harden invoice item ID generation in insecure contexts and make cleared company Tax ID persistent #123

Merged: kittendevv merged 2 commits into main from copilot/fix-issues-115-and-117 on May 12, 2026

Copilot AI commented May 12, 2026

Invoice creation could fail on non-HTTPS deployments because crypto.randomUUID() is not universally available in insecure browser contexts. Separately, clearing company Tax ID in settings was not durable: the key was removed, allowing default seeding to repopulate it later.

  • Frontend: resilient item ID generation (InvoiceEditor.svelte)

    • Replaced direct crypto.randomUUID() calls with a createItemId() helper.
    • Added a compatibility chain:
      1. crypto.randomUUID()
      2. RFC4122 v4-style ID from crypto.getRandomValues()
      3. last-resort timestamp/random fallback
    • Applied this to initial line-item mapping and addItem().
  • Backend: durable clearing of optional company fields (settings.ts)

    • Normalized alias keys (taxId, email, phone, countryCode) to canonical settings keys before persistence.
    • Changed clear behavior for empty clearable fields (including companyTaxId) from delete row to upsert empty string.
    • Added explicit clearable-key set and canonicalization comment to keep alias handling predictable.
  • Behavioral impact

    • Invoice editor no longer depends on secure-context-only UUID APIs.
    • Blank company Tax ID remains blank across restarts/long-term usage instead of being repopulated by defaults.

function createItemId() {
  if (typeof globalThis.crypto?.randomUUID === "function") return globalThis.crypto.randomUUID();
  if (typeof globalThis.crypto?.getRandomValues === "function") {
    // build RFC4122 v4-compatible UUID from random bytes
  }
  return `${Date.now()}-${Math.random().toString(16).slice(2)}`;
}

Copilot AI and others added 2 commits May 12, 2026 19:28
@kittendevv kittendevv marked this pull request as ready for review May 12, 2026 19:32
@kittendevv kittendevv merged commit a9393d4 into main May 12, 2026
3 checks passed
@kittendevv kittendevv deleted the copilot/fix-issues-115-and-117 branch May 12, 2026 19:38
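
The compatibility chain from the pull request description above, written out as an added example (not the code merged in this PR). `makeItemId`, `uuidV4FromBytes` and the `source` tag are hypothetical names, and the crypto object is injectable so each tier can be exercised with constructed stand-ins; the `source` tag makes it visible when the non-cryptographic fallback was used.

```javascript
// Added example; names are hypothetical and not taken from InvoiceEditor.svelte.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Format 16 random bytes as an RFC 4122 version 4 UUID string.
function uuidV4FromBytes(bytes) {
  if (bytes.length !== 16) throw new RangeError("need exactly 16 bytes");
  const b = Uint8Array.from(bytes); // copy so the caller's buffer is untouched
  b[6] = (b[6] & 0x0f) | 0x40;      // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80;      // variant bits = 10xxxxxx
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join("-");
}

// Returns { id, source }. `cryptoObj` defaults to the platform object; tests can
// pass a stand-in to simulate an insecure context or a runtime with no Web Crypto.
function makeItemId(cryptoObj = globalThis.crypto) {
  // Tier 1: native UUID (in browsers, only exposed in secure contexts).
  if (typeof cryptoObj?.randomUUID === "function") {
    return { id: cryptoObj.randomUUID(), source: "randomUUID" };
  }
  // Tier 2: still CSPRNG-backed, only the formatting is done by hand.
  if (typeof cryptoObj?.getRandomValues === "function") {
    const bytes = cryptoObj.getRandomValues(new Uint8Array(16));
    return { id: uuidV4FromBytes(bytes), source: "getRandomValues" };
  }
  // Tier 3: Math.random() is not cryptographically secure. Acceptable for a
  // client-side line-item key, not for tokens or anything that must be unguessable.
  const id = `${Date.now()}-${Math.random().toString(16).slice(2)}`;
  return { id, source: "insecure-fallback" };
}

// Constructed stand-ins for the three environments the chain has to handle.
const environments = {
  secureContext: { randomUUID: () => "11111111-1111-4111-8111-111111111111" },
  insecureContext: { getRandomValues: (a) => a.fill(0xff) }, // fixed bytes, demo only
  noWebCrypto: {},
};
for (const [name, env] of Object.entries(environments)) {
  const { id, source } = makeItemId(env);
  console.log(`${name}: ${source} -> ${id} (v4 format: ${UUID_V4.test(id)})`);
}
```

Only the first two tiers yield IDs that match the v4 pattern; a caller that ever needs unguessable values should treat `insecure-fallback` as an error rather than accept the ID.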