Pentest 55.2 + 55.3 HIGH + 55.4 + 53.3: Notes/Document-Auth/Race/Generate

55.3 HIGH (Contract-Documents ohne Auth abrufbar):
- /uploads/contract-documents/*.pdf war HTTP 200 ohne Token, weil
  nginx die Datei direkt ausliefert und Backend nur /api/uploads/*
  schützte.
- Defense-in-Depth: app.get('/uploads/*') jetzt ebenfalls mit
  authenticate + downloadFile (Ownership-Check) abgesichert.
  Falls nginx fehlkonfiguriert sein sollte, fängt das Backend.

55.2 MEDIUM (notes ungestrippt + unlimitiert):
- Neuer sanitizeNotes-Helper: stripHtml + CRLF→LF + Control-Chars
  raus + Cap 2000 Zeichen. Eingesetzt für ContractDocument.notes
  in allen 3 Schreibpfaden (contract.controller, saveAttachment-
  AsContractDocument, saveEmailAsContractDocument).
- documentType zusätzlich stripHtml.

55.4 LOW (Race: 5x Lieferbestätigung → 5 Dokumente):
- Neuer In-Memory-Lock per (contractId, documentType) in
  contractStatusScheduler.service. withContractDocumentLock führt
  Recent-Duplicate-Check (10s-Window) + Write atomar aus.
- In cachedEmail-Pfaden: fs.writeFileSync ist jetzt INNERHALB des
  Locks → kein verwaister Datei-Müll bei Race-Reject.

53.3 (Prisma-Client veraltet bei ungebauten Images):
- docker-entrypoint.sh: `prisma generate` am Container-Start
  hinzugefügt. Kostet ~5–10 s, regeneriert den Client gegen das
  aktuelle Schema falls jemand ein Stale-Image hochgezogen hat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/controllers/contract.controller.ts

@@ -7,9 +7,9 @@ import * as authorizationService from '../services/authorization.service.js';
 import { recordPredecessorFinalReading } from '../services/customer.service.js';
 import { ApiResponse, AuthRequest } from '../types/index.js';
 import { logChange } from '../services/audit.service.js';
-import { sanitizeContract, sanitizeContractStrict, sanitizeContracts, sanitizeContractsStrict, stripHtml } from '../utils/sanitize.js';
+import { sanitizeContract, sanitizeContractStrict, sanitizeContracts, sanitizeContractsStrict, stripHtml, sanitizeNotes } from '../utils/sanitize.js';
 import { canAccessContract } from '../utils/accessControl.js';
-import { maybeActivateOnDeliveryConfirmation } from '../services/contractStatusScheduler.service.js';
+import { maybeActivateOnDeliveryConfirmation, withContractDocumentLock } from '../services/contractStatusScheduler.service.js';
 
 /**
  * Walk-and-clean: strippt HTML/Script-/URI-Schemata in allen String-Werten
@@ -727,16 +727,20 @@ export async function uploadContractDocument(req: AuthRequest, res: Response): P
     }
 
     const documentPath = `/uploads/contract-documents/${req.file.filename}`;
-    const doc = await prisma.contractDocument.create({
-      data: {
-        contractId,
-        documentType,
-        documentPath,
-        originalName: req.file.originalname,
-        notes: notes || null,
-        uploadedBy: req.user?.email,
-      },
-    });
+    const cleanType = stripHtml(documentType) as string;
+    // Pentest 55.4: Race-Schutz – Lock + Recent-Duplicate-Check.
+    const doc = await withContractDocumentLock(contractId, cleanType, () =>
+      prisma.contractDocument.create({
+        data: {
+          contractId,
+          documentType: cleanType,
+          documentPath,
+          originalName: req.file!.originalname,
+          notes: sanitizeNotes(notes),
+          uploadedBy: req.user?.email,
+        },
+      }),
+    );
 
     const contract = await prisma.contract.findUnique({ where: { id: contractId }, select: { contractNumber: true, customerId: true } });
     await logChange({