security: fix 27 vulnerabilities + UI integration (Issues tab, project nav, validation)

Security fixes (27 vulnerabilities across 20 files):
CRITICAL:
- MediaManager: whitelist mediable types prevents RCE via class instantiation
- MediaManager/OfflineSyncController: IDOR fixes, remove Auth::id()??1 fallback
- ClientProjects: verify project ownership on all mutations (IDOR)
- CompanyManagement: Admin role check on mount() and mutations (auth bypass)
- ProjectMap: scope feature/template lookups to current project (IDOR x5)
- PhaseList/TemplateManager/LayerManager: scope mutations to owned resources (IDOR)
- ProjectEditTabs: Gate::authorize on mount() and updateProject()
- routes/web.php: reports routes moved inside can:manage all middleware (auth bypass)

MEDIUM:
- layer-manager: escapeHtml() on Leaflet popup interpolations (XSS)
- MediaManager: server-side MIME validation + 50MB limit
- ProjectList/ProjectUsers/ProjectCompanies/PhaseProgress: auth checks added
- AdminUsers/ReportsDashboard/ExportController: role/permission checks added

LOW:
- config/session.php: secure cookie tied to production env
- OfflineSyncController: sanitize storage path (path traversal)

UI integration:
- project-map: Issues tab (4th) with open-count badge
- project-map: project navigation bar (Dashboard/Map/Gantt/Report/Issues)
- project-dashboard: action buttons for Map/Gantt/Report/Issues
- project-form: validation error summary + per-field @error spans
- template-manager: validation error display

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/Livewire/PhaseList.php

@@ -5,6 +5,8 @@ namespace App\Livewire;
 use Livewire\Component;
 use App\Models\Project;
 use App\Models\Phase;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Gate;
 
 class PhaseList extends Component
 {
@@ -13,16 +15,19 @@ class PhaseList extends Component
 
     public function mount(Project $project)
     {
+        Gate::authorize('edit projects', $project);
         $this->project = $project;
-        $this->phases = $project->phases;
+        $this->phases  = $project->phases;
     }
 
     public function addPhase()
     {
+        Gate::authorize('edit projects', $this->project);
+
         $this->project->phases()->create([
-            'name' => 'Nueva fase',
+            'name'  => 'Nueva fase',
             'order' => $this->phases->count() + 1,
-            'color' => '#'.substr(md5(rand()), 0, 6)
+            'color' => '#' . substr(md5(random_int(0, PHP_INT_MAX)), 0, 6),
         ]);
         $this->phases = $this->project->phases()->get();
         session()->flash('message', 'Fase agregada');
@@ -30,12 +35,20 @@ class PhaseList extends Component
 
     public function deletePhase($phaseId)
     {
-        Phase::find($phaseId)->delete();
+        Gate::authorize('edit projects', $this->project);
+
+        // Scope to this project to prevent IDOR deletion of another project's phase
+        Phase::where('id', $phaseId)
+            ->where('project_id', $this->project->id)
+            ->firstOrFail()
+            ->delete();
+
         $this->phases = $this->project->phases()->get();
+        session()->flash('message', 'Fase eliminada');
     }
 
     public function render()
     {
         return view('livewire.phase-list');
     }
-}
+}