feat: secure attachment download route with shareId validation

Changes:
- Update attachment download link in UI to use shareId
- Add shareId validation to attachment download route
- Validate TTL before allowing attachment downloads
- Extract locationId from shareId using extractShareId helper

Security:
- Attachment downloads now validate checksum and TTL
- Prevents unauthorized access to bill attachment files
- Returns 404 for invalid/expired share links

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Knee Cola
2025-12-08 01:02:20 +01:00
parent f19e1bc023
commit bc336a9744
2 changed files with 42 additions and 5 deletions


@@ -100,7 +100,7 @@ export const ViewBillCard: FC<ViewBillCardProps> = ({ location, bill, shareId })
attachment ?
<span className="textarea textarea-bordered max-w-[400px] w-full grow">
<p className="font-bold uppercase">{t("attachment")}</p>
<Link href={`/share/attachment/${locationID}-${billID}/`} target="_blank" className='text-center w-full max-w-[20em] text-nowrap truncate inline-block mt-2'>
<Link href={`/share/attachment/${shareId || locationID}-${billID}/`} target="_blank" className='text-center w-full max-w-[20em] text-nowrap truncate inline-block mt-2'>
<DocumentIcon className="h-[1em] w-[1em] text-2xl inline-block mr-1" />
{decodeURIComponent(attachment.fileName)}
</Link>
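Review bot: The `shareId || locationID` fallback in the new `<Link>` href still emits a URL carrying the bare location id whenever `shareId` is undefined or empty, so the UI can produce attachment links with no checksum or TTL for the route to validate. The download route is not visible in this section: if it now rejects such ids, the link is dead for those views; if it accepts them, the validation described in the commit message can be sidestepped. Consider building the href from `shareId` alone and rendering the attachment link only when `shareId` is set, with a comment such as `// shareId carries the checksum and TTL; never fall back to the raw locationID`. The component body starts and ends outside this hunk, so whether `shareId` is always supplied by callers cannot be confirmed from here.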