feat: Portal, Email Inbound, Discuss + module improvements

- Portal: /my/* routes, signup, password reset, portal user support
- Email Inbound: IMAP polling (go-imap/v2), thread matching
- Discuss: mail.channel, long-polling bus, DM, unread count
- Cron: ir.cron runner (goroutine scheduler)
- Bank Import, CSV/Excel Import
- Automation (ir.actions.server)
- Fetchmail service
- HR Payroll model
- Various fixes across account, sale, stock, purchase, crm, hr, project

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marc
2026-04-12 18:41:57 +02:00
parent 2c7c1e6c88
commit 66383adf06
87 changed files with 14696 additions and 654 deletions


@@ -43,8 +43,9 @@ func (s *Server) handleStatic(w http.ResponseWriter, r *http.Request) {
addonName := parts[0]
filePath := parts[2]
// Security: prevent directory traversal
if strings.Contains(filePath, "..") {
// Security: prevent directory traversal in both addonName and filePath
if strings.Contains(filePath, "..") || strings.Contains(addonName, "..") ||
strings.Contains(addonName, "/") || strings.Contains(addonName, "\\") {
http.NotFound(w, r)
return
}
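Review bot: the new condition in handleStatic is still a substring denylist and it is asymmetric: addonName is rejected for "/" and "\\", but filePath is only checked for "..", so a backslash in filePath still passes, as does an addonName of "." or the empty string. Rather than growing the strings.Contains list, consider validating addonName against a strict pattern (or a list of known addons, if the server keeps one) and then confirming with filepath.IsLocal or filepath.Rel that the cleaned, joined path stays under the addon's static directory before serving it. A table-driven test covering these inputs would document the intended behaviour, and since this is a security fix it would be easier to audit and backport as its own commit rather than inside an 87-file feature change.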