fix: harden permissions system after code review

- Gate permissions in /app-config behind optionalAuth so unauthenticated
  requests don't receive admin configuration
- Fix trip_delete isMember parameter (was hardcoded false)
- Return skipped keys from savePermissions for admin visibility
- Add disabled prop to CustomSelect, use in BudgetPanel currency picker
- Fix CollabChat reaction handler returning false instead of void
- Pass canUploadFiles as prop to NoteFormModal instead of internal store read
- Make edit-only NoteFormModal props optional (onDeleteFile, note, tripId)
- Add missing trailing newlines to .gitignore and it.ts
Gérnyi Márk
2026-03-31 23:33:27 +02:00
parent 1ff8546484
commit 23edfe3dfc
10 changed files with 35 additions and 24 deletions


@@ -95,18 +95,22 @@ export function getAllPermissions(): Record<string, PermissionLevel> {
return result;
}
export function savePermissions(settings: Record<string, string>): void {
export function savePermissions(settings: Record<string, string>): { skipped: string[] } {
const skipped: string[] = [];
const upsert = db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)");
const txn = db.transaction(() => {
for (const [actionKey, level] of Object.entries(settings)) {
const action = ACTIONS_MAP.get(actionKey);
if (!action) continue;
if (!action.allowedLevels.includes(level as PermissionLevel)) continue;
if (!action || !action.allowedLevels.includes(level as PermissionLevel)) {
skipped.push(actionKey);
continue;
}
upsert.run(`perm_${actionKey}`, level);
}
});
txn();
invalidatePermissionsCache();
return { skipped };
}
/**
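Review bot: The new `{ skipped }` return value on savePermissions is undocumented, and a caller cannot tell from it whether a key was skipped because it is not in ACTIONS_MAP or because the level is outside that action's allowedLevels; a TSDoc header such as `/** Persists permission levels. Keys not in ACTIONS_MAP, or whose level is not in the action's allowedLevels, are not written and are returned in `skipped`; valid entries are committed even when others are skipped. */` would state that contract. Since the commit description says the list is for admin visibility, it is worth noting in that comment that `skipped` echoes caller-supplied keys verbatim, so it may hold arbitrary strings rather than action names — presumably fine if the consumer renders it as text, but it should not be treated as a list of known actions. The `level as PermissionLevel` assertion on the check can be dropped by comparing at runtime instead, `if (!action || !action.allowedLevels.some((l) => l === level)) {`, which validates the untrusted string without asserting its type. The hunk shows the whole function; the preceding getAllPermissions body starts outside it.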