Add accounting module with bank balance sheet endpoint

[TaprootFreak]

Summary

• Add AccountingModule with balance sheet calculation for year-end accounting
• Add /accounting/balance-sheet/:iban/:year endpoint (Admin/Compliance only)
• Add yearlyBalances JSON field to Bank entity for opening/closing balances
• Calculate income (CRDT transactions) and expenses (DBIT transactions) from bank_tx
• Validate calculated closing balance against defined closing balance
• Add sync scripts for local development database

Test plan

• Test balance sheet endpoint with valid IBAN and year
• Verify income/expenses calculation matches bank_tx data
• Verify validation message when closing balance matches/mismatches
• Test with different years (2024, 2025)

In general, the fix is to avoid passing a single concatenated command string to child_process.execSync, and instead use execFileSync with an explicit executable and an array of arguments. This bypasses the shell, so even if sql contains characters like quotes, semicolons, or backticks, they are treated as data for sqlcmd rather than being interpreted by the shell. We should also avoid manual quote-escaping for shell purposes (sql.replace(/"/g, '\\"')), because shell escaping is no longer needed once we remove the shell.

Concretely, in scripts/sync-bank-tx.js:

• Add execFileSync to the child_process import.
• Rewrite executeSql so it calls execFileSync('docker', [...]) instead of execSync with a command string. The arguments array will be:
  • ['exec', 'dfx-mssql', '/opt/mssql-tools18/bin/sqlcmd', '-U', 'sa', '-P', 'LocalDev2026@SQL', '-d', 'dfx', '-C', '-Q', sql]
• Remove the sql.replace(/"/g, '\\"') since shell quoting is no longer required; the raw sql string can be passed directly as a single argument.
• Keep the existing options stdio: 'pipe' and maxBuffer to preserve behavior.

No other parts of the file need changing; the rest of the script can continue building SQL as before, but the command execution is now shell-free.

In general, you should avoid manually escaping characters when building shell commands, and instead either (a) avoid the shell entirely by using execFile/spawn with an argument array, or (b) if you must stay with execSync and a single command string, ensure that all characters that affect the quoting/escaping rules (notably backslash and the quote characters in use) are handled correctly. For our context, using execSync with an argument array is the most reliable fix and preserves existing functionality.

The best fix here is to stop embedding sql into a double‑quoted -Q "..." argument string inside a larger shell‑quoted command. Instead, call docker directly with arguments, and pass the entire sqlcmd invocation (and the sql string) as arguments. Node’s child_process.execSync supports a form where the first argument is the command and the second is an array of arguments; it then handles escaping correctly according to the underlying platform. This means we no longer need sql.replace(...) at all, eliminating the incomplete escaping issue.

Concretely, in scripts/sync-bank-tx.js, update the executeSql function (around line 92–99):

• Replace the single string command to execSync with a call using the command 'docker' and an array of arguments.
• Build the argument array equivalent to the original command: ["exec", "dfx-mssql", "/opt/mssql-tools18/bin/sqlcmd", "-U", "sa", "-P", "LocalDev2026@SQL", "-d", "dfx", "-C", "-Q", sql].
• Remove the sql.replace(/"/g, '\\"') since escaping is now handled by the OS and execSync argument processing.

No new imports are needed; we already import { execSync } from child_process.