feat: implement server-side pricing calculation and add site settings management

Co-authored-by: Copilot <copilot@github.com>

README.md

@@ -41,7 +41,7 @@ cd /mnt/user/appdata/mc-cars
 docker compose up -d
 ```
 
-First boot pulls ~1.5 GB of images and runs migrations (`01-init.sql`, `post-boot.sql`, `02-leads.sql`). Give it 30–60 s to settle.
+First boot pulls ~1.5 GB of images and runs migrations (`01-init.sql`, `post-boot.sql`, `02-leads.sql`, `08-backend-pricing-and-security.sql`, `09-site-settings.sql`). Give it 30–60 s to settle.
 
 ### Stop / reset
 
@@ -74,9 +74,12 @@ The admin is seeded with `must_change_password = true` in `raw_user_meta_data`.
 ## Data model
 
 - `public.vehicles` — fleet, public-readable where `is_active`.
-- `public.leads` — booking form submissions. `anon` may `INSERT` only; `authenticated` has full CRUD. Status: `new | qualified | disqualified`.
+- `public.leads` — booking form submissions with server-computed pricing. `anon` may `INSERT` only (via `create_lead` RPC); `authenticated` has full CRUD. Status: `new | qualified | disqualified`.
+- `public.lead_attachments` — ID documents and income proofs per lead. Max 1 of each enforced by unique partial index.
 - `public.customers` — created **only** by qualifying a lead. Hard FK `lead_id` preserves the audit link to the originating lead.
-- RPCs: `qualify_lead(uuid, text)`, `disqualify_lead(uuid, text)`, `reopen_lead(uuid)` — transactional, `SECURITY INVOKER`, `authenticated` only.
+- `public.sales_orders` — rental orders created during qualification, contain pricing snapshot.
+- `public.site_settings` — key-value settings table (e.g. `hero_image_url`). Publicly readable, admin-writable.
+- RPCs: `calculate_price(uuid, date, date)` (public pricing), `create_lead(...)` (server-side submission), `qualify_lead(uuid, text)`, `disqualify_lead(uuid, text)`, `reopen_lead(uuid)` — transactional, `SECURITY INVOKER`, `authenticated` only (except calculate_price and create_lead which are anon-accessible).
 - Realtime: `supabase_realtime` publication broadcasts inserts/updates on leads, customers, vehicles.
 
 ## Environment: two variables per deployment
@@ -166,16 +169,18 @@ MC Cars/
 │       ├── 00-run-init.sh     # creates supabase service roles
 │       ├── 01-init.sql        # vehicles + bucket + seed cars
 │       ├── post-boot.sql      # admin user (must_change_password) + bucket row
-│       └── 02-leads.sql       # leads, customers, RPCs, realtime publication
+│       ├── 02-leads.sql       # leads, customers, RPCs, realtime publication
+│       ├── 08-backend-pricing-and-security.sql  # calculate_price RPC, refactored create_lead, document security
+│       └── 09-site-settings.sql                 # site_settings table + hero_image_url seed
 ├── frontend/
 │   ├── nginx.conf
 │   ├── index.html             # public DE/EN site, booking form -> leads
-│   ├── admin.html             # auth-gated CRM
-│   ├── app.js
-│   ├── admin.js               # realtime + qualify/disqualify + password change
+│   ├── admin.html             # auth-gated CRM + settings panel
+│   ├── app.js                 # dynamic hero image, server-side pricing sidebar
+│   ├── admin.js               # realtime + qualify/disqualify + password change + settings
 │   ├── config.js              # generated at container start (git-ignored)
 │   ├── i18n.js
-│   ├── styles.css
+│   ├── styles.css             # CSS-variable hero image with fallback
 │   ├── impressum.html
 │   └── datenschutz.html
 ├── .gitattributes             # enforces LF on .sh files