fix: security hardening, UI fixes, and validation improvements

- Fix header nav overflow by switching to lg: breakpoint with tighter gaps
- Fix file upload path traversal by whitelisting allowed folders and extensions
- Fix BookingModal using hardcoded content instead of DB-backed data
- Add input length validation on public master-class registration API
- Add ID validation on team member and reorder API routes
- Fix BookingModal useCallback missing groupInfo/contact dependencies
- Improve admin news date field to use native date picker
- Add missing Мастер-классы and Новости cards to admin dashboard

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 17:37:29 +03:00
parent 26cb9a9772
commit 3ac6a4d840
8 changed files with 73 additions and 31 deletions


@@ -3,16 +3,22 @@
import { useState, useEffect, useCallback } from "react";
import { createPortal } from "react-dom";
import { X, Instagram, Send, CheckCircle, Phone } from "lucide-react";
import { siteContent } from "@/data/content";
import { BRAND } from "@/lib/constants";
interface BookingModalProps {
open: boolean;
onClose: () => void;
groupInfo?: string;
contact?: { instagram: string; phone: string };
}
export function BookingModal({ open, onClose, groupInfo }: BookingModalProps) {
const { contact } = siteContent;
const DEFAULT_CONTACT = {
instagram: BRAND.instagram,
phone: "+375 29 389-70-01",
};
export function BookingModal({ open, onClose, groupInfo, contact: contactProp }: BookingModalProps) {
const contact = contactProp ?? DEFAULT_CONTACT;
const [name, setName] = useState("");
const [phone, setPhone] = useState("+375 ");
@@ -72,7 +78,7 @@ export function BookingModal({ open, onClose, groupInfo }: BookingModalProps) {
window.open(instagramUrl, "_blank");
setSubmitted(true);
},
[name, phone]
[name, phone, groupInfo, contact]
);
const handleClose = useCallback(() => {
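Review bot: The `window.open(instagramUrl, "_blank")` call in the second hunk now depends on the caller-supplied `contact` prop but is still made without `noopener`, so the opened page keeps a `window.opener` reference to this tab; I would change it to `window.open(instagramUrl, "_blank", "noopener,noreferrer");`. How `instagramUrl` is built is outside the visible lines, so if it interpolates `contact.instagram` from DB-backed content, that value should be validated against the expected Instagram handle or host before it reaches the URL. Adding the whole `contact` object to the dependency list also means a parent passing an inline object literal recreates the handler on every render; listing the fields the callback reads (for example `contact.instagram`) would keep the memoization useful. The callback body starts outside the hunk, so the fields it actually reads should be confirmed there.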