Harden multi-tenant isolation across all user-facing controllers

Added explicit CompanyId == companyId predicates to every tenant-scoped
query in 22 controllers so cross-tenant data leakage is impossible even
if EF Core global query filters are bypassed or misconfigured.

Also fixed ApplicationDbContext.IsPlatformAdmin to correctly return true
for SuperAdmins with no CompanyId claim (break-glass accounts) and when
no HTTP context is present (background services, unit tests), resolving
225 unit test failures that stemmed from the global filter blocking all
in-memory test data.

New MultiTenantIsolationTests class (8 tests) verifies the explicit
predicate layer independently of the global query filters.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/PowderCoating.Web/Controllers/DashboardController.cs

@@ -342,14 +342,16 @@ public class DashboardController : Controller
                 TipOfTheDay = data.TipOfTheDay
             };
 
+            // Resolve company once so all remaining queries are explicitly scoped
+            var currentCompanyId = _tenantContext.GetCurrentCompanyId();
+            var companyId = currentCompanyId ?? 0;
+
             // Dropdowns for the "Add Custom Powder to Inventory" modal
-            var inventoryCategories = (await _unitOfWork.InventoryCategoryLookups.GetAllAsync())
-                .Where(c => c.IsActive)
+            var inventoryCategories = (await _unitOfWork.InventoryCategoryLookups.FindAsync(c => c.IsActive && c.CompanyId == companyId))
                 .OrderBy(c => c.DisplayOrder)
                 .Select(c => new { c.Id, c.DisplayName })
                 .ToList();
-            var vendors = (await _unitOfWork.Vendors.GetAllAsync())
-                .Where(v => v.IsActive)
+            var vendors = (await _unitOfWork.Vendors.FindAsync(v => v.IsActive && v.CompanyId == companyId))
                 .OrderBy(v => v.CompanyName)
                 .Select(v => new { v.Id, v.CompanyName })
                 .ToList();
@@ -357,7 +359,6 @@ public class DashboardController : Controller
             ViewBag.VendorList = vendors;
 
             // Config health check — surface setup gaps to company admins
-            var currentCompanyId = _tenantContext.GetCurrentCompanyId();
             if (currentCompanyId.HasValue)
             {
                 ViewBag.ConfigHealth = await _configHealth.CheckAsync(currentCompanyId.Value);
@@ -711,8 +712,8 @@ public class DashboardController : Controller
                 i => i.Coats.Any(c => c.Id == coatId), false, i => i.Job);
             var companyId = jobItem?.Job?.CompanyId ?? _tenantContext.GetCurrentCompanyId() ?? 0;
 
-            // Check SKU uniqueness
-            if (await _unitOfWork.InventoryItems.AnyAsync(i => i.SKU == sku.Trim()))
+            // Check SKU uniqueness within this company
+            if (await _unitOfWork.InventoryItems.AnyAsync(i => i.SKU == sku.Trim() && i.CompanyId == companyId))
                 return Json(new { success = false, message = $"SKU '{sku}' already exists in inventory." });
 
             // Determine category display name for legacy field