fix: email XSS sanitization, bulk invite concurrency, error handling (code review batch 2)

- Add escapeHtml() helper and apply to all user-supplied variables in 20+ HTML email templates
- Auto-escape in sectionTitle() and statCard() helpers for defense-in-depth
- Replace 5 instances of incomplete manual escaping with escapeHtml()
- Refactor bulkInviteTeamMembers: batch all DB writes in $transaction, then send emails via Promise.allSettled with concurrency pool of 10
- Fix inner catch block in award-eligibility-job.ts to capture its own error variable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 16:59:56 +01:00
parent b85a9b9a7b
commit 94cbfec70a
3 changed files with 119 additions and 110 deletions


@@ -284,9 +284,9 @@ export async function processEligibilityJob(
eligibilityJobError: errorMessage,
},
})
} catch {
} catch (updateErr) {
// If we can't even update the status, log and give up
console.error('Failed to update eligibility job status:', error)
console.error('Failed to update eligibility job status:', updateErr, 'Original error:', error)
}
}
}
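Review bot: The inner catch still swallows the failure after logging, so a job whose status could not be updated to failed is left in whatever state it was in before, and the caller of processEligibilityJob has no signal that this happened; the comment "log and give up" documents the behaviour but does not justify it. Binding `updateErr` is the right fix for the old bug on the removed line, where `console.error('Failed to update eligibility job status:', error)` printed the original `error` and discarded the update error entirely, but consider rethrowing (or returning a failure result) after the `console.error` so that a job stuck in a non-failed status is retried or alerted on rather than silently dropped. If rethrowing is not acceptable here, add a comment stating why a job left without its `eligibilityJobError` status is safe to ignore.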