fix(costs): harden company auth check, fix frozen date memo, hide empty quota rows

- add company existence check on quota-windows route to guard against
  sentinel and forged company IDs (was a no-op assertCompanyAccess)
- fix useDateRange minuteTick memo frozen at mount; realign interval to
  next calendar minute boundary via setTimeout + intervalRef pattern
- fix midnight timer in Costs.tsx to use stable [] dep and
  self-scheduling todayTimerRef to avoid StrictMode double-invoke
- return null for rolling window rows with no DB data instead of
  rendering $0.00 / 0 tok false zeros
- fix secondsToWindowLabel to handle windows >168h with actual day count
  instead of silently falling back to 7d
- fix byProvider.get(p) non-null assertion to use ?? [] fallback

server/src/routes/costs.ts

@@ -82,6 +82,13 @@ export function costRoutes(db: Db) {
     const companyId = req.params.companyId as string;
     assertCompanyAccess(req, companyId);
     assertBoard(req);
+    // validate companyId resolves to a real company so the "__none__" sentinel
+    // and any forged ids are rejected before we touch provider credentials
+    const company = await companies.getById(companyId);
+    if (!company) {
+      res.status(404).json({ error: "Company not found" });
+      return;
+    }
     const results = await fetchAllQuotaWindows();
     res.json(results);
   });

server/src/services/quota-windows.ts

@@ -169,7 +169,9 @@ function secondsToWindowLabel(seconds: number | null | undefined, fallback: stri
   const hours = seconds / 3600;
   if (hours < 6) return "5h";
   if (hours <= 24) return "24h";
-  return "7d";
+  if (hours <= 168) return "7d";
+  // for windows larger than 7d, show the actual day count rather than silently mislabelling
+  return `${Math.round(hours / 24)}d`;
 }
 
 async function fetchCodexQuota(token: string, accountId: string | null): Promise<QuotaWindow[]> {