Fix ~60 UI and backend bugs: signal bindings, null safety, infinite recursion, filter logic

[Copilot]

Addresses the full bug inventory from BUGS.md — logic errors, broken UI bindings, null crashes, memory leaks, and unsafe backend patterns.

Critical Logic Fixes

• Map filter double-apply: filter += filter += ... → filter += ...
• Copy-paste query param bug: second queryParams.has("from") → has("to") — to date was silently ignored
• Infinite recursion in bounds setter (both map components): this.bounds = ... → this._bounds = ...
• Wrong null check in filter cache: from == null → to == null in setApplicableFilter

Broken UI Bindings (buttons/toggles not working)

[(ngModel)] on Angular signals doesn't work — the signal reference is bound instead of its value. All four affected bindings in route-instances-edit:

<!-- Before (broken) -->
<mat-slide-toggle [(ngModel)]="useDetailedTime" (change)="onTimeModeChange()">

<!-- After (correct) -->
<mat-slide-toggle [ngModel]="useDetailedTime()" (ngModelChange)="useDetailedTime.set($event); onTimeModeChange()">

Same pattern applied to enterScheduledTimes, endTimeDayOffset (mat-select), and selectedMaps (mat-selection-list).

Also fixed !this.maps / !this.countries → !this.maps() / !this.countries() in route-detail (always evaluated falsy).

Auth / Security

• ******** header**: interceptor now only sets Authorization` when token is non-null
• decodeToken(null) crash: guarded in email and admin getters; admin now accepts both "true" string and boolean
• Administrator guard: wrapped in try/catch, checks isLoggedIn before admin
• Login guard: '/' + url.join('/') produced // for empty segments

SignalR

Added connecting flag to prevent duplicate WebSocket connections during rapid connect() calls. Event handlers now registered before .start().

Memory Leaks

Applied takeUntilDestroyed() to unmanaged subscriptions in: map, single-route-map, countries, time-stats, wizard-step2. Added ngOnDestroy to profile to clear the OAuth polling interval; added null-check on window.open() (popup blocked case).

Null Safety

• table()?.renderRows() in route-instances-edit
• mapsSelection() null-guard before .selectedOptions in route-detail
• feature.properties and layer.getPopup() guards in single-route-map
• connectionStatus?.user?.displayName in traewelling template
• data = [] initialization in countries and image-creator; error handlers added

Backend (C#)

• 35+ locations across 12 controllers: SingleOrDefault(...).Value → SingleOrDefault(...)?.Value (NullReferenceException when claim absent)
• RoutesController: .Single() → .SingleOrDefaultAsync() + null check for GetRoute; KML import .Single() → .FirstOrDefault()
• MapsController: null check for dbMap before property assignment in PutMap