fix: code review — XSS, type safety, validation improvements

Critical:
- InvoiceDetail: sanitize notes HTML with DOMPurify
- OrderDetail: use proper DOMPurify import instead of window fallback

Important:
- AttendanceBalances: add fund_to_date to interface, remove as-any casts
- All schemas: replace z.any() with z.preprocess for boolean fields
- Routes: simplify boolean coercion (Zod handles it now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/admin/pages/AttendanceBalances.tsx

@@ -34,6 +34,7 @@ interface FundUserData {
 interface MonthFundData {
   month_name: string;
   fund: number;
+  fund_to_date: number;
   business_days: number;
   users?: Record<string, FundUserData>;
 }
@@ -320,7 +321,7 @@ export default function AttendanceBalances() {
     let totalCovered = 0;
     for (const monthData of Object.values(fundData.months)) {
       // Use prorated fund (fund_to_date) for current month, full fund for past
-      totalFund += (monthData as any).fund_to_date ?? monthData.fund;
+      totalFund += monthData.fund_to_date ?? monthData.fund;
       const us = monthData.users?.[userId];
       if (us) {
         totalWorked += us.worked;
@@ -571,10 +572,9 @@ export default function AttendanceBalances() {
                           className="text-secondary"
                           style={{ fontSize: "12px" }}
                         >
-                          {(monthData as any).fund_to_date ?? monthData.fund}h (
+                          {monthData.fund_to_date ?? monthData.fund}h (
                           {Math.round(
-                            ((monthData as any).fund_to_date ??
-                              monthData.fund) / 8,
+                            (monthData.fund_to_date ?? monthData.fund) / 8,
                           )}{" "}
                           dnů)
                         </span>
@@ -591,7 +591,7 @@ export default function AttendanceBalances() {
                             const us = monthData.users?.[String(user.id)];
                             if (!us) return null;
                             const effectiveFund =
-                              (monthData as any).fund_to_date ?? monthData.fund;
+                              monthData.fund_to_date ?? monthData.fund;
                             const pct =
                               effectiveFund > 0
                                 ? Math.min(

src/admin/pages/InvoiceDetail.tsx

@@ -5,6 +5,7 @@ import {
   useParams,
   Link,
 } from "react-router-dom";
+import DOMPurify from "dompurify";
 import { useAlert } from "../context/AlertContext";
 import { useAuth } from "../context/AuthContext";
 import Forbidden from "../components/Forbidden";
@@ -1969,7 +1970,9 @@ export default function InvoiceDetail() {
         <h3 className="admin-card-title">Veřejné poznámky na faktuře</h3>
         {isPaid ? (
           notes && notes.trim() && notes !== "<p><br></p>" ? (
-            <div dangerouslySetInnerHTML={{ __html: notes }} />
+            <div
+              dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(notes) }}
+            />
           ) : (
             <p className="text-tertiary">Žádné poznámky.</p>
           )

src/admin/pages/OrderDetail.tsx

@@ -5,9 +5,7 @@ import {
   useMemo,
   type ReactNode,
 } from "react";
-const DOMPurify = (window as any).DOMPurify || {
-  sanitize: (html: string) => html,
-};
+import DOMPurify from "dompurify";
 import { useAlert } from "../context/AlertContext";
 import { useAuth } from "../context/AuthContext";
 import { useParams, useNavigate, Link } from "react-router-dom";