fix: code review — XSS, type safety, validation improvements

Critical:
- InvoiceDetail: sanitize notes HTML with DOMPurify
- OrderDetail: use proper DOMPurify import instead of window fallback

Important:
- AttendanceBalances: add fund_to_date to interface, remove as-any casts
- All schemas: replace z.any() with z.preprocess for boolean fields
- Routes: simplify boolean coercion (Zod handles it now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/admin/pages/OrderDetail.tsx

@@ -5,9 +5,7 @@ import {
   useMemo,
   type ReactNode,
 } from "react";
-const DOMPurify = (window as any).DOMPurify || {
-  sanitize: (html: string) => html,
-};
+import DOMPurify from "dompurify";
 import { useAlert } from "../context/AlertContext";
 import { useAuth } from "../context/AuthContext";
 import { useParams, useNavigate, Link } from "react-router-dom";