feat: P4 backend kvalita - SELECT * fix, overdue konsolidace, Validator

- SELECT * nahrazen explicitnimi sloupci ve 22 PHP souborech (69+ vyskytu)
- users-handlers.php: password_hash explicitne vyloucen z dotazu
- Overdue detekce presunuta do invoices.php routeru (1x pred dispatch misto 3x v handlerech)
- Validator.php: validacni helper s pravidly required, string, int, email, in, numeric
- PaginationHelper: PHPStan typy opraveny

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 18:42:42 +01:00
parent df506dfea4
commit 758be819c3
25 changed files with 513 additions and 102 deletions


@@ -181,7 +181,9 @@ function handleVerify(PDO $pdo, TwoFactorAuth $tfa): void
$userId = $tokenData['user_id'];
$stmt = $pdo->prepare('
SELECT u.*, r.name as role_name, r.display_name as role_display_name
SELECT u.id, u.username, u.email, u.first_name, u.last_name,
u.role_id, u.is_active, u.totp_secret, u.totp_enabled,
r.name as role_name, r.display_name as role_display_name
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
WHERE u.id = ? AND u.totp_enabled = 1
@@ -230,7 +232,9 @@ function handleBackupVerify(PDO $pdo): void
$userId = $tokenData['user_id'];
$stmt = $pdo->prepare('
SELECT u.*, r.name as role_name, r.display_name as role_display_name
SELECT u.id, u.username, u.email, u.first_name, u.last_name,
u.role_id, u.is_active, u.totp_enabled, u.totp_backup_codes,
r.name as role_name, r.display_name as role_display_name
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
WHERE u.id = ? AND u.totp_enabled = 1
@@ -355,7 +359,8 @@ function verifyLoginToken(PDO $pdo, string $token): ?array
$hashedToken = hash('sha256', $token);
$stmt = $pdo->prepare('
SELECT * FROM totp_login_tokens
SELECT id, user_id, token_hash, expires_at, created_at
FROM totp_login_tokens
WHERE token_hash = ? AND expires_at > NOW()
');
$stmt->execute([$hashedToken]);
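Review bot: The rewritten queries in handleVerify and handleBackupVerify now fetch `u.is_active`, but their WHERE clause still filters only on `u.totp_enabled = 1`, so a deactivated account holding a valid login token is still returned at the second-factor step unless a later check rejects it. Both function bodies continue outside the hunks, so that check may already exist; if it does not, add `AND u.is_active = 1` to both WHERE clauses so the rule is enforced in the query itself. The fetched row also carries `u.totp_secret` (handleVerify) or `u.totp_backup_codes` (handleBackupVerify), so if it is later copied whole into a session or a JSON response, those two fields should be dropped first, the same way the commit message says password_hash was excluded in users-handlers.php. Narrowing from `u.*` also means any column read further down that is missing from the new list will now be undefined, so it is worth checking each function's remaining array accesses against the list.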