feat: add Zod validation schemas for all domain routes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/routes/admin/invoices.ts

@@ -5,6 +5,8 @@ import { logAudit } from '../../services/audit';
 import { success, error, parseId } from '../../utils/response';
 import { parsePagination, buildPaginationMeta } from '../../utils/pagination';
 import { getNextNumber } from '../../utils/sequence';
+import { parseBody } from '../../schemas/common';
+import { CreateInvoiceSchema, UpdateInvoiceSchema } from '../../schemas/invoices.schema';
 
 // Status transition rules matching PHP
 const VALID_TRANSITIONS: Record<string, string[]> = {
@@ -236,7 +238,9 @@ export default async function invoicesRoutes(fastify: FastifyInstance): Promise<
 
   // POST /api/admin/invoices
   fastify.post('/', { preHandler: requirePermission('invoices.create') }, async (request, reply) => {
-    const body = request.body as Record<string, unknown>;
+    const parsed = parseBody(CreateInvoiceSchema, request.body);
+    if ('error' in parsed) return error(reply, parsed.error, 400);
+    const body = parsed.data;
 
     const invoice = await prisma.invoices.create({
       data: {
@@ -285,7 +289,9 @@ export default async function invoicesRoutes(fastify: FastifyInstance): Promise<
   fastify.put<{ Params: { id: string } }>('/:id', { preHandler: requirePermission('invoices.edit') }, async (request, reply) => {
     const id = parseId(request.params.id, reply);
     if (id === null) return;
-    const body = request.body as Record<string, unknown>;
+    const parsed = parseBody(UpdateInvoiceSchema, request.body);
+    if ('error' in parsed) return error(reply, parsed.error, 400);
+    const body = parsed.data;
 
     const existing = await prisma.invoices.findUnique({ where: { id } });
     if (!existing) return error(reply, 'Faktura nenalezena', 404);