app/api/admin/received-invoices.php

<?php

/**
 * Received Invoices API - přijaté faktury (upload, CRUD, stats)
 *
 * GET    ?action=list&month=X&year=Y   - Seznam přijatých faktur
 * GET    ?action=stats&month=X&year=Y  - KPI statistiky
 * GET    ?action=detail&id=X           - Detail záznamu (bez BLOB)
 * GET    ?action=file&id=X             - Stažení/zobrazení souboru
 * POST   (FormData)                    - Bulk upload: files[] + invoices JSON
 * PUT    ?id=X                         - Update metadat / změna stavu
 * DELETE ?id=X                         - Smazání záznamu
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/AuditLog.php';
require_once dirname(__DIR__) . '/includes/CnbRates.php';
require_once __DIR__ . '/handlers/received-invoices-handlers.php';

setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

$authData = JWTAuth::requireAuth();
AuditLog::setUser($authData['user_id'], $authData['user']['username'] ?? 'unknown');

$method = $_SERVER['REQUEST_METHOD'];
$action = $_GET['action'] ?? '';
$id = isset($_GET['id']) ? (int) $_GET['id'] : null;

try {
    $pdo = db();

    switch ($method) {
        case 'GET':
            requirePermission($authData, 'invoices.view');
            switch ($action) {
                case 'stats':
                    handleGetStats($pdo);
                    break;
                case 'detail':
                    if (!$id) {
                        errorResponse('ID je povinné');
                    }
                    handleGetDetail($pdo, $id);
                    break;
                case 'file':
                    if (!$id) {
                        errorResponse('ID je povinné');
                    }
                    handleGetFile($pdo, $id);
                    break;
                default:
                    handleGetList($pdo);
            }
            break;

        case 'POST':
            requirePermission($authData, 'invoices.create');
            handleBulkUpload($pdo, $authData);
            break;

        case 'PUT':
            requirePermission($authData, 'invoices.edit');
            if (!$id) {
                errorResponse('ID je povinné');
            }
            handleUpdateReceivedInvoice($pdo, $id);
            break;

        case 'DELETE':
            requirePermission($authData, 'invoices.delete');
            if (!$id) {
                errorResponse('ID je povinné');
            }
            handleDeleteReceivedInvoice($pdo, $id);
            break;

        default:
            errorResponse('Metoda není povolena', 405);
    }
} catch (PDOException $e) {
    error_log('Received Invoices API error: ' . $e->getMessage());
    if (DEBUG_MODE) {
        errorResponse('Chyba databáze: ' . $e->getMessage(), 500);
    } else {
        errorResponse('Chyba databáze', 500);
    }
}

// --- Allowed MIME types ---

/** @return list<string> */