fix(api): add Zod bounds on financial fields, type vacation router, type scenarioData

- dailyCostCents, hoursPerDay, percentage now validated at API boundary
- vacation router no longer uses ctx.db as any
- scenarioData reads through typed Zod schema

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/api/src/router/vacation-management-procedures.ts

@@ -5,7 +5,7 @@ import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
 import { RESOURCE_BRIEF_SELECT } from "../db/selects.js";
 import { createAuditEntry } from "../lib/audit.js";
-import { checkBatchVacationConflicts, checkVacationConflicts } from "../lib/vacation-conflicts.js";
+import { checkBatchVacationConflicts, checkVacationConflicts, type DbClient as VacationConflictDbClient } from "../lib/vacation-conflicts.js";
 import { emitVacationUpdated } from "../sse/event-bus.js";
 import { adminProcedure, managerProcedure, protectedProcedure } from "../trpc.js";
 import {
@@ -73,8 +73,7 @@ export const vacationManagementProcedures = {
 
       const userRecord = await findVacationActor(ctx.db, ctx.session.user?.email);
       const conflictResult = await checkVacationConflicts(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        ctx.db as any,
+        ctx.db as unknown as VacationConflictDbClient,
         input.id,
         userRecord?.id,
       );
@@ -186,8 +185,7 @@ export const vacationManagementProcedures = {
       }
 
       const conflictMap = await checkBatchVacationConflicts(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        ctx.db as any,
+        ctx.db as unknown as VacationConflictDbClient,
         vacations.map((vacation) => vacation.id),
         userRecord?.id,
       );