security: bound Zod inputs, add SSE per-user cap and tRPC body limit (#51, PR #59)

Closes #51 (ESLint rule + conventions doc remain as follow-up).

Co-authored-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com>
Co-committed-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com>

packages/api/src/router/staffing-suggestions-read.ts

@@ -397,8 +397,8 @@ async function queryStaffingSuggestions(
     });
 }
 const GetProjectStaffingSuggestionsInputSchema = z.object({
-  projectId: z.string().min(1),
-  roleName: z.string().optional(),
+  projectId: z.string().min(1).max(64),
+  roleName: z.string().max(200).optional(),
   startDate: z.coerce.date().optional(),
   endDate: z.coerce.date().optional(),
   limit: z.number().int().min(1).max(50).optional().default(5),
@@ -408,14 +408,14 @@ export const staffingSuggestionsReadProcedures = {
   getSuggestions: planningReadProcedure
     .input(
       z.object({
-        requiredSkills: z.array(z.string()),
-        preferredSkills: z.array(z.string()).optional(),
+        requiredSkills: z.array(z.string().max(200)).max(200),
+        preferredSkills: z.array(z.string().max(200)).max(200).optional(),
         startDate: z.coerce.date(),
         endDate: z.coerce.date(),
         hoursPerDay: z.number().min(0).max(24),
-        budgetLcrCentsPerHour: z.number().optional(),
-        chapter: z.string().optional(),
-        skillCategory: z.string().optional(),
+        budgetLcrCentsPerHour: z.number().int().min(0).max(1_000_000_00).optional(),
+        chapter: z.string().max(100).optional(),
+        skillCategory: z.string().max(100).optional(),
         mainSkillsOnly: z.boolean().optional(),
         minProficiency: z.number().min(1).max(5).optional(),
       }),