
feat: add Zod schema validation for API route inputs#199

Merged

kOaDT merged 1 commit into main from feat/api-zod-validation on May 3, 2026

Conversation

@kOaDT (Owner) commented May 1, 2026

Description

Centralize API input validation using Zod. Adds lib/validation/ with parseBody, parseQuery, and parseParams helpers returning a tagged union, plus per-domain schemas under lib/validation/schemas/ (auth, cart, products, orders, wishlists, admin, gift-cards, coupons, user, support, monitoring, files, documents, tracking, flags, mcp, ai-assistant). Applied to ~30 of 54 API routes (JSON body and query params). Routes consuming multipart/form-data (image upload) or raw XML are intentionally left untouched, as are GETs without inputs.

Validation is structural only (presence + base type), with no regex/sanitization or restrictive .min()/.max() on attacker-controlled fields, so every intentional vulnerability remains exploitable:

  • SQLi (products/search, orders/search, admin/reviews): raw z.string(), value flows untouched to $queryRawUnsafe.
  • XSS (reviews, user/profile): raw z.string().
  • Mass assignment (auth/signup): .passthrough() + optional role.
  • Path traversal (/api/files): no sanitization on file/path.
  • BOLA / IDOR: IDs/emails accepted as raw strings.
  • CSRF (orders/[id], user/profile): the application/x-www-form-urlencoded branch is left out of Zod; only the JSON branch is validated.
  • SSRF (support screenshotUrl, ai-assistant mcpServerUrl): z.string(), no URL format check.
  • Information disclosure (user/export): only structure validated, leaky error path preserved.
  • Plaintext password logging (auth/login): log statement runs against the validated value but unchanged.

Adds zod@^4 to root package.json.

#82

Type of change

  • Bug fix
  • New feature (e-commerce site improvement)
  • New vulnerability / flag
  • Walkthrough / writeup
  • Documentation update
  • Other (please describe):

Testing done

  • npm run lint — 0 errors (only pre-existing warnings).
  • npm run build — passes.
  • npm run test:unit — 47/47 passing.
  • API exploitation suite (npm run test:api) and Cypress E2E (npm run test:e2e) should be run before merging — they're the regression suite that asserts every vulnerability remains exploitable, which is the load-bearing check for this change.

Checklist

  • Documentation updated (if applicable) — N/A, no user-facing or vulnerability docs affected.

@kOaDT kOaDT self-assigned this May 1, 2026
@github-actions github-actions Bot added the size/XL PR size: XL label May 1, 2026
github-actions Bot commented May 1, 2026

Thank you @kOaDT for contributing once again!

📊 PR overview

Files changed: 51
Additions: +464
Deletions: -264
Size: XL

📝 Before review

To help maintainers review your changes efficiently, please ensure that:

  • The PR description clearly explains what was changed and why
  • The PR checklist has been filled out
  • All existing tests continue to pass
  • New tests have been added for any new functionality

📖 Please review our Contributing Guidelines and Code of Conduct.

✅ Continuous Integration

Two CI workflows will run automatically on this PR:

  • Code Quality — linting and formatting checks
  • Exploitation Tests — ensures vulnerabilities and flags work as expected

You can follow their progress in the Checks tab.

🤝 A note on collaboration

We value respectful and constructive interactions. Whether you are a contributor or a reviewer, please be patient, kind, and open to feedback.


A maintainer will review your changes as soon as possible. If you have any questions, feel free to ask in this thread.


@kOaDT kOaDT marked this pull request as draft May 1, 2026 18:01
@kOaDT kOaDT force-pushed the feat/api-zod-validation branch 2 times, most recently from 88be6e8 to b5bdaff on May 3, 2026 17:29
@kOaDT kOaDT marked this pull request as ready for review May 3, 2026 17:35
@kOaDT kOaDT force-pushed the feat/api-zod-validation branch from b5bdaff to 96834e4 on May 3, 2026 17:35
@kOaDT kOaDT linked an issue May 3, 2026 that may be closed by this pull request
@kOaDT kOaDT merged commit ace6f30 into main May 3, 2026
6 checks passed
@kOaDT kOaDT deleted the feat/api-zod-validation branch May 3, 2026 17:46


Development

Successfully merging this pull request may close these issues.

Add Zod schema validation for API route inputs

1 participant