fix(billing): add AdminOrgIdParam validation to adminDisputeCredit path param

Completes the Batch 4 admin endpoint param coverage — adminDisputeCredit
/:orgId was missed in the initial pass. Now all 5 :orgId admin endpoints
validate with AdminOrgIdParam.safeParse → 422 on invalid ObjectId.

Author: PierreBrisorgueil

modules/billing/controllers/billing.admin.controller.js

@@ -248,8 +248,13 @@ const adminCancelSubscription = async (req, res) => {
 // biome-ignore lint/correctness/useQwikValidLexicalScope: false positive — Node.js controller, not Qwik
 const adminDisputeCredit = async (req, res) => {
   try {
+    const parsedParams = AdminOrgIdParam.safeParse(req.params);
+    if (!parsedParams.success) {
+      return responses.error(res, 422, 'Unprocessable Entity', 'Invalid path parameters')(parsedParams.error);
+    }
+    const { orgId } = parsedParams.data;
+
     const { chargeId, amountCents, reason, refundRequestId } = req.body;
-    const { orgId } = req.params;
 
     const rawAdminId = req.user?._id;
     if (!rawAdminId) {

modules/billing/tests/billing.admin.integration.tests.js

@@ -548,4 +548,24 @@ describe('Billing admin integration tests:', () => {
 
     expect(res.status).toHaveBeenCalledWith(200);
   });
+
+  test('invalid orgId on POST /dispute/credit/:orgId returns 422', async () => {
+    const routes = await buildRoutes();
+    const route = routes.get('/api/admin/billing/dispute/credit/:orgId');
+    const res = { status: jest.fn().mockReturnThis(), json: jest.fn().mockReturnThis() };
+
+    await runHandlers(
+      [...route.all, ...route.post],
+      {
+        method: 'POST',
+        headers: { 'x-role': 'admin' },
+        params: { orgId: 'not-objectid' },
+        body: { chargeId: 'ch_abc', amountCents: 1000, reason: 'dispute won', refundRequestId: 'req-12345678' },
+        user: { _id: '507f1f77bcf86cd799439022' },
+      },
+      res,
+    );
+
+    expect(res.status).toHaveBeenCalledWith(422);
+  });
 });