feat: add Zod schema validation to predict API route

- Add CandleSchema validating time, open, high, low, close (number) and optional volume
- Add PredictRequestSchema validating pair (non-empty string), timeframe (non-empty string), candles array
- Use safeParse() and return HTTP 400 with error details on invalid input
- Forward only validated data to the inference service
- Mark task 4.1 as done in tasks.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/app/api/predict/route.ts

@@ -1,12 +1,38 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
 
 const INFERENCE_API_URL = process.env.INFERENCE_API_URL || 'http://localhost:8001';
 const INFERENCE_API_TIMEOUT = parseInt(process.env.INFERENCE_API_TIMEOUT || '30000', 10);
 
+const CandleSchema = z.object({
+  time: z.number(),
+  open: z.number(),
+  high: z.number(),
+  low: z.number(),
+  close: z.number(),
+  volume: z.number().optional(),
+});
+
+const PredictRequestSchema = z.object({
+  pair: z.string().min(1),
+  timeframe: z.string().min(1),
+  candles: z.array(CandleSchema),
+});
+
 export async function POST(request: NextRequest) {
   try {
     const body = await request.json();
 
+    const result = PredictRequestSchema.safeParse(body);
+    if (!result.success) {
+      return NextResponse.json(
+        { error: 'Invalid request', details: result.error.flatten() },
+        { status: 400 }
+      );
+    }
+
+    const validatedBody = result.data;
+
     // Forward request to Python inference service
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), INFERENCE_API_TIMEOUT);
@@ -18,7 +44,7 @@ export async function POST(request: NextRequest) {
           'Content-Type': 'application/json',
           'X-API-Key': process.env.API_KEY || '',
         },
-        body: JSON.stringify(body),
+        body: JSON.stringify(validatedBody),
         signal: controller.signal,
       });