Enhance POST /api/v1/shifts with site, guard, availability and clash validation

[LoopyB]

Summary

This PR enhances POST /api/v1/shifts to support the extended create-shift payload and backend validation required for employer shift creation.

Changes made

• extended Shift schema to support:

  • shiftType
  • breakTime
  • detailedInstructions
  • guardIds
  • siteId
  • location.latitude
  • location.longitude

• updated createShift to:

  • validate required fields including location, payRate, shiftType, and siteId
  • validate guardIds format and ensure selected IDs belong to active guards
  • validate siteId ownership against employer branches
  • validate guard availability for the requested day and time
  • prevent overlapping shifts for selected guards across:
    • acceptedBy
    • applicants
    • guardIds

• updated route auth behavior for /api/v1/shifts so:

  • unauthenticated requests return 401
  • incorrect role returns 403

• updated Swagger documentation for POST /api/v1/shifts to reflect the enhanced request body and response behavior

Manual testing completed

• 201 with valid employer token, valid branch/site, and valid payload
• 400 when guardIds contains invalid ObjectId values
• 400 when guardIds contains non-guard user IDs
• 400 when selected guard is unavailable on the requested weekday
• 400 when selected guard is unavailable for the requested time slot
• 400 when selected guard has a conflicting shift
• 201 when selected guard is available and the shift does not overlap an existing one

Notes

• implementation currently rejects the full create request if any selected guard is invalid, unavailable, or conflicting
• a future enhancement could provide a separate guard-availability checking endpoint for partial/multi-guard selection workflows

[LoopyB]

Screenshots added:

• Swagger docs updated
• valid create
• invalid guardIds
• non-guard id
• availability setup
• day mismatch
• time mismatch
• overlap conflict
• non-overlap success