
fix: validate customer credit source ownership#221

Open
my-dev-jour wants to merge 1 commit into BrainWise-DEV:develop from my-dev-jour:fix/204-credit-source-ownership

Conversation

my-dev-jour (Contributor) commented Mar 28, 2026

Summary

  • validate that credit redemption sources belong to the same customer and company as the target invoice
  • reject non-customer or non-receive payment entries before advance allocation
  • add regression tests for invoice-credit, advance-credit, and redemption-context validation

Problem

redeem_customer_credit() accepted client-supplied source document names and only validated submission state and available amount.

That meant invoice-credit and advance-credit sources were not checked against the target invoice's customer or company before allocation.

Staging Reproduction

Confirmed on a staging environment (ERPNext 16.11.0 / POSNext 1.15.0):

  • staging only had one real customer/company, so I used temporary rows inside a single DB transaction and rolled them back
  • _validate_and_lock_invoice_credit() passed for a submitted source row owned by TEMP-OTHER-CUSTOMER / OTHER-COMPANY
  • _validate_and_lock_advance_credit() also passed for a submitted advance row owned by TEMP-OTHER-CUSTOMER / OTHER-COMPANY
  • current code accepted both because the validators had no target customer/company inputs and no ownership checks

Fix

  • pass target invoice customer/company into both validation helpers
  • validate source customer/company under the row lock before allocation
  • keep the same ownership checks in the downstream JE / Payment Entry mutation paths for defense in depth

Verification

  • staging reproduction confirmed the original bug
  • local verification was limited to py_compile in this workspace
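
The ownership check this PR describes, as an added illustrative example (not code from POSNext or ERPNext): it models the pre-fix and post-fix validators against an in-memory table of constructed rows. The names check_before, check_after, SourceRow and the sample documents CN-0001, CN-0002 and PE-000x are assumptions for the illustration; the TEMP-OTHER-CUSTOMER / OTHER-COMPANY owner mirrors the staging reproduction above. In the real code the comparison runs on the row read under the lock (a SELECT ... FOR UPDATE), which the plain dict lookup here stands in for.

```python
"""Customer credit source ownership validation, before and after the fix.

Illustrative only; not code from POSNext or ERPNext. Rows are constructed
sample data. The attacker-controlled input is the source document *name*
sent by the client; everything else comes from the (locked) database row.
"""
from dataclasses import dataclass
from typing import Optional

SUBMITTED = 1  # Frappe docstatus convention: 0 draft, 1 submitted, 2 cancelled


@dataclass
class SourceRow:
    """One candidate credit source as the validator reads it from the DB."""
    name: str
    doctype: str               # "Sales Invoice" (credit note) or "Payment Entry" (advance)
    customer: str
    company: str
    docstatus: int
    available: float
    party_type: Optional[str] = None    # Payment Entry only
    payment_type: Optional[str] = None  # Payment Entry only


# Constructed rows. CN-0002 belongs to another customer and company, like the
# temporary rows used in the staging reproduction.
ROWS = {
    "CN-0001": SourceRow("CN-0001", "Sales Invoice", "CUST-A", "COMP-A", SUBMITTED, 100.0),
    "CN-0002": SourceRow("CN-0002", "Sales Invoice", "TEMP-OTHER-CUSTOMER", "OTHER-COMPANY", SUBMITTED, 500.0),
    "PE-0001": SourceRow("PE-0001", "Payment Entry", "CUST-A", "COMP-A", SUBMITTED, 40.0, "Customer", "Receive"),
    "PE-0002": SourceRow("PE-0002", "Payment Entry", "CUST-A", "COMP-A", SUBMITTED, 40.0, "Supplier", "Pay"),
    "PE-0003": SourceRow("PE-0003", "Payment Entry", "CUST-A", "COMP-A", 0, 40.0, "Customer", "Receive"),
}


def check_before(name: str, amount: float, db=ROWS) -> Optional[str]:
    """Pre-fix validation as the PR describes it: submission state and amount only.

    Returns None when the source is accepted, otherwise the rejection reason.
    Note that the target invoice's customer/company is not even an input here,
    so cross-customer sources cannot be rejected.
    """
    row = db.get(name)  # stands in for the row-locked read
    if row is None:
        return "no such source"
    if row.docstatus != SUBMITTED:
        return "not submitted"
    if amount > row.available:
        return "insufficient credit"
    return None


def check_after(name: str, amount: float, target_customer: str,
                target_company: str, db=ROWS) -> Optional[str]:
    """Post-fix validation: the same checks, then ownership of the locked row
    against the target invoice, and for advances the party/payment type.

    The ownership comparison must use the values from the locked row, not a
    value read earlier or supplied by the client, so the owner cannot change
    between the check and the allocation that follows.
    """
    reason = check_before(name, amount, db)
    if reason:
        return reason
    row = db[name]
    if row.doctype == "Payment Entry" and (row.party_type, row.payment_type) != ("Customer", "Receive"):
        return "not a customer receive payment entry"
    if (row.customer, row.company) != (target_customer, target_company):
        return f"owned by {row.customer}/{row.company}, not {target_customer}/{target_company}"
    return None


def replay_staging_repro(target_customer="CUST-A", target_company="COMP-A"):
    """Redeem a foreign customer's credit note against our invoice, both ways."""
    return {
        "before": check_before("CN-0002", 50.0),
        "after": check_after("CN-0002", 50.0, target_customer, target_company),
    }


if __name__ == "__main__":
    for stage, outcome in replay_staging_repro().items():
        print(f"{stage}: {'accepted' if outcome is None else 'rejected (' + outcome + ')'}")
```

The pre-fix validator accepts CN-0002 because nothing about the target invoice reaches it; the post-fix validator rejects it on ownership after the state and amount checks pass, and also filters advances that are not customer receive payment entries.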
