fix: validate route ID parameters, return 400 for invalid IDs

Adds parseId helper in src/server/lib/params.ts and applies it across
all route files so non-positive-integer IDs return 400 instead of
silently passing NaN to services.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/server/routes/auth.ts

@@ -4,6 +4,7 @@ import { Hono } from "hono";
 import { deleteCookie, getCookie, setCookie } from "hono/cookie";
 import { z } from "zod";
 import { users } from "../../db/schema.ts";
+import { parseId } from "../lib/params.ts";
 import { requireAuth } from "../middleware/auth.ts";
 import {
 	changePassword,
@@ -186,7 +187,8 @@ app.post(
 
 app.delete("/keys/:id", requireAuth, (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid key ID" }, 400);
 	deleteApiKey(db, id);
 	return c.json({ ok: true });
 });