fix: validate route ID parameters, return 400 for invalid IDs

Adds parseId helper in src/server/lib/params.ts and applies it across
all route files so non-positive-integer IDs return 400 instead of
silently passing NaN to services.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/server/routes/threads.ts

@@ -10,6 +10,7 @@ import {
 	updateCandidateSchema,
 	updateThreadSchema,
 } from "../../shared/schemas.ts";
+import { parseId } from "../lib/params.ts";
 import {
 	createCandidate,
 	createThread,
@@ -45,7 +46,8 @@ app.post("/", zValidator("json", createThreadSchema), (c) => {
 
 app.get("/:id", (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid thread ID" }, 400);
 	const thread = getThreadWithCandidates(db, id);
 	if (!thread) return c.json({ error: "Thread not found" }, 404);
 	return c.json(thread);
@@ -53,7 +55,8 @@ app.get("/:id", (c) => {
 
 app.put("/:id", zValidator("json", updateThreadSchema), (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid thread ID" }, 400);
 	const data = c.req.valid("json");
 	const thread = updateThread(db, id, data);
 	if (!thread) return c.json({ error: "Thread not found" }, 404);
@@ -62,7 +65,8 @@ app.put("/:id", zValidator("json", updateThreadSchema), (c) => {
 
 app.delete("/:id", async (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid thread ID" }, 400);
 	const deleted = deleteThread(db, id);
 	if (!deleted) return c.json({ error: "Thread not found" }, 404);
 
@@ -82,7 +86,8 @@ app.delete("/:id", async (c) => {
 
 app.post("/:id/candidates", zValidator("json", createCandidateSchema), (c) => {
 	const db = c.get("db");
-	const threadId = Number(c.req.param("id"));
+	const threadId = parseId(c.req.param("id"));
+	if (!threadId) return c.json({ error: "Invalid thread ID" }, 400);
 
 	// Verify thread exists
 	const thread = getThreadWithCandidates(db, threadId);
@@ -98,7 +103,8 @@ app.put(
 	zValidator("json", updateCandidateSchema),
 	(c) => {
 		const db = c.get("db");
-		const candidateId = Number(c.req.param("candidateId"));
+		const candidateId = parseId(c.req.param("candidateId"));
+		if (!candidateId) return c.json({ error: "Invalid candidate ID" }, 400);
 		const data = c.req.valid("json");
 		const candidate = updateCandidate(db, candidateId, data);
 		if (!candidate) return c.json({ error: "Candidate not found" }, 404);
@@ -108,7 +114,8 @@ app.put(
 
 app.delete("/:threadId/candidates/:candidateId", async (c) => {
 	const db = c.get("db");
-	const candidateId = Number(c.req.param("candidateId"));
+	const candidateId = parseId(c.req.param("candidateId"));
+	if (!candidateId) return c.json({ error: "Invalid candidate ID" }, 400);
 	const deleted = deleteCandidate(db, candidateId);
 	if (!deleted) return c.json({ error: "Candidate not found" }, 404);
 
@@ -131,7 +138,8 @@ app.patch(
 	zValidator("json", reorderCandidatesSchema),
 	(c) => {
 		const db = c.get("db");
-		const threadId = Number(c.req.param("id"));
+		const threadId = parseId(c.req.param("id"));
+		if (!threadId) return c.json({ error: "Invalid thread ID" }, 400);
 		const { orderedIds } = c.req.valid("json");
 		const result = reorderCandidates(db, threadId, orderedIds);
 		if (!result.success) return c.json({ error: result.error }, 400);
@@ -143,7 +151,8 @@ app.patch(
 
 app.post("/:id/resolve", zValidator("json", resolveThreadSchema), (c) => {
 	const db = c.get("db");
-	const threadId = Number(c.req.param("id"));
+	const threadId = parseId(c.req.param("id"));
+	if (!threadId) return c.json({ error: "Invalid thread ID" }, 400);
 	const { candidateId } = c.req.valid("json");
 
 	const result = resolveThread(db, threadId, candidateId);