fix: resolve lint errors and harden admin API for 1.0 release

Fix 4 golangci-lint errcheck violations (unchecked fmt.Fprintf in SSE
handler), 1 ineffassign (unused logger in OptionalUserAuthMiddleware),
auth.ts header merge bug, self-referencing type imports, and add input
validation to admin handlers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: gcmsg

internal/server/admin_handler.go

@@ -100,6 +100,10 @@ func (s *HTTPServer) handleAdminGetUser(w http.ResponseWriter, r *http.Request)
 	}
 
 	id := r.PathValue("id")
+	if id == "" {
+		s.jsonError(w, "user id is required", http.StatusBadRequest)
+		return
+	}
 	user, err := s.userAuth.GetUser(r.Context(), id)
 	if err != nil {
 		s.jsonError(w, "user not found", http.StatusNotFound)
@@ -117,6 +121,10 @@ func (s *HTTPServer) handleAdminUpdateUserRole(w http.ResponseWriter, r *http.Re
 	}
 
 	id := r.PathValue("id")
+	if id == "" {
+		s.jsonError(w, "user id is required", http.StatusBadRequest)
+		return
+	}
 	var req struct {
 		Role string `json:"role"`
 	}
@@ -527,9 +535,13 @@ func (s *HTTPServer) registerAdminRoutes() {
 }
 
 // queryInt extracts an integer query parameter with a default value.
+// Values are clamped to [1, 200] to prevent abuse.
 func queryInt(r *http.Request, key string, defaultVal int) int {
 	if v := r.URL.Query().Get(key); v != "" {
 		if n, err := strconv.Atoi(v); err == nil && n > 0 {
+			if n > 200 {
+				n = 200
+			}
 			return n
 		}
 	}

internal/server/auth.go

@@ -237,6 +237,7 @@ func OptionalUserAuthMiddleware(jwtMgr *userauth.JWTManager, logger *slog.Logger
 
 			claims, err := jwtMgr.ValidateAccessToken(parts[1])
 			if err != nil {
+				logger.Debug("optional JWT validation failed", "error", err)
 				next.ServeHTTP(w, r)
 				return
 			}

internal/server/invoke_handler.go

@@ -175,7 +175,7 @@ func (s *HTTPServer) handleInvokeSSE(w http.ResponseWriter, r *http.Request, env
 	invID := uuid.New().String()
 
 	// Send initial event.
-	fmt.Fprintf(w, "event: start\ndata: {\"id\":\"%s\",\"agent_id\":\"%s\"}\n\n", invID, agentID)
+	_, _ = fmt.Fprintf(w, "event: start\ndata: {\"id\":\"%s\",\"agent_id\":\"%s\"}\n\n", invID, agentID)
 	flusher.Flush()
 
 	var respBody string
@@ -199,17 +199,17 @@ func (s *HTTPServer) handleInvokeSSE(w http.ResponseWriter, r *http.Request, env
 	duration := time.Since(start).Milliseconds()
 
 	if invokeErr != "" {
-		fmt.Fprintf(w, "event: error\ndata: {\"error\":\"%s\"}\n\n", invokeErr)
+		_, _ = fmt.Fprintf(w, "event: error\ndata: {\"error\":\"%s\"}\n\n", invokeErr)
 	} else {
 		msgData, _ := json.Marshal(map[string]any{
 			"content":  respBody,
 			"protocol": proto,
 		})
-		fmt.Fprintf(w, "event: message\ndata: %s\n\n", string(msgData))
+		_, _ = fmt.Fprintf(w, "event: message\ndata: %s\n\n", string(msgData))
 	}
 	flusher.Flush()
 
-	fmt.Fprintf(w, "event: done\ndata: {\"duration_ms\":%d}\n\n", duration)
+	_, _ = fmt.Fprintf(w, "event: done\ndata: {\"duration_ms\":%d}\n\n", duration)
 	flusher.Flush()
 
 	// Record invocation.

web/app/src/api/auth.ts

@@ -49,9 +49,10 @@ async function authFetch<T>(
   path: string,
   options: RequestInit = {}
 ): Promise<T> {
+  const { headers, ...rest } = options
   const res = await fetch(`${BASE}${path}`, {
-    headers: { "Content-Type": "application/json", ...options.headers },
-    ...options,
+    ...rest,
+    headers: { "Content-Type": "application/json", ...headers },
   })
   if (!res.ok) {
     const body = await res.json().catch(() => ({ error: res.statusText }))

web/app/src/api/types.ts

@@ -248,10 +248,10 @@ export interface AdminUserListResponse {
 }
 
 export interface AdminAgentDetail {
-  agent: import("./types").Agent
+  agent: Agent
   owner?: AdminUser
   reputation_score?: number
-  reputation_events?: import("./types").ReputationEvent[]
+  reputation_events?: ReputationEvent[]
   review_summary?: ReviewSummary
   invocation_stats?: AgentInvocationStats
 }