address review: validate sanitized IDs, fix FTS comment, early cycle detection, consistent null types

Author: atomantic

server/src/services/multi-platform-comparison.service.ts

@@ -634,19 +634,19 @@ async function linkScrapedParentsToLocal(
 
   const [fatherId, motherId] = person.parents;
   const parentLinks: Array<{
-    parentId?: string;
+    parentId?: string | null;
     externalId?: string;
     providerName?: string;
     providerUrl?: string;
   }> = [
     {
-      parentId: fatherId ?? undefined,
+      parentId: fatherId,
       externalId: scrapedData.fatherExternalId,
       providerName: scrapedData.fatherName,
       providerUrl: scrapedData.fatherUrl,
     },
     {
-      parentId: motherId ?? undefined,
+      parentId: motherId,
       externalId: scrapedData.motherExternalId,
       providerName: scrapedData.motherName,
       providerUrl: scrapedData.motherUrl,

server/src/services/path.service.ts

@@ -138,12 +138,13 @@ function findRandomPath(sourceId: string, targetId: string): string[] | null {
   current = chosenAncestor;
   const visitedDown = new Set<string>();
   iterations = 0;
+  visitedDown.add(current);
   while (current !== targetId && iterations < MAX_ITERATIONS) {
     const info = targetAncestors.get(current);
     if (!info || !info.parent) break;
+    if (visitedDown.has(info.parent)) break;
+    visitedDown.add(info.parent);
     current = info.parent;
-    if (visitedDown.has(current)) break;
-    visitedDown.add(current);
     pathFromAncestor.push(current);
     iterations++;
   }

server/src/utils/validation.ts

@@ -27,12 +27,14 @@ export function isValidUrl(url: string, requiredDomain?: string): boolean {
  */
 export function sanitizePersonId(id: string): string {
   const decoded = decodeURIComponent(id);
-  return decoded.replace(/[/\\]/g, '').replace(/\.\./g, '');
+  const sanitized = decoded.replace(/[/\\]/g, '').replace(/\.\./g, '');
+  if (!/^[\w:-]+$/.test(sanitized)) return '';
+  return sanitized;
 }
 
 /**
  * Escape FTS5 special operators so user input can be safely used in MATCH queries.
- * Removes quotes and wraps in double-quotes for phrase matching.
+ * Removes quotes and special operator characters, then trims whitespace.
  */
 export function sanitizeFtsQuery(query: string): string {
   return query.replace(/['"]/g, '').replace(/[{}()*^~]/g, '').trim();