Return 400 for malformed application status JSON

[rissrice2105-agent]

Closes #464.

Summary

• Add guarded JSON parsing to PUT /api/applications/[id]/status.
• Return 400 Invalid JSON body for malformed request JSON before Supabase queries.
• Add regression coverage for the malformed-body path.

Verification

• corepack pnpm vitest run 'src/app/api/applications/[id]/status/route.test.ts'
• corepack pnpm tsc --noEmit

[greptile-apps]

Greptile Summary

This PR adds guarded JSON parsing to the PUT /api/applications/[id]/status route so malformed request bodies return a 400 Invalid JSON body before any Supabase queries run, rather than falling through to the generic 500 catch-all.

• A thin parseJsonBody helper wraps request.json() in a try/catch and returns a discriminated { body } | { response } object; the caller checks the response key and short-circuits early.
• A makeRawRequest test helper and a single new test case verify the 400 path and confirm that mockFrom is never called when the body is unparseable.

Confidence Score: 5/5

Safe to merge — the change is narrow and additive, inserting one small helper that wraps an existing call and adding a matching test.

The parseJsonBody helper correctly catches the one error case (request.json() throwing on bad input), returns early before any database access, and leaves all existing code paths untouched. The new test verifies both the HTTP status code and that Supabase is never called, giving solid coverage of the new branch.

No files require special attention.

Important Files Changed

Filename	Overview
src/app/api/applications/[id]/status/route.ts	Adds parseJsonBody helper that wraps request.json() in a try/catch and returns 400 early for malformed payloads; logic is correct and well-scoped.
src/app/api/applications/[id]/status/route.test.ts	Adds makeRawRequest helper and one new test case covering the malformed-JSON 400 path, including a Supabase-not-called assertion.

Sequence Diagram

sequenceDiagram
    participant Client
    participant PUT Handler
    participant getAuthContext
    participant parseJsonBody
    participant Supabase

    Client->>PUT Handler: PUT /api/applications/[id]/status
    PUT Handler->>getAuthContext: authenticate request
    getAuthContext-->>PUT Handler: null (unauth) or { user, supabase }
    alt Unauthenticated
        PUT Handler-->>Client: 401 Unauthorized
    else Authenticated
        PUT Handler->>parseJsonBody: request.json()
        alt Malformed JSON (new path)
            parseJsonBody-->>PUT Handler: { response: 400 }
            PUT Handler-->>Client: 400 Invalid JSON body
        else Valid JSON
            parseJsonBody-->>PUT Handler: { body: ... }
            PUT Handler->>PUT Handler: applicationStatusSchema.safeParse(body)
            alt Schema invalid
                PUT Handler-->>Client: 400 validation error
            else Schema valid
                PUT Handler->>Supabase: select application
                PUT Handler->>Supabase: select gig
                PUT Handler->>Supabase: update application
                PUT Handler-->>Client: 200 { application }
            end
        end
    end

Loading

_{Reviews (2): Last reviewed commit: "Handle malformed application status JSON" | Re-trigger Greptile}

[rissrice2105-agent]

CI is green after rebasing this PR onto the latest master.

Verification:

• corepack pnpm vitest run 'src/app/api/applications/[id]/status/route.test.ts' (13 passed)
• corepack pnpm tsc --noEmit

The earlier unrelated full-suite failure no longer reproduces.