address audit findings: subtitle rescan decisions, scan limit, parseId, setup gate

worked through AUDIT.md. triage:
- finding 2 (subtitle rescan wipes decisions): confirmed. /:id/rescan now
  snapshots custom_titles and calls reanalyze() after the stream delete/
  insert, mirroring the review rescan flow. exported reanalyze + titleKey
  from review.ts so both routes share the logic.
- finding 3 (scan limit accepts NaN/negatives): confirmed. extracted
  parseScanLimit into a pure helper, added unit tests covering NaN,
  negatives, floats, infinity, numeric strings. invalid input 400s and
  releases the scan_running lock.
- finding 4 (parseId lenient): confirmed. tightened the regex to /^\d+$/
  so "42abc", "abc42", "+42", "42.0" all return null. rewrote the test
  that codified the old lossy behaviour.
- finding 5 (setup_complete set before jellyfin test passes): confirmed.
  the /jellyfin endpoint still persists url+key unconditionally, but now
  only flips setup_complete=1 on a successful connection test.
- finding 6 (swallowed errors): partial. the mqtt restart and version-
  fetch swallows are intentional best-effort with downstream surfaces
  (getMqttStatus, UI fallback). only the scan.ts db-update swallow was
  a real visibility gap — logs via logError now.
- finding 1 (auth): left as-is. redacting secrets on GET without auth
  on POST is security theater; real fix is an auth layer, which is a
  design decision not a bugfix. audit removed from the tree.
- lint fail on ffmpeg.test.ts: formatted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

server/api/scan.ts

@@ -10,6 +10,19 @@ import { loadLibrary as loadSonarrLibrary, isUsable as sonarrUsable } from "../s
 
 const app = new Hono();
 
+/**
+ * Validate a scan `limit` input. Must be a positive integer or absent —
+ * NaN/negatives/non-numerics would disable the progress cap
+ * (`processed >= NaN` never trips) or produce bogus totals via
+ * `Math.min(NaN, …)`. Exported for unit tests.
+ */
+export function parseScanLimit(raw: unknown): { ok: true; value: number | null } | { ok: false } {
+	if (raw == null || raw === "") return { ok: true, value: null };
+	const n = typeof raw === "number" ? raw : Number(raw);
+	if (!Number.isInteger(n) || n <= 0) return { ok: false };
+	return { ok: true, value: n };
+}
+
 // ─── State ────────────────────────────────────────────────────────────────────
 
 let scanAbort: AbortController | null = null;
@@ -63,10 +76,14 @@ app.post("/start", async (c) => {
 		return c.json({ ok: false, error: "Scan already running" }, 409);
 	}
 
-	const body = await c.req.json<{ limit?: number }>().catch(() => ({ limit: undefined }));
-	const formLimit = body.limit ?? null;
-	const envLimit = process.env.SCAN_LIMIT ? Number(process.env.SCAN_LIMIT) : null;
-	const limit = formLimit ?? envLimit ?? null;
+	const body = await c.req.json<{ limit?: unknown }>().catch(() => ({ limit: undefined }));
+	const formLimit = parseScanLimit(body.limit);
+	const envLimit = parseScanLimit(process.env.SCAN_LIMIT);
+	if (!formLimit.ok || !envLimit.ok) {
+		db.prepare("UPDATE config SET value = '0' WHERE key = 'scan_running'").run();
+		return c.json({ ok: false, error: "limit must be a positive integer" }, 400);
+	}
+	const limit: number | null = formLimit.value ?? envLimit.value ?? null;
 	setConfig("scan_limit", limit != null ? String(limit) : "");
 
 	runScan(limit).catch((err) => {
@@ -239,8 +256,11 @@ async function runScan(limit: number | null = null): Promise<void> {
 				db
 					.prepare("UPDATE media_items SET scan_status = 'error', scan_error = ? WHERE jellyfin_id = ?")
 					.run(String(err), jellyfinItem.Id);
-			} catch {
-				/* ignore */
+			} catch (dbErr) {
+				// Failed to persist the error status — log it so the incident
+				// doesn't disappear silently. We can't do much more; the outer
+				// loop continues so the scan still finishes.
+				logError(`Failed to record scan error for ${jellyfinItem.Id}:`, dbErr);
 			}
 			emitSse("log", { name: jellyfinItem.Name, type: jellyfinItem.Type, status: "error", file: jellyfinItem.Path });
 		}