fix(security): validar chave no endpoint de leitura de settings

O endpoint GET /api/system/settings aceitava qualquer string como
chave sem validação, enquanto o endpoint de escrita (PATCH) já
validava contra um enum de chaves permitidas.

Adiciona getSettingSchema com a mesma validação vine.enum(SETTINGS_KEYS)
para o endpoint de leitura, rejeitando chaves fora da lista permitida.

Ref #211

admin/app/controllers/settings_controller.ts

@@ -3,10 +3,9 @@ import { BenchmarkService } from '#services/benchmark_service';
 import { MapService } from '#services/map_service';
 import { OllamaService } from '#services/ollama_service';
 import { SystemService } from '#services/system_service';
-import { updateSettingSchema } from '#validators/settings';
+import { getSettingSchema, updateSettingSchema } from '#validators/settings';
 import { inject } from '@adonisjs/core';
 import type { HttpContext } from '@adonisjs/core/http'
-import type { KVStoreKey } from '../../types/kv_store.js';
 
 @inject()
 export default class SettingsController {
@@ -103,8 +102,8 @@ export default class SettingsController {
     }
 
     async getSetting({ request, response }: HttpContext) {
-        const key = request.qs().key;
-        const value = await KVStore.getValue(key as KVStoreKey);
+        const { key } = await getSettingSchema.validate({ key: request.qs().key });
+        const value = await KVStore.getValue(key);
         return response.status(200).send({ key, value });
     }
 

admin/app/validators/settings.ts

@@ -1,6 +1,9 @@
 import vine from "@vinejs/vine";
 import { SETTINGS_KEYS } from "../../constants/kv_store.js";
 
+export const getSettingSchema = vine.compile(vine.object({
+    key: vine.enum(SETTINGS_KEYS),
+}))
 
 export const updateSettingSchema = vine.compile(vine.object({
     key: vine.enum(SETTINGS_KEYS),