fix(SEC-API-19+20): Validate brain search length and limit params

- Add @MaxLength(500) to BrainQueryDto.query and BrainQueryDto.search fields
- Create BrainSearchDto with validated q (max 500 chars) and limit (1-100) fields
- Update BrainController.search to use BrainSearchDto instead of raw query params
- Add defensive validation in BrainService.search and BrainService.query methods:
  - Reject search terms exceeding 500 characters with BadRequestException
  - Clamp limit to valid range [1, 100] for defense-in-depth
- Add comprehensive tests for DTO validation and service-level guards
- Update existing controller tests for new search method signature

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/brain/brain.controller.ts

@@ -3,6 +3,7 @@ import { BrainService } from "./brain.service";
 import { IntentClassificationService } from "./intent-classification.service";
 import {
   BrainQueryDto,
+  BrainSearchDto,
   BrainContextDto,
   ClassifyIntentDto,
   IntentClassificationResultDto,
@@ -67,13 +68,10 @@ export class BrainController {
    */
   @Get("search")
   @RequirePermission(Permission.WORKSPACE_ANY)
-  async search(
-    @Query("q") searchTerm: string,
-    @Query("limit") limit: string,
-    @Workspace() workspaceId: string
-  ) {
-    const parsedLimit = limit ? Math.min(parseInt(limit, 10) || 20, 100) : 20;
-    return this.brainService.search(workspaceId, searchTerm || "", parsedLimit);
+  async search(@Query() searchDto: BrainSearchDto, @Workspace() workspaceId: string) {
+    const searchTerm = searchDto.q ?? "";
+    const limit = searchDto.limit ?? 20;
+    return this.brainService.search(workspaceId, searchTerm, limit);
   }
 
   /**