fix(SEC-ORCH-19): Validate agentId path parameter as UUID

Add ParseUUIDPipe to getAgentStatus and killAgent endpoints to
reject invalid agentId values with a 400 Bad Request.

This prevents potential injection attacks and ensures type safety
for agent lookups.

Refs #339

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/orchestrator/src/api/agents/agents.controller.ts

@@ -11,6 +11,7 @@ import {
   ValidationPipe,
   HttpCode,
   UseGuards,
+  ParseUUIDPipe,
 } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { QueueService } from "../../queue/queue.service";
@@ -133,7 +134,7 @@ export class AgentsController {
    */
   @Get(":agentId/status")
   @Throttle({ status: { limit: 200, ttl: 60000 } })
-  async getAgentStatus(@Param("agentId") agentId: string): Promise<{
+  async getAgentStatus(@Param("agentId", ParseUUIDPipe) agentId: string): Promise<{
     agentId: string;
     taskId: string;
     status: string;
@@ -193,7 +194,7 @@ export class AgentsController {
   @Post(":agentId/kill")
   @Throttle({ strict: { limit: 10, ttl: 60000 } })
   @HttpCode(200)
-  async killAgent(@Param("agentId") agentId: string): Promise<{ message: string }> {
+  async killAgent(@Param("agentId", ParseUUIDPipe) agentId: string): Promise<{ message: string }> {
     this.logger.warn(`Received kill request for agent: ${agentId}`);
 
     try {