fix: add validation to CardQuery.number to return 422 for invalid input #4

Open
Washio20 wants to merge 1 commit into main from fix/bug-9

Washio20 commented Feb 27, 2026

Summary

  • Added min_length=1, max_length=128, and pattern="^[a-zA-Z0-9]+$" constraints to the CardQuery.number field using Pydantic's constr
  • This ensures FastAPI returns a 422 validation error for invalid card numbers (e.g., too long, empty, or containing special characters) instead of passing them through to the lookup which returns 404

Root Cause

The CardQuery model defined number as a plain str with no length or format constraints. When an invalid string was submitted, it passed Pydantic validation, reached the Redis lookup in the card handler, failed to find a match, and returned a 404 "not found" error. This is misleading because the issue is invalid input, not a missing resource.

Changes

  • Changed CardQuery.number from str to constr(min_length=1, max_length=128, pattern="^[a-zA-Z0-9]+$") in src/card.py
  • This aligns with the CardModel.number field which already uses the same pattern constraint

Closes stayforge/Stayforge_Networks_Access#9

Test plan

  • Send a POST to /card/ with a card number longer than 128 characters — should return 422
  • Send a POST to /card/ with an empty card number — should return 422
  • Send a POST to /card/ with special characters in the number — should return 422
  • Send a POST to /card/ with a valid card number that doesn't exist — should still return 404
  • Send a POST to /card/ with a valid existing card number — should return 200 with card data

🤖 Generated with Claude Code

… stayforge/Stayforge_Networks_Access#9)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
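
An added example, not code from this pull request or the project: a standard-library model of the status mapping the description sets out (malformed input is rejected with 422 before any lookup, a well-formed but unknown number gives 404), with a dict standing in for the Redis lookup. The function names, the sample store and the extra trailing-newline case are assumptions made for illustration.

```python
import re

# Same bounds and character class as in the PR description. fullmatch() is used
# because Python's re lets "$" also match just before a trailing newline.
CARD_NUMBER = re.compile(r"[a-zA-Z0-9]+")
MIN_LEN, MAX_LEN = 1, 128


def is_valid_number(number):
    """Syntactic check only; says nothing about whether the card exists."""
    return (
        isinstance(number, str)
        and MIN_LEN <= len(number) <= MAX_LEN
        and CARD_NUMBER.fullmatch(number) is not None
    )


def lookup_status(number, store):
    """Return (status, body); `store` is a dict standing in for the Redis lookup."""
    if not is_valid_number(number):
        return 422, None  # rejected before the store is touched
    card = store.get(number)
    if card is None:
        return 404, None  # well-formed number, but no such card
    return 200, card


# Constructed sample data: the five cases from the test plan, plus a
# trailing-newline case that a "$"-anchored re.match() would let through.
SAMPLE_STORE = {"A1B2C3": {"number": "A1B2C3", "owner": "example"}}
CASES = [
    ("A" * 129, 422),      # longer than 128 characters
    ("", 422),             # empty
    ("12-34;*", 422),      # special characters
    ("NOSUCHCARD", 404),   # valid format, not in the store
    ("A1B2C3", 200),       # valid and present
    ("A1B2C3\n", 422),     # trailing newline
]


def run_cases():
    """Return (actual, expected) status pairs for every case above."""
    return [(lookup_status(n, SAMPLE_STORE)[0], want) for n, want in CASES]


if __name__ == "__main__":
    for got, want in run_cases():
        print(got, want, "ok" if got == want else "MISMATCH")
```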