feat(search): wire sort to DocumentList; validate sort param allowlist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/+page.server.ts

@@ -13,7 +13,12 @@ export async function load({ url, fetch }) {
 	const senderId = url.searchParams.get('senderId') || '';
 	const receiverId = url.searchParams.get('receiverId') || '';
 	const tags = url.searchParams.getAll('tag');
-	const sort = url.searchParams.get('sort') || 'DATE';
+	const VALID_SORTS = ['DATE', 'TITLE', 'SENDER', 'RECEIVER', 'UPLOAD_DATE'] as const;
+	type ValidSort = (typeof VALID_SORTS)[number];
+	const rawSort = url.searchParams.get('sort') ?? 'DATE';
+	const sort: ValidSort = (VALID_SORTS as readonly string[]).includes(rawSort)
+		? (rawSort as ValidSort)
+		: 'DATE';
 	const dir = url.searchParams.get('dir') || 'desc';
 	const tagQ = url.searchParams.get('tagQ') || '';
 
@@ -35,7 +40,7 @@ export async function load({ url, fetch }) {
 								receiverId: receiverId || undefined,
 								tag: tags.length ? tags : undefined,
 								tagQ: tagQ || undefined,
-								sort: sort as 'DATE' | 'TITLE' | 'SENDER' | 'RECEIVER' | 'UPLOAD_DATE',
+								sort,
 								dir: dir || undefined
 							}
 						}

frontend/src/routes/+page.svelte

@@ -139,6 +139,7 @@ const showRightColumn = $derived(data.canWrite || (data.incompleteDocs?.length ?
 			error={data.error}
 			total={data.total ?? 0}
 			q={q}
+			sort={sort}
 		/>
 	{/if}
 </main>