fix(admin): address PR #623 review feedback

- Add load() unit tests for admin/users/[id] (permission gate, 404, success)
- Rename .test.ts → .spec.ts for consistency with rest of suite
- Add @Schema(requiredMode=REQUIRED) to InviteListItem.shareableUrl
- Add client-side allowlist for invite status query param

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/admin/invites/+page.server.ts

@@ -20,8 +20,14 @@ export interface InviteListItem {
 }
 export type UserGroup = components['schemas']['UserGroup'];
 
+const VALID_STATUSES = ['ACTIVE', 'REVOKED', 'EXPIRED'] as const;
+type InviteStatus = (typeof VALID_STATUSES)[number];
+
 export const load: PageServerLoad = async ({ url, fetch }) => {
-	const status = url.searchParams.get('status') ?? 'active';
+	const rawStatus = url.searchParams.get('status');
+	const status: InviteStatus | 'active' = VALID_STATUSES.includes(rawStatus as InviteStatus)
+		? (rawStatus as InviteStatus)
+		: 'active';
 	const api = createApiClient(fetch);
 
 	const [invitesResult, groupsResult] = await Promise.all([