fix: harden camera API endpoints (CUB-234)

- Add request validation: Content-Type check, body size limit (64KB)
- Add field length validation (camera_id: 64, friendly_name: 128, mode: 32, resolution: 32)
- Add FPS range validation (0-240)
- Add battery_pct range validation (0-100)
- Replace ad-hoc map[string]string errors with structured APIError {error, code, details}
- Fix isUniqueConstraintErr to catch both camera_id and mac_address constraint violations
- Fix MacAddress model field from string to *string for NULL handling
- Fix splitSQL to strip -- line comments before splitting (was causing migration failures with modernc.org/sqlite)
- Add 30 integration tests covering all endpoints
- All tests pass: ok github.com/cubecraft/remoterig/internal/api

internal/db/db.go

@@ -7,6 +7,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strings"
 
 	_ "modernc.org/sqlite"
 )
@@ -67,12 +68,11 @@ func Open(path string) (*DB, error) {
 	return &DB{db}, nil
 }
 
-// migrate executes a SQL migration string.
+// migrate executes a SQL migration string by splitting on semicolons.
 func migrate(db *sql.DB, sql string) error {
-	// Split on semicolons to handle multiple statements
 	statements := splitSQL(sql)
 	for _, stmt := range statements {
-		stmt = stripWhitespace(stmt)
+		stmt = strings.TrimSpace(stmt)
 		if stmt == "" {
 			continue
 		}
@@ -83,8 +83,13 @@ func migrate(db *sql.DB, sql string) error {
 	return nil
 }
 
-// splitSQL splits a SQL string on semicolons, respecting quoted strings.
+// splitSQL splits a SQL string on semicolons, respecting quoted strings
+// and stripping SQL line comments (--).
 func splitSQL(sql string) []string {
+	// First, strip all line comments (--) to prevent them from swallowing
+	// subsequent SQL statements when newlines are collapsed.
+	sql = stripSQLLineComments(sql)
+
 	var stmts []string
 	var current string
 	inQuote := false
@@ -106,30 +111,42 @@ func splitSQL(sql string) []string {
 		case ';':
 			stmts = append(stmts, current)
 			current = ""
+		case '\r', '\n', '\t':
+			current += " "
 		default:
 			current += string(r)
 		}
 	}
-	if len(current) > 0 {
+	if strings.TrimSpace(current) != "" {
 		stmts = append(stmts, current)
 	}
 	return stmts
 }
 
-// stripWhitespace removes leading/trailing whitespace and normalizes newlines.
-func stripWhitespace(s string) string {
-	result := ""
-	runningSpace := false
-	for _, r := range s {
-		if r == ' ' || r == '\t' || r == '\n' || r == '\r' {
-			if !runningSpace {
-				result += " "
-				runningSpace = true
+// stripSQLLineComments removes all -- single-line comments from SQL text.
+func stripSQLLineComments(sql string) string {
+	var result strings.Builder
+	i := 0
+	runes := []rune(sql)
+
+	for i < len(runes) {
+		r := runes[i]
+
+		// Check for -- comment start
+		if r == '-' && i+1 < len(runes) && runes[i+1] == '-' {
+			// Skip to end of line
+			i += 2
+			for i < len(runes) && runes[i] != '\n' && runes[i] != '\r' {
+				i++
 			}
-		} else {
-			result += string(r)
-			runningSpace = false
+			// Replace comment with a newline (preserves statement boundaries)
+			result.WriteRune('\n')
+			continue
 		}
+
+		result.WriteRune(r)
+		i++
 	}
-	return result
+
+	return result.String()
 }