✨ **Enhance input validation and error handling across APIs**

- 🛠️ Refactored controllers to utilize `FiltersNumericIds` concern, ensuring secure numeric ID filtering and avoiding type-sensitive errors in queries.
- ➕ Added feature tests to validate robust input hardening for non-numeric or malformed query parameters (`user_id`, `selected[]`).
- 🔒 Introduced `PublicPropertyNotFoundException` handling in Livewire, returning 400 for invalid property probes and suppressing unnecessary log entries.
- ❌ Updated `MeetupEventController` to handle invalid date formats gracefully, aborting with a 400 response instead of 500.
- ✅ Expanded exception handling pipeline for enhanced resilience against malformed input, bot noise, and exploitable probes.

tests/Feature/Api/ApiIndexInputHardeningTest.php

@@ -0,0 +1,29 @@
+<?php
+
+use App\Models\Course;
+use App\Models\Venue;
+
+it('drops non-numeric selected values on GET /api/courses instead of erroring', function () {
+    $course = Course::factory()->create();
+
+    $response = $this->getJson('/api/courses?selected[]='.$course->id.'&selected[]=foo');
+
+    $response->assertSuccessful();
+    expect(collect($response->json())->pluck('id')->all())->toBe([$course->id]);
+});
+
+it('casts a non-numeric user_id to an empty filter on GET /api/courses', function () {
+    Course::factory()->create();
+
+    $this->getJson('/api/courses?user_id=abc')
+        ->assertSuccessful()
+        ->assertJsonCount(0);
+});
+
+it('tolerates a non-array selected value on GET /api/venues without a 500', function () {
+    Venue::factory()->create();
+
+    $this->getJson('/api/venues?selected=foo')
+        ->assertSuccessful()
+        ->assertJsonCount(0);
+});

tests/Feature/Api/MeetupApiTest.php

@@ -94,3 +94,11 @@ it('filters /api/meetup-events by date when one is supplied', function () {
     $response->assertSuccessful();
     expect($response->json())->toBeArray()->not->toBeEmpty();
 });
+
+it('returns 400 instead of 500 when the date path segment is not parseable', function () {
+    $this->getJson('/api/meetup-events/'.urlencode('{date}'))
+        ->assertStatus(400);
+
+    $this->getJson('/api/meetup-events/not-a-date')
+        ->assertStatus(400);
+});

tests/Feature/LivewireExploitProbeTest.php

@@ -3,6 +3,7 @@
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Route;
 use Livewire\Exceptions\MethodNotFoundException;
+use Livewire\Exceptions\PublicPropertyNotFoundException;
 use Livewire\Features\SupportLifecycleHooks\DirectlyCallingLifecycleHooksNotAllowedException;
 use Livewire\Mechanisms\HandleComponents\CorruptComponentPayloadException;
 
@@ -44,6 +45,28 @@ it('still surfaces genuine method-not-found bugs', function () {
     expect($this->get('/_test/livewire-real-method-not-found')->status())->not->toBe(400);
 });
 
+it('returns 400 for setting an undeclared public property instead of 500', function () {
+    Route::get('/_test/livewire-undeclared-property', function () {
+        throw new PublicPropertyNotFoundException('value', 'welcome');
+    });
+
+    expect($this->get('/_test/livewire-undeclared-property')->status())->toBe(400);
+});
+
+it('does not report undeclared-property probes to the logs', function () {
+    Log::spy();
+
+    Route::get('/_test/livewire-undeclared-property-log', function () {
+        throw new PublicPropertyNotFoundException('value', 'welcome');
+    });
+
+    $this->get('/_test/livewire-undeclared-property-log')->assertStatus(400);
+
+    Log::shouldNotHaveReceived('error');
+    Log::shouldNotHaveReceived('critical');
+    Log::shouldNotHaveReceived('emergency');
+});
+
 it('does not report corrupt Livewire snapshot payloads', function () {
     Log::spy();