Bug
POST /api/messages/send currently calls request.json() directly inside the route's broad try/catch. If an authenticated API/CLI caller sends malformed JSON, the JSON parser throws and the endpoint falls through to the generic 500 response.
Why it matters
This is a client request formatting error, so API clients should receive a 400 response that they can fix. A 500 makes it look like the server failed and makes agent/CLI integrations harder to debug.
Reproduction
Send an authenticated request with an invalid JSON body such as:
{
Expected: 400 Invalid JSON body
Actual: 500 An unexpected error occurred
Fix
Wrap only the JSON parsing step and return 400 when the body cannot be parsed, leaving the existing Zod validation and happy path unchanged. Regression coverage added for the malformed JSON case.
Bug
POST /api/messages/send currently calls request.json() directly inside the route's broad try/catch. If an authenticated API/CLI caller sends malformed JSON, the JSON parser throws and the endpoint falls through to the generic 500 response.
Why it matters
This is a client request formatting error, so API clients should receive a 400 response that they can fix. A 500 makes it look like the server failed and makes agent/CLI integrations harder to debug.
Reproduction
Send an authenticated request with an invalid JSON body such as:
{Expected: 400 Invalid JSON body
Actual: 500 An unexpected error occurred
Fix
Wrap only the JSON parsing step and return 400 when the body cannot be parsed, leaving the existing Zod validation and happy path unchanged. Regression coverage added for the malformed JSON case.