Fix input validation and meta type alignment in apps/me API routes

[Copilot]

Falsy checks on numeric IDs silently rejected 0 as invalid, and formData.get("file") was cast without a type guard. UserUpsert.meta was typed as string despite the DB column being a JSON type.

Changes

• roles/route.ts & positions/route.ts: Replace !body.orgId / !body.positionId falsy checks with explicit == null + typeof === "number" guards:

  // before
  if (!body.orgId || !body.positionId) { ... }
  
  // after
  if (body.orgId == null || typeof body.orgId !== "number" ||
      body.positionId == null || typeof body.positionId !== "number") { ... }

• avatar/route.ts: Replace unsafe as File | null cast with an instanceof File runtime guard — a string value from formData.get() now returns a 400 before any file methods are called. Also corrects the stale error message that listed gif as an allowed type.

• types.ts: Change UserUpsert.meta from string to Record<string, unknown> to match the DB JSON column (json().$type<UserMeta>()) and eliminate the type mismatch throughout the app.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.