
security: enforce strict response model for public reviews (only name, rating, text)

unknown 2 zile în urmă
părinte
comite
f7abb3f0be
2 a modificat fișierele cu 6 adăugiri și 1 ștergeri
  1. 1 1
      backend/routers/orders.py
  2. 5 0
      backend/schemas.py

+ 1 - 1
backend/routers/orders.py

@@ -201,7 +201,7 @@ async def approve_order_review(order_id: int, admin: dict = Depends(require_admi
     audit_service.log(admin['id'], "ORDER_REVIEW_APPROVE", f"Approved review for order {order_id}", order_id)
     return {"message": "Review approved successfully"}
 
-@router.get("/reviews/public")
+@router.get("/reviews/public", response_model=List[schemas.PublicReview])
 async def get_public_reviews():
     # Only return approved reviews, anonymized (strictly only the first word of the first name)
     query = "SELECT SUBSTRING_INDEX(first_name, ' ', 1) as first_name, rating, review_text FROM orders WHERE review_approved = TRUE ORDER BY created_at DESC LIMIT 10"
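Review bot: `List` must already be in scope in orders.py for the new `response_model=List[schemas.PublicReview]` to resolve at import time; the hunk does not show the module's imports, so confirm `from typing import List` exists there (or use the builtin generic `list[schemas.PublicReview]` if the project targets Python 3.9+). The response model only filters at serialization time, so the leak-prevention the commit title describes is worth pinning with a test that asserts each item of `GET /reviews/public` has exactly the keys `first_name`, `rating`, `review_text`. The query's column aliases already match the model's field names, which is what makes the filtering work; a one-line comment `# column aliases must match schemas.PublicReview fields` next to the query would keep the two from drifting. get_public_reviews continues outside the hunk.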

+ 5 - 0
backend/schemas.py

@@ -230,6 +230,11 @@ class OrderReview(BaseModel):
     rating: int = Field(..., ge=1, le=5)
     review_text: str = Field(..., min_length=2)
 
+class PublicReview(BaseModel):
+    first_name: str
+    rating: int
+    review_text: str
+
 class MessageCreate(BaseModel):
     message: str
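Review bot: PublicReview declares none of the constraints OrderReview carries a few lines above (`rating: int = Field(..., ge=1, le=5)`) and has no docstring explaining why it exists. Since it is the output projection, mirroring the rating bound would surface a corrupt stored value instead of echoing it to the public endpoint: `rating: int = Field(..., ge=1, le=5)`. A docstring such as "Public projection of an approved order review; intentionally limited to first_name, rating and review_text so no other order columns are serialized" would document the intent the commit title states. If `first_name` can be NULL in `orders`, the query's SUBSTRING_INDEX will presumably yield None and fail validation of `first_name: str` — confirm against the table definition.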