Add model allow-list validation to analysis endpoints

Reject unsupported LLM model identifiers with HTTP 400 on all analysis
endpoints (single, batch, async batch). The SUPPORTED_MODELS list was
already defined for the /models endpoint but not enforced on incoming
requests. This completes the multi-model support feature by adding the
missing server-side validation.

Closes leeworks-agents/SPARC#1013

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

SPARC/api.py

@@ -479,6 +479,20 @@ SUPPORTED_MODELS = [
     {"id": "meta-llama/llama-3.1-70b-instruct", "name": "Llama 3.1 70B", "provider": "Meta"},
 ]
 
+_SUPPORTED_MODEL_IDS = {m["id"] for m in SUPPORTED_MODELS}
+
+
+def _validate_model(model: str | None) -> None:
+    """Raise HTTP 400 if *model* is not in the supported allow-list."""
+    if model is not None and model not in _SUPPORTED_MODEL_IDS:
+        raise HTTPException(
+            status_code=400,
+            detail=(
+                f"Unsupported model '{model}'. "
+                f"Supported models: {', '.join(sorted(_SUPPORTED_MODEL_IDS))}"
+            ),
+        )
+
 
 @app.get("/models", tags=["System"])
 async def list_models():
@@ -814,6 +828,7 @@ async def analyze_company(
     Returns:
         Analysis results including patent count, AI insights, and success status
     """
+    _validate_model(model)
     if not _analyzer:
         raise HTTPException(status_code=503, detail="Analyzer not initialized")
 
@@ -873,6 +888,7 @@ async def analyze_companies_batch(
     Returns:
         Batch results with individual company analyses and summary statistics
     """
+    _validate_model(request.model)
     if not _analyzer:
         raise HTTPException(status_code=503, detail="Analyzer not initialized")
 
@@ -983,6 +999,7 @@ async def analyze_companies_async(
     Returns:
         Job status with job_id for polling
     """
+    _validate_model(request.model)
     global _job_counter
 
     _job_counter += 1