api: clamp public /api/prompts pagination parameters

[kuishou68]

Summary

The public GET /api/prompts endpoint currently parses page and perPage directly from query params without bounding them.

Impact

A client can request arbitrarily large perPage values (or malformed values) and force oversized database reads / response payloads on a public endpoint.

Reproduction

GET /api/prompts?perPage=1000000&page=1

Expected

• page should be normalized to a sane positive integer
• perPage should be clamped to a small public maximum
• malformed values should fall back to defaults instead of propagating unexpected NaN / oversized values

Proposed fix

Add a small pagination parser for the public endpoint that defaults invalid values and clamps perPage to a public maximum.

[kuishou68]

Taking this. I have a small fix in mind: normalize invalid pagination values and clamp the public perPage upper bound.

[kuishou68]

Fix is up in #1130.