Fix 7 bugs: security, memory leak, stale state, error handling

- WebSocket: verify task ownership before allowing subscribe (security)
- POI routes: replace assert with HTTPException for production safety
- cancel_task: return HTTP 404 instead of 200 for missing tasks
- routing_config: add descriptive ValueError for invalid env vars
- POIManager: show error feedback instead of silently swallowing failures
- VisualizationCard: reset POI/travel mode state on metric switch
- Map: clean up heatmap layers/sources on unmount to prevent memory leak
- Update test to expect 404 from cancel_task ownership check

config/routing_config.py

@@ -6,6 +6,15 @@ from dataclasses import dataclass
 from typing import Self
 
 
+def _int_env(name: str, default: str) -> int:
+    """Parse an integer environment variable with a descriptive error."""
+    raw = os.environ.get(name, default)
+    try:
+        return int(raw)
+    except ValueError:
+        raise ValueError(f"Environment variable {name}={raw!r} must be an integer")
+
+
 @dataclass(frozen=True)
 class RoutingConfig:
     """Configuration for self-hosted routing engines (OSRM + OTP).
@@ -39,8 +48,8 @@ class RoutingConfig:
             osrm_foot_url=os.environ.get("OSRM_FOOT_URL", "http://osrm-foot:5000"),
             osrm_bicycle_url=os.environ.get("OSRM_BICYCLE_URL", "http://osrm-bicycle:5000"),
             otp_url=os.environ.get("OTP_URL", "http://otp:8080"),
-            osrm_batch_size=int(os.environ.get("OSRM_BATCH_SIZE", "50")),
-            otp_max_concurrent=int(os.environ.get("OTP_MAX_CONCURRENT", "10")),
+            osrm_batch_size=_int_env("OSRM_BATCH_SIZE", "50"),
+            otp_max_concurrent=_int_env("OTP_MAX_CONCURRENT", "10"),
         )
 
     def get_osrm_url(self, profile: str) -> str: