WA-SEC-018: Verify admin search query scope isolation — model_type param allowlist audit

[kitcommerce]

Summary

After PR for #802 implements the constantize allowlist fix, this follow-up task verifies the full scope of the params[:model_type] path in AdminSearchQueryWrapper.

Objective

Confirm:

• The allowlist covers all model types legitimately used in admin search
• No other constantize or const_get patterns exist in query/search scope that were not covered by Security: Brakeman findings — params-driven constantize (potential RCE) #802
• Admin search results are correctly scoped (no cross-tenant data leakage)

Acceptance Criteria

• Run grep -r 'constantize\|const_get\|classify.*params\|camelize.*params' --include='*.rb' across the repo
• Confirm no new unsafe reflection usages exist after Security: Brakeman findings — params-driven constantize (potential RCE) #802 fix is merged
• Confirm the admin search results are scoped correctly for each allowed model type
• Document the verified allowlist values in a code comment

Verification Plan

• Run the grep commands; confirm no new hits
• Run Brakeman and confirm UnsafeReflection warnings are gone

Client Impact

None (verification + documentation only).

Depends On

#802 (must be merged first)

[kitcommerce]

Blocked: depends on #802 which is currently in review (PR #1025). Will become actionable once #802 is merged.