fix(db): validate order param in get_institutions_page

Matches the existing defensive guard in get_journals_page. The current
ternary is safe via ORM (.asc() / .desc() only), but the explicit
allowlist prevents future refactors from accidentally interpolating a
tainted value into raw SQL.

src/local_deep_research/journal_quality/db.py

@@ -764,6 +764,13 @@ class JournalQualityDB:
         if not self.available:
             return [], 0
 
+        # Defensive allowlist — matches the pattern in get_journals_page.
+        # The ternary below is already safe (non-"desc" falls through to
+        # .asc()), but the explicit check prevents future refactors from
+        # accidentally interpolating a tainted value into SQL.
+        if order not in ("asc", "desc"):
+            order = "desc"
+
         wheres = []
         if search:
             needle = _escape_like(search.lower().strip()[:_MAX_SEARCH_LEN])