feat(api): input validation layer, supertest integration tests & DLQ admin API #106

Open
jadonamite wants to merge 1 commit into Fluxora-Org:main from jadonamite:feature/fluxora-backend

@jadonamite

Summary

This PR closes three related issues in one cohesive change set, all scoped to operator-grade reliability of the Fluxora HTTP surface:


Changes

Issue #6 — Input Validation Layer (Zod) for JSON Bodies

  • Added src/validation/schemas.ts with reusable Zod schemas for all incoming JSON bodies
  • CreateStreamSchema enforces decimal strings (not numbers) for depositAmount and ratePerSecond, preventing floating-point precision loss across the chain/API boundary
  • ListStreamsQuerySchema validates cursor, limit, and include_total query parameters
  • DlqListQuerySchema validates DLQ pagination parameters
  • Helper functions parseBody() and formatZodIssues() provide consistent validation error formatting
  • All validation errors return 400 VALIDATION_ERROR with per-field details

Issue #34 — Supertest Integration Tests for HTTP API

  • Rewrote tests/streams.test.ts with full Supertest coverage
  • Tests cover: valid/invalid decimal strings, idempotency key lifecycle (create, replay, conflict), cursor pagination, dependency outage (503), missing required fields, error response format including requestId propagation
  • 57 tests passing across both test files

Issue #43 — Dead-Letter Queue Inspection API (Admin Only)

  • Added src/routes/dlq.ts implementing GET /admin/dlq, GET /admin/dlq/:id, and DELETE /admin/dlq/:id
  • Mounted under /admin/dlq — operator JWT role required on all routes
  • Trust boundary strictly enforced: 401 for unauthenticated, 403 for non-operator roles
  • Supports offset pagination, topic filtering, and entry acknowledgement (DELETE)
  • Added enqueueDeadLetter() for internal workers to write to the DLQ
  • Added tests/dlq.test.ts with full Supertest coverage: auth guards, pagination, topic filter, single entry fetch, acknowledge/delete, shape validation

Supporting Fixes

  • Fixed upstream src/middleware/auth.ts undefined apiKey reference causing 500s
  • Fixed src/middleware/errorHandler.ts requestId propagation into error responses
  • Added missing src/config/stellar.ts (upstream dependency)
  • Fixed src/types/express.d.ts to declare user and correlationId on Express Request

Test Results

  • Test Suites: 2 passed, 2 passed
  • Tests: 57 passed, 57 total

Non-Goals (Intentionally Deferred)

  • Persistent DLQ storage (PostgreSQL) — tracked as follow-up
  • Rate limiting on DLQ endpoints
  • DLQ retry/replay mechanism

Closes #6
Closes #34
Closes #43

- Issue Fluxora-Org#6: Add Zod input validation layer for JSON bodies (src/validation/schemas.ts)
- Issue Fluxora-Org#34: Add Supertest integration tests for HTTP API (tests/streams.test.ts)
- Issue Fluxora-Org#43: Add dead-letter queue inspection API admin-only (src/routes/dlq.ts, tests/dlq.test.ts)
- Fix auth middleware undefined apiKey reference
- Fix errorHandler requestId propagation
- Add missing src/config/stellar.ts

Closes Fluxora-Org#6
Closes Fluxora-Org#34
Closes Fluxora-Org#43
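
Added example, not part of this PR or of Fluxora's code: a plain TypeScript version (no Zod) of the decimal-string rule the description gives for depositAmount and ratePerSecond, showing the precision a JSON number loses and the 400 VALIDATION_ERROR response with per-field details. The regex, type names and function names are assumptions.

```typescript
// Added example, not Fluxora's code. Plain TypeScript, no Zod.
// depositAmount / ratePerSecond and "400 VALIDATION_ERROR" come from the PR text;
// the regex, type names and function names are assumptions.
type FieldIssue = { field: string; message: string };
type Result =
  | { ok: true; value: { depositAmount: string; ratePerSecond: string } }
  | { ok: false; status: 400; code: "VALIDATION_ERROR"; details: FieldIssue[] };

// Assumed grammar: unsigned digits, optional fraction, no exponent, no leading zeros.
const DECIMAL_STRING = /^(0|[1-9]\d*)(\.\d+)?$/;

function checkDecimal(body: Record<string, unknown>, field: string): FieldIssue | null {
  const raw = body[field];
  if (raw === undefined) return { field, message: "required" };
  // JSON.parse has already rounded a JSON number to a double, so a number is
  // rejected rather than stringified: the lost digits cannot be recovered.
  if (typeof raw !== "string") return { field, message: "expected decimal string, got " + typeof raw };
  if (!DECIMAL_STRING.test(raw)) return { field, message: "not a plain decimal string" };
  return null;
}

function fail(details: FieldIssue[]): Result {
  return { ok: false, status: 400, code: "VALIDATION_ERROR", details };
}

function validateCreateStream(json: string): Result {
  let parsed: unknown;
  try {
    parsed = JSON.parse(json);
  } catch {
    return fail([{ field: "(body)", message: "invalid JSON" }]);
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return fail([{ field: "(body)", message: "expected a JSON object" }]);
  }
  const body = parsed as Record<string, unknown>;
  // Collect every failing field so the client gets all issues in one response.
  const details = ["depositAmount", "ratePerSecond"]
    .map((f) => checkDecimal(body, f))
    .filter((i): i is FieldIssue => i !== null);
  if (details.length > 0) return fail(details);
  return { ok: true, value: { depositAmount: String(body["depositAmount"]), ratePerSecond: String(body["ratePerSecond"]) } };
}

// Constructed sample: 2^53 + 1 sent as a JSON number comes back as 2^53.
function precisionLossDemo(): string {
  return String(JSON.parse('{"depositAmount": 9007199254740993}').depositAmount);
}

console.log(precisionLossDemo());
console.log(JSON.stringify(validateCreateStream('{"depositAmount": 9007199254740993, "ratePerSecond": "1e-7"}')));
```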
@drips-wave

drips-wave bot commented Mar 29, 2026

@jadonamite Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits


Development

Successfully merging this pull request may close these issues.

  • Dead-letter queue inspection API (admin-only)
  • Supertest integration tests for HTTP API
  • Input validation layer (zod/io-ts) for JSON bodies