Some controllers allow malformed payloads or return undocumented response shapes, which weakens client contracts and allows runtime mismatches between frontend, mobile, and backend.
Affected areas: app/backend/src/common/validation.pipe.ts, app/backend/src/*.controller.ts, app/backend/src/contracts/*, app/backend/src/refunds/*, app/backend/src/payments/*, OpenAPI docs/tests.
Implementation scope:
- Add request validation for all public API DTOs and transform untrusted payloads consistently.
- Add response validation or output DTO enforcement for top-level controllers.
- Sync OpenAPI schemas with runtime DTOs and generate snapshot tests.
- Validate pagination, cursor shapes, and contract event payloads.
Acceptance criteria:
- Invalid requests receive a consistent 400 error with a stable schema.
- Controller responses match documented OpenAPI types.
- Tests fail if response shape drifts from the API contract.