Centralize public-key material validation in lib/keys.ts (#163)

[Krishna41357]

Closes #163

What changed

Added apps/backend/src/lib/keys.ts as the single validator for all public-key
material the server accepts: identity keys, signed prekeys, one-time prekeys,
and signatures. Every endpoint that previously validated key material inline
now routes through it.

• IdentityPublicKeySchema — 44-byte Ed25519 SPKI DER, base64
• PreKeyPublicKeySchema — 32-byte raw Ed25519 key, base64
• SignatureSchema — 64-byte Ed25519 signature, base64
• PreKeyEntrySchema / SignedPreKeyEntrySchema — composite schemas used by
  the prekey upload endpoint
• verifyEd25519Signature — shared signature verification, moved out of
  routes/devices.ts
• MlsKeyPackageSchema — 32–4096 byte validator, ready for use, documented as
  currently unused since no endpoint accepts MLS key packages in this
  codebase yet (see scope note below)

Wired in:

• apps/backend/src/schemas/auth.schemas.ts — DeviceSchema and
  VerifySchema now validate identityPublicKey via the shared schema
  instead of a bare min(1) check
• apps/backend/src/routes/devices.ts — POST /devices/:id/prekeys now uses
  SignedPreKeyEntrySchema / PreKeyEntrySchema for the request body and
  verifyEd25519Signature for signature checks; the local copies of both
  were removed

Updated existing fixtures in devices.prekeys.test.ts (VALID_BODY,
ACTIVE_DEVICE.identityPublicKey) to use correctly-sized base64 placeholders,
since the old short placeholders would now fail length validation before
reaching the handler logic those tests exercise.

Scope note: MLS key packages

The issue mentions MLS key packages alongside identity/prekeys. I searched
the backend (grep -rni 'mls|keyPackage|key_package' apps/backend/src) and
confirmed there is no endpoint, schema, or DB column for MLS key packages
anywhere in this codebase yet. MlsKeyPackageSchema is implemented and unit
tested so it's ready the moment such an endpoint exists, but no route was
added here — that would be new functionality outside this issue's stated
scope of centralizing validation, not introducing it for a feature that
doesn't exist.

Acceptance criteria

• All key-accepting endpoints route through the shared validator
  (auth verify/challenge, device registration, prekey upload)
• Wrong-length / non-base64 / bad-signature inputs rejected with 400
• Unit tests cover valid + each invalid case (keys.test.ts)
• Existing endpoint tests (devices.prekeys.test.ts) updated to stay
  green under the new strict validation

Testing

pnpm test in apps/backend — all suites pass, including the new
keys.test.ts and the updated devices.prekeys.test.ts.

[drips-wave]

@Krishna41357 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[codebestia]

@Krishna41357 Please fix the CI

[Krishna41357]

@codebestia fixed the format error , the CI should pass smoothly now

[Krishna41357]

tried to fix the test also

[Krishna41357]

devices.prekeys.test.ts: mock was stubbing createVerify but keys.ts uses the one-shot verify - updated to match

[Krishna41357]

@codebestia pls review and merge now
Thankyou

[codebestia]

LGTM!
Thank you for your contribution.