[Backend] Input validation and rate limiting for all API routes

## Problem

The Express backend accepts arbitrary request bodies with no validation and has no rate limiting. This opens injection and abuse vectors.

## What needs to be done

1. **Zod validation on all routes** (Zod already used in frontend)
2. **Rate limiting** — \`express-rate-limit\`: 100 req / 15min per IP
3. **Helmet.js** security headers
4. No raw Supabase/service errors leaked to clients

## Routes to validate (\`backend/src/routes/\`)

- Message send / inbox fetch
- Notification endpoints
- Groq AI proxy endpoints

## Acceptance criteria

- [ ] Invalid input → \`400\` with structured error body
- [ ] Rate limiting active
- [ ] \`helmet()\` middleware applied
- [ ] Tests for validation logic

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Backend] Input validation and rate limiting for all API routes #13

Problem

What needs to be done

Routes to validate (`backend/src/routes/`)

Acceptance criteria

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[Backend] Input validation and rate limiting for all API routes #13

Description

Problem

What needs to be done

Routes to validate (`backend/src/routes/`)

Acceptance criteria

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions