fix(backend): SSE subscribe substr, Zod issues, users param

[wheval]

Summary

Fixes three correctness issues in the SSE subscribe controller: deprecated substr, empty Zod validation payloads, and silently ignored users query parameter.

Purpose / Motivation

Clients subscribing via GET /v1/events/subscribe could receive empty errors on bad query params (breaking client-side validation UX), and documented users filters had no effect. substr is deprecated and should use slice for stable client IDs.

Changes Made

• Replace String.prototype.substr with slice when generating SSE clientId suffixes.
• Handle validation failures with instanceof z.ZodError and return error.issues in the 400 body.
• Parse users in subscribeSchema and add scoped user:{publicKey} subscriptions (authenticated user plus counterparties on owned streams; arbitrary keys are ignored).

How to Test

1. Start the backend and authenticate to GET /v1/events/subscribe.
2. Call with invalid query shape (e.g. streams=not-an-array) and confirm 400 includes a non-empty errors array with Zod issue objects.
3. Subscribe with ?users=<your-public-key> and confirm the connection opens and subscriptions include user:<your-public-key>.
4. Subscribe with ?users=<unrelated-public-key> and confirm that key is not added (only allowed counterparties/self).
5. Run npx vitest run sse.controller --coverage.enabled=false in backend/.

Breaking Changes

None. Validation errors now populate correctly; previously empty arrays may have masked issues.

Related Issues

Closes #546

[ogazboiz]

hey, #706 just merged and fixes a broken test-mock pattern that was causing 'Failed Suites' / 'is not a function' / '0 tests' on backend integration tests. please rebase to pick it up:

git fetch upstream
git rebase upstream/main
git push --force-with-lease