fix: /api/auth/signup returns 500 on invalid input instead of 400/422 #28613

@keon

Description

Bug

The /api/auth/signup endpoint returns HTTP 500 (internal server error) when given invalid input instead of a proper 400/422 validation error.

Reproduction

# Invalid email - returns 500
curl -s -w "%{http_code}" -X POST http://localhost:3000/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"notanemail","password":"P@ssword123!","username":"test"}'

# Weak password - returns 500
curl -s -w "%{http_code}" -X POST http://localhost:3000/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"123","username":"test"}'

# Empty body - returns 500
curl -s -w "%{http_code}" -X POST http://localhost:3000/api/auth/signup \
  -H "Content-Type: application/json" -d '{}'

All three return HTTP 500. Expected: 400 or 422 with a descriptive validation error message.

Expected behavior

The endpoint should validate input (email format, password strength, required fields) before processing and return structured error responses:

{
  "message": "Invalid email address",
  "code": "BAD_REQUEST"
}

Impact

  • Poor DX for API consumers who get unhelpful 500 errors
  • Unhandled exceptions in server logs (noise)
  • Potential for error monitoring alerts on what should be routine validation

Suggested fix

Add Zod schema validation at the top of the signup handler (or use ErrorWithCode per Cal.com conventions) to catch and return proper 400/422 responses before the request reaches business logic.

Found via automated chaos monkey testing against the API.
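Added example, not Cal.com's code and not part of the issue above: a self-contained TypeScript handler that shows the validate-first pattern the report asks for. Input is checked before any account logic runs, client mistakes (malformed JSON, missing fields, bad email, weak password) map to a 400 with the structured `{ message, code }` body the issue expects, and only genuinely unexpected failures become a generic 500 that reveals nothing about the server. A hand-written validator stands in for Zod so the snippet runs with no dependencies; the email regex, the password policy, the message texts and the `persist` hook are all constructed for this example rather than taken from Cal.com.

```typescript
// Added example (not Cal.com's code): validate signup input before any business
// logic runs and map validation failures to a 400 with a structured body, while
// unexpected failures still become a generic 500 that leaks no internals.
// The password policy, messages and the `persist` callback are constructed for
// this example; Cal.com's own Zod schemas and ErrorWithCode are not reproduced.

type SignupInput = { email: string; password: string; username: string };
type ErrorBody = { message: string; code: string };
type ApiResponse = { status: number; body: ErrorBody | { id: string } };

// Thrown only for caller mistakes; anything else is treated as a server fault.
class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ValidationError";
  }
}

// Deliberately simple email check: one "@", non-empty local part, dotted domain.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateSignup(input: unknown): SignupInput {
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    throw new ValidationError("Request body must be a JSON object");
  }
  const body = input as Record<string, unknown>;

  // Required fields first, so `{}` yields one clear message instead of a format error.
  const required = ["email", "password", "username"] as const;
  const missing = required.filter(
    (k) => typeof body[k] !== "string" || (body[k] as string).trim() === ""
  );
  if (missing.length > 0) {
    throw new ValidationError(`Missing required fields: ${missing.join(", ")}`);
  }
  const email = body.email as string;
  const password = body.password as string;
  const username = body.username as string;

  if (!EMAIL_RE.test(email)) {
    throw new ValidationError("Invalid email address");
  }
  // Constructed strength policy for the example: 8+ chars with a letter and a digit.
  if (password.length < 8 || !/[A-Za-z]/.test(password) || !/[0-9]/.test(password)) {
    throw new ValidationError("Password must be at least 8 characters and contain a letter and a digit");
  }
  return { email, password, username };
}

// Stand-in for real account creation (hypothetical); injected so the failure
// path can be exercised without a database.
function defaultPersist(user: SignupInput): string {
  return `user_${user.username}`;
}

function handleSignup(
  rawBody: string,
  persist: (u: SignupInput) => string = defaultPersist
): ApiResponse {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    // Malformed JSON is the client's fault, not a 500.
    return { status: 400, body: { message: "Malformed JSON body", code: "BAD_REQUEST" } };
  }
  try {
    const user = validateSignup(parsed);
    const id = persist(user);
    return { status: 201, body: { id } };
  } catch (err) {
    if (err instanceof ValidationError) {
      return { status: 400, body: { message: err.message, code: "BAD_REQUEST" } };
    }
    // Log the real error server-side; the client only gets a generic message.
    console.error("signup failed", err);
    return { status: 500, body: { message: "Internal server error", code: "INTERNAL_SERVER_ERROR" } };
  }
}
```

The three curl requests from the reproduction section map onto `handleSignup` directly: the invalid-email and weak-password bodies come back as 400 with a message naming the field, and `{}` comes back as 400 listing every missing field. The `persist` parameter exists only to show the other half of the contract: when the stand-in store throws, the caller still gets a 500, but with a fixed message rather than the exception text, so routine validation noise and real server faults stay distinguishable in monitoring.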
