Validate public API requests before registry access

[vultuk]

Summary

• move agent API validation into a shared service layer before registry lookup or mutation
• return deterministic 400 responses for malformed status filters and malformed agent IDs
• keep unauthorized requests short-circuited before service/registry access and restore the static /agents/count route ahead of the dynamic ID route
• include current-main suite-health fixes for AgentStatus export and metrics timer lock re-entry so the full suite can run cleanly

Validation

• uv run pytest tests/test_api_validation.py -q -> 6 passed
• uv run pytest tests/test_api_validation.py tests/test_metrics.py tests/test_scheduler.py -q -> 15 passed
• uv run pytest -q -> 28 passed
• uv run flake8 src/api/agent_service.py src/api/routes.py src/agent/__init__.py src/common/metrics.py tests/test_api_validation.py -> passed
• python3 -m py_compile src/api/agent_service.py src/api/routes.py src/agent/__init__.py src/common/metrics.py tests/test_api_validation.py -> passed
• git diff --check -> passed
• Star gate verified: viewerHasStarred=true

Fixes #1857

BTC payout wallet: bc1qa5acxqc3wldzxwjhe8a65gjp6n7dxmafm6qs4j