chore(backend): finalize Express/TS foundation — security, structure,…

[Ndifreke000]

… tests

Closes #74

Security fixes:

• jwt: add exp (24h TTL) to every token; caller-supplied exp wins for tests
• jwt: replace string equality with crypto.timingSafeEqual for sig verification
• index: enforce 50kb JSON body limit
• index: throw at startup if CORS_ORIGIN is unset in production

Code quality:

• Extract isValidStellarAddress to src/utils/stellar.ts
• Extract validateMembers (with positive/finite pct guard) to src/utils/validateMembers.ts
• Extract serializeGroup to src/utils/serializeGroup.ts
• Move GroupMember/Group/GroupsService interfaces to src/types/index.ts
• Remove dead requireAuth re-guards from every route handler
• Fix PUT /:id optional chaining on post-guard non-null value
• Replace parseInt with Number() + floor; default negative/NaN params

Scaffold:

• Add src/db/, src/errors/, src/types/ with .gitkeep

Tests (40 pass, 0 fail):

• New: src/tests/app.test.ts — health, headers, CORS block, GET /
• New: expired token 401 test
• New: negative member percentage 400 test
• New: NaN and negative pagination param edge cases
• New: InMemoryGroupsService unit tests (create, getById, list, update, clear)

Config:

• tsconfig: module+moduleResolution aligned to Node16
• package.json: test script uses find instead of fragile shell globs
• .env.example: add CORS_ORIGIN, DATABASE_URL, JWT_SECRET, HORIZON_URL, STELLAR_NETWORK
• README: document folder structure, /health response shape, security notes

[martinvibes]

Please delete this package-lock.json file not needed in this implementation