[codex] Add request validation hardening #300

Merged
jjoonleo merged 1 commit into main from codexd/request-validation-hardening
May 8, 2026
Conversation

Contributor

@jjoonleo jjoonleo commented May 8, 2026

Summary

  • Add Bean Validation dependency and constraints for inbound request DTOs across auth, schedules, preparations, friends, settings, feedback, Firebase, and alarm APIs.
  • Normalize validation failures into the existing ApiResponseForm envelope with code=1002 and structured data.errors details.
  • Validate /login and OAuth login filter payloads before authentication/service work.
  • Add controller and filter validation tests plus test-only H2 configuration for reliable service test execution.

Frontend impact

  • Routes and JSON field names are unchanged.
  • Invalid requests now consistently return HTTP 400 with status="error", code=1002, and data.errors.
  • Passwords must be 8-64 chars and include at least one letter, number, and special character.
  • Schedule creation rejects past scheduleTime; minute fields reject negative values and values above 1440.
  • Alarm settings reject unknown fields and wrong JSON types, for example string "true" instead of boolean true.

Validation

  • ./gradlew cleanTest test

Fixes #277

@jjoonleo jjoonleo marked this pull request as ready for review May 8, 2026 06:43
@jjoonleo jjoonleo merged commit 150527d into main May 8, 2026
1 check passed
@jjoonleo jjoonleo deleted the codexd/request-validation-hardening branch May 8, 2026 07:43
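
Added illustration, not code from this pull request: a sketch of how the password and schedule rules listed in the description can be expressed as Bean Validation constraints and flattened into an error body with `code=1002` and `data.errors`. The class names, the `email` and `moveTimeMinutes` fields, the choice of `@FutureOrPresent`, and the `field`/`message` shape of each error entry are assumptions; it needs a Bean Validation provider such as Hibernate Validator and an EL implementation on the classpath.

```java
// Added example; DTO names and the error-entry shape are hypothetical, not the project's.
import jakarta.validation.*;
import jakarta.validation.constraints.*;
import java.time.LocalDateTime;
import java.util.*;

public class ValidationSketch {

    // Password rule from the description: 8-64 chars with a letter, a number and a special character.
    record SignUpRequest(
        @NotBlank @Email String email,
        @NotNull @Size(min = 8, max = 64)
        @Pattern(regexp = "^(?=.*[A-Za-z])(?=.*\\d)(?=.*[^A-Za-z0-9]).+$",
                 message = "must contain a letter, a number and a special character")
        String password) {}

    // Schedule rule from the description: no past scheduleTime, minute values within 0..1440.
    record ScheduleRequest(
        @NotNull @FutureOrPresent LocalDateTime scheduleTime,
        @NotNull @Min(0) @Max(1440) Integer moveTimeMinutes) {}

    // Collects every violation so the client sees all failing fields in one 400 response.
    // Returns an empty map when the request is valid (no error body to send).
    static <T> Map<String, Object> errorBody(Validator validator, T request) {
        List<Map<String, String>> errors = new ArrayList<>();
        for (ConstraintViolation<T> v : validator.validate(request)) {
            errors.add(Map.of("field", v.getPropertyPath().toString(), "message", v.getMessage()));
        }
        if (errors.isEmpty()) return Map.of();
        errors.sort(Comparator.comparing(e -> e.get("field"))); // stable order for clients and tests
        return Map.of("status", "error", "code", 1002, "data", Map.of("errors", errors));
    }

    public static void main(String[] args) {
        try (ValidatorFactory factory = Validation.buildDefaultValidatorFactory()) {
            Validator validator = factory.getValidator();
            // Constructed inputs: a weak password, a past schedule with 2000 minutes, a valid sign-up.
            System.out.println(errorBody(validator, new SignUpRequest("a@example.com", "password")));
            System.out.println(errorBody(validator,
                new ScheduleRequest(LocalDateTime.now().minusDays(1), 2000)));
            System.out.println(errorBody(validator, new SignUpRequest("a@example.com", "Passw0rd!")));
        }
    }
}
```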
Development

Successfully merging this pull request may close these issues.

[P1] Add comprehensive request validation and consistent 400 responses