feat: implement API key usage tracking & vault validation hardening

[midexol]

Description

This PR resolves #855 and #882 by introducing organization-scoped API key usage analytics, last-used tracking, and hardening destination-address/memo validation constraints during vault creation.

Key Changes

1. API Key Usage Analytics (#855)

• Database Schema: Added Knex and raw SQL baseline migrations to introduce last_used_at (TIMESTAMPTZ), request_count (INTEGER), and last_ip (TEXT) columns to the api_keys table.
• Throttled Usage Recording: Implemented an in-memory batching/throttling Map buffer in src/services/apiKeys.ts that flushes updates asynchronously to the database, ensuring zero performance impact on the authentication path.
• Org Usage Endpoint: Added and registered the GET /api/orgs/:orgId/api-keys/usage endpoint. Access is restricted to organization owners and admins, and secret keys/hashes are redacted from output.
• Deduplicated Auth Compatibility: Corrected requireOrgAccess to recognize legacy authUser?.userId so it runs seamlessly with the API keys user auth middleware.

2. Vault Destination Hardening (#882)

• Address Formatting: Hardened validation schemas to accept classic (G...) and muxed (M...) addresses, and reject contract (C...) addresses.
• Unsafe Addresses: Implemented checks to reject zero/burn (GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXXXXXXXXXXXXXXAAAAWHF) and all-ones (GD7777777777777777777777777777777777777777777777777773DB) public keys for success and failure destinations.
• Exchange Memos: Enforced that exchange destinations requiring a memo must use muxed (M...) addresses (classic addresses lacking memos are rejected).
• Soroban payload alignment: Normalized muxed addresses to classic formats inside the on-chain payload builder so contract invocation arguments conform to the on-chain Address specifications.

3. Baseline Bug Fixes

• Restored the deleted validateEnv configuration helper in src/config/env.ts.
• Imported the missing metricsRateLimiter middleware reference in src/app.ts.
• Added the missing getLatestListenerLag export in src/services/monitor.ts.

---

Verification

Automated Unit Tests

Created and ran new unit test suites:

1. API Keys Usage Analytics (src/tests/apiKeys.usageAnalytics.test.ts):
   • records API key usage successfully on authentication
   • GET /api/orgs/:orgId/api-keys/usage returns usage stats and restricts access
2. Vault Address & Memo Hardening (src/tests/vaultValidation.destination.test.ts):
   • accepts valid classic and muxed addresses
   • rejects contract addresses for verifier and destinations
   • rejects unsafe zero/burn and all-ones addresses for success/failure destinations
   • enforces memo via muxed address for exchange destinations requiring a memo

All tests passed successfully on the first run.
closes #855
closes #882

[drips-wave]

@midexol Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[1nonlypiece]

api key usage tracking plus vault hardening, both land cleanly