refactor-registry-low-priority-1: Add Zod validation for Clerk API responses

[shwetank-dev]

Summary

The auth plugin (src/plugins/auth.ts) trusts Clerk's API response without runtime validation. Fields are extracted via TypeScript as casts, which provide no runtime safety.

If Clerk changes their API shape, we get silent undefined propagation instead of a clear error.

Proposed changes

• Define a Zod schema for the Clerk user fields we use (emailAddresses, externalAccounts, publicMetadata, etc.)
• Parse the clerkClient.users.getUser() response through it
• Remove unsafe as unknown as Record<string, unknown> casts
• Applies to both apps/registry/src/plugins/auth.ts and apps/registryDemo/src/plugins/auth.ts

Rationale

Best practice: validate at system boundaries. Clerk is an external service — its responses are untrusted input.

🤖 Generated with Claude Code

[shwetank-dev]

Additional refactor: Global BigInt serialization

The registry uses JSON.stringify as the reply serializer, which throws on BigInt values. Currently every route handler manually wraps BigInt fields in Number() before returning — there are 22 instances across route files.

A global replacer in setReplySerializer would eliminate all manual conversions:

fastify.setReplySerializer((payload) =>
  JSON.stringify(payload, (_, v) => typeof v === 'bigint' ? Number(v) : v)
);

Number() is safe here — max file size is 50MB (~52M bytes) and download counts won't approach Number.MAX_SAFE_INTEGER (9 quadrillion).

🤖 Generated with Claude Code