Add input validation to REST API request DTOs #203

Open
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1777649802-add-dto-validation

@devin-ai-integration devin-ai-integration Bot commented May 1, 2026

Summary

Adds Bean Validation (JSR 380) annotations to all REST API request DTOs across the FTGO monolith. This ensures that invalid requests are rejected early at the controller layer with structured error responses, rather than propagating bad data into the service/domain layer.

Changes by module

ftgo-common (shared value objects):

  • PersonName: @NotBlank on firstName, lastName
  • Address: @NotBlank on street1, city, state, zip

ftgo-order-service-api:

  • CreateOrderRequest: @Positive on consumerId/restaurantId, @NotNull @NotEmpty @Valid on lineItems
  • CreateOrderRequest.LineItem: @NotBlank on menuItemId, @Positive on quantity
  • ReviseOrderRequest: @NotNull @NotEmpty on revisedLineItemQuantities
  • OrderAcceptance: @NotNull on readyBy

ftgo-consumer-service-api:

  • CreateConsumerRequest: @NotNull @Valid on name

ftgo-restaurant-service-api:

  • CreateRestaurantRequest: @NotBlank on name, @NotNull @Valid on menu/address
  • RestaurantMenuDTO: @NotNull @NotEmpty @Valid on menuItems
  • MenuItemDTO: @NotBlank on id/name, @NotNull on price

ftgo-courier-service-api:

  • CreateCourierRequest: @NotNull @Valid on name/address

Controllers (all 4 services):

  • Added @Valid before @RequestBody on all POST endpoints that accept request DTOs

GlobalExceptionHandler:

  • Added MethodArgumentNotValidException handler returning 400 with field-level error details

No new dependencies required — hibernate-validator is already transitively available via spring-boot-starter-web (Spring Boot 2.0.3).

Review & Testing Checklist for Human

  • Verify that sending a valid request to each POST endpoint still works as before (no regression)
  • Send a request with missing required fields (e.g. POST /orders with empty lineItems) and confirm a 400 response with field-level error messages
  • Send a request with invalid nested objects (e.g. blank firstName in PersonName) and confirm cascading validation works
  • Check that the 400 error response format from MethodArgumentNotValidException matches expectations for any API clients

Notes

  • The pre-existing test failures in OrderControllerTest are a Mockito compatibility issue unrelated to this change (verified by running tests on the base branch).
  • CourierAvailability and CourierLocationUpdate were not annotated as their primitive fields (boolean, double) have sensible defaults and don't benefit from null/blank checks.

Link to Devin session: https://app.devin.ai/sessions/7f478653ae6641cab0f3e2c8aeeefb07
Requested by: @WesternConcrete
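
The cascading check in the testing list above, as an added example that is not code from this PR: the same bad line item is validated once through a list carrying @Valid and once through a list without it. Field types, the `CascadeDemo` and `UncascadedRequest` names and the sample values are assumptions; it expects the project's existing classpath (hibernate-validator via spring-boot-starter-web).

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.validation.ConstraintViolation;
import javax.validation.Valid;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotEmpty;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Positive;

// Constructed stand-ins for the PR's DTOs; field types are assumptions.
public class CascadeDemo {
  static final Validator VALIDATOR =
      Validation.buildDefaultValidatorFactory().getValidator();

  static class LineItem {
    @NotBlank String menuItemId;
    @Positive int quantity;
    LineItem(String menuItemId, int quantity) {
      this.menuItemId = menuItemId;
      this.quantity = quantity;
    }
  }

  static class CreateOrderRequest {
    @Positive long consumerId;
    @Positive long restaurantId;
    // @Valid makes the validator descend into every list element.
    @NotNull @NotEmpty @Valid List<LineItem> lineItems;
  }

  // Hypothetical variant: without @Valid only the list itself is checked.
  static class UncascadedRequest {
    @NotNull @NotEmpty List<LineItem> lineItems;
  }

  // Property path -> message, the field-level detail a 400 body can carry.
  static Map<String, String> errors(Object dto) {
    Map<String, String> out = new TreeMap<>();
    for (ConstraintViolation<Object> cv : VALIDATOR.validate(dto)) {
      out.put(cv.getPropertyPath().toString(), cv.getMessage());
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed bad input: blank menuItemId, non-positive quantity.
    List<LineItem> items = Arrays.asList(new LineItem(" ", 0));
    CreateOrderRequest cascaded = new CreateOrderRequest();
    cascaded.consumerId = 1;
    cascaded.restaurantId = 0;
    cascaded.lineItems = items;
    UncascadedRequest flat = new UncascadedRequest();
    flat.lineItems = items;
    System.out.println("with @Valid:    " + errors(cascaded));
    System.out.println("without @Valid: " + errors(flat));
  }
}
```

The second map shows what a missing @Valid on a nested field costs: the element constraints are declared but never evaluated, so a reviewer should check every nested DTO field for it.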



- Add @NotNull, @NotBlank, @NotEmpty, @Positive, @Valid constraints
  to all request DTOs across order, consumer, restaurant, and courier
  service API modules
- Add cascading @Valid on nested objects (PersonName, Address,
  RestaurantMenuDTO, MenuItemDTO, LineItem)
- Add @Valid before @RequestBody in all controller methods that
  accept request DTOs
- Add MethodArgumentNotValidException handler in GlobalExceptionHandler
  to return structured 400 responses with field-level error details

Co-Authored-By: Wes Convery <2wconvery@gmail.com>

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.
