
fix: chatkit endpoint accepts unvalidated request body #172

@y4nder

Description

Summary

POST /chatkit accepts @Body() body: unknown with no validation DTO. The body is JSON-stringified and passed to the ChatKit service without any shape or content validation.

Affected Endpoint

Endpoint        Issue
POST /chatkit   @Body() body: unknown — no validation, no DTO

Source: chat-kit.controller.ts:19

Impact

  • No input validation: Arbitrary JSON payloads pass through unchecked. While the service treats it as a stringified blob, there's no guarantee on shape, size, or content.
  • No type safety: The controller and service lose all compile-time guarantees about what the body contains.
  • Contract ambiguity: Frontend developers have no documented or enforced contract for what to send.

Implementation Notes

  • Determine what fields the ChatKit SDK/service actually expects in the body (likely at minimum a message or prompt field, and possibly a threadId).
  • Create a ChatKitRequestDto with the expected fields and appropriate validators (@IsString(), @IsOptional(), @MaxLength(), etc.).
  • Replace @Body() body: unknown with @Body() body: ChatKitRequestDto.
  • If the ChatKit SDK has its own request type, the DTO can mirror its expected fields.

Acceptance Criteria

  • POST /chatkit uses a validated request DTO.
  • Payloads missing required fields return 400.
  • Malformed or oversized payloads are rejected at the controller boundary.
