feat: add strict env config validation to access-api

[retkatmun]

• Add config.ts with loadConfig() that validates DATABASE_URL, REDIS_URL, PORT (range), CHAIN_ID, and MEMBERSHIP_NFT_ADDRESS (EVM regex) at startup
• Server refuses to boot with missing or malformed config values
• index.ts and prisma.ts use typed config object instead of process.env
• Add jest.config.js and config.test.ts with 9 cases (valid, missing, malformed)
• Update .env.example with documented required/optional variables
• Update README Environment section

Closes #19

Description

Linked Issue

Closes #

Type of Change

• 🐛 Bug fix (API or policy engine)
• ✨ New feature / endpoint
• 📝 Documentation / OpenAPI spec update
• 🔧 Chore / refactor / dependency update
• 🧪 Tests only
• ⛓️ Smart contract change (requires extra review)

Changes Made

Test Evidence

npm run test output:

Smart Contract Checklist (complete if ⛓️ checked above)

• All new functions have NatSpec documentation
• All state-changing functions emit events
• forge test passes with no failures
• forge fmt applied
• No deployment to a live network included in this PR

General Checklist

• I have read CONTRIBUTING.md
• This PR is linked to an open issue
• npm run typecheck passes
• npm run lint passes
• npm run test passes — all tests green
• Prisma schema changes include a migration file
• New API endpoints are documented in OpenAPI (via Fastify schema)
• No secrets, keys, or wallet addresses introduced
• .env.example updated if new env variables were added
• Documentation updated if new behaviour was introduced

Screenshots / Recordings

Additional Notes

[Dwifax]

Hi — I'm Dwifax. Already applied to #7 (config validation) but #29 is the access-api side of the same problem, which I want to address together.

Plan (2 days):

1. New apps/access-api/src/config/env.ts exporting a loadEnv() that parses process.env with zod schema: DATABASE_URL (postgres://), REDIS_URL, PORT (1-65535), LOG_LEVEL (enum), JWT_SECRET (min 32 chars), plus all the MEMBERSHIP / POLICY / CHAIN vars with format checks.
2. loadEnv() called once at app boot in server.ts — boot fails fast with descriptive error on missing/invalid.
3. Replaces every process.env.X ?? 'default' in server.ts and route handlers with env.X.
4. Vitest tests for: missing required var, malformed URL, JWT_SECRET too short, LOG_LEVEL invalid.
5. .env.example annotated with format requirements per var.

Same pattern as the #7 PR — both land cleanly because they validate at the boundary instead of spreading string-handling across the call graph. Available now, PR within 48h.

[Lakes41]

Do resolve conflicts