feat(passkeys): Add passkey manager functions

Because:
- The passkey routes needs to enforce business rules before touching the database

This commit:
- Implements PasskeyManager with the full passkey lifecycle: register, post-auth update, list, rename, delete, and bulk delete
- Adds name validation (empty/whitespace/too long) with PasskeyInvalidNameError (errno 229)
- Tightens updatePasskeyName to match on both uid and credentialId, preventing cross-user renames
- Guards maxPasskeysPerUser config with @min(1) to prevent accidentally disabling registration
- Adds unit and integration tests for the manager

Closes #FXA-13064

Author: vpomerleau

libs/accounts/passkey/src/lib/passkey.config.ts

@@ -6,9 +6,11 @@ import {
   IsArray,
   IsBoolean,
   IsIn,
+  IsNotEmpty,
   IsNumber,
   IsOptional,
   IsString,
+  Min,
 } from 'class-validator';
 import type {
   AuthenticatorAttachment,
@@ -19,13 +21,15 @@ import type {
 /**
  * Configuration for passkey (WebAuthn) functionality.
  *
- * This configuration is loaded from Convict in auth-server's config/index.ts
- * and passed to PasskeyService constructor.
+ * Class-validator decorators enforce constraints at load time. A dedicated
+ * config provider is responsible for loading this from Convict and registering
+ * it with the NestJS DI container.
  */
 export class PasskeyConfig {
   /**
    * Feature flag to enable/disable passkey functionality.
    */
+  @IsOptional()
   @IsBoolean()
   public enabled?: boolean;
 
@@ -34,13 +38,15 @@ export class PasskeyConfig {
    * @example 'accounts.firefox.com'
    */
   @IsString()
+  @IsNotEmpty()
   public rpId!: string;
 
   /**
    * WebAuthn Relying Party display name.
    * @example 'Mozilla Accounts'
    */
   @IsString()
+  @IsNotEmpty()
   public rpName!: string;
 
   /**
@@ -53,15 +59,21 @@ export class PasskeyConfig {
 
   /**
    * Maximum number of passkeys a user can register.
+   * Must be at least 1; a value of 0 would silently disable registration.
    */
+  @IsOptional()
   @IsNumber()
+  @Min(1)
   public maxPasskeysPerUser?: number;
 
   /**
    * Challenge expiration timeout in milliseconds.
+   * Consumed by ChallengeManager (not yet implemented).
    * @example 300000 (5 minutes)
    */
+  @IsOptional()
   @IsNumber()
+  @Min(1)
   public challengeTimeout?: number;
 
   /**

libs/accounts/passkey/src/lib/passkey.errors.ts

@@ -24,7 +24,7 @@ export class PasskeyError extends BaseError {
   /** WebAuthn credential ID (when applicable) */
   readonly credentialId?: string;
   /** Additional structured context */
-  readonly context: Record<string, any>;
+  readonly context: Record<string, unknown>;
 
   /**
    * Creates a PasskeyError.
@@ -42,7 +42,7 @@ export class PasskeyError extends BaseError {
     message: string,
     info: { errno?: number; uid?: string; credentialId?: string } & Record<
       string,
-      any
+      unknown
     >,
     cause?: Error
   ) {