fix(apigatewayv2): fix route priority, proxy errors, CORS, and dispatch

[vieiralucas]

Summary

• De-prioritize ANY routes vs exact-method routes for same path
• Deterministic stage resolution (sort by API ID) when multiple APIs share a stage name
• Return 502 on malformed Lambda proxy response instead of silently defaulting to 200
• Return 502 on invalid base64 body instead of silently falling back to raw bytes
• Reject duplicate stage names in CreateStage with ConflictException
• Require /v2/apis/* for management API dispatch (not just /v2/*)
• Replace all .parse().unwrap() in CORS with safe fallbacks
• Reflect matching Origin header in CORS preflight responses
• Clamp negative timeout in HTTP proxy

Addresses unresolved Cubic findings from PRs #252, #253, #254, #255, #256.

Test plan

• cargo clippy -p fakecloud-apigatewayv2 -- -D warnings passes
• All 17 unit tests pass (1 new: test_exact_method_over_any)

---

Summary by cubic

Fixes API Gateway v2 routing, CORS, and proxy error handling to prevent silent defaults and panics. Stage resolution is now deterministic and management API dispatch is stricter.

• Bug Fixes

  • Routing: exact-method routes outrank ANY for the same path.
  • Stage resolution: when multiple APIs share a stage name, pick deterministically by sorting API IDs.
  • Dispatch: require /v2/apis/* for management API (no longer any /v2/*).
  • CreateStage: reject duplicate stage names with ConflictException.
  • Lambda proxy: return 502 for invalid statusCode or invalid base64 body (no fallback to 200/raw bytes).
  • CORS preflight: reflect the matching Origin header; replace unsafe header parsing to avoid panics.
  • HTTP proxy: clamp negative timeout before casting.

• Refactors

  • Extracted request recording into a helper to ensure requests (including failures) are logged.

^{Written for commit 69e37d4. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 5 files