
fix: validate parsed.method in ws-handler before use #569

Merged
realfishsam merged 1 commit into main from fix/559-ws-handler-cast
May 24, 2026

@realfishsam

Contributor

Fixes #559

@realfishsam

Contributor Author

PR Review: VERIFIED

What This Does

Validates parsed.method from WebSocket messages before use, promoting it from an unvalidated parsed.method as string cast to a guarded extraction with an early-return error. Previously a client could omit method and the value undefined would be silently cast to string, propagating through subscribe/unsubscribe handlers.

Blast Radius

  • Core server only (core/src/server/ws-handler.ts)
  • Affects all WebSocket subscribe/unsubscribe message handling
  • No exchange/SDK/OpenAPI impact

Findings

  1. The method field is already required in both SubscribeMessage and UnsubscribeMessage interfaces (lines 12-27), so validating it at the parsing boundary is correct and consistent with the type contract.
  2. The guard !method correctly catches both undefined (missing field) and "" (empty string). The error message is updated to list all four required fields.
  3. After the guard, method is a narrowed string, so the downstream assignments (method: method) no longer need as string casts. Clean.
  4. The extraction pattern (const method = parsed.method as string | undefined) is consistent with how id, action, and exchange are extracted on lines 254-256.

PMXT Pipeline Check

  • Field propagation: N/A
  • OpenAPI sync: N/A
  • Type safety: OK -- eliminates unsafe cast, adds runtime validation

Semver Impact

patch -- adds input validation to WebSocket handler. Clients that were omitting method were already getting undefined behavior; now they get a clear error.

Risk

None. The only behavioral change is that malformed messages missing method now get an explicit error instead of silently failing downstream.

@realfishsam realfishsam merged commit 941abfb into main May 24, 2026
10 of 11 checks passed
@realfishsam realfishsam deleted the fix/559-ws-handler-cast branch May 24, 2026 17:04
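The boundary check discussed in this review, as an added TypeScript example that is not the project's code. The field names come from the PR text; the type names, function names and the action strings are assumptions, and the check goes one step beyond a truthiness guard by also rejecting non-string values.

```typescript
// Added example, not the project's code. Field names follow the PR text; the
// type names, function names and action strings are assumptions.
interface ClientMessage {
  id: string;
  action: "subscribe" | "unsubscribe";
  exchange: string;
  method: string;
}
type ParseResult =
  | { ok: true; message: ClientMessage }
  | { ok: false; error: string };

// Cast only: `as string` is erased at compile time, so a missing field
// reaches the caller as undefined while the type system claims string.
function castOnlyMethod(raw: string): string {
  return (JSON.parse(raw) as { method?: unknown }).method as string;
}

// Runtime check: stricter than a truthiness test, which would accept 123 or {}.
function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0;
}

function parseClientMessage(raw: string): ParseResult {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { ok: false, error: "invalid JSON" };
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ok: false, error: "message must be a JSON object" };
  }
  const { id, action, exchange, method } = parsed as Record<string, unknown>;
  if (!isNonEmptyString(id) || !isNonEmptyString(action) ||
      !isNonEmptyString(exchange) || !isNonEmptyString(method)) {
    return { ok: false, error: "id, action, exchange and method must be non-empty strings" };
  }
  if (action !== "subscribe" && action !== "unsubscribe") {
    return { ok: false, error: "unknown action" };
  }
  // All four values are narrowed here; no casts are needed below this point.
  return { ok: true, message: { id, action, exchange, method } };
}
```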

Development

Successfully merging this pull request may close these issues.

[non-null] server/ws-handler.ts: parsed.method cast to string without validation