feat: block unknown subdomains via tenant check

backend/internal/api/handlers/tenant.go

@@ -40,3 +40,31 @@ func (h *TenantHandler) ListAll(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	json.NewEncoder(w).Encode(tenants)
 }
+
+// CheckExists returns 200 if tenant exists by subdomain, otherwise 404
+func (h *TenantHandler) CheckExists(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	subdomain := r.URL.Query().Get("subdomain")
+	if subdomain == "" {
+		http.Error(w, "subdomain is required", http.StatusBadRequest)
+		return
+	}
+
+	tenant, err := h.tenantService.GetBySubdomain(subdomain)
+	if err != nil {
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	if tenant == nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+}

backend/internal/service/tenant_service.go

@@ -79,6 +79,11 @@ func (s *TenantService) ListAll() ([]*domain.Tenant, error) {
 	return s.tenantRepo.FindAll()
 }
 
+// GetBySubdomain returns tenant by subdomain or nil
+func (s *TenantService) GetBySubdomain(subdomain string) (*domain.Tenant, error) {
+	return s.tenantRepo.FindBySubdomain(subdomain)
+}
+
 // Delete removes a tenant by ID
 func (s *TenantService) Delete(id uuid.UUID) error {
 	if err := s.tenantRepo.Delete(id); err != nil {