feat: block unknown subdomains via tenant check

backend/internal/api/handlers/tenant.go

@@ -40,3 +40,31 @@ func (h *TenantHandler) ListAll(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	json.NewEncoder(w).Encode(tenants)
 }
+
+// CheckExists returns 200 if tenant exists by subdomain, otherwise 404
+func (h *TenantHandler) CheckExists(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	subdomain := r.URL.Query().Get("subdomain")
+	if subdomain == "" {
+		http.Error(w, "subdomain is required", http.StatusBadRequest)
+		return
+	}
+
+	tenant, err := h.tenantService.GetBySubdomain(subdomain)
+	if err != nil {
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	if tenant == nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+}