fix(server): harden RPC $transaction handler correctness

[Copilot]

Several correctness issues in the handleTransaction RPC handler surfaced in review.

Changes:

• Transaction type validation — pass the URL path segment (e.g. sequential) into handleTransaction and return 400 for any unrecognised type, preventing silent acceptance of typo'd routes like /$transaction/foobar
• SuperJSON deserialization — run each operation's args through processRequestPayload before invoking the ORM, so BigInt/Date/Bytes fields encoded with meta.serialization are correctly deserialized (same pipeline as regular RPC operations)
• Promise construction inside try — build the promise array inside the try block so that a missing/undefined model operation (e.g. invalid op name) throws into the error handler rather than crashing unguarded; additionally tighten the args validation to reject arrays
• VALID_OPS hoisted to module scope — replaced the hardcoded per-call Set with new Set(CoreCrudOperations) at module level to avoid redundancy and stay in sync with the canonical operation list
• Test cleanup — moved deleteMany cleanup into beforeEach/afterEach within the describe('transaction') block to eliminate repeated inline teardown

Example — before (args bypass deserialization):

// Date was passed raw; ORM may receive a string instead of a Date
const promises = requestBody.map(item => client[model][op](item.args ?? {}));

After:

const { result: processedArgs } = await this.processRequestPayload(itemArgs ?? {});
processedOps.push({ model, op, args: processedArgs });
// …inside try:
const promises = processedOps.map(({ model, op, args }) => client[model][op](args));

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.