
IAV-848/feat(instagram): Instagram Pro API token & webhook validation

salaheddine zidani requested to merge feature/IAV-848 into develop

Summary

This MR introduces a complete validation module for Instagram Professional API credentials. It covers two distinct concerns: token permission probing and Meta app webhook configuration verification.

Context

Before persisting an Instagram Pro API integration, the platform needs to confirm that the client's token holds the minimum required scopes and that their Meta app has a properly configured Instagram webhook. Meta does not expose a direct introspection endpoint for Instagram Professional API tokens, so permissions are inferred by probing lightweight Graph API endpoints mapped to each scope.

Changes

New files

| File | Role |
| --- | --- |
| InstagramProApiConfigProperties | Binds instagram.pro-api.* config — required permissions and expected webhook rules |
| InstagramProApiValidationService | Interface defining the two validation operations |
| InstagramProApiValidationServiceImpl | Core logic — endpoint probing + webhook subscription check |
| InstagramProApiValidationController | REST layer — sensitive params passed via request headers |
| TokenValidationResult | Record DTO with factory methods for token validation outcomes |
| WebhookValidationResult | Record DTO with factory methods for webhook validation outcomes |
| WebhookSubscription | Record DTO representing a Meta webhook subscription entry |
| PermissionDetail | Record DTO holding a permission name and its status |

Modified files

  • application.yml — added instagram.pro-api.* defaults for local profile; other config blocks moved to config server

Validation logic

Token permissions

  • Each required permission is mapped to a minimal read-only Graph API endpoint
  • A 2xx response confirms the permission; Meta codes 10/200 → denied; code 190 → hard abort
  • Non-conclusive errors (rate limit, 404, etc.) mark the permission as missing rather than denied

Webhook

  • Calls GET /{appId}/subscriptions with an app access token (appId|appSecret)
  • Checks: Instagram subscription exists, callback URL matches expected, all required fields are subscribed, subscription is active
  • Any auth/network failure returns notFound
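The decision rules above (token probing with confirm / denied / hard-abort / missing outcomes, and the webhook subscription checks) as a stand-alone Python illustration added here; it is not the MR's Java module. The scope-to-endpoint mapping, the probe callback, and the shape of the subscriptions payload are assumptions, and the sample responses are constructed.

```python
"""Decision rules for Instagram Pro API credential checks (added illustration)."""

# Meta Graph API error codes named in the MR description.
PERMISSION_DENIED_CODES = {10, 200}
INVALID_TOKEN_CODE = 190

# Assumed mapping: required scope -> lightweight read-only probe endpoint.
PROBE_ENDPOINTS = {
    "instagram_basic": "/me?fields=id,username",
    "instagram_manage_messages": "/me/conversations?limit=1",
}


class TokenInvalid(Exception):
    """Meta code 190: the token itself is bad, so probing stops immediately."""


def classify_probe(status, body):
    """Map one probe response to confirmed / denied / missing; raise on code 190."""
    if 200 <= status < 300:
        return "confirmed"
    code = (body.get("error") or {}).get("code")
    if code == INVALID_TOKEN_CODE:
        raise TokenInvalid()
    if code in PERMISSION_DENIED_CODES:
        return "denied"
    return "missing"  # rate limit, 404, etc.: not conclusive, so "missing"


def validate_token(probe, required):
    """probe(endpoint) -> (http_status, json_body); mirrors TokenValidationResult."""
    missing, denied = [], []
    for perm in required:
        try:
            outcome = classify_probe(*probe(PROBE_ENDPOINTS[perm]))
        except TokenInvalid:  # hard abort: no point probing the remaining scopes
            return {"valid": False, "missingPermissions": [],
                    "deniedPermissions": ["token_invalid_or_expired"]}
        (denied if outcome == "denied" else missing if outcome == "missing" else []).append(perm)
    return {"valid": not missing and not denied,
            "missingPermissions": missing, "deniedPermissions": denied}


def validate_webhook(subscriptions, expected_url, required_fields):
    """Check the 'data' list from GET /{appId}/subscriptions (assumed shape)."""
    ig = next((s for s in subscriptions if s.get("object") == "instagram"), None)
    if ig is None:
        return {"valid": False, "subscriptionFound": False, "callbackUrlMatch": False,
                "missingFields": sorted(required_fields), "active": False}
    subscribed = {f.get("name") for f in ig.get("fields", [])}
    missing_fields = sorted(set(required_fields) - subscribed)
    url_ok, active = ig.get("callback_url") == expected_url, bool(ig.get("active"))
    return {"valid": url_ok and not missing_fields and active, "subscriptionFound": True,
            "callbackUrlMatch": url_ok, "missingFields": missing_fields, "active": active}
```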

Security

  • Tokens, app IDs, and secrets are passed exclusively via request headers to avoid exposure in server logs or browser history
  • No credentials are stored or logged; access tokens are masked in log output

Testing checklist

  • Valid token with all permissions → valid: true
  • Token missing one permission → valid: false, permission in missingPermissions
  • Expired token (Meta code 190) → valid: false, deniedPermissions: [token_invalid_or_expired]
  • Valid webhook config → valid: true
  • Webhook with wrong callback URL → valid: false, callbackUrlMatch: false
  • Missing webhook subscription → valid: false, subscriptionFound: false
  • Wrong appId/appSecret (Meta code 190) → notFound

Related Issues

Closes IAV-1029
Closes IAV-1030

Edited by salaheddine zidani
