Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

deploy/secrets/README.md

@@ -0,0 +1,11 @@
+# Secrets Directory
+
+Create these files (copy from `.example` files):
+
+- `deploy/secrets/postgres_password.txt`
+- `deploy/secrets/secret_key.txt`
+- `deploy/secrets/email_host_password.txt`
+- `deploy/secrets/fcm_server_key.txt`
+- `deploy/secrets/apns_auth_key.p8`
+
+These are consumed by `./.deploy_prod` and converted into Docker Swarm secrets.

deploy/secrets/apns_auth_key.p8.example

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+CHANGEME_APNS_PRIVATE_KEY
+-----END PRIVATE KEY-----

deploy/secrets/email_host_password.txt.example

@@ -0,0 +1 @@
+CHANGEME_SMTP_PASSWORD

deploy/secrets/fcm_server_key.txt.example

@@ -0,0 +1 @@
+CHANGEME_FCM_SERVER_KEY

deploy/secrets/postgres_password.txt.example

@@ -0,0 +1 @@
+CHANGEME_DATABASE_PASSWORD

deploy/secrets/secret_key.txt.example

@@ -0,0 +1 @@
+CHANGEME_SECRET_KEY_MIN_32_CHARS