Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Trey t
2026-03-02 09:48:01 -06:00
parent 56d6fa4514
commit 7690f07a2b
123 changed files with 8321 additions and 750 deletions


@@ -369,17 +369,13 @@ func migrateGoAdmin() error {
}
db.Exec(`CREATE INDEX IF NOT EXISTS idx_goadmin_site_key ON goadmin_site(key)`)
// Seed default admin user (password: admin - bcrypt hash)
// Seed default admin user only on first run (ON CONFLICT DO NOTHING).
// Password is NOT reset on subsequent migrations to preserve operator changes.
db.Exec(`
INSERT INTO goadmin_users (username, password, name, avatar)
VALUES ('admin', '$2a$10$t.GCU24EqIWLSl7F51Hdz.IkkgFK.Qa9/BzEc5Bi2C/I2bXf1nJgm', 'Administrator', '')
ON CONFLICT DO NOTHING
`)
// Update existing admin password if it exists with wrong hash
db.Exec(`
UPDATE goadmin_users SET password = '$2a$10$t.GCU24EqIWLSl7F51Hdz.IkkgFK.Qa9/BzEc5Bi2C/I2bXf1nJgm'
WHERE username = 'admin'
`)
// Seed default roles
db.Exec(`INSERT INTO goadmin_roles (name, slug) VALUES ('Administrator', 'administrator') ON CONFLICT DO NOTHING`)
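Review bot: The seed at the new `db.Exec(\`INSERT INTO goadmin_users …\`)` still installs the same bcrypt hash the removed comment identified as the password `admin`, and nothing tells the operator this happened: the result of `db.Exec` is discarded, so a failed insert is silent and a successful first-run seed of a well-known credential leaves no trace in the log. Since the commit already adds a warning for the default SECRET_KEY, the same treatment fits here — check the result, return on error (the enclosing `migrateGoAdmin` returns `error`, per the hunk header), and warn when a row was actually inserted. The sketch below assumes the GORM-style `*gorm.DB` return that `db.Raw(...).Scan(...)` elsewhere in this file suggests; confirm the `Error`/`RowsAffected` fields against the actual `db` type. The enclosing function starts and ends outside this hunk.
```go
// Seed default admin user only on first run (ON CONFLICT DO NOTHING).
// Password is NOT reset on subsequent migrations to preserve operator changes.
res := db.Exec(`
    INSERT INTO goadmin_users (username, password, name, avatar)
    VALUES ('admin', '$2a$10$t.GCU24EqIWLSl7F51Hdz.IkkgFK.Qa9/BzEc5Bi2C/I2bXf1nJgm', 'Administrator', '')
    ON CONFLICT DO NOTHING
`)
if res.Error != nil {
    return res.Error
}
if res.RowsAffected > 0 {
    // The seeded hash is the publicly known bcrypt of "admin"; make sure the operator sees it.
    log.Warn().Msg("Seeded GoAdmin 'admin' user with a well-known default password; change it before exposing the admin UI")
}
// … unchanged: default role seeding …
```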
@@ -443,8 +439,8 @@ func migrateGoAdmin() error {
log.Info().Msg("GoAdmin migrations completed")
// Seed default Next.js admin user (email: admin@mycrib.com, password: admin123)
// bcrypt hash for "admin123": $2a$10$t5hGjdXQLxr9Z0193qx.Tef6hd1vYI3JvrfX/piKx2qS9UvQ41I9O
// Seed default Next.js admin user only on first run.
// Password is NOT reset on subsequent migrations to preserve operator changes.
var adminCount int64
db.Raw(`SELECT COUNT(*) FROM admin_users WHERE email = 'admin@mycrib.com'`).Scan(&adminCount)
if adminCount == 0 {
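Review bot: The first-run check `db.Raw(\`SELECT COUNT(*) …\`).Scan(&adminCount)` ignores the query's error, so any failure (connection drop, missing table, permission problem) leaves `adminCount` at its zero value and the code falls into the seed branch as if no admin existed. Because the whole point of this change is to stop touching the admin row after first run, the gate deciding "first run" should fail closed rather than default to seeding. Assuming the GORM-style return the call chain suggests, `if err := db.Raw(\`SELECT COUNT(*) FROM admin_users WHERE email = 'admin@mycrib.com'\`).Scan(&adminCount).Error; err != nil { return err }` is enough, since `migrateGoAdmin` already returns `error`. The `if adminCount == 0 {` body continues in the next hunk.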
@@ -453,14 +449,7 @@ func migrateGoAdmin() error {
INSERT INTO admin_users (email, password, first_name, last_name, role, is_active, created_at, updated_at)
VALUES ('admin@mycrib.com', '$2a$10$t5hGjdXQLxr9Z0193qx.Tef6hd1vYI3JvrfX/piKx2qS9UvQ41I9O', 'Admin', 'User', 'super_admin', true, NOW(), NOW())
`)
log.Info().Msg("Default admin user created: admin@mycrib.com / admin123")
} else {
// Update existing admin password if needed
db.Exec(`
UPDATE admin_users SET password = '$2a$10$t5hGjdXQLxr9Z0193qx.Tef6hd1vYI3JvrfX/piKx2qS9UvQ41I9O'
WHERE email = 'admin@mycrib.com'
`)
log.Info().Msg("Updated admin@mycrib.com password to admin123")
log.Info().Msg("Default admin user created: admin@mycrib.com")
}
return nil