Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/dto/requests/contractor.go

@@ -8,13 +8,13 @@ type CreateContractorRequest struct {
 	Phone         string   `json:"phone" validate:"max=20"`
 	Email         string   `json:"email" validate:"omitempty,email,max=254"`
 	Website       string   `json:"website" validate:"max=200"`
-	Notes         string   `json:"notes"`
+	Notes         string   `json:"notes" validate:"max=10000"`
 	StreetAddress string   `json:"street_address" validate:"max=255"`
 	City          string   `json:"city" validate:"max=100"`
 	StateProvince string   `json:"state_province" validate:"max=100"`
 	PostalCode    string   `json:"postal_code" validate:"max=20"`
-	SpecialtyIDs  []uint   `json:"specialty_ids"`
-	Rating        *float64 `json:"rating"`
+	SpecialtyIDs  []uint   `json:"specialty_ids" validate:"omitempty,max=20"`
+	Rating        *float64 `json:"rating" validate:"omitempty,min=0,max=5"`
 	IsFavorite    *bool    `json:"is_favorite"`
 }
 
@@ -25,13 +25,13 @@ type UpdateContractorRequest struct {
 	Phone         *string  `json:"phone" validate:"omitempty,max=20"`
 	Email         *string  `json:"email" validate:"omitempty,email,max=254"`
 	Website       *string  `json:"website" validate:"omitempty,max=200"`
-	Notes         *string  `json:"notes"`
+	Notes         *string  `json:"notes" validate:"omitempty,max=10000"`
 	StreetAddress *string  `json:"street_address" validate:"omitempty,max=255"`
 	City          *string  `json:"city" validate:"omitempty,max=100"`
 	StateProvince *string  `json:"state_province" validate:"omitempty,max=100"`
 	PostalCode    *string  `json:"postal_code" validate:"omitempty,max=20"`
-	SpecialtyIDs  []uint   `json:"specialty_ids"`
-	Rating        *float64 `json:"rating"`
+	SpecialtyIDs  []uint   `json:"specialty_ids" validate:"omitempty,max=20"`
+	Rating        *float64 `json:"rating" validate:"omitempty,min=0,max=5"`
 	IsFavorite    *bool    `json:"is_favorite"`
 	ResidenceID    *uint    `json:"residence_id"`
 }

internal/dto/requests/document.go

@@ -12,11 +12,11 @@ import (
 type CreateDocumentRequest struct {
 	ResidenceID   uint                 `json:"residence_id" validate:"required"`
 	Title         string               `json:"title" validate:"required,min=1,max=200"`
-	Description   string               `json:"description"`
-	DocumentType  models.DocumentType  `json:"document_type"`
+	Description   string               `json:"description" validate:"max=10000"`
+	DocumentType  models.DocumentType  `json:"document_type" validate:"omitempty,oneof=general warranty receipt contract insurance manual"`
 	FileURL       string               `json:"file_url" validate:"max=500"`
 	FileName      string               `json:"file_name" validate:"max=255"`
-	FileSize      *int64               `json:"file_size"`
+	FileSize      *int64               `json:"file_size" validate:"omitempty,min=0"`
 	MimeType      string               `json:"mime_type" validate:"max=100"`
 	PurchaseDate  *time.Time           `json:"purchase_date"`
 	ExpiryDate    *time.Time           `json:"expiry_date"`
@@ -25,17 +25,17 @@ type CreateDocumentRequest struct {
 	SerialNumber  string               `json:"serial_number" validate:"max=100"`
 	ModelNumber   string               `json:"model_number" validate:"max=100"`
 	TaskID        *uint                `json:"task_id"`
-	ImageURLs     []string             `json:"image_urls"` // Multiple image URLs
+	ImageURLs     []string             `json:"image_urls" validate:"omitempty,max=20,dive,max=500"` // Multiple image URLs
 }
 
 // UpdateDocumentRequest represents the request to update a document
 type UpdateDocumentRequest struct {
 	Title         *string              `json:"title" validate:"omitempty,min=1,max=200"`
-	Description   *string              `json:"description"`
-	DocumentType  *models.DocumentType `json:"document_type"`
+	Description   *string              `json:"description" validate:"omitempty,max=10000"`
+	DocumentType  *models.DocumentType `json:"document_type" validate:"omitempty,oneof=general warranty receipt contract insurance manual"`
 	FileURL       *string              `json:"file_url" validate:"omitempty,max=500"`
 	FileName      *string              `json:"file_name" validate:"omitempty,max=255"`
-	FileSize      *int64               `json:"file_size"`
+	FileSize      *int64               `json:"file_size" validate:"omitempty,min=0"`
 	MimeType      *string              `json:"mime_type" validate:"omitempty,max=100"`
 	PurchaseDate  *time.Time           `json:"purchase_date"`
 	ExpiryDate    *time.Time           `json:"expiry_date"`

internal/dto/requests/residence.go

@@ -16,12 +16,12 @@ type CreateResidenceRequest struct {
 	StateProvince  string           `json:"state_province" validate:"max=100"`
 	PostalCode     string           `json:"postal_code" validate:"max=20"`
 	Country        string           `json:"country" validate:"max=100"`
-	Bedrooms       *int             `json:"bedrooms"`
+	Bedrooms       *int             `json:"bedrooms" validate:"omitempty,min=0"`
 	Bathrooms      *decimal.Decimal `json:"bathrooms"`
-	SquareFootage  *int             `json:"square_footage"`
+	SquareFootage  *int             `json:"square_footage" validate:"omitempty,min=0"`
 	LotSize        *decimal.Decimal `json:"lot_size"`
 	YearBuilt      *int             `json:"year_built"`
-	Description    string           `json:"description"`
+	Description    string           `json:"description" validate:"max=10000"`
 	PurchaseDate   *time.Time       `json:"purchase_date"`
 	PurchasePrice  *decimal.Decimal `json:"purchase_price"`
 	IsPrimary      *bool            `json:"is_primary"`
@@ -37,12 +37,12 @@ type UpdateResidenceRequest struct {
 	StateProvince  *string          `json:"state_province" validate:"omitempty,max=100"`
 	PostalCode     *string          `json:"postal_code" validate:"omitempty,max=20"`
 	Country        *string          `json:"country" validate:"omitempty,max=100"`
-	Bedrooms       *int             `json:"bedrooms"`
+	Bedrooms       *int             `json:"bedrooms" validate:"omitempty,min=0"`
 	Bathrooms      *decimal.Decimal `json:"bathrooms"`
-	SquareFootage  *int             `json:"square_footage"`
+	SquareFootage  *int             `json:"square_footage" validate:"omitempty,min=0"`
 	LotSize        *decimal.Decimal `json:"lot_size"`
 	YearBuilt      *int             `json:"year_built"`
-	Description    *string          `json:"description"`
+	Description    *string          `json:"description" validate:"omitempty,max=10000"`
 	PurchaseDate   *time.Time       `json:"purchase_date"`
 	PurchasePrice  *decimal.Decimal `json:"purchase_price"`
 	IsPrimary      *bool            `json:"is_primary"`
@@ -55,5 +55,5 @@ type JoinWithCodeRequest struct {
 
 // GenerateShareCodeRequest represents the request to generate a share code
 type GenerateShareCodeRequest struct {
-	ExpiresInHours int `json:"expires_in_hours"` // Default: 24 hours
+	ExpiresInHours int `json:"expires_in_hours" validate:"omitempty,min=1"` // Default: 24 hours
 }

internal/dto/requests/task.go

@@ -56,11 +56,11 @@ func (fd *FlexibleDate) ToTimePtr() *time.Time {
 type CreateTaskRequest struct {
 	ResidenceID        uint             `json:"residence_id" validate:"required"`
 	Title              string           `json:"title" validate:"required,min=1,max=200"`
-	Description        string           `json:"description"`
+	Description        string           `json:"description" validate:"max=10000"`
 	CategoryID         *uint            `json:"category_id"`
 	PriorityID         *uint            `json:"priority_id"`
 	FrequencyID        *uint            `json:"frequency_id"`
-	CustomIntervalDays *int             `json:"custom_interval_days"` // For "Custom" frequency, user-specified days
+	CustomIntervalDays *int             `json:"custom_interval_days" validate:"omitempty,min=1"` // For "Custom" frequency, user-specified days
 	InProgress         bool             `json:"in_progress"`
 	AssignedToID       *uint            `json:"assigned_to_id"`
 	DueDate            *FlexibleDate    `json:"due_date"`
@@ -75,7 +75,7 @@ type UpdateTaskRequest struct {
 	CategoryID         *uint            `json:"category_id"`
 	PriorityID         *uint            `json:"priority_id"`
 	FrequencyID        *uint            `json:"frequency_id"`
-	CustomIntervalDays *int             `json:"custom_interval_days"` // For "Custom" frequency, user-specified days
+	CustomIntervalDays *int             `json:"custom_interval_days" validate:"omitempty,min=1"` // For "Custom" frequency, user-specified days
 	InProgress         *bool            `json:"in_progress"`
 	AssignedToID       *uint            `json:"assigned_to_id"`
 	DueDate            *FlexibleDate    `json:"due_date"`
@@ -88,18 +88,18 @@ type UpdateTaskRequest struct {
 type CreateTaskCompletionRequest struct {
 	TaskID      uint             `json:"task_id" validate:"required"`
 	CompletedAt *time.Time       `json:"completed_at"` // Defaults to now
-	Notes       string           `json:"notes"`
+	Notes       string           `json:"notes" validate:"max=10000"`
 	ActualCost  *decimal.Decimal `json:"actual_cost"`
-	Rating      *int             `json:"rating"` // 1-5 star rating
-	ImageURLs   []string         `json:"image_urls"` // Multiple image URLs
+	Rating      *int             `json:"rating" validate:"omitempty,min=1,max=5"` // 1-5 star rating
+	ImageURLs   []string         `json:"image_urls" validate:"omitempty,max=20,dive,max=500"` // Multiple image URLs
 }
 
 // UpdateTaskCompletionRequest represents the request to update a task completion
 type UpdateTaskCompletionRequest struct {
-	Notes      *string          `json:"notes"`
+	Notes      *string          `json:"notes" validate:"omitempty,max=10000"`
 	ActualCost *decimal.Decimal `json:"actual_cost"`
-	Rating     *int             `json:"rating"`
-	ImageURLs  []string         `json:"image_urls"`
+	Rating     *int             `json:"rating" validate:"omitempty,min=1,max=5"`
+	ImageURLs  []string         `json:"image_urls" validate:"omitempty,max=20,dive,max=500"`
 }
 
 // CompletionImageInput represents an image to add to a completion