Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/dto/requests/document.go

@@ -12,11 +12,11 @@ import (
 type CreateDocumentRequest struct {
 	ResidenceID   uint                 `json:"residence_id" validate:"required"`
 	Title         string               `json:"title" validate:"required,min=1,max=200"`
-	Description   string               `json:"description"`
-	DocumentType  models.DocumentType  `json:"document_type"`
+	Description   string               `json:"description" validate:"max=10000"`
+	DocumentType  models.DocumentType  `json:"document_type" validate:"omitempty,oneof=general warranty receipt contract insurance manual"`
 	FileURL       string               `json:"file_url" validate:"max=500"`
 	FileName      string               `json:"file_name" validate:"max=255"`
-	FileSize      *int64               `json:"file_size"`
+	FileSize      *int64               `json:"file_size" validate:"omitempty,min=0"`
 	MimeType      string               `json:"mime_type" validate:"max=100"`
 	PurchaseDate  *time.Time           `json:"purchase_date"`
 	ExpiryDate    *time.Time           `json:"expiry_date"`
@@ -25,17 +25,17 @@ type CreateDocumentRequest struct {
 	SerialNumber  string               `json:"serial_number" validate:"max=100"`
 	ModelNumber   string               `json:"model_number" validate:"max=100"`
 	TaskID        *uint                `json:"task_id"`
-	ImageURLs     []string             `json:"image_urls"` // Multiple image URLs
+	ImageURLs     []string             `json:"image_urls" validate:"omitempty,max=20,dive,max=500"` // Multiple image URLs
 }
 
 // UpdateDocumentRequest represents the request to update a document
 type UpdateDocumentRequest struct {
 	Title         *string              `json:"title" validate:"omitempty,min=1,max=200"`
-	Description   *string              `json:"description"`
-	DocumentType  *models.DocumentType `json:"document_type"`
+	Description   *string              `json:"description" validate:"omitempty,max=10000"`
+	DocumentType  *models.DocumentType `json:"document_type" validate:"omitempty,oneof=general warranty receipt contract insurance manual"`
 	FileURL       *string              `json:"file_url" validate:"omitempty,max=500"`
 	FileName      *string              `json:"file_name" validate:"omitempty,max=255"`
-	FileSize      *int64               `json:"file_size"`
+	FileSize      *int64               `json:"file_size" validate:"omitempty,min=0"`
 	MimeType      *string              `json:"mime_type" validate:"omitempty,max=100"`
 	PurchaseDate  *time.Time           `json:"purchase_date"`
 	ExpiryDate    *time.Time           `json:"expiry_date"`