Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/handlers/notification_handler_test.go

@@ -0,0 +1,88 @@
+package handlers
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+
+	"github.com/treytartt/casera-api/internal/models"
+	"github.com/treytartt/casera-api/internal/repositories"
+	"github.com/treytartt/casera-api/internal/services"
+	"github.com/treytartt/casera-api/internal/testutil"
+)
+
+func setupNotificationHandler(t *testing.T) (*NotificationHandler, *echo.Echo, *gorm.DB) {
+	db := testutil.SetupTestDB(t)
+	notifRepo := repositories.NewNotificationRepository(db)
+	notifService := services.NewNotificationService(notifRepo, nil)
+	handler := NewNotificationHandler(notifService)
+	e := testutil.SetupTestRouter()
+	return handler, e, db
+}
+
+func createTestNotifications(t *testing.T, db *gorm.DB, userID uint, count int) {
+	for i := 0; i < count; i++ {
+		notif := &models.Notification{
+			UserID:           userID,
+			NotificationType: models.NotificationTaskDueSoon,
+			Title:            fmt.Sprintf("Test Notification %d", i+1),
+			Body:             fmt.Sprintf("Body %d", i+1),
+		}
+		err := db.Create(notif).Error
+		require.NoError(t, err)
+	}
+}
+
+func TestNotificationHandler_ListNotifications_LimitCappedAt200(t *testing.T) {
+	handler, e, db := setupNotificationHandler(t)
+	user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
+
+	// Create 210 notifications to exceed the cap
+	createTestNotifications(t, db, user.ID, 210)
+
+	authGroup := e.Group("/api/notifications")
+	authGroup.Use(testutil.MockAuthMiddleware(user))
+	authGroup.GET("/", handler.ListNotifications)
+
+	t.Run("limit is capped at 200 when user requests more", func(t *testing.T) {
+		w := testutil.MakeRequest(e, "GET", "/api/notifications/?limit=999", nil, "test-token")
+		testutil.AssertStatusCode(t, w, http.StatusOK)
+
+		var response map[string]interface{}
+		err := json.Unmarshal(w.Body.Bytes(), &response)
+		require.NoError(t, err)
+
+		count := int(response["count"].(float64))
+		assert.Equal(t, 200, count, "response should contain at most 200 notifications when limit exceeds cap")
+	})
+
+	t.Run("limit below cap is respected", func(t *testing.T) {
+		w := testutil.MakeRequest(e, "GET", "/api/notifications/?limit=10", nil, "test-token")
+		testutil.AssertStatusCode(t, w, http.StatusOK)
+
+		var response map[string]interface{}
+		err := json.Unmarshal(w.Body.Bytes(), &response)
+		require.NoError(t, err)
+
+		count := int(response["count"].(float64))
+		assert.Equal(t, 10, count, "response should respect limit when below cap")
+	})
+
+	t.Run("default limit is used when no limit param", func(t *testing.T) {
+		w := testutil.MakeRequest(e, "GET", "/api/notifications/", nil, "test-token")
+		testutil.AssertStatusCode(t, w, http.StatusOK)
+
+		var response map[string]interface{}
+		err := json.Unmarshal(w.Body.Bytes(), &response)
+		require.NoError(t, err)
+
+		count := int(response["count"].(float64))
+		assert.Equal(t, 50, count, "response should use default limit of 50")
+	})
+}